Aguardic
AI Management System Standard

ISO 42001 Compliance. Govern AI by Design.

ISO 42001 is the first international standard for AI management systems. Aguardic automates the Annex A controls — risk classification, deployment governance, continuous monitoring — so you can certify faster and maintain certification without the annual scramble.

14-day free trial · No credit card · Free ISO 42001 policy pack

Does This Apply to You?

ISO 42001 Is Becoming the Gold Standard for AI Governance

Enterprise AI Teams

  • Organizations building or deploying AI systems that want a recognized governance framework
  • Companies pursuing ISO 42001 certification as a competitive differentiator
  • Teams already ISO 27001 certified looking to extend governance to AI

AI Vendors & Consultancies

  • AI vendors selling products where certification builds buyer confidence
  • Consultancies advising on AI governance who need to demonstrate best practices
  • Organizations responding to customer or regulator requests for AI governance evidence

ISO 42001 certification signals that your organization takes AI governance seriously — a growing requirement in enterprise procurement.

Annex A Controls

Automate ISO 42001 Controls for Your AI Systems

AI Risk Management

Classify AI systems by risk level, assess impacts on individuals and society, and implement proportionate controls. Aguardic's AI System Registry tracks risk tiers automatically.

AI System Lifecycle

Govern design, development, deployment, and decommissioning with documented processes. Track every stage with versioned policies and audit trails.

Continuous Monitoring

Monitor AI system performance, detect drift, track incidents, and generate management reviews. Evidence generated automatically for certification audits.

Requirements Coverage

ISO 42001 Coverage Matrix

No single tool covers every ISO/IEC 42001 control. This is the Annex A control reference: what Aguardic enforces, the evidence it produces, and the work your AIMS owner still handles.

8 Covered · 2 Partial · 2 Not Covered · Total: 12
Covered · A.2

AI Policy & Risk Management

Establish an AI policy and risk management program appropriate to the organization's purpose, covering risk assessment, treatment, and residual risk acceptance.

How Aguardic helps

Risk Management pack enforces the policy's operational clauses: flags AI deployments without documented risk assessment, high-risk AI uses without treatment plans, residual-risk acceptance without proper authority, risk registers missing AI entries, AI changes without risk reassessment, and risk decisions not communicated to stakeholders.

Evidence produced

Undocumented risk assessment detections · high-risk-without-treatment flags · residual risk authority gaps · risk register AI-entry detections · change-without-reassessment flags · policy version history

What you handle

Author the organizational AI policy document, approve the strategic direction, and ratify the policies Aguardic enforces.

Not Covered · A.3

Internal Organization

Establish roles, responsibilities, and authorities for AI management across the organization.

How Aguardic helps

Aguardic enforces technical policies, not organizational role assignments.

What you handle

Assign AI governance roles (AI owner, risk officer, etc.) and document responsibilities in your AIMS charter.

Not Covered · A.4

Resources for AI Systems

Determine and provide the resources needed for the AI management system.

How Aguardic helps

Resource planning and allocation sit outside automated policy enforcement.

What you handle

Allocate budget, headcount, and tooling for the AIMS. Run the annual resource planning process.

Covered · A.5

AI System Impact Assessment

Conduct impact assessments for AI systems considering risks, opportunities, and affected parties.

How Aguardic helps

Risk Management pack's High-Risk AI Without Treatment rule flags automated hiring, credit scoring, diagnostic, and autonomous decisions shipped without mitigation controls. AI System Registry captures risk classification, data categories, and integration scope to feed the assessment document.

Evidence produced

High-risk-without-treatment detections · AI System Registry exports · risk classification data

What you handle

Author the final impact assessment document using Aguardic exports as source input. Sign off on acceptance of residual risk.

Covered · A.6

AI System Lifecycle

Govern AI system design, development, validation, deployment, operation, and decommissioning.

How Aguardic helps

Lifecycle Governance pack enforces the full chain, flagging missing design requirements, unversioned model deployments, missing validation evidence, deployments bypassing approval gates, production AI without operational monitoring plans, and retirement without decommissioning procedures.

Evidence produced

Design requirement detections · unversioned model flags · validation evidence gaps · deployment approval gap flags · missing monitoring plan detections · decommissioning procedure gaps · VCS integration logs

What you handle

Define lifecycle stage gates (who approves production deployment) and own decommissioning decisions.

