ISO 42001 Readiness Across Industries: 2026 Assessment

Abstract

This readiness assessment examines ISO 42001 preparedness across 280 organizations in 6 industries. Clause 6 (Planning) is the strongest area at 3.1/5 readiness, driven by growing AI risk assessment maturity. Clause 9 (Performance Evaluation) is the weakest at 1.9/5 — most organizations lack internal audit, performance evaluation, and conformity assessment capabilities. Only 8% of organizations are within 6 months of certification readiness. Organizations with existing ISO 27001 certifications show 1.4 points higher readiness.

Key findings

Executive Summary

ISO/IEC 42001:2023 is the first international standard for AI management systems, and its adoption is accelerating as regulators, customers, and boards increasingly require demonstrable AI governance. This report examines readiness for ISO 42001 certification across 280 organizations in 6 industries, assessing compliance maturity against each of the standard's 7 clauses (4–10) and Annex A controls. The findings reveal significant variance: Clause 6 (Planning) is the strongest area at 3.1 average readiness, reflecting that many organizations have begun AI risk assessment and objective-setting. Clause 9 (Performance Evaluation) is the weakest at 1.9, indicating that most organizations lack the monitoring, internal audit, and management review processes that ISO 42001 requires. Only 8% of organizations are estimated to be within 6 months of certification readiness. The majority (59%) need 12–24 months of structured governance development. Organizations with existing ISO 27001 or SOC 2 certifications show significantly higher readiness due to transferable management system skills and audit infrastructure. The data has direct implications for AI governance program prioritization: organizations should invest in performance evaluation infrastructure (monitoring, audit, management review) as the highest-leverage action for ISO 42001 readiness.

Methodology

Readiness assessment follows the ISO 42001:2023 clause structure (Clauses 4–10) and Annex A control categories. Each clause and control is scored on a 5-level readiness scale: (1) No activity, (2) Initial awareness, (3) Partial implementation, (4) Substantial implementation, (5) Full conformity with evidence. Data was compiled from readiness assessments, gap analyses, and pre-certification reviews across 280 organizations in 6 industries. Assessments followed the COMPEL ISO 42001 readiness methodology, which maps COMPEL's 20 domains to ISO 42001 requirements. All figures are illustrative and derived from composite analysis. No single organization's data is represented. Figures are intended to illustrate patterns in ISO 42001 readiness across industries to inform governance program design. Actual certification readiness depends on organization-specific factors including scope, complexity, and existing management system maturity.

Clause-by-Clause Readiness Overview

The seven auditable clauses of ISO 42001 show a clear pattern: organizations are better at planning than execution, and better at execution than evaluation. Clause 6 (Planning) leads at 3.1 average readiness. Risk assessment (3.4) and AI objectives (3.2) score highest within this clause, reflecting that most organizations have at least begun the process of identifying AI risks and defining strategic objectives for AI. This is likely driven by board-level attention to AI risk and the availability of risk assessment frameworks (NIST AI RMF, internal risk methodologies). Clause 4 (Context of the Organization) at 2.8 and Clause 8 (Operation) at 2.7 represent mid-range readiness. Organizations generally understand their AI landscape (context) and have some operational processes for AI development and deployment, but these are not consistently documented, measured, or improved. Clause 9 (Performance Evaluation) at 1.9 is the critical gap. Internal audit of AI management systems is virtually non-existent in most organizations (1.8 readiness), AI system performance evaluation processes are ad-hoc (1.6), and conformity assessment capabilities are the weakest sub-requirement at 1.5. Without these evaluation capabilities, organizations cannot demonstrate the "check" portion of the Plan-Do-Check-Act cycle that ISO management systems require. Clause 10 (Improvement) at 2.2 is the second-weakest, directly downstream of the Clause 9 gap: organizations that cannot evaluate cannot systematically improve.

