AI governance, certifiable

The world's first certifiable AI Management System

ISO 42001 is the new international standard for governing AI inside an organization. episki operationalizes it — agent registry, AI use-case inventory, risk treatments, and crosswalks to NIST AI RMF and the EU AI Act.

What is ISO 42001?

ISO/IEC 42001:2023, published in December 2023, is the world's first international management-system standard for artificial intelligence. It defines requirements for establishing, implementing, maintaining, and continually improving an AI Management System (AIMS) — modeled on the pattern used by ISO 27001 for information security and ISO 9001 for quality.

The standard contains a set of management-system clauses (4–10) covering context, leadership, planning, support, operation, performance evaluation, and improvement, plus a normative Annex A with 38 controls covering the AI lifecycle from policies through third-party providers.

Who needs ISO 42001

Any organization developing, providing, or using AI systems at material scale. The standard is rapidly becoming the de facto demonstration of mature AI governance for enterprise buyers and regulated industries (financial services, healthcare, public sector), and a readiness signal for the EU AI Act, which references ISO 42001 as evidence of due diligence.

How episki helps

episki is the only GRC platform built with AI governance as a first-class concern — because we ship AI features ourselves. The platform inventories your AI use cases (including agents in episki), classifies them by risk, treats AI-specific risks through the same workflows you use for cyber risk, and crosswalks 42001 to NIST AI RMF and the EU AI Act so evidence is reusable.

ISO 42001 outcomes with episki

Quantify the impact security and compliance bring to your business.
  • AIMS: a certifiable AI Management System modeled on the ISMS pattern from ISO 27001.
  • 38 controls: Annex A operational controls covering the AI lifecycle.
  • NIST AI RMF: cross-walked to NIST AI RMF and the EU AI Act for reusable evidence.

Why teams choose episki for ISO 42001

Framework-specific automation, collaboration, and reporting in one workspace.
Agent registry and use-case inventory
Track every AI use case in your organization with risk classification, ownership, and lifecycle stage.
  • Inventory across vendors, internal builds, and shadow AI
  • Risk tier per use case using ISO 42001 criteria
  • Lifecycle stage from concept to retirement
AI-specific risk treatments
Run AI risks (bias, hallucination, security, drift) through the same treatment workflows as your existing risk register.
  • AI-specific risk taxonomy
  • Acceptance, mitigation, transfer, and avoidance paths
  • Tied to controls and ongoing monitoring
Annex A controls
The 38 operational controls in ISO 42001 Annex A, ready to scope, implement, and evidence.
  • Policies, leadership, resources, lifecycle controls
  • Data quality, fairness, interpretability
  • Third-party AI provider obligations

ISO 42001 readiness inside episki

Stand up an AIMS in days, not quarters.

Plug episki into your stack and work directly from this checklist during the free trial.

  • AI use-case inventory and risk tiering
  • Annex A control selection per use case
  • AI ethics and acceptable use policy
  • AI risk register with treatment plans
  • Third-party AI provider (sub-processor) assessment
  • Ongoing AI performance and incident monitoring

ISO 42001 accelerators

AI governance accelerators

Translate ISO 42001 from a 50-page PDF into a running program.
  • AI use-case scoping wizard: determine which 42001 controls apply per use case based on risk classification.
  • NIST AI RMF crosswalk: map 42001 controls to NIST AI RMF functions for reusable evidence.
  • EU AI Act readiness checklist: prepare for high-risk and general-purpose AI obligations under the EU AI Act.

Build a certifiable AIMS in episki

Inventory your AI, treat the risks, map to NIST and the EU AI Act — one workspace.