What is the ISO/IEC AI standards family?

AI regulation: concepts, institutions and standards

The ISO/IEC AI standards family is a growing set of voluntary international standards, developed mainly through ISO/IEC JTC 1/SC 42, that gives organisations a common architecture for governing AI. At its core, ISO/IEC 22989 provides shared terminology, ISO/IEC 42001 sets management system requirements, ISO/IEC 23894 guides AI specific risk work, ISO/IEC 42005 guides AI system impact assessment, and ISO/IEC 42006 underpins third party audit and certification of AI management systems.

What this means

This family is best understood as a stack, not a single rulebook. One layer defines the language of AI. Another sets organisational requirements for managing AI. Others guide risk analysis, impact assessment and external assurance. Around that core are further supporting standards on governance, trustworthiness and related topics.

That is why the family is useful in regulation and governance even though it is not law. It gives organisations a stable way to describe systems, assign responsibility, document decisions, run checks and show buyers or supervisors that AI is being managed through a repeatable process rather than ad hoc judgement.

Why it matters

For most organisations, AI governance fails first at the joins: legal and product teams use different language, risk teams cannot compare systems consistently, procurement asks suppliers for vague assurances, and boards get high level promises without much traceable evidence. The ISO/IEC AI standards family helps fix those joins by giving a common vocabulary, a management structure, a risk method, an impact assessment method and an assurance pathway.

That matters in practice because AI is rarely governed by one rule alone. Organisations usually need to satisfy combinations of contract terms, procurement demands, internal audit, sector supervision, privacy duties, product safety expectations and public trust. The ISO/IEC family does not replace those duties, but it helps turn them into documented governance work that can be reviewed, challenged and improved.

How it works

It is a standards architecture, not a single code

The phrase "ISO/IEC AI standards family" is shorthand for a connected set of international standards rather than one closed instrument. The work sits mainly in ISO/IEC JTC 1/SC 42, the AI subcommittee of the joint ISO and IEC technical committee for information technology (JTC 1). That matters because these documents are standards body instruments, not legislation, not a treaty and not a vendor method.

In other words, the family offers a governance architecture. Organisations can use it directly, buyers can build it into supplier assurance, and regulators can point to parts of it in guidance or technical frameworks. But the standards themselves are still voluntary unless another instrument, such as a contract, procurement rule or regulation, makes their use obligatory in a specific context.

The terminology layer sets the shared language

The family starts with common concepts and terminology. ISO/IEC 22989 exists to establish the vocabulary of AI and describe the field's core concepts. That sounds basic, but it is one of the most important layers in practice. Governance work gets messy when "AI system", "model", "autonomy", "bias", "risk" or "use" mean different things to engineering, compliance, procurement and audit.

A related support document, ISO/IEC 23053, gives a generic framework for describing AI systems that use machine learning. Together, these documents help teams describe what is actually being governed. They give later standards a common base and reduce confusion in policies, due diligence questionnaires, audit criteria and internal reporting.

The management system layer is the organisational anchor

ISO/IEC 42001 is the family member that anchors the organisation's overall AI governance. It is a requirements standard for an artificial intelligence management system, or AIMS. That means it tells an organisation to establish the policies, objectives, roles, processes and review mechanisms needed to manage AI responsibly across the business.

This is a crucial distinction from a model benchmark or a technical test. ISO/IEC 42001 works at organisation level. It is about leadership, accountability, risk management, data governance, transparency information, monitoring and continual improvement. It is the document most likely to become the backbone of board reporting, internal assurance and supplier governance because it asks whether the organisation has a reliable management structure for AI, not just whether one model performed well in a lab.

The risk and impact layer adds operational depth

ISO/IEC 23894 provides guidance on AI related risk management and is built on the general risk management principles and process of ISO 31000. Its role is to help organisations that develop, produce, deploy or use AI integrate AI specific risk work into their existing governance and operational processes. It is not trying to replace enterprise risk management. It adds AI specific thinking to it.

