AI Assurance with DQS: Governance, Security and Quality — Aligned.
DQS has audited management systems across 60+ countries for more than 40 years. As a globally accredited certification body, DQS extends that same track record to ISO/IEC 42001 for AI management systems, alongside ISO/IEC 27001 and ISO 9001 where AI governance integrates with existing information security and quality frameworks — giving organisations one coordinated route to demonstrable AI governance maturity.
ISO/IEC 42001-Recognised
Certification body for AI management systems
ISO/IEC 27001-Aligned Audits
Information security integration for AI-handling organisations
ISO 9001 Integration
Documented information and traceability baseline
Flexible Audit Delivery
Remote, hybrid or on-site audits — delivered wherever your AI governance team is based.
DQS AS A TRUSTED PARTNER
Accredited, global and independent — the foundation for credible AI certification.
ISO/IEC 42001 is a new standard. The accreditation, infrastructure and independence behind a DQS certificate are not. Here is what that looks like in numbers.
3,100+ Auditors worldwide
To support global standards like ISO/IEC 42001, ISO/IEC 27001 and ISO 9001 and more.
65,000+ Certified locations
Across all DQS standards — including the AI assurance portfolio.
60+ Countries
Local auditor presence across major markets — Europe, Asia-Pacific, Americas.
40+ Years of experience
Founded 1985 by DGQ and DIN — Germany's first management-system certifier.
The rules for AI systems have changed. Most governance structures have not.
Three shifts are happening simultaneously. Regulation has arrived — the EU AI Act sets binding obligations for high-risk AI systems, and similar frameworks are developing worldwide. AI systems themselves behave differently from conventional software, requiring governance approaches that match how they actually work. And ISO/IEC 42001 has become the reference standard regulators and customers increasingly expect to see — not in five years, but now.
AI governance is now a regulatory gate, not an internal best practice.
Where the EU AI Act applies, high-risk AI systems require documented risk management, technical documentation and human oversight — and this is increasingly assessed alongside existing ISO 9001 and ISO/IEC 27001 scopes rather than as a standalone exercise.
Fragmented ownership, inconsistent documentation, failed audits.
Without a structured AI management system, organisations risk fragmented ownership across business units, inconsistent documentation, and difficulty demonstrating governance maturity to regulators or customers. Audited in silos, the same evidence gets produced — and questioned — multiple times across different parts of the business.
One audit programme across AI governance, security and quality — coordinated, calibrated, audit-ready.
- One certification body across ISO/IEC 42001, ISO/IEC 27001 and ISO 9001
- Aligned audit cycles, shared evidence, consistent interpretation across standards and sites
- Independent of advisory — the separation that makes the certificate credible to regulators and customers
Implementing AI Governance: Putting ISO 42001 into Practice
Practical perspectives on integrating AI governance into operational management systems.
AI governance does not sit in one standard — or one team.
The standards that cover AI governance overlap with information security, quality management and sector-specific regulation — not because the frameworks are redundant, but because AI systems touch all of these at once. Which combination applies depends on what you build, what you deploy, and which markets you operate in.
- ISO/IEC 42001 — AI management system; covers risk classification, accountability and continuous monitoring
- ISO/IEC 27001 — Information security; covers the data AI systems are trained on and process
- ISO 9001 — Documented information and process control; the traceability baseline most AI governance builds on
- EU MDR 2017/745 — Where AI functionality is embedded in a medical device
- EU AI Act risk-tier obligations — regulatory driver; but the obligation framework ISO/IEC 42001 is most commonly used to address
WHICH REQUIREMENTS APPLY TO YOU
Your role in the AI value chain determines where to begin.
Your AI governance requirements depend on your role in the value chain — whether you build AI systems, deploy them operationally, distribute them, or embed them in regulated products. Here is where each role typically lands.
Trust in AI is no longer built through technology alone. Organisations increasingly require governance structures that remain transparent, scalable and auditable across international operations and regulatory environments.
Four certifiable layers — what each one covers and why it matters.
Each standard answers a different question — about governance, data, process control, or sector-specific compliance.
Here is how the layers fit together.
Each layer is independently certifiable — and can be scoped individually or as part of one coordinated programme. Together they cover what regulators, customers and your own teams will ask when they review your AI programme.
ISO/IEC 42001 establishes the management system for AI governance — risk management, documented information, roles and responsibilities, and continuous monitoring across the AI lifecycle.
ISO/IEC 42001 Certification — AI Management System covers risk classification, governance accountability, data management oversight, and monitoring requirements across the AI lifecycle. Applicable to organisations that develop, deploy or substantially modify AI systems.
Your benefit: demonstrate AI governance maturity to regulators, customers and partners — with a recognised international baseline.
How AI training data, model outputs and operational data are protected.
