ar.io
ISO 42001 Compliance

ISO 42001 verifiable records for your AI management system.

The standard requires controlled, retained records and recorded event logs (Clauses 7.5 and 9, control A.6.2.8). ar.io anchors them to permanent storage, so the evidence an auditor samples is provably the same record that was created at the time.

Controlled · Self-authenticating · Audit-ready

Standard at a glance: ISO 42001
  • Standard: ISO/IEC 42001, the AI Management System (AIMS) standard
  • Published: Dec 2023, the first international AI MSS
  • Annex A: 9 control objectives / 38 controls
  • Certification: Voluntary, via accredited bodies
  • Recert cycle: 3 years, with annual surveillance

Published by ISO and IEC. Certification is awarded by accredited certification bodies.

01 — At a glance

What ISO 42001 requires, in one block.

ISO/IEC 42001:2023 is the first international AI Management System (AIMS) standard. It specifies requirements (Clauses 4 to 10) for establishing, maintaining, and improving how an organization governs AI, supported by a normative Annex A of 9 control objectives and 38 controls. It applies to any organization that develops, provides, or uses AI systems. Certification is voluntary and awarded by accredited bodies, but it is increasingly required in enterprise procurement and aligns with EU AI Act governance expectations.

02 — What's actually required

The clauses and controls that generate evidence.

Clauses 4 to 10 are the management system; Annex A is a normative catalogue you select from and justify in a Statement of Applicability. The requirements below are the ones that produce records an auditor samples, and the ones that pair with EU AI Act evidence obligations.

Clause 7.5

Documented information

Documented information the AIMS requires must be created, controlled, version-managed, access-controlled, and retained.

What the evidence looks like

A controlled record set with provable version history and retention, so an auditor can trust the records have not changed since approval.

Clause 9.1

Monitoring & measurement

Monitor, measure, analyse, and evaluate the performance of AI systems and the AIMS itself.

What the evidence looks like

Retained system event logs, performance-evaluation reports, and tracked KPIs kept as documented information.

Clause 9.2

Internal audit

Conduct internal audits at planned intervals and keep records of the results and any follow-up.

What the evidence looks like

Audit plans, checklists, reports, findings, and corrective-action records, available at every surveillance audit.

Control A.6.2.8

Event logs

Record event logs across the AI system life cycle as part of the Annex A life-cycle controls.

What the evidence looks like

Machine-generated event logs, retained and controlled so they remain trustworthy evidence over time.

Control A.5

Impact assessments

Assess the impacts of AI systems on individuals and society, and document the assessment.

What the evidence looks like

Completed AI system impact assessments, retained as part of the evidence base.

Control A.7

Data provenance

Manage data for AI systems, including provenance and quality across the life cycle.

What the evidence looks like

Data-provenance and data-quality records that establish where training and operating data came from.

03 — How ar.io solves it

Proof without access, in five steps.

Cryptographic fingerprints of the records your AIMS produces are generated inside your environment and anchored to permanent storage. The underlying documents never leave your perimeter. Only the fingerprint and timestamp are anchored. The architecture is called proof without access.

  1. Capture

     A REST client or MLflow plugin hashes the record (impact assessment, technical doc, event log, audit report) inside your environment.

  2. Sign

     The fingerprint is signed with your private key, authenticating the commitment.

  3. Anchor

     The signed fingerprint is written to Arweave through the ar.io gateway network. Records cannot be silently altered without leaving evidence.

  4. Bundle

     The evidence bundle (records, hashes, timestamps, chain of custody) exports in formats designed for certification and internal-audit review.

  5. Verify

     An auditor or customer compares fresh fingerprints to anchored ones using only your record and the public entry. No vendor cooperation required.
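The five steps above, carried through end to end as an added illustration. This is not ar.io's SDK, REST client or MLflow plugin, and nothing here talks to Arweave or an ar.io gateway: an in-memory append-only ledger stands in for permanent storage, Ed25519 is an assumed choice of signature scheme, and the record ID, the commitment format (ID, digest and timestamp joined by newlines) and the sample event-log line are all constructed for the example. What it does show is the property the page relies on: only the fingerprint, signature, public key and timestamp leave the perimeter, and a verifier holding nothing but the record and that public entry can detect both an altered record and a forged entry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AnchorEntry is the only data that leaves the perimeter: the fingerprint,
// the signature over the commitment, the signer's public key and a timestamp.
// The record bytes themselves stay inside the environment.
type AnchorEntry struct {
	RecordID   string            `json:"record_id"`
	Digest     string            `json:"sha256"`
	Signature  []byte            `json:"signature"`
	PublicKey  ed25519.PublicKey `json:"public_key"`
	AnchoredAt time.Time         `json:"anchored_at"`
}

// Ledger is a constructed stand-in for permanent storage (Arweave via an
// ar.io gateway on the real page). It is append-only: entries are never
// updated in place, which is what makes later alteration evident.
type Ledger struct{ entries []AnchorEntry }

func (l *Ledger) Append(e AnchorEntry) int {
	l.entries = append(l.entries, e)
	return len(l.entries) - 1
}

func (l *Ledger) Get(i int) (AnchorEntry, error) {
	if i < 0 || i >= len(l.entries) {
		return AnchorEntry{}, errors.New("no such anchor")
	}
	return l.entries[i], nil
}

// NewSigner creates the organization's signing key pair (Ed25519 is an
// assumed choice for this illustration, not something the page specifies).
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Fingerprint is step 1 (Capture): hash the record bytes locally.
func Fingerprint(record []byte) string {
	sum := sha256.Sum256(record)
	return hex.EncodeToString(sum[:])
}

// commitment is the exact byte string that gets signed (constructed format).
// Binding the record ID and timestamp to the digest stops an entry being
// reused for another record or re-dated later.
func commitment(id, digest string, at time.Time) []byte {
	return []byte(id + "\n" + digest + "\n" + at.UTC().Format(time.RFC3339))
}

// Commit covers steps 1-3 (Capture, Sign, Anchor): hash, sign, append.
// Only the AnchorEntry is handed to the ledger, never the record.
func Commit(l *Ledger, priv ed25519.PrivateKey, id string, record []byte) int {
	e := AnchorEntry{
		RecordID:   id,
		Digest:     Fingerprint(record),
		PublicKey:  priv.Public().(ed25519.PublicKey),
		AnchoredAt: time.Now().UTC().Truncate(time.Second), // RFC3339 has second precision
	}
	e.Signature = ed25519.Sign(priv, commitment(e.RecordID, e.Digest, e.AnchoredAt))
	return l.Append(e)
}

// Bundle is step 4: export the anchored entries as the evidence bundle an
// auditor receives alongside the records themselves.
func Bundle(l *Ledger) ([]byte, error) {
	return json.MarshalIndent(l.entries, "", "  ")
}

// Verify is step 5: using only the record the organization holds and the
// public entry, confirm the record is byte-for-byte what was anchored and
// that the commitment was made by the claimed key. No vendor cooperation.
func Verify(record []byte, e AnchorEntry) error {
	if Fingerprint(record) != e.Digest {
		return errors.New("digest mismatch: record differs from what was anchored")
	}
	if !ed25519.Verify(e.PublicKey, commitment(e.RecordID, e.Digest, e.AnchoredAt), e.Signature) {
		return errors.New("invalid signature: entry was not committed by the claimed key")
	}
	return nil
}

func main() {
	_, priv := NewSigner()
	ledger := &Ledger{}
	// Constructed sample: one line of an AI system event log (A.6.2.8).
	record := []byte("2024-05-01T10:00:00Z model=credit-scorer-v3 event=inference decision=approve")
	idx := Commit(ledger, priv, "event-log-2024-05-01", record)
	entry, _ := ledger.Get(idx)
	fmt.Println("original record:", Verify(record, entry))
	tampered := []byte("2024-05-01T10:00:00Z model=credit-scorer-v3 event=inference decision=deny")
	fmt.Println("tampered record:", Verify(tampered, entry))
	bundle, _ := Bundle(ledger)
	fmt.Println(string(bundle))
}
```

The verifier never needs the private key or a live connection to the signer: the public key is part of the entry, and a forged entry (digest rewritten to match an altered record) fails because the signature was made over the original commitment. In a real deployment the ledger write in `Commit` would be the gateway upload, and the timestamp auditors rely on would come from the anchoring network rather than the local clock.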

What this satisfies

The clauses and control that turn on record integrity.

  • Clause 7.5
    Documented information kept controlled and provably unaltered.
  • Clause 9.1
    Monitoring evidence and event logs anchored as they are generated.
  • Clause 9.2
    Internal-audit records preserved and independently verifiable.
  • Control A.6.2.8
    Event logs anchored across the AI system life cycle.

The architecture meets the three properties auditors test for: existence at the time, tamper-evidence, and self-authentication. ar.io is not a certification body and not an AIMS; it is the integrity layer beneath the records your AIMS produces.

04 — FAQ

Frequently asked questions.

01 What is ISO 42001 and who needs it?
ISO/IEC 42001:2023 is the first international standard for an AI Management System (AIMS), published in December 2023 by ISO and IEC. It specifies requirements for establishing, implementing, maintaining, and continually improving how an organization governs AI, using a Plan-Do-Check-Act model and the Annex SL structure shared with ISO 27001 and ISO 9001. It applies to any organization that develops, provides, or uses AI systems, of any size or sector. It is most pressing for AI product vendors, enterprises deploying AI in consequential decisions such as credit, hiring, underwriting, and fraud, and any supplier whose customers ask about AI governance in procurement.
02 How do I comply with the ISO 42001 AI management system standard?
Compliance starts by defining the scope of your AIMS and the AI policy behind it (Clauses 4 and 5). You then run AI risk and impact assessments, select applicable Annex A controls, and document a Statement of Applicability justifying inclusions and exclusions. From there the work is operational and evidentiary: implement the controls, control and retain documented information (Clause 7.5), record event logs (A.6.2.8), monitor and measure performance (Clause 9.1), run internal audits (Clause 9.2), and hold management reviews (Clause 9.3). Certification, if you pursue it, is a two-stage external audit followed by surveillance audits. Throughout, the records you produce have to be controlled and retained in a way an auditor can rely on, which is the integrity problem tamper-evident storage solves.
03 What evidence does an ISO 42001 auditor expect to see?
An auditor expects the documented information the AIMS requires and proof that it is controlled. Typical artefacts include the AIMS scope and AI policy, the risk-treatment plan and Statement of Applicability, AI system impact assessments (A.5), technical documentation (A.6.2.7), event logs (A.6.2.8), data-provenance and quality records (A.7), monitoring and performance-evaluation reports and KPIs (Clause 9.1), internal-audit plans, reports, and findings (Clause 9.2), and management-review minutes (Clause 9.3). At surveillance audits the auditor re-samples these and checks they are current and unaltered, which is why retention and tamper-evidence matter as much as the records themselves.
04 How many controls are in ISO 42001 Annex A?
Annex A is normative and contains 9 control objectives supported by 38 controls, grouped from A.2 (policies related to AI) through A.10 (third-party and customer relationships). Organizations select the controls relevant to their AI systems and document the rationale for inclusions and exclusions in a Statement of Applicability. Annex B provides implementation guidance for the controls.
05 What is the difference between ISO 42001 and the EU AI Act?
ISO 42001 is a voluntary international management-system standard you can be certified against; the EU AI Act is binding law in the European Union. ISO 42001 describes how to govern AI as an organization; the EU AI Act sets specific legal obligations for prohibited, high-risk, and general-purpose AI. They are complementary: a certified ISO 42001 management system is a strong way to demonstrate the systematic governance the EU AI Act expects of high-risk systems, though certification does not by itself make you compliant with the Act. Many organizations pursue both, using ISO 42001 as the operating framework and the EU AI Act as the legal requirement.
06 Is ISO 42001 certification mandatory?
No. Certification is voluntary and is carried out by independent certification bodies that may be accredited by national accreditation bodies (examples include BSI, A-LIGN, Schellman, KPMG, and DNV). What is increasingly non-optional is the market expectation: enterprise customers and regulated buyers are adding ISO 42001 questions to vendor due diligence, so for many AI vendors certification or a credible roadmap has become a commercial requirement even though the standard itself is voluntary.
07 Does ar.io provide ISO 42001 certification?
No. ar.io is not a certification body and is not an AI management system. ar.io provides the integrity layer beneath the records your AIMS produces: it anchors cryptographic fingerprints of your documented information and event logs to permanent, tamper-evident storage so the evidence an auditor or customer reviews is provably unaltered. You still implement the AIMS and engage an accredited certification body for the audit; ar.io makes the evidence trustworthy.
Get started

Build records your auditor can verify independently.

Policies are the visible work. The records behind them are what an auditor tests, and with ar.io they are independently verifiable, so an auditor or customer can confirm they are unaltered without taking your word for it. Anchor your impact assessments, event logs, and internal-audit records before your next surveillance review.