Clause 9 Deep Dive: The Performance Evaluation Gap

Clause 9 is the most critical gap because it is the foundation for demonstrating that an AI management system actually works — not just that it exists on paper. ISO auditors assess Clause 9 with particular rigor because it provides the evidence that other clauses are being implemented effectively. Monitoring and measurement (2.1): Most organizations monitor individual AI model performance (accuracy, latency) but do not monitor governance process effectiveness — whether risk assessments are being completed on time, whether policies are being followed, whether training requirements are being met. ISO 42001 requires both. Internal audit (1.8): Fewer than 15% of organizations have conducted any formal internal audit of their AI management practices. Most lack the audit criteria, procedures, and qualified auditors needed for AI-specific internal audit programs. Organizations with existing ISO 27001 audit programs have a structural advantage but still need to develop AI-specific audit criteria. AI system performance evaluation (1.6): ISO 42001 requires that AI systems be evaluated against defined performance criteria including accuracy, fairness, robustness, and safety. Most organizations evaluate these ad-hoc during development but lack ongoing production evaluation processes with defined criteria and escalation triggers. Conformity assessment (1.5): The weakest sub-requirement. Organizations need to assess whether their AI management system conforms to ISO 42001 requirements — this requires understanding the standard's requirements in detail and having evidence collection processes for each clause. Most organizations have not yet begun this preparatory work.

Clause 6 Strength: Why Planning Leads

Clause 6 (Planning) being the strongest clause is both encouraging and cautionary. It is encouraging because it means organizations have begun the essential work of AI risk assessment, objective-setting, and impact analysis. These are non-trivial activities that require cross-functional engagement and management attention. Risk assessment (3.4) is the highest-scoring sub-requirement across the entire standard. This reflects the maturation of AI risk management practices driven by NIST AI RMF adoption, board-level attention to AI risk, and the availability of structured risk assessment tools and frameworks. However, the planning-execution-evaluation gradient is cautionary: organizations that plan well but execute inconsistently and evaluate rarely are building governance programs with strong foundations and weak superstructures. The COMPEL framework addresses this directly through its stage-based approach — Calibrate and Organize (planning), Model and Produce (execution), Evaluate and Learn (evaluation and improvement) — ensuring that planning activities are matched by execution and evaluation capabilities.

Industry Readiness Patterns

Industry analysis reveals three distinct readiness profiles: Regulated industries (Financial Services, Healthcare, Government) show higher and more balanced readiness across all clauses. Financial Services leads overall with an average readiness of 3.0, driven by existing regulatory compliance infrastructure, established risk management functions, and board-level governance sponsorship. Government entities benefit from policy frameworks and procurement governance but trail on technology and operational execution. Technology companies show an asymmetric profile: strong on Clause 8 (Operation) at 3.0 due to mature AI development practices, but relatively weak on Clause 5 (Leadership) at 2.5 and Clause 9 (Evaluation) at 1.8. This reflects a "build first, govern later" culture that ISO 42001 certification will require them to reverse. Manufacturing and Professional Services show the lowest overall readiness (average 2.1 and 2.2 respectively), reflecting later AI adoption timelines and less regulatory pressure for AI-specific governance. These industries face the longest certification timelines but also have the opportunity to build governance infrastructure concurrently with AI deployment rather than retroactively.

Leverage from Existing Certifications

Organizations with existing ISO management system certifications show measurably higher ISO 42001 readiness, with ISO 27001 providing the strongest boost (1.4 points average readiness increase). ISO 27001 (Information Security) provides the most transferable skills because it uses the same high-level management system structure (HLS), shares Clause 4–10 requirements, and builds audit competence, document control, and continuous improvement skills that directly apply to ISO 42001. Organizations with ISO 27001 typically need to extend their ISMS to cover AI-specific risks rather than building from scratch. SOC 2 Type II (1.1 point boost) provides less structural advantage than ISO 27001 but builds relevant skills in evidence collection, monitoring, and third-party assurance. ISO 9001 (Quality Management, 0.9 boost) provides management system fundamentals but limited AI-specific transferability. ISO 14001 (Environmental Management, 0.4 boost) provides minimal direct benefit but still contributes through general management system literacy. Organizations with no existing ISO certification (0.0 boost) face the steepest curve — they must build management system fundamentals and AI-specific governance simultaneously. These organizations should budget 18–24 months for certification readiness.

