The regulatory landscape for AI shifted permanently in 2024, and it moved faster than most US companies planned for. The EU AI Act (Regulation (EU) 2024/1689) entered into force on August 1, 2024; its first prohibitions took effect on February 2, 2025, and most of its obligations for high-risk AI apply from August 2, 2026. Meanwhile, ISO/IEC 42001:2023, the first international standard for AI management systems, is quietly becoming the governance framework that serious organizations are building around. US companies that assume they're out of scope because they're not headquartered in Europe are making the same mistake many US companies made when GDPR arrived.
The question I hear most often from clients is some version of: "Do we need both?" The answer depends on your exposure, but the more useful reframe is that these two frameworks serve different purposes, and for most US organizations with any global market presence, the smart approach is to use one to strengthen your position for the other.
What ISO 42001 Is — and Isn't
ISO/IEC 42001:2023, published in December 2023, is a management system standard. It belongs to the same family as ISO 9001 for quality management and ISO/IEC 27001 for information security, and it follows the same harmonized clause structure, so an organization that already runs an ISO 27001 ISMS will recognize the shape of it. The standard gives organizations a structured, auditable framework for establishing, implementing, maintaining, and continually improving how they govern AI, and it's certifiable by accredited third-party certification bodies.
The standard's architecture is worth understanding specifically, because this is where ISO/IEC 42001 does real work. Clause 4 requires organizations to understand their context, including stakeholder expectations around AI, and to define the scope of the management system. Clause 6.1 is the risk and opportunity assessment: what could go wrong with your AI systems, and what governance measures address those risks. Clause 8.4 requires an AI system impact assessment before deployment, a documented analysis of how an AI system will affect individuals, groups, and the organization itself. The Annex A controls on third-party and customer relationships (control area A.10) cover supplier and third-party AI, which matters enormously given how many organizations today consume AI through APIs, SaaS platforms, and embedded tools rather than building it themselves. Clause 9.1 closes the loop with ongoing monitoring, measurement, analysis, and evaluation requirements, and clause 10 with nonconformity handling and continual improvement.
What ISO 42001 doesn't do is impose specific technical requirements on the AI systems themselves. It governs the organizational management layer — the policies, roles, processes, and documentation — not the algorithmic choices. That distinction becomes important when you look at what the EU AI Act actually requires.
What the EU AI Act Actually Requires
The EU AI Act is categorically different from ISO 42001. It's law: binding, enforceable, with fines that scale to global revenue. Violations involving prohibited AI practices can draw fines of up to €35 million or 7% of global annual turnover, whichever is greater. Breaches of most other obligations, including the high-risk requirements and the GPAI provider duties, run up to €15 million or 3%, and supplying incorrect or misleading information to authorities up to €7.5 million or 1%. For SMEs the lower of the two figures applies.
The Act organizes AI systems into four risk tiers:
Prohibited AI — practices posing unacceptable risks under Article 5, including social scoring that leads to detrimental or disproportionate treatment, real-time remote biometric identification in publicly accessible spaces for law enforcement (permitted only under narrow, authorized exceptions), untargeted scraping of facial images to build recognition databases, and AI that manipulates behavior through subliminal or deceptive techniques. These have been banned since February 2, 2025.
High-risk AI — systems in sectors where failures could cause serious harm. Annex III lists the specific use cases: biometrics, critical infrastructure, education, employment and workforce management, access to essential services including credit scoring and insurance, law enforcement, migration and border control, and the administration of justice. A second route into high-risk status runs through Annex I: AI that is a safety component of, or is itself, a product covered by EU product-safety law, such as medical devices or machinery. These face the heaviest compliance obligations, with the Annex III requirements applying from August 2, 2026.
Limited-risk AI — systems subject to the transparency obligations in Article 50, such as chatbots, emotion recognition, and AI-generated or manipulated content. Users must be told they're interacting with AI unless that is obvious from context, and synthetic audio, image, video, and text output must be marked as AI-generated in a machine-readable way.
Minimal-risk AI — the majority of AI applications, carrying no specific obligations.
For high-risk AI, the requirements in Articles 9 through 15 and the provider obligations in Articles 16 and 17 include: a lifecycle risk management system (Article 9); data governance covering the quality of training, validation, and test data and examination for bias (Article 10); technical documentation and automatic event logging (Articles 11 and 12); transparency and instructions for use addressed to deployers (Article 13); human oversight measures (Article 14); accuracy, robustness, and cybersecurity, including resilience against data poisoning, model poisoning, and adversarial evasion (Article 15); and a quality management system covering the entire development and deployment chain (Article 17).
The general-purpose AI (GPAI) provisions take effect August 2, 2025 and apply to providers of large language models and other foundation models placed on the EU market. Article 53 requires technical documentation, information for downstream providers, a copyright-compliance policy, and a public summary of training content; models classified as posing systemic risk carry additional evaluation, incident-reporting, and cybersecurity duties under Article 55. Organizations that build on someone else's GPAI model are not GPAI providers on that basis alone, but they rely on the upstream documentation to meet their own obligations, and they can take on provider obligations if they substantially modify the model.
The Extraterritorial Scope US Companies Underestimate
This is the single most common misunderstanding I see from US-based organizations. Under Article 2, the EU AI Act applies to you if you place an AI system on the EU market or put it into service there, if you are a deployer established in the EU, or if the output your system produces is used in the EU, regardless of where your company is incorporated or headquartered.
This is the same extraterritorial logic that drove GDPR compliance across the US starting in 2018. McKinsey's 2024 Global AI Survey found that 72% of organizations have adopted AI in at least one business function, and many of those organizations serve EU customers without having mapped that exposure.
