ISO 42001 Won't Make You Compliant with the AI Act. Here's Why That's Fine!
July 6, 2026
ISO 42001 doesn't automatically cover the EU AI Act, since it's a voluntary management standard for how you run AI internally, not one of the official "harmonised standards" the Act gives automatic legal credit to. What it does give you is the foundation: an AI inventory, clear ownership, real risk controls. The upcoming EU standard for the AI Act (prEN 18286) is actually designed to map onto ISO 42001, so if you already have it, every new AI law that comes along becomes cheap paperwork on top instead of a new project from scratch.

ISO 42001 added to FEHA GRC and since then we keep getting the same question:
"If we get certified, does that mean we're covered for the EU AI Act?"
Short answer: no. But it's worth actually explaining why, because once you get it, it tells you exactly what ISO 42001 is good for and it's still very good for something.
So let's break it down plainly, shall we?
What ISO 42001 actually is
It's a management standard for how you run AI internally. Same family as ISO 27001, if you know that one. You write down your objectives, you assess risks, you assign someone to own them, you put controls in place, you check on it regularly. It's voluntary, it's international, and it's not written for any one country's law. It was never meant to be.
Why that means it can't be a compliance passport
The EU AI Act has one specific legal shortcut built in, called a presumption of conformity. Basically: if you build your system following a "harmonised standard," one that's been specifically developed by European standards bodies at the Commission's request and officially published, the law assumes you're compliant unless proven otherwise. That's a real legal perk. But ISO 42001 isn't one of those standards. It never went through that process and it's not on track to. So a 42001 certificate proves you manage AI risk properly. It doesn't prove you've ticked any specific legal box in the AI Act.
Same story if you're looking at South Korea's AI law or Singapore's guidance. Each one asks for its own specific things. No single standard clears all of them automatically. Anyone telling you otherwise is selling you something.
Worth knowing too: there are actual gaps. Reviewers looking at ISO 42001 for AI Act purposes have pointed out that it treats things like detailed logging as optional, where the AI Act treats it as basically mandatory. So even the overlap isn't perfect.
So why bother with it at all?
Because it's the foundation everything else gets built on top of. The actual EU standard being written for the AI Act right now, it's called prEN 18286, is designed to map straight onto ISO 42001's controls. The people writing it did that on purpose, so companies that already have an AIMS running can reuse that work instead of starting from scratch.
And that pattern holds no matter which country's law you're looking at. Whatever a new regulation ends up asking for, an inventory of your AI systems, someone who owns the risk, a way to catch problems, ISO 42001 already gives you that. The new law just becomes a bit of extra paperwork on top of something that already exists. Instead of a whole new project every time a new country passes a law.
That's really the whole pitch. Don't build toward ISO 42001 because it satisfies a specific regulation. Build it because every regulation that shows up afterward will be cheaper and faster to deal with, because you already did the real work.
This is basically why we added ISO 42001 support to FEHA GRC.
If you're not sure whether to start here or wait for a specific law to force your hand, happy to talk it through

.png)


