Resource · ISO/IEC 42001

ISO/IEC 42001 is the AI bar you can't backfill.

The new AI management system standard is already in enterprise RFPs and vendor security reviews. The operational evidence it asks for has to already exist. Vidai records it from day one and is precise about exactly which controls it covers.

What it is

ISO 27001, but for running AI responsibly.

ISO/IEC 42001:2023 is the international standard for an AI Management System: how an organisation governs, operates and is accountable for the AI it runs. Annex A defines 38 controls across nine groups. It is becoming the thing boards, auditors and enterprise procurement ask for, the way ISO 27001 did for information security.

01

It's a procurement reality

It is already appearing in enterprise RFPs and vendor security reviews. "How do you govern your AI?" is now a question with a standard behind it.

02

Evidence is operational

A large share of the controls are about what your AI systems actually did: logged, monitored, accountable. That evidence is a record, not a policy document.

03

You can't backfill it

You cannot manufacture a year of operational evidence the week before the audit. The record has to have been kept all along.

Where Vidai fits

We don't certify you. We make the evidence inevitable.

Vidai is not an ISO 42001 certification and does not make you "ISO 42001 compliant". By design, the product literally cannot express that. What it does is collapse the slowest, most manual part of readiness: for the controls where Vidai sits in the AI request path, the evidence is produced continuously, automatically, as a queryable record.

System of record for 4 controls. The assessor's evidence is Vidai's data, live and queryable.
Evidence engine for 5 more. Vidai supplies the runtime primitive; you run the surrounding process. We say which is which.
29 are your process, and we say so. No inflated coverage score. The boundary is stated precisely, because precision is what an assessor trusts.
Continuous, not point-in-time. The control catalogue is verified against the published standard; the evidence is whatever actually happened.

The mapping, exactly

Four controls where Vidai is the record.

For these, you do not assemble evidence. You point the assessor at Vidai.

A.6.2.8
AI system recording of event logs
Every model call is a frozen, per-request record. The log is Vidai's data, not a screenshot.

A.6.2.6
AI system operation and monitoring
Live operational telemetry of what Vidai actually did, continuously, not point-in-time.

A.9.4
Intended use of the AI system
Routing and access rules encode and enforce who may use which model, for what.

A.8.4
Communication of incidents
Guardrail blocks, circuit trips and policy breaches are signed events your SIEM receives.

Figure: ISO/IEC 42001 control mapping in Vidai: four controls where it is the authoritative system of record, five where it enables your evidence.

Plus five controls where Vidai supplies the evidence primitive: A.4.3, Data resources · A.4.5, System and computing resources · A.6.2.5, AI system deployment · A.7.5, Data provenance · A.10.3, Suppliers. The remaining 29 Annex A controls are organisational process: your scope, not ours. The product shows it that way rather than claiming false coverage.

Honest about the export

Real evidence today. We won't dress it up.

The data is real and exportable now. Request Logs, the Audit log and Reports give you the per-control evidence as queryable, exportable records.
The one-click assessor pack is on the roadmap. A tamper-evident, per-control export is in build. We will not present a manual extract as an attested one, and we will tell you which is which.
That candour is the point. A vendor that is precise about what it does and doesn't do is the one an assessor, and your own risk team, can actually rely on.

Speed up your ISO 42001 readiness.

A 20-minute walkthrough: the control mapping, the operational evidence, and exactly where the boundary is.