ISO/IEC 42005 provides guidance for AI system impact assessment. Its focus is different. It asks organisations to examine how an AI system, and its foreseeable applications, may affect individuals, groups or society. In practice, that means impact assessment is the family member most clearly aimed at documenting human, social and broader societal effects of a particular system over time.

These two standards are complementary, not interchangeable. Risk management asks what hazards, failures, uncertainties or control weaknesses must be managed. Impact assessment asks who may be affected, in what ways, under what conditions, and what governance follow up is needed. Good AI governance usually needs both lenses.

The conformity layer turns governance into assurance

ISO's own drafting rules matter here. Documents that contain requirements can be used for conformity assessment. Documents that are guidance only are not intended to be used that way. That is why ISO/IEC 42001 occupies a different position from ISO/IEC 23894 and ISO/IEC 42005. The latter two are important support standards, but they are not the main badge an organisation seeks to certify against.

ISO/IEC 42006 sits on top of ISO/IEC 42001 and provides the additional requirements for bodies that audit and certify AI management systems. It builds on ISO/IEC 17021-1 and is also relevant to accreditation bodies assessing those certifiers. This is the start of a recognisable conformity infrastructure for AI management systems: an organisation implements an AIMS, an external certification body audits it, and an accreditation body may assess whether that certifier is competent to do so.

That still does not create a universal public approval mark for every AI product. It creates a structured way to assess an organisation's management system for AI. ISO/IEC 42006 also signals a wider direction of travel because it can be integrated into broader conformity assessment schemes for AI products, processes or services, but the family's published assurance architecture is strongest at the management system level.

The family supports regulation without replacing law

The legal status is straightforward. ISO states that its international standards are voluntary and do not displace national law. National law takes precedence. So the ISO/IEC AI standards family does not create statutory duties by itself, and there is no single global enforcement authority for it.

Its regulatory value is different. The family gives organisations a disciplined way to create evidence: defined terms, governance policies, role assignments, risk records, impact assessment records, internal audits, management reviews and, if chosen, third party certificates. That evidence can support procurement, supplier reviews, supervisory discussions and internal accountability. But none of it should be confused with automatic legal compliance. Domestic AI, privacy, sector and consumer rules still have to be mapped and met on their own terms.

Examples

Example 1: Supplier assurance for a higher risk use case. A buyer procuring an AI recruitment or screening system might ask the supplier to show that it operates an AI management system under ISO/IEC 42001, uses a structured AI risk method consistent with ISO/IEC 23894, and can provide a system impact assessment record consistent with ISO/IEC 42005. That does not settle the buyer's legal duties, but it gives the buyer a much stronger evidence base than a generic "responsible AI" statement.

Example 2: Internal governance for an in house AI deployment. A public body or regulated firm introducing an internal decision support tool might begin with ISO/IEC 22989 to standardise terminology across legal, technical and procurement teams, run the organisational controls through ISO/IEC 42001, and then use ISO/IEC 42005 to document effects on people and society from design through deployment and later review. This creates a traceable record for internal audit and senior oversight.

Example 3: External certification of an AI management system. An organisation that wants independent assurance of its AI governance may seek certification of its AIMS against ISO/IEC 42001. The certifier is not supposed to invent its own AI audit rules from scratch. ISO/IEC 42006 sets additional requirements for those certification bodies, and accreditation bodies can use it when assessing whether the certifier is competent to perform that work.

Common misunderstandings

Misunderstanding: The ISO/IEC AI standards family is a global AI law. Correction: It is a voluntary standards architecture. Law comes from legislation, regulation, case law, contracts and supervisory powers.

Misunderstanding: ISO/IEC 42001 is a stamp of approval for every AI model an organisation uses. Correction: ISO/IEC 42001 is about the organisation's management system for AI. It is not a blanket technical approval of each model or product.

Misunderstanding: ISO/IEC 23894 and ISO/IEC 42005 do the same job. Correction: ISO/IEC 23894 is AI risk management guidance. ISO/IEC 42005 is AI system impact assessment guidance. They work together but answer different questions.

