
ISO 42001 evidence, built on every request.
ISO 42001 is the first certifiable standard for AI management systems. AegisPlane connects its clauses to live controls on your traffic. You get the continuous, traceable records an audit asks for, without the manual bookkeeping.
No code changes. Live on your traffic in a day.
One control sits in front of every model your teams already call, checking each request against the standards your auditors recognize.
What is ISO 42001?
Most AI governance is a policy no one can prove. ISO/IEC 42001:2023 is the first certifiable management-system standard for AI. Like ISO 27001 for security, it defines how you run an AI management system (AIMS): risk assessment, operational controls, and performance evaluation.
- Defines an AI management system (AIMS) with the Plan-Do-Check-Act cycle.
- Requires documented AI risk assessment and treatment (Clause 6.1).
- Mandates operational controls and documented information.
- Certifiable by accredited third parties, signalling governance maturity.
What ISO 42001 requires
An AI management system runs on documented, repeatable controls. AegisPlane supplies the operational half.
AI policy and objectives
Governance expressed as versioned config, compiled into a signed, auditable bundle.
Risk and impact assessment
Clause 6.1 requires documented assessment before deployment. Requests without it are flagged.
Operational controls
Clause 8 controls run inline on every request through the policy engine.
Performance evaluation
Clause 9 monitoring is backed by telemetry, drift, and burn-rate alerts, feeding continual improvement.
One request, checked in real time
Here is one interaction. AegisPlane classifies the request, checks it against the framework, blocks what it must, and logs the decision as evidence. It happens in milliseconds, on live traffic.
Business value
- Improves organization-wide AI governance maturity.
- Links governance to real operations.
- Builds stakeholder and customer confidence.
How AegisPlane supports your ISO 42001 AIMS
AegisPlane links AIMS clauses to live controls in the AI Control Plane (AICP), so the management system is backed by real operational data instead of static documents.
Policy as config
AI policies and operational controls are expressed as versioned config-as-code and compiled into signed bundles, the documented information Clause 7.5 expects.
Controls at the gateway
Operational controls (Clause 8) are enforced inline by the OPA policy engine on every request, so the AIMS is exercised continuously.
Performance evaluation
OpenTelemetry metrics, drift detection, and burn-rate alerts feed the monitoring and measurement Clause 9 requires.
Continual improvement
Logged decisions and alerts surface where controls need tuning, supporting the improvement loop of Clause 10.
Frequently asked questions
No. Certification is issued by accredited certification bodies. AegisPlane supplies the operational controls and continuous records that make an audit against the standard far easier to pass.
Config maps to Clause 7.5 documented information, gateway enforcement to Clause 8 operational controls, telemetry to Clause 9 evaluation, and logged findings to Clause 10 improvement.
No. ISO 42001 addresses AI-specific management concerns that ISO 27001 does not, and the two are designed to coexist. AegisPlane can enforce both.
No. Controls run at the gateway around your existing models; there is no retraining or application code change.
Versioned policy bundles, per-request enforcement logs, performance telemetry, and improvement findings, all exportable.
Why now
Continuous checks and evidence, not a stale annual assessment
AI due-diligence questionnaires increasingly ask for ISO 42001 alignment. Live AI traffic is checked against every selected framework and each decision is logged as evidence, so audit prep stops being a fire drill. No code changes.
