What it is #

ISO/IEC 42001:2023 is the first certifiable management-system standard for AI. Modeled on ISO 27001 (information security) and ISO 9001 (quality), it specifies clauses 4–10 (context, leadership, planning, support, operation, performance evaluation, improvement) plus Annex A containing the catalogue of operational controls.

Adoption is driven by:

  • Procurement pressure — large enterprises are starting to require ISO 42001 certification from AI suppliers (similar to how SOC 2 became a procurement gate for SaaS).
  • EU AI Act alignment — the Commission’s draft GPAI Code of Practice references 42001 as one path to demonstrate Article-9 compliance.
  • Internal governance — boards of regulated firms increasingly ask for a certifiable management-system standard for AI.

How Regulus maps to it #

Two layers of mapping:

1. Annex A controls (44 controls in 4 groups): Regulus emits citations against the specific A-control IDs each event provides evidence for. Example: a DENY decision from the policy plugin emits iso-42001:A.8.4 (Use of AI System) on the audit event.

2. Statement of Applicability (SoA): The CLI generates an SoA template from the active profile + framework set:

regulus framework iso-42001 generate-soa > my-soa.md

The output is markdown listing each Annex A control with three fields: Applicable (yes/no/justification), Implementation (where Regulus delivers it), and Evidence pointer (the audit-chain filter or configuration line). You complete the document; Regulus pre-fills the mechanical parts.
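To make the citation-to-SoA flow concrete, here is an added example (not Regulus code) that takes audit events carrying `iso-42001:A.x.y` citations and pre-fills the mechanical Implementation and Evidence pointer fields of the three-field SoA table, leaving Applicable for the organisation. The event shape, the filter syntax in the evidence pointer, and every control ID other than A.8.4 are assumptions.

```python
"""Added example, not Regulus code: derive SoA rows from cited audit events.
Assumed: event dict shape, evidence-pointer filter syntax, and all control
IDs/titles except A.8.4 "Use of AI System", which the page names."""
from collections import defaultdict

# Constructed Annex A slice to report on (placeholders except A.8.4).
CONTROLS = {
    "A.6.2": "Placeholder control title",
    "A.8.4": "Use of AI System",
    "A.9.2": "Placeholder control title",
}

# Constructed audit events; each carries the citations it is evidence for.
EVENTS = [
    {"id": "evt-001", "source": "policy-plugin", "decision": "DENY",
     "citations": ["iso-42001:A.8.4"]},
    {"id": "evt-002", "source": "policy-plugin", "decision": "ALLOW",
     "citations": ["iso-42001:A.8.4", "nist-ai-rmf:GOVERN-1.1"]},
    {"id": "evt-003", "source": "model-gateway", "decision": "ALLOW",
     "citations": ["iso-42001:A.6.2"]},
]


def collect_evidence(events, framework="iso-42001"):
    """Map each control ID of one framework to the event sources that cited it."""
    evidence = defaultdict(set)
    for ev in events:
        for cite in ev.get("citations", []):
            fw, _, control = cite.partition(":")
            if fw == framework and control:   # ignore other frameworks' citations
                evidence[control].add(ev["source"])
    return evidence


def soa_rows(controls, evidence, framework="iso-42001"):
    """One row per control. Applicable is never pre-filled: evidence shows a
    control is exercised, but applicability is the organisation's decision."""
    rows = []
    for cid, title in sorted(controls.items()):
        sources = sorted(evidence.get(cid, ()))
        impl = ", ".join(sources) if sources else "TODO"
        # Assumed audit-chain filter syntax; the real pointer format may differ.
        pointer = f'audit-chain filter: citation == "{framework}:{cid}"' if sources else "TODO"
        rows.append((cid, title, "TODO (yes/no/justification)", impl, pointer))
    return rows


def render_soa(rows):
    """Render rows as the markdown table an SoA template would contain."""
    header = "| Control | Title | Applicable | Implementation | Evidence pointer |\n|---|---|---|---|---|"
    return header + "\n" + "\n".join(f"| {c} | {t} | {a} | {i} | {p} |" for c, t, a, i, p in rows)
```

Controls with no citing event come out with Implementation set to TODO, which is the list of gaps to close or justify before an audit.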

What Regulus doesn’t claim #

A certifiable management system is not just runtime controls. It requires organisational artefacts — an AI policy, leadership commitment evidence, internal audit programme, management review records — that live outside the runtime. Regulus delivers the operational controls in Annex A. The clauses 4–7 management-system artefacts (context, leadership, planning, support) are your organisation’s documentary work.

Activating #

regulus:
  frameworks:
    - iso-42001
  iso-42001:
    organisation-name: "Acme Bank plc"
    soa-revision: 2

Cross-references #

Activating the ISO 42001, NIST AI RMF and EU AI Act profiles together is a strong combination: each framework emits its own citations on the same audit event, so a single runtime yields a multi-framework coverage report.
