
ISO/IEC 42001: The Global Standard for AI Management Systems (AIMS)

KPMG · 2025-05-01 · 19 pages


ISO/IEC 42001 Certification: The Global Standard for AI Management Systems (AIMS)

How to establish trust, transparency and control in artificial intelligence governance

May 2025. KPMG. Make the Difference.

Document Classification: KPMG Public

© 2025 KPMG AG, a Swiss corporation, is a group company of KPMG Holding LLP, which is a member of the KPMG global organization of independent firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

This paper provides a structured overview of the standard:

Its core components.

Benefits.

Associated regulatory framework.

Guidance on implementation and certification.

In response to growing concerns about ethics, bias, privacy, and transparency, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have introduced ISO/IEC 42001, the first international standard for Artificial Intelligence Management Systems (AIMS). It serves as a practical resource for quality management professionals and organizations seeking to integrate and manage AI responsibly. The KPMG Switzerland certification body is one of the world’s leading Conformity Assessment Bodies (CABs) providing certifications for AI management systems (AIMS) based on ISO/IEC 42001.

Executive Summary

Artificial intelligence (AI) continues to transform companies, politics and societies around the world, including Switzerland.

governance frameworks. By incorporating proven information security principles, organizations can reduce vulnerabilities and maintain operational resilience.

ISO/IEC 27001: Establishes a best-practice framework for Information Security Management Systems (ISMS), which can be integrated with AIMS to strengthen security controls.

ISO/IEC 42001: The security-related control objectives in ISO/IEC 42001 are designed to work in harmony with existing ISMS programs, especially in high-risk or regulated industries.

ISO/IEC 5259-1: Defines methods for assessing and maintaining data quality in machine learning environments.

ISO/IEC 19944-1: Provides guidance on categorizing and managing shared data, particularly in cloud and cross-border contexts.

ISO/IEC 22989: Supports the development of an adapted AI system lifecycle model, complete with control objectives for each phase.

ISO/IEC TR 24368: Addresses ethical and societal considerations, including human impact, inclusion and fairness.

ISO/IEC 23053: Provides guidance on tools and workflows in machine learning development, helping operational teams structure their AI processes.

Clear data definitions and transparent categorization are essential not only for system performance but also for meeting accountability and auditability requirements under ISO/IEC 42001. These standards allow organizations to implement AIMS in a way that is technically rigorous and socially aligned, building trust among stakeholders and end-users alike. Together, these supporting standards provide the practical backbone for translating ISO/IEC 42001 into an effective, certifiable and future-ready AI governance system.
International risk management frameworks for AI (OECD & NIST)

While ISO/IEC 42001 provides the foundation for AI governance within organizations, a broader perspective is necessary to fully address the ethical, societal and operational risks of AI. Two influential frameworks – from the Organization for Economic Co-operation and Development (OECD) and the U.S. National Institute of Standards and Technology (NIST) – complement ISO standards by providing internationally recognized principles and risk management models.

OECD Framework – Socio-technical dimensions of AI risk

The OECD developed a conceptual framework for managing the risks and impacts of AI through a multi-stakeholder, lifecycle-oriented lens. These stakeholders include not only developers and deployers of AI systems, but also policymakers, end-users and society at large. This framework is intended for use by all AI actors, defined as “those who play an active role in the life cycle of AI systems, including organizations and individuals that deploy or operate AI”. The OECD classifies AI activities into five socio-technical dimensions that affect governance and policy development [OECD (2022), OECD Framework for the Classification of AI Systems, OECD Digital Economy Papers]:

1. Human and institutional involvement.

2. Data and input characteristics.

3. AI model design and functionality.

4. Deployment context.

5. Expected impacts on society and the environment.

Each dimension supports a holistic approach to understanding where and how AI risk arises – from privacy and bias, to transparency, accountability, and unintended societal consequences.