ISO/IEC 27001 Certification — Information Security Management addresses data security controls relevant to AI training data, model inputs and outputs, and system access. Commonly held alongside ISO/IEC 42001 where AI systems process sensitive or personal data.
Your benefit: demonstrate secure handling of the data your AI systems depend on.
The documentation and traceability foundation most AI governance requirements build on.
ISO 9001 Certification — Quality Management provides the documented information, process control and continuous improvement structure that ISO/IEC 42001 builds upon for organisations with an existing QMS.
Your benefit: integrate AI governance into a structure you may already operate, rather than building a parallel system.
EU MDR 2017/745 Conformity Assessment
Where AI functionality is embedded in a medical device, conformity assessment under EU MDR applies in addition to AI-specific governance. Relevant for manufacturers of AI-enabled diagnostic, monitoring or decision-support devices.
Your benefit: align AI governance with existing regulated-product compliance obligations rather than managing them separately.
Regulating AI under the EU MDR: Ensuring Compliance & Innovation
How AI governance intersects with regulatory requirements in medical and highly regulated operational environments.
Every stakeholder is asking a different question about your AI systems.
A regulator wants to know your AI systems are under control. A customer wants to know their data is protected. Your own teams want to know who is responsible when something changes. These are not the same question — and no single standard answers all of them. That is why the right AI governance programme covers more than one layer.
ISO/IEC 42001 certification covers risk management, documented information and accountability across the AI lifecycle.
ISO/IEC 27001 certification covers data security controls; ISO/IEC 42001 adds AI-specific data management requirements on top.
ISO 9001 and ISO/IEC 42001 documented-information requirements together support the technical documentation expectations regulators increasingly look for.
ISO/IEC 42001's roles-and-responsibilities clauses establish accountability for AI system oversight.
ISO/IEC 42001's continuous improvement processes cover ongoing review as models, data and operational conditions change.
EU MDR 2017/745 and other sector frameworks apply in addition to AI-specific governance, where relevant.
ISO/IEC 42001 is increasingly used as a common operational baseline referenced across the EU AI Act, the US NIST AI RMF, and emerging frameworks in China, Japan, South Korea and Brazil.
FinTech AI Governance in a Regulated Market
How organisations are addressing accountability, oversight and governance expectations in evolving international AI frameworks.
Why regulation is driving demand for an AI Management Layer
The Four Risk Tiers
The classification of AI systems determines the level of governance, documentation and oversight required. While the model provides a high-level structure, organisations must translate these categories into concrete operational measures.
Unacceptable Risk (Prohibited)
AI systems in this category are considered incompatible with fundamental rights and societal protections under the EU AI Act. These applications are prohibited because they present an unacceptable level of risk to individuals, public safety or democratic values. Organisations must therefore ensure that prohibited use cases are identified and excluded through appropriate governance and review mechanisms.
High Risk (Strict regulatory requirements)
High-risk AI systems are subject to the most extensive regulatory obligations due to their potential impact on health, safety and fundamental rights. These systems typically require structured risk management, technical documentation, monitoring mechanisms and clearly defined human oversight throughout the AI lifecycle to ensure ongoing compliance and operational control.
Limited Risk (Transparency requirements)
Limited-risk AI systems are primarily subject to transparency requirements designed to ensure that users remain aware when interacting with artificial intelligence. Organisations must implement clear communication and disclosure practices, particularly where AI-generated content or automated interactions could otherwise create confusion or reduce transparency for users.
Minimal Risk (Voluntary measures)
Most AI applications fall within the minimal-risk category and are not subject to specific obligations under the EU AI Act. Nevertheless, organisations increasingly recognise the value of implementing voluntary governance measures that support accountability, operational consistency and long-term readiness as regulatory expectations continue to evolve globally.
One governance structure, adaptable to every market you operate in.
For multinational organisations, AI governance is rarely limited to a single legal framework or operational region — systems may be developed in one country, deployed across several jurisdictions, and integrated into globally distributed processes. While the EU AI Act remains the most comprehensive framework and the most common global reference point, jurisdictions worldwide increasingly share governance principles such as transparency, accountability, risk management and human oversight — even where the legal structure and implementation differ. The challenge isn't understanding each framework individually; it's building a governance system standardised enough for global consistency, yet adaptable enough for local regulatory expectations.
EU AI Act
The EU AI Act establishes the first comprehensive cross-sector regulatory framework for AI, with risk-based classification, transparency requirements and conformity obligations for high-risk systems. It is increasingly used as a global reference point for AI governance structure.
The US relies on a more decentralised approach: the voluntary NIST AI Risk Management Framework, federal executive orders, and a growing patchwork of state-level AI legislation. Emphasis falls on accountability, cybersecurity and operational risk management rather than one binding cross-sector law.
China has introduced multiple frameworks covering generative AI services, recommendation algorithms and algorithmic governance, with strong emphasis on provider accountability and content governance.