Misunderstanding: If a company is not certified, the family is irrelevant. Correction: Certification is only one use. Many organisations will use these standards for internal governance, customer assurance, procurement and audit readiness without seeking a certificate.

Misunderstanding: This family is only for AI developers. Correction: The published scopes and summaries cover organisations that develop, provide, deploy or use AI. Buyers and operators are part of the picture too.

Risks and boundaries

The biggest boundary is legal. Implementing these standards, or even holding certification, does not by itself prove compliance with data protection law, product safety rules, equality duties, sector regulation, procurement law or consumer law. It can help organise evidence and strengthen governance, but the legal test still comes from the applicable jurisdiction and sector.

The second boundary is scope. ISO/IEC 42001 is the organisation level management standard. ISO/IEC 23894 and ISO/IEC 42005 are guidance standards that support that management work. They should not be treated as stand alone certification badges. Nor should an ISO/IEC 42005 impact assessment be mistaken for every other assessment an organisation may need, such as a data protection impact assessment, a safety case or a sector specific review.

The third boundary is practical overclaiming. Organisations sometimes treat standards language as marketing copy and skip the hard governance work underneath. The family only creates value when its methods are tied to system inventories, named owners, documented controls, review cycles and evidence that people actually use. It is also a living area of standardisation, so version control matters. Organisations should be clear about which published editions they rely on and when they last reviewed their mapping.

What to do next

Start by deciding whether you need a map of the family or an implementation plan. If your organisation is early in AI governance, first map the published standards by role: terminology, management system, risk, impact assessment and assurance.

Create a single inventory of AI systems, use cases, owners, suppliers and affected business processes. Without that, no standard will help much.

Adopt a shared vocabulary based on ISO/IEC 22989 in policies, contracts and internal reporting. This removes a lot of avoidable ambiguity.

Use ISO/IEC 42001 as the organisational backbone if you need a structured AI governance system. Then use ISO/IEC 23894 and ISO/IEC 42005 where they add depth: risk work for AI activities and impact assessment for specific systems with material effects on people or society.

Decide what level of assurance you actually need. Some organisations only need internal audit and buyer ready evidence. Others may want independent certification of their AIMS. If external certification is in scope, ask early how the certifier applies ISO/IEC 42006 and whether accreditation is available.

Finally, map the standards to your actual legal duties. Standards can organise the governance work, but they do not replace the law that governs your sector, market and use case.

FAQs

Is ISO/IEC 42001 the whole family?

No. It is the management system core, but the family also includes standards for terminology, AI specific risk guidance, impact assessment and audit and certification infrastructure, plus other supporting documents on governance and trustworthiness.

Are the ISO/IEC AI standards legally binding?

Not by themselves. ISO states that its international standards are voluntary and that national law takes precedence. They become practically binding only where contracts, procurement rules, regulation or customer requirements make them so.

Which standard should most organisations start with?

If the question is "How do we govern AI across the organisation?", start with ISO/IEC 42001. If the immediate problem is inconsistent language, begin with ISO/IEC 22989. If you already have governance in place and need a better method for system level effects, add ISO/IEC 42005.

Can you certify against ISO/IEC 23894 or ISO/IEC 42005?

They are guidance standards, so they are better used as supporting methods than as the main object of certification. The main certifiable organisational standard in this part of the family is ISO/IEC 42001.

What does ISO/IEC 42006 add beyond ISO/IEC 42001?

ISO/IEC 42001 tells organisations what an AI management system must contain. ISO/IEC 42006 tells certification bodies how they must audit and certify that management system with AI specific competence and rigour.

Does the family apply only to AI developers?

No. The published scopes and summaries cover organisations that develop, provide, deploy or use AI. That includes operators, buyers, public bodies and firms relying on third party systems.

How does this compare with a framework such as the NIST AI RMF?

They are complementary. A simple way to think about the difference is that the NIST AI RMF is a voluntary risk and governance framework with no certification scheme of its own, while the ISO/IEC family adds a formal terminology layer, a management system standard that can be certified, and supporting standards for impact assessment and conformity infrastructure. Many organisations map the two against each other rather than choosing one.