NIST AI Risk Management Framework (RMF)

The NIST AI RMF, developed by the U.S. National Institute of Standards and Technology, provides a structured and technical model for building trustworthy and secure AI systems. It emphasizes that managing AI risk is a shared responsibility across the AI lifecycle and aligns well with ISO/IEC 42001 and other governance standards. A central feature of the NIST framework is TEVV – Test, Evaluation, Verification, and Validation – which helps organizations ensure that AI systems behave as expected, safely and reliably. Key lifecycle stages emphasized by NIST include:

Collect & process data: Collect and prepare data for training, ensuring accuracy, representativeness and regulatory compliance.

Build & use model: Develop the AI model, train it on data sets and deploy it in real-world environments.

Verify & validate: Test and evaluate the model to ensure it performs as intended and does not exhibit bias, security vulnerabilities or unpredictable behavior.

Both the OECD and NIST frameworks promote a multidimensional, risk-aware approach to AI governance. They are particularly valuable for:

Identifying risks early in the AI lifecycle.

Engaging diverse stakeholders in AI design and deployment decisions.

Supporting alignment with legal, ethical and organizational values.

Enhancing transparency and enabling better auditability of AI systems.

These international perspectives provide essential context for organizations seeking to implement ISO/IEC 42001 and demonstrate a commitment to global best practices in responsible AI.

Why these frameworks matter

Together with ISO/IEC standards, these frameworks help bridge the gap between technical performance and ethical responsibility – a key factor in building trust in AI.

[Figure: Lifecycle and key dimensions of an AI system, based on the OECD framework. Lifecycle stages and actors: Plan & design; Collect & process data (Data & Input; actors include data collectors and processors; TEVV includes internal and external validation); Build & use model (AI Model; actors include developers and modelers; TEVV includes model tuning and testing); Verify & validate (Task & Output; actors include system integrators; TEVV includes integration, compliance testing and validation); Deploy (application context); Operate & monitor (actors include system operators; TEVV includes audit and impact assessment); People & Planet (used by or impacting end-users and stakeholders). Key dimensions: Security & Robustness, Performance & Functionality, Bias, Explainability, Data Management, Reliability, Data Quality.]

Model validation and Trusted AI

As AI models become more complex and dynamic, understanding how they behave – and whether they can be trusted – becomes increasingly difficult. Organizations face the challenge of not only evaluating performance, but also ensuring that models operate in ways that are reliable, explainable, secure and fair. This is where model validation comes in. It is the process of confirming that AI systems work as intended, meeting both technical requirements and ethical expectations. Robust model validation is essential for ensuring responsible AI.

Key model validation objectives

It assesses whether models are:

Robust to adversarial conditions.

Predictable in performance under varying operational environments.

Fair across demographic or contextual variations.

Free from bias, or capable of mitigating unintentional discrimination.

Transparent, with results that can be interpreted and explained.

Safe and secure, especially in high-risk or regulated settings.

Model validation also ensures compliance with both regulatory obligations and internal risk tolerances – particularly in light of evolving regulatory landscapes such as the EU AI Act and ISO/IEC 42001 requirements.

KPMG’s approach to model validation

KPMG takes a systematic approach to model validation, combining in-house expertise with the support of trusted external partners, such as LatticeFlow. This partnership brings in-depth technical expertise and leverages industry-leading validation methodologies, including:

White-box testing: Examining model internals to understand logic and detect bias or blind spots.

Grey-box testing: Combining partial model knowledge with scenario-based validation.

Black-box testing: Testing outputs based on inputs, without access to the model’s inner workings.

These methods are tailored to evaluate critical model properties and behaviors across a variety of contexts and use cases.

KPMG’s Trusted AI Framework

Test results and model findings are not evaluated in isolation. At KPMG, they are interpreted in the broader context of the Trusted AI Framework – a proprietary, multi-dimensional governance model developed through global experience and applied in numerous client engagements.

Ethical alignment.

Technical robustness.

Privacy and data protection.

Human oversight.

Transparency.

Accountability.

Inclusiveness.

Sustainability.

Security.

Explainability.

By applying this holistic lens, organizations can build AI systems that not only perform well but also align with their core values and stakeholder expectations.