Covered · A.7

Data for AI Systems

Manage data used by AI systems including quality, provenance, bias assessment, preparation, and lineage.

How Aguardic helps

Data Quality pack enforces A.7.2-A.7.5, flagging undocumented data sources, datasets without quality metrics, missing provenance / data cards, datasets without bias assessments, undocumented preparation steps, and data lineage gaps in AI pipelines.

Evidence produced

Undocumented data source detections · missing quality metrics flags · missing provenance detections · bias assessment gap flags · preparation step gaps · lineage gap reports

What you handle

Run upstream data-governance tooling for dataset lineage and provenance capture. Own the bias assessment methodology and remediation when Aguardic flags gaps.

Covered · A.8

Information for Interested Parties

Provide relevant information about AI systems to stakeholders, affected parties, and oversight bodies.

How Aguardic helps

Risk Management pack's Missing Risk Communication rule flags AI risks documented but not shared with impacted teams, end users, or oversight bodies. Evaluation results and audit trails back the disclosure narrative.

Evidence produced

Missing risk communication detections · exportable evaluation reports · compliance dashboards

What you handle

Author stakeholder communications, disclosures, and reports using Aguardic data as source input.

Covered · A.9

Use of AI Systems

Define and document the intended use of AI systems and enforce operational boundaries.

How Aguardic helps

AI System Registry documents intended use, risk tier, data categories, and bound policies. Continuous enforcement blocks actions that fall outside the documented operational boundary.

Evidence produced

AI System Registry exports · boundary violation logs · policy enforcement records

What you handle

Define and sign off on intended-use boundaries per AI system. Approve scope changes when business context shifts.

Covered · A.10

Third-party and Customer Relationships

Address risks from third-party AI systems and customer use of your AI.

How Aguardic helps

Network policy sharing enables org-to-org compliance monitoring. Shadow policies auto-sync when partner policies change.

Evidence produced

Network connection records · shared policy evaluation logs

What you handle

Negotiate AI clauses in vendor and customer contracts. Approve which partners you connect via network policies.

Covered · B.2

Monitoring, Measurement, Analysis, and Evaluation

Monitor AI system performance, detect drift, establish baselines, trigger improvement actions, and enforce periodic review schedules.

How Aguardic helps

Monitoring & Improvement pack enforces A.9.2-A.9.4, flagging production AI without performance monitoring, model / data / concept drift indicators, missing performance baselines, degradation without incident response, missing improvement actions after performance issues, and missing periodic review schedules.

Evidence produced

Unmonitored production AI detections · drift indicator alerts · missing baseline flags · degradation-without-incident detections · missing improvement action flags · periodic review gap reports · compliance dashboard metrics

What you handle

Define success metrics for your AIMS and review Aguardic dashboards on a defined cadence.

Partial · B.3

Internal Audit

Conduct internal audits of the AIMS at planned intervals.

How Aguardic helps

Audit trail exports provide evidence for internal audits. Aguardic does not schedule or manage the audit process itself.

Evidence produced

Exportable audit trails · compliance evidence packages

What you handle

Schedule and conduct internal audits; pull evidence packages from Aguardic as audit input.

Partial · B.4

Management Review

Review the AI management system at planned intervals to ensure its continued suitability.

How Aguardic helps

Compliance dashboards and trend reports provide input for management reviews. Aguardic does not generate review meeting agendas or minutes.

Evidence produced

Compliance trend reports · violation summaries

What you handle

Schedule management reviews, draft agendas and minutes, and authorize AIMS changes coming out of review.

Coverage mappings reflect Aguardic's current product capabilities mapped to ISO/IEC 42001:2023 Annex A and Annex B controls. Validate with your certification body for your specific AIMS scope.

ISO 42001 questionnaire?

Answer ISO 42001 AIMS questions with controls Aguardic enforces

Upload it. We draft answers citing the AIMS clauses — risk management (Clause 6), AI system impact assessment (Clause 8.3), operational planning, and continuous improvement — describing what Aguardic enforces continuously rather than what your AIMS documentation claims.

Start your ISO 42001 journey today.

Install the ISO 42001 policy pack, register your AI systems, and start generating certification-ready evidence.
