ISO/IEC 42001

Gamut supports work towards an ISO/IEC 42001 AI management system, with implementation guidance aligned to the standard’s clause headings and control themes.

Does not replace the standard

Gamut provides implementation guidance aligned to clause headings and control themes. It does not reproduce ISO standard text and does not replace a licensed copy of the standard or a certification audit. Work from a licensed copy of ISO/IEC 42001 and engage an accredited certification body for certification.

What ISO/IEC 42001 is

ISO/IEC 42001 is the management-system standard for artificial intelligence, the AI equivalent of management-system standards in other domains. It frames AI governance as a managed system with policy, objectives, controls and continual improvement, rather than a one-off exercise. That framing maps directly onto Gamut’s governance lifecycle, which is itself built around continual improvement.

The eight sections

Gamut organises ISO/IEC 42001 work into eight sections, following the standard’s structure: the management-system clauses 4 to 10, plus the Annex A controls.

Section	Clause	Themes covered
Context of the organisation	Clause 4	Understanding the organisation, interested parties and the scope of the AI management system.
Leadership	Clause 5	Leadership and commitment, AI policy, roles and responsibilities.
Planning	Clause 6	AI risk assessment and treatment, AI system impact assessment, objectives.
Support	Clause 7	Resources, competence, awareness, communication and documented information.
Operations	Clause 8	Operational planning and control, risk assessment and treatment in operation.
Performance evaluation	Clause 9	Monitoring, measurement, internal audit and management review.
Improvement	Clause 10	Nonconformity, corrective action and continual improvement.
Annex A controls	Annex A	The reference set of AI-specific controls (23 control themes).

Gamut carries detailed clause-level mappings (33 mapped clauses) so that assessment work and evidence attach to the right part of the standard.

How Gamut helps

• Clause-aligned assessment, organised around clauses 4 to 10 and Annex A.
• Evidence management, the evidence and findings model a management system needs to demonstrate operation.
• Continual improvement, the Improve stage, tracking remediation and change over time.
• Management review, reporting outputs that support clause 9 review.

Crosswalk

ISO/IEC 42001 work shares evidence with GTSAF (every GTSAF control carries ISO/IEC 42001 clause anchors), NIST AI RMF and the EU AI Act. Impact assessment under clause 6 aligns with ISO/IEC 42005. See the GTSAF crosswalk table.

Next

• ISO/IEC 42005, AI impact assessment guidance.
• Reporting & exports, outputs for management review.