Tailored service approach

Like other ISO management system standards (e.g. ISO 9001, ISO/IEC 27001), ISO/IEC 42001 is designed to help organizations establish, implement, maintain, and continually improve their internal AI governance systems. An AIMS is defined as a set of interrelated, interacting elements that define:

AI-specific policies and objectives.

Risk and impact assessment processes.

Governance, monitoring, and continuous improvement mechanisms.

Alignment with legal, ethical, and business requirements.

KPMG supports clients throughout this lifecycle – whether the goal is certification, compliance with emerging regulations (such as the EU AI Act), or building stakeholder trust.

ISO/IEC 42001: A Management System (MS) standard

ISO/IEC 42001 was intentionally written as a standard for management systems (MS), intended for organizations wishing to implement an MS and pursue accredited certification for it. Accredited certification to ISO/IEC 42001 means an independent third-party MS certification body has verified that a company’s internal MS meets internationally recognized standards (e.g., ISO/IEC 42001). The leading AI standard, ISO/IEC 42001, provides the framework and requirements for organizations to build a responsible, ethical and trustworthy management system, and when coupled with accredited certification, the organization should be able to assure its customers of consistency and effectiveness.

While ISO/IEC 42001 provides a clear path to certification, many organizations are at different stages of their AI maturity journey. KPMG offers tailored services to help organizations assess their readiness, close gaps and build a certifiable AI Management System (AIMS) – whether or not full certification is the immediate goal. These services range from strategic assessments to technical validations and are aligned with both the requirements of ISO/IEC 42001 and broader industry best practices.

KPMG’s AIMS services

KPMG offers a comprehensive portfolio of services that support organizations in managing and governing their AI systems effectively. These services encompass various stages of AI management, including pre-audits, full audits, single assessments, and technical model validation. Each service is carefully tailored to meet the specific needs of the organization.

[Figure: KPMG’s AIMS service portfolio around ISO/IEC 42001 Certification: Pre-Audit on AI Management System, Certification on AI Management System, and the assessment services listed below, with references to ISO/IEC TR 24029-1, ISO/IEC TR 24028 and ISO/IEC TR 24027.]

Pre-Audit on AI Management System: A preliminary review to assess the organization's AI management processes, identify gaps, and ensure alignment with certification standards prior to the formal audit.

AI Risk Assessment (strategic and operational): The process of identifying, assessing, and mitigating risks associated with AI systems, such as bias, security vulnerabilities, or unintended outcomes, to ensure safe and reliable operations.

AI Impact Assessment: Evaluating the potential societal, environmental, and organizational impacts of AI systems to ensure they are aligned with ethical, safety and business objectives.

Data Governance, Management and protection: Implementing policies and processes to ensure data integrity, quality, privacy, and security throughout the AI lifecycle.

AI Regulation compliance and local and global requirements: Ensuring the AI systems adhere to applicable laws, regulations, and standards at both local and international levels to avoid legal risks.

Ethical Oversight and Guidance to Promote Transparency: Establishing ethical frameworks to guide AI development, ensuring fairness, accountability, and transparency while promoting trust in AI systems.

Performance and Monitoring, continuously evaluating AI systems: Continuously evaluating AI systems to ensure they meet performance goals, detect issues and maintain optimal functionality over time.

AI Security on ICT core systems and platforms: Protecting the underlying ICT infrastructure and platforms against cyber threats to ensure the secure operation of AI systems.

Control objective and control goals: Defining clear objectives and measurable targets for AI system governance to ensure compliance, performance, and accountability.

Strategic & operational focus areas

KPMG’s services also cover deeper, organization-wide areas of AI governance, including:

Strategic risk management: Identifying and mitigating high-level risks associated with AI, such as data breaches, algorithmic bias, and unethical use. This includes proactive planning to protect sensitive information, ensure fairness in AI decision-making and maintain ethical use of AI.

