ISO/IEC 42001 AI Management System

Jurisdiction: OECD (voluntary)
Effective: Dec 18, 2023
Authority: International Organization for Standardization
Official text Verified Mar 26, 2026

Obligations Covered

Risk Assessment, Data Governance, Record-Keeping & Documentation

AI Risk Management System

Obligation: Risk Assessment (voluntary)
Effective: Dec 18, 2023
Risk tier: all
Scope: providers, deployers

Requirements

| Requirement | Details |
|---|---|
| Risk assessment | Establish processes to identify and assess AI-related risks |
| Risk treatment | Implement controls to treat identified risks |
| Objectives | Set measurable AI management objectives |
| Leadership commitment | Top management must demonstrate commitment to the AI management system |

Penalties

| Violation | Fine |
|---|---|
| Non-compliance | Voluntary — certification-based, no direct penalties |

AI Data Governance

Obligation: Data Governance (voluntary)
Effective: Dec 18, 2023
Risk tier: all
Scope: providers

Requirements

| Requirement | Details |
|---|---|
| Data quality | Establish processes for ensuring AI training and operational data quality |
| Data provenance | Document data sources and lineage |
| Data lifecycle | Manage data throughout the AI system lifecycle |

Penalties

| Violation | Fine |
|---|---|
| Non-compliance | Voluntary — certification-based |

AI Documentation and Record-Keeping

Obligation: Record Keeping (voluntary)
Effective: Dec 18, 2023
Risk tier: all
Scope: providers, deployers

Requirements

| Requirement | Details |
|---|---|
| Documented information | Maintain documented information required by the AI management system |
| Performance evaluation | Monitor, measure, analyze, and evaluate AI system performance |
| Internal audit | Conduct internal audits at planned intervals |
| Management review | Top management must review the AI management system at planned intervals |

Penalties

| Violation | Fine |
|---|---|
| Non-compliance | Voluntary — certification-based |