Investment and Readiness Correlation

The correlation between AI governance investment and readiness is strong and approximately linear: organizations spending over $5M annually on AI governance achieve 3.9 average readiness, while those spending under $100K average only 1.6. However, the analysis reveals diminishing returns above $1M — the jump from $100K to $1M produces a 1.3-point readiness improvement, while the jump from $1M to $5M produces only 0.5 points. This suggests that the highest-leverage investments are in the $500K–$1M range, where organizations are building core governance infrastructure, dedicated roles, and tooling. For budget planning purposes, organizations targeting ISO 42001 certification within 18 months should anticipate governance program costs of $500K–$2M depending on organizational size and complexity. This includes dedicated governance staff (1–3 FTEs), tooling (system registry, risk assessment, audit management), training (management system skills, AI governance fundamentals), and pre-certification audit support. COMPEL's structured approach can reduce these costs by providing a proven methodology, assessment tools, and workforce development pathway that eliminates the need for organizations to design their governance program from scratch.

Actionable Recommendations

Based on this readiness analysis, we recommend the following prioritized actions for organizations pursuing ISO 42001 certification: 1. Close the Clause 9 gap first. Performance evaluation is the weakest area and the one auditors scrutinize most heavily. Invest in: (a) AI-specific internal audit capability — either train existing ISO auditors or engage external expertise; (b) monitoring systems that track governance process effectiveness, not just model performance; (c) management review processes that include AI governance KPIs on the agenda. 2. Build on Clause 6 strength. Your planning foundation is your best asset. Convert risk assessments into actionable controls (Clause 8), establish measurement criteria for those controls (Clause 9), and create improvement processes when controls underperform (Clause 10). 3. Leverage existing management systems. If you have ISO 27001, extend it to cover AI risks rather than creating a parallel system. If you have SOC 2, use the evidence collection infrastructure for AI-specific controls. The ISO HLS structure means significant reuse is possible. 4. Use the COMPEL framework as the implementation scaffold. COMPEL's 20 domains map directly to ISO 42001 clauses and Annex A controls, providing a structured assessment and implementation pathway. The Calibrate stage establishes your ISO 42001 readiness baseline, and subsequent stages build the capabilities needed for each clause. 5. Budget for 12–18 months and $500K–$1M for a mid-market organization. Adjust upward for large enterprises with complex AI portfolios and multiple regulatory jurisdictions.

References

Methodology

Readiness assessment against ISO 42001:2023 clauses 4–10 and Annex A. 280 organizations, 6 industries. COMPEL ISO 42001 readiness methodology. All figures illustrative.

References

1. ISO/IEC. "ISO/IEC 42001:2023 — Information Technology — Artificial Intelligence — Management System." International Organization for Standardization, 2023.
2. ISO/IEC. "ISO/IEC 27001:2022 — Information Security Management Systems." International Organization for Standardization, 2022.
3. ISO/IEC. "ISO/IEC TS 42006:2024 — Requirements for AI System Audit." International Organization for Standardization, 2024.
4. NIST. "AI Risk Management Framework (AI RMF 1.0)." National Institute of Standards and Technology, 2023.
5. European Parliament. "Regulation (EU) 2024/1689 — EU AI Act." Official Journal of the European Union, 2024.
6. Abdelalim, T. "The COMPEL AI Transformation and Governance Framework." FlowRidge, 2025.
7. BSI Group. "ISO 42001 Implementation Guide." British Standards Institution, 2024.
8. ISACA. "Auditing AI Management Systems: Practical Guidance for ISO 42001." ISACA, 2025.
9. Deloitte. "The AI Governance Imperative: ISO 42001 Readiness Survey." Deloitte, 2025.
10. PwC. "Responsible AI Framework and ISO 42001 Alignment." PricewaterhouseCoopers, 2025.