Regulatory compliance: Ensuring that AI systems comply with industry-specific regulations and global standards. This includes staying abreast of evolving legal requirements, implementing compliance frameworks and conducting regular audits to avoid legal and reputational risks.

Operational risk management: Addressing day-to-day risks in AI implementation to maintain system integrity, reliability, and security. This includes streamlining operational processes, identifying vulnerabilities, and reducing potential disruptions.

Ethical Oversight: Establishing robust guidelines to ensure AI systems operate with transparency, fairness and accountability. This includes defining ethical principles, conducting bias audits and promoting responsible AI governance.

Performance monitoring: Continuously assessing AI models to ensure they remain accurate, efficient and aligned with business objectives. This involves regular evaluations, model retraining and performance benchmarks to enhance AI reliability.

Addressing algorithmic bias: Implementing strategies to detect, prevent and correct biases in AI models. This includes using diverse datasets, fairness-aware algorithms and bias-mitigation techniques to promote equitable outcomes.

Whether your organization is preparing for certification, complying with the EU AI Act or building an internal AI governance model, KPMG’s tailored approach provides practical, scalable support at every step of your AI journey.

ISO/IEC 42001:2023 certification in Europe and Switzerland

ISO/IEC 42001 provides a management system framework for the governance, deployment and oversight of AI systems. Certification demonstrates that an organization has implemented formalized processes to:

Identify and mitigate AI-related risks.

Ensure transparency, security and ethical accountability.

Comply with legal and regulatory standards, including the upcoming EU AI Act.

Build stakeholder and customer trust.

Foster innovation in a controlled and auditable environment.

For organizations operating in or trading with the EU, ISO/IEC 42001 certification can also serve as a practical basis for demonstrating compliance with the EU AI Act, which enters into force in February 2025.

Strategic value of certification

With the increasing integration of AI across industries, organizations in Europe and Switzerland are under growing pressure to ensure that their AI systems are ethical, trustworthy and compliant. The ISO/IEC 42001 certification serves as a credible, globally recognized benchmark for achieving these goals. It not only signals an organization’s commitment to responsible AI but also strengthens operational resilience, stakeholder confidence and regulatory alignment.

Certification landscape in Europe and Switzerland

Interest in ISO/IEC 42001 is growing rapidly across Europe and Switzerland, especially in sectors where AI impacts critical infrastructure, financial systems, health, public administration or consumer safety. Key drivers in the region include:

Anticipation of strict regulatory enforcement under the EU AI Act.

Increasing focus on digital trust and AI ethics by both public institutions and private stakeholders.

The need for standardized internal controls to manage the AI lifecycle effectively.

Pressure to demonstrate compliance across multiple jurisdictions using a unified framework.

With an ISO/IEC 42001 certification, Swiss and European organizations gain a competitive edge, signaling operational maturity and regulatory readiness in an evolving AI ecosystem.

Cost and Scope Considerations

The cost of ISO/IEC 42001 certification depends on several factors:

Organization size and complexity.

Number of sites and AI use cases.

Maturity of existing governance systems.

Integration with other ISO management systems (e.g. ISO/IEC 27001, ISO 9001). Costs may include:

Initial gap assessments and pre-audits.

Technical consulting/coaching to build or adjust the AIMS framework.

Fees for external auditors and certification bodies.

Potential IT upgrades, especially around data governance, risk management, and monitoring systems.

While large organizations with multiple AI applications and platforms may incur higher costs, small and mid-sized enterprises can implement a scalable version of the AIMS, focusing on high-risk areas and expanding over time. Certification is not only about compliance – it's about building AI governance as a strategic capability. In Europe and Switzerland, this is becoming a critical differentiator in both public trust and market leadership.

Certification Audit approach to attain the ISO/IEC 42001:2023 certification

Achieving certification to ISO/IEC 42001 requires organizations to undergo a structured, multi-phase audit process, designed to assess the design, implementation, and continuous improvement of the AI Management System (AIMS). This process ensures that all AI governance elements meet the standard’s requirements and are applied effectively in practice. KPMG, as an accredited certification body, follows a clearly defined methodology in line with international auditing practices and ISO certification principles.

