ISO 42001: Why AI Governance Certification Is No Longer Optional
Most people filing ISO 42001 under "compliance admin" are going to feel that decision in a sales meeting somewhere around Q3 next year.
By Hoshi Editorial
Most people filing ISO 42001 under "compliance admin" are going to feel that decision in a sales meeting somewhere around Q3 next year.
I'll explain what ISO 42001 actually is, why we at Hoshi are pursuing certification, and why it should matter to any SME buying or building AI systems right now.
What it actually is
ISO/IEC 42001 is the first global standard that defines how to establish, implement, maintain and continually improve an AI management system. That phrase, "AI management system," does a lot of work. It is not a technical standard. It does not specify how to build AI models or which algorithms to use. It governs the organisational and management system that surrounds AI, covering the policies, processes, roles, and oversight mechanisms that determine whether AI is deployed responsibly and sustainably.
Think of it like ISO 27001, but for AI behaviour rather than data security. Where ISO 27001 certifies that you manage information security, ISO 42001 certifies that you manage AI: its risks, its impact on the people it touches, and its behaviour across the full lifecycle. Annex A defines 38 controls grouped into nine areas, covering AI policy, impact assessment, the AI system lifecycle, and data governance.
Why it's not just paper
Here's the part that should get a business owner's attention.
ISO/IEC 42001 is becoming a practical vendor requirement for AI companies, as enterprise buyers, cloud customers and regulated clients ask for third-party proof that AI systems are governed, monitored and documented. The certified population is still small, but the direction is clear. Salesforce has achieved ISO 42001 accreditation for Agentforce, Einstein AI Platform and Slack AI. AWS announced accredited certification for Amazon Bedrock and related services in November 2024, and Anthropic followed in January 2025 as one of the first frontier AI labs to certify. When your own platform vendors are certifying, the expectation trickles down.
Vendors without ISO/IEC 42001 may face longer security questionnaires, more custom audit requests, delayed enterprise sales cycles and weaker responses to AI Act readiness reviews. That is a commercial cost, not a compliance one.
The procurement signal is hard to ignore. In 2025, procurement trackers flagged over 250 enterprise RFPs in the EU, US, and UK as specifically requiring or scoring ISO 42001 status. Procurement has lost its tolerance for empty claims. When every deal is scrutinised for risk, compliance, and trust, especially when AI is in play, ISO 42001 becomes the yardstick that sorts hopefuls from winners. This is playing out daily in bid rooms and board reviews across major industries.
What it means for agencies and their clients
For an agency building AI systems for clients, certification does two things.
First, it makes the work auditable end to end. ISO/IEC 42001 requires an AI management system that covers policies, objectives, roles, risk treatment, monitoring, documentation, controls and continual improvement. For vendors, the practical evidence set usually includes AI inventories, risk registers, model governance records, data controls, testing records, human oversight procedures and supplier controls. That list sounds bureaucratic. In practice, it forces a discipline that most AI projects skip entirely, and that clients are now starting to ask about explicitly.
Second, it signals something to clients that a proposal deck cannot. B2B customers and enterprise partners increasingly require AI governance evidence before procurement. ISO 42001 certification provides third-party validation that AI systems are governed responsibly, reducing due diligence friction and enabling faster sales cycles.
For the client side, the benefit is equally direct. If an AI hiring tool flags candidates inconsistently by zip code and you discover it during a class-action discovery process, that is a very expensive conversation. ISO 42001 mandates AI impact assessments before deployment and at change points, covering bias, fairness, safety, privacy, and societal effects. A certified implementer has already run those checks. That is a concrete risk transfer, not a marketing claim.
Why we're doing it
Hoshi is currently working through the certification process. We build agentic AI on top of Salesforce, which is itself now ISO 42001 certified. It makes no sense for the platform to hold that standard and for us to operate without one. More practically, we are already doing the work: documented AI risk registers, defined human oversight procedures, change controls on model behaviour. Certification turns internal practice into externally verifiable proof.
It is still a differentiator while the certified population is small and visible. That window closes fast.
What to watch
In Europe, CEN-CENELEC JTC 21 is developing AI standards to support the EU AI Act. The European Commission says standards can translate legal requirements into common technical language and may create a presumption of conformity after Official Journal citation. When that happens, ISO 42001 moves from "preferred" to "presumed necessary." The agencies and clients that built the system earlier will be in a much cleaner position than those scrambling to retrofit it.
If you're an SME buying AI services, ask your vendor if they're certified or certifying. If they can't answer, that's the answer.
