The AI standards landscape spans ISO/IEC 42001 (AI management systems), ISO/IEC 23894 (AI risk management), IEEE 7000 series (ethical design), and CEN-CENELEC harmonised standards that provide a presumption of conformity with EU AI Act requirements.
AI Standards Landscape: ISO, IEEE, and CEN-CENELEC Standards for AI
Why AI Standards Matter for Compliance
AI standards translate high-level regulatory requirements into implementable technical and organisational specifications. Under the EU AI Act, harmonised European standards (hENs) published in the Official Journal of the EU will provide a presumption of conformity with the corresponding legal requirements. The European Commission has issued a standardisation request to CEN-CENELEC (M/593) to develop these harmonised standards, making the standards landscape directly relevant to compliance planning.
Key AI Standards Overview
| Standard | Scope | Status | EU AI Act Relevance |
|---|---|---|---|
| ISO/IEC 42001:2023 | AI management system (AIMS) | Published | Supports Articles 9, 17 (quality management, risk management) |
| ISO/IEC 23894:2023 | AI risk management guidance | Published | Supports Article 9 (risk management system) |
| ISO/IEC 42005 | AI system impact assessment | Under development | Supports Article 9 and fundamental rights impact assessment (Article 27) |
| ISO/IEC 25059:2023 | AI system quality model | Published | Supports Article 15 (accuracy, robustness) |
| ISO/IEC 24028:2020 | AI trustworthiness overview | Published | General framework for trustworthy AI |
| ISO/IEC 24029-1:2021 | AI robustness assessment (neural networks) | Published | Supports Article 15 (robustness) |
| IEEE 7000-2021 | Ethical concerns in system design | Published | Supports responsible AI governance |
| IEEE 7001-2021 | Transparency of autonomous systems | Published | Supports Article 13 (transparency) |
ISO/IEC 42001: The AI Management System Standard
ISO/IEC 42001:2023 specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system (AIMS) within organisations. Structured around the Plan-Do-Check-Act cycle common to ISO management system standards (27001, 9001), it provides a systematic framework for AI governance that covers risk assessment, controls selection, competence requirements, documentation, performance evaluation, and continual improvement.
For EU AI Act compliance, ISO/IEC 42001 is particularly relevant to Article 17 (quality management system) and Article 9 (risk management system). Organisations that implement an AIMS based on 42001 establish many of the governance structures the AI Act requires, though the standard alone does not guarantee compliance with all specific EU AI Act obligations.
CEN-CENELEC Harmonised Standards
CEN-CENELEC Joint Technical Committee 21 (JTC 21) on Artificial Intelligence is developing harmonised European standards under mandate M/593. These standards will cover risk management, data governance, transparency, human oversight, accuracy, robustness, and cybersecurity, corresponding to the Chapter III requirements for high-risk AI systems.
Once published in the Official Journal, compliance with harmonised standards provides a presumption of conformity under Article 40. This does not make the standards mandatory, but non-conforming organisations must demonstrate compliance through alternative means, which is typically more burdensome and uncertain.
Key work items include prEN standards for risk management methodology (mapped to Article 9), data quality requirements (mapped to Article 10), transparency and explainability (mapped to Article 13), and human oversight implementation (mapped to Article 14).
NIST AI RMF and ISO Alignment
The NIST AI Risk Management Framework (AI RMF 1.0) provides four core functions: Govern, Map, Measure, and Manage. While not an EU standard, the NIST framework is widely adopted globally and aligns conceptually with ISO/IEC 23894. Organisations operating in both US and EU markets can map NIST AI RMF functions to ISO/IEC 42001 clauses and EU AI Act articles to build a unified compliance framework.
Implementation Strategy
- Adopt ISO/IEC 42001 as the organisational backbone for AI governance
- Use ISO/IEC 23894 to structure AI risk management processes aligned with Article 9
- Monitor CEN-CENELEC JTC 21 work programme for draft harmonised standards and participate in public consultations
- Map existing ISO 27001 and ISO 9001 controls to AI-specific requirements to avoid duplication
- Consider IEEE 7000 for value-based design processes where AI systems affect fundamental rights
Standards Selection Guidance
Organisations should select standards based on their role in the AI value chain. Providers of high-risk AI systems should prioritise ISO/IEC 42001 and forthcoming CEN-CENELEC harmonised standards. Deployers benefit from ISO/IEC 42001 for organisational governance and ISO/IEC 23894 for risk assessment. Research organisations and open-source contributors should monitor standards development to understand requirements that will apply to downstream users of their work.
Certification against ISO/IEC 42001 by an accredited body provides external assurance of AI governance maturity, though it does not constitute conformity assessment under the EU AI Act. Separate conformity assessment procedures under Articles 43 and 44 apply for high-risk systems.
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources.
Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.