What is ISO 42001 and why does it matter now?
ISO/IEC 42001:2023 is the world's first international standard for an AI management system. Published in December 2023, it gives organizations a structured framework for governing AI development, deployment, and ongoing operation. It is certifiable, which means an independent body audits your practices against the standard and issues a certificate that third parties can verify.
By 2026, the certification market has entered its first real growth wave. Major certification bodies have operationalized their audit services, and leading technology vendors have acquired certification. More importantly, the buyers who work with those vendors have begun requiring it. 72 percent of enterprise buyers now screen for ISO 42001 before the first RFP round. The standard has moved from forward-thinking to expected.
The connection to the EU AI Act
ISO 42001 was designed independently of the EU AI Act, but the two align closely in practice. For organizations subject to the high-risk obligations of the AI Act, which remain on the original timeline into 2027 and 2028, ISO 42001 certification covers approximately 70 percent of the required documentation. This makes it the fastest credible path to demonstrating conformance, far faster than building a custom documentation framework from scratch.
With the EU AI Act transparency obligations still applying from August 2026, and the broader high-risk requirements coming in the following years, organizations that pursue ISO 42001 now are building the governance infrastructure that will serve both procurement requirements and regulatory compliance in a single investment.
What does certification actually require?
ISO 42001 follows the same high-level structure as ISO 27001 and other management system standards. Organizations need to establish an AI management system: document their AI use cases and the objectives behind them, classify AI systems by risk, define controls for development, deployment, and monitoring, and demonstrate that those controls operate in practice. Certification costs range from around 85,000 dollars to over 650,000 dollars in year one, depending on organizational size and complexity, with roughly 30 to 50 percent savings for organizations that already hold ISO 27001.
For organizations that have not started, the message from the procurement market is clear: the standard is now a gate, not a bonus. The buyers who require it will not wait for you to build the capability after they have already shortlisted your competitors who have it.