[Figure: Three-year certification cycle for an AI platform and applications within the data centre. Beginning of 1st year: Pre-Audit on AI Management Systems (AIMS), with report. 1st year: Initial Certification Audit ISO/IEC 42001 – Stage I: Documentation Audit and Stage II: Implementation Audit – followed by corrective actions, 1st Post-Audit and certification, with reports. 2nd year: 1st Surveillance Audit AIMS ISO/IEC 42001, with report. 3rd year: 2nd Surveillance Audit AIMS ISO/IEC 42001, with report. References: ISO/IEC TR 24027, ISO/IEC TR 24028, ISO/IEC TR 24029-1, Trusted AI.]

Audit phase 1: Scope definition

The first step is to define the scope of the AIMS, including:

AI systems, services and processes covered

Geographic locations or organizational units involved

Relevant legal and regulatory contexts (e.g. EU AI Act).

This scope provides the basis for audit planning and ensures alignment with organizational objectives. Senior management responsibility is critical at this stage to ensure strategic alignment and cross-functional coordination.

Audit phase 2: Risk assessment

A comprehensive AI risk assessment helps to:

Identify potential risks to individuals, society and the organization

Evaluate the ethical, legal, operational and technical implications

Define mitigation measures and controls aligned with ISO/IEC 42001.

This includes an AI impact assessment that evaluates broader implications such as fairness, transparency and unintended consequences.

Audit phase 3: Proper documentation

During the Audit Stage I, the KPMG certification body will assess the organization’s documentation and internal controls to ensure:

Availability and suitability of information

The AIMS aligns with ISO/IEC 42001 requirements

Regulatory and legal compliance measures are appropriately addressed

Confidentiality, integrity, and accountability controls are defined.

This stage identifies any gaps or weaknesses that must be addressed prior to full certification.

Audit phase 4: Implementation and operational audit

The Audit Stage II focuses on evaluating the practical implementation of the AIMS, including:

Interviews with stakeholders and system owners.

Validation of AI control execution and implementation through technical environments.

Verification of performance monitoring, data governance and ethical oversight.

Internal audit results and management review processes.

Auditors assess whether the organization not only has the right processes in place but is also actively operating and improving them.

Audit phase 5: Post-Audit for the countermeasures and improvements

Following the Post-Audit on Stage II, any non-conformities or improvement areas are documented. The organization is required to:

Implement corrective actions within a defined timeframe.

Re-validate the corrective measures and ensure correct implementation.

Provide evidence of remediation.

Engage in follow-up validation, if needed.

Once all requirements are met, KPMG finalizes the certification decision.

Audit phase 6: Notification of the decision and certification

Upon successful completion of all audit phases, KPMG issues the globally recognized ISO/IEC 42001 certificate. The certification is valid for three years, with annual surveillance audits to verify ongoing compliance, followed by a recertification audit in the third year. Surveillance audits ensure that:

Continuous improvement is being applied.

Pre-selected control objectives on mission-critical processes and core applications are implemented securely and effectively.

AI risks are being reassessed and controlled.

The AIMS remains effective, relevant, and aligned with evolving expectations.

ISO/IEC 42001 certification is not a one-time event – it’s an ongoing commitment to responsible, trustworthy AI governance.

kpmg.ch/certification

Some or all of the services described herein may not be permissible for KPMG audited entities and their affiliates or related entities. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. The scope of any potential collaboration with audit clients is defined by regulatory requirements governing auditor independence. If you would like to know more about how KPMG AG processes personal data, please read our Privacy Notice, which you can find on our homepage at www.kpmg.ch.

The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organization.

Document Classification: KPMG Confidential

CREATE: CRT161287A | May 2025

Contact at KPMG

Reto P. Grubenmann
Director, Head of Certification Bodies
KPMG AG
E: retogrubenmann@kpmg.com
T: +41 58 249 42 46
Badenerstrasse 172, PO Box, CH-8036 Zurich, Switzerland