On May 13, 2026, Insight Assurance hosted an Ask an Auditor session on ISO 42001 (ISO/IEC 42001:2023), the international standard for AI management systems. The session was designed for compliance leaders, security teams, and executives who want to understand what AI governance actually requires and whether pursuing ISO 42001 makes sense for their organization right now.
What we covered
The session focused on practical questions from a live audience. Topics included:
- What ISO 42001 evaluates and who it applies to, including AI builders, AI users, and AI service providers
- How ISO 42001 relates to ISO 27001 and SOC 2, and what carries over if you already have either
- What a realistic assessment timeline looks like for small and mid-size organizations
- How to think about AI governance before regulatory or procurement pressure arrives
- The difference between an independent ISO 42001 assessment and consulting or advisory services
Is ISO 42001 relevant to your organization?
ISO 42001 applies more broadly than most organizations expect. It is not limited to companies building AI products. The standard is written to be applicable to any organization that develops, provides, or uses AI systems, whether in internal operations, in customer-facing services, or through third-party tools. Adopting it is voluntary, but the scope of what it can be applied to is wide.
Three categories are relevant: organizations that produce AI systems, organizations that provide AI-enabled services, and organizations that use AI tools as part of their operations. Most organizations today fall into at least one of these categories, and many fall into more than one, which affects which Annex A controls are relevant to them.
If you already have ISO 27001 or SOC 2
One of the most common questions in the session was about the relationship between ISO 42001 and existing compliance frameworks.
For organizations with ISO 27001, the overlap is significant. Both standards follow the same harmonized management system structure (the clause 4 through 10 framework), so the risk assessment methodology, internal audit process, management review, and document control carry over directly. The net new work is the AI-specific layer: the AI system impact assessment, an inventory of the AI systems in scope, the AI-specific risk treatment, and a Statement of Applicability covering the subset of ISO 42001 Annex A controls that apply to your context. Note that ISO 42001 has its own Annex A; it is not the ISO 27001 control set, so existing control mappings do not transfer one-for-one.
For organizations with SOC 2, the overlap is smaller but still meaningful. The control discipline, evidence collection habits, and vendor risk management practices built through SOC 2 are directly applicable. The primary gap is the management system itself: SOC 2 is an attestation against the Trust Services Criteria and does not require a documented management system with defined scope, leadership commitment, planning, performance evaluation, and continual improvement, all of which ISO 42001 requires and an assessor will look for.
About the session
This was an Ask an Auditor format with no product demos and no sales pitch. Our auditors answered questions submitted live by attendees. The session was hosted in collaboration with Drata.
Insight Assurance performs independent ISO 42001 assessments. If you have questions about the standard or want to understand what an assessment would involve for your organization, get in touch.