Japan's approach emphasises voluntary, internationally interoperable governance frameworks focused on operational reliability and industrial innovation.
South Korea's framework balances innovation with transparency and accountability obligations, with growing emphasis on risk management aligned with international trustworthy-AI discussions.
Both markets continue to develop AI governance through evolving frameworks rather than a single comprehensive law. Brazil is advancing risk-based AI governance proposals alongside broader digital governance initiatives, with current focus on accountability and oversight for high-impact systems. India relies on a mix of existing statutes — the IT Act, the 2026 IT Rules amendment addressing AI-generated content, and the Digital Personal Data Protection Act — together with the voluntary, principle-based AI Governance Guidelines issued in 2026, while sector regulators such as the RBI and SEBI develop AI-specific supervisory expectations of their own.
Five steps from scattered requirements to one coordinated programme.
Knowing where to start — and in what order — is usually the hardest part. The steps below help you get there without unnecessary rework.
Identify your requirements.
Review which AI systems are in scope, their risk classification under the EU AI Act, and how they intersect with existing ISO 9001 or ISO/IEC 27001 management systems.
Assess your current setup.
Review existing management systems, audit cycles and internal AI governance responsibilities.
Align and consolidate.
Where possible, integrate AI governance into existing certified management systems rather than building a standalone structure.
Prepare for emerging requirements.
EU AI Act phase-in deadlines and evolving frameworks in the US, China, Japan, South Korea and Brazil continue to develop.
Plan audit capacity early.
Secure ISO/IEC 42001 audit slots with your certification body in line with your regulatory and commercial deadlines.
What you get when you certify with DQS.
Every engagement follows the same structure — from the first documentation review through to certificate issuance and ongoing surveillance. Whether you are certifying one standard or several, the process is consistent.
WHY DQS
One audit partner across AI governance, data security and quality.
Managing AI governance obligations across multiple standards does not have to mean managing multiple certification bodies. DQS covers the full scope within one programme — so audit cycles align, evidence is shared, and findings are consistent across standards.
Ready to get started?
- Tell us what you build, deploy or distribute
- We identify which standards apply to your role and map the scope
- You get one audit plan, one point of contact, one consistent approach
Frequently asked questions.
Is ISO/IEC 42001 certification mandatory under the EU AI Act?
No. The EU AI Act does not name ISO/IEC 42001 certification as a legal requirement. Where high-risk AI systems are in scope, however, ISO/IEC 42001 is widely referenced as a structured way to demonstrate the risk management, documentation and human oversight expectations the Act sets out.
Do we need both ISO/IEC 42001 and ISO/IEC 27001?
Many organisations hold both, since they cover different layers. ISO/IEC 42001 addresses AI-specific governance — risk classification, monitoring, human oversight. ISO/IEC 27001 addresses information security broadly, including the data AI systems are trained on and process. Where development data is sensitive, both are commonly held together.
What counts as a high-risk AI system under the EU AI Act?
The Act classifies AI systems into risk tiers — unacceptable, high, limited and minimal. High-risk systems are those affecting health, safety, fundamental rights, or critical infrastructure, such as certain recruitment, credit-scoring, or biometric identification systems. Exact classification depends on the specific use case set out in the Act's annexes.
How does the EU AI Act compare to the US NIST AI RMF?
The EU AI Act is a binding, cross-sector regulation with risk-tiered legal obligations. The NIST AI Risk Management Framework is a voluntary framework widely used in the US, often alongside sector-specific and state-level rules. Organisations operating in both markets typically align internal governance — often through ISO/IEC 42001 — to satisfy both consistently.
Can ISO/IEC 42001, ISO/IEC 27001 and ISO 9001 run through one certification body?
Yes. Where management systems share the common High-Level Structure used across modern ISO standards, audits can be coordinated and, where appropriate, combined into integrated audit cycles with one certification body.
Does ISO/IEC 42001 cover generative AI systems specifically?
ISO/IEC 42001 applies to AI management systems generally and isn't limited to a specific AI technique. It governs the structure around any AI system an organisation develops, deploys or uses — including generative AI — rather than prescribing technique-specific technical controls.
Do AI governance obligations apply if we use third-party AI tools rather than building our own?
The EU AI Act's obligations fall on providers and deployers differently, and deployer obligations may still apply even when the underlying AI model was sourced from a third party. Where an organisation deploys a high-risk AI tool, its own governance obligations under the Act and supporting standards may apply regardless of who built the model.
Can multi-jurisdictional AI governance be managed through one certification programme?
For many organisations, yes. While the EU AI Act, the US NIST AI RMF, and emerging frameworks in China, Japan, South Korea and Brazil differ in legal structure, they share common governance principles — transparency, accountability, risk management, human oversight. ISO/IEC 42001 is increasingly used as a common operational baseline referenced across these frameworks, with regional specifics addressed within the governance system rather than through separate certifications.