Audit practice · 6 min read · by Lars Zimmermann

Why customers will soon require ISO 42001 from AI vendors

ISO/IEC 42001 is becoming a selection criterion for AI providers. What that means for your procurement and supply chain, and how to audit AI vendors against the standard before your own customers demand the evidence from you.

In short

ISO/IEC 42001 is becoming the de facto selection criterion for AI providers: large vendors are getting certified, buyers are making it a requirement. If you buy AI into products or processes, you carry part of the responsibility. So it pays to audit AI vendors against ISO 42001 early, via a second-party audit, instead of waiting until your own customer asks for the evidence.


ISO/IEC 42001 is shifting from a nice-to-have to a buying criterion. Large providers are getting certified, and tenders increasingly carry the question: do you have an AI management system to ISO 42001? If you have nothing to show, you drop off the shortlist faster than you would like.

From certificate to buying criterion

Once the first large providers are certified, the standard becomes the benchmark everyone else is measured against. You know this from quality: when ISO 9001 became the norm, the question was no longer whether but when. With AI the same mechanism is starting, only faster, because the pressure comes from the EU AI Act, customers and liability at the same time.

Why you are on the hook for your vendors' AI

If you deploy bought-in AI, whether in a product, in a hiring process or in quality inspection, you carry responsibility and evidence duties as the deployer, regardless of where the model comes from. A bought-in component that is not under control is your problem as well as the supplier's. That is exactly why relying on the vendor's marketing slide is not enough.

Auditing AI vendors against ISO 42001

A second-party audit against ISO 42001 turns trust into evidence. What is checked is not the model itself, but whether the supplier has it under control:

Question for the AI vendor                  | What matters
--------------------------------------------|------------------------------------------
Is there an AI management system (AIMS)?    | Lived processes, not just a folder
Are AI risks assessed and treated?          | Impact assessment, clear owners
How are data and models governed?           | Provenance, quality, traceable changes
Is operation monitored?                     | Drift, misbehaviour, audit trail
Is there an incident process?               | Who reacts how when the AI goes wrong

A structured supplier audit, on site or remote, replaces gut feeling with solid findings. Note what such an audit does and does not prove: it shows that the supplier has a working management system around the AI, not that the model behaves correctly in your specific use case, so it complements rather than replaces your own acceptance testing of the bought-in component.

Act now, before the customer asks

The topic has two sides, and both are yours: build your own AIMS, because you will be asked for it, and audit your AI vendors, because you are on the hook. Tackle both early and you negotiate from strength instead of scrambling to produce evidence under time pressure. What a supplier audit against ISO 42001 would look like for you is something we clarify in a free initial call.


Frequently asked questions

Why do customers require ISO 42001 from AI vendors?

Because as deployers they are co-responsible for bought-in AI and need solid evidence that it is under control. ISO/IEC 42001 is the emerging standard for that, and large providers are already certifying, which turns the standard into a selection criterion.

How do I audit an AI vendor?

Through a second-party audit against ISO/IEC 42001: is there an AI management system, are risks assessed, are data and models governed, is operation monitored, and is there an incident process. This can be done on site or remotely.

Do I need ISO 42001 myself if I only buy AI?

You need at least evidence that you have the bought-in AI under control. Your own AI management system helps with that and is increasingly expected by your own customers.

Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)

Last updated: 16 June 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