US companies with probable EU AI Act obligations include:
- SaaS providers whose AI-powered features are used by EU customers
- HR technology vendors whose hiring or performance management tools are used in EU subsidiaries
- Financial technology firms whose AI-assisted credit, fraud, or underwriting decisions affect EU residents
- Healthcare and medical device companies with any EU market presence
- Any organization using AI in customer-facing applications that reach EU users
The GPAI obligations applying August 2, 2025 deserve immediate attention. The Article 53 duties (technical documentation, information for downstream providers, a copyright policy, a training-content summary) fall on the provider of the model, not on every organization that calls its API. But if you fine-tune or otherwise substantially modify a third-party model, or put an AI system built on one onto the EU market under your own name, you need to know which side of that line you're on, and that question doesn't wait for the 2026 high-risk deadline.
ISO 42001 vs. EU AI Act: Side-by-Side
| Dimension | ISO 42001:2023 | EU AI Act (Reg. EU 2024/1689) |
|---|---|---|
| Nature | Voluntary standard, certifiable | Binding law, enforceable |
| Scope | Any organization developing or deploying AI | Providers placing AI on the EU market, deployers established in the EU, and anyone whose AI output is used in the EU |
| Geographic reach | Global, self-selected | Extraterritorial (mirrors GDPR logic) |
| Risk approach | Management system (plan-do-check-act) | Tiered risk classification: prohibited → high → limited → minimal |
| Core obligation | Build and maintain an AI management system | Comply with tier-specific technical and organizational requirements |
| Enforcement | Third-party certification, market differentiation | National market surveillance authorities, the EU AI Office for GPAI models; fines up to €35M or 7% global turnover |
| Primary timeline | Implement at your pace | Phased: Feb 2025, Aug 2025, Aug 2026, Aug 2027 |
| Verification | Accredited certification bodies | EU conformity assessments, notified bodies for certain high-risk AI |
| Technical requirements | Organizational governance layer | System-level: data governance, logging, human oversight, accuracy, robustness and cybersecurity |
These two frameworks address different layers of the same problem. ISO 42001 governs how your organization thinks about and manages AI risk. The EU AI Act prescribes specific outcomes those governance systems must produce for regulated use cases. They're complementary, not substitutes for each other.
How ISO 42001 Builds Your EU AI Act Foundation
In my view, this is the most actionable frame for US companies doing serious compliance work. ISO 42001 won't achieve full EU AI Act compliance on its own — but it builds the organizational foundation that makes EU AI Act compliance achievable.
The overlap is substantial. ISO/IEC 42001's clause 6.1 risk assessment and clause 8.4 impact assessment directly support the lifecycle risk management system required under EU AI Act Article 9, and the impact assessment maps closely onto the fundamental rights impact assessment that Article 27 requires of certain deployers of high-risk AI. The records both produce feed the Article 11 technical documentation. The quality management orientation throughout ISO/IEC 42001 aligns with the Article 17 quality management system requirement. The Annex A controls on third-party and customer relationships feed the supply-chain obligations that surface throughout the Act, notably Article 25 on responsibilities along the AI value chain.
Where the EU AI Act goes beyond ISO/IEC 42001 is at the system level: the specific data governance rules under Article 10, the logging and traceability architecture under Article 12, the human oversight measures that must be technically built into high-risk systems under Article 14, the accuracy, robustness, and cybersecurity requirements under Article 15, and the conformity assessment required before a high-risk AI system can enter the EU market. These require decisions at the AI engineering level that a management system standard won't prescribe. An ISO/IEC 42001 certificate attests that you have a process for making those decisions, not that any particular model meets Article 15.
The practical upshot is that organizations building ISO 42001-compliant governance are in a meaningfully better position to implement the EU AI Act's technical requirements, because the organizational infrastructure — the roles, the risk processes, the documentation practices, the supplier management — is already in place. IBM's 2024 AI governance study found that 77% of CEOs identify AI governance as a top organizational priority, yet most have not implemented a structured governance framework. That gap between intention and operational infrastructure is where organizations get hurt when regulators start looking.
The Timeline US Companies Are Actually Working With
The EU AI Act is not a future concern for most US companies with EU exposure — parts of it are already in force.
- February 2, 2025: Prohibitions on unacceptable-risk AI systems apply
- August 2, 2025: GPAI model obligations apply to providers of general-purpose AI models
- August 2, 2026: High-risk AI compliance for Annex III categories — the primary deadline for most US companies
- August 2, 2027: High-risk AI compliance for Annex I systems (AI embedded in regulated products like medical devices and machinery)
An ISO 42001 implementation typically takes 6–12 months to reach a certification-ready state, depending on organizational size and existing governance maturity. Adding EU AI Act-specific requirements for high-risk AI — the technical documentation, the conformity assessment, the EU database registration — extends that timeline further.
Organizations that start now have a workable path to August 2026. Organizations that defer another six months will be building documentation under time pressure, and the shortcuts that time pressure produces are exactly what creates audit exposure later.
What US Companies Should Do Now
Map your AI inventory first. Document every AI system you develop, deploy, or consume through vendor tools — including AI features embedded in SaaS platforms. For each, determine: Does it affect EU residents or EU markets? What risk tier applies under the EU AI Act?
Run a gap assessment against ISO 42001. Even where EU AI Act compliance isn't immediately required, ISO 42001 is the right governance foundation. A structured gap assessment identifies where current practices fall short and creates an implementation roadmap you can execute against.
Clarify whether you're a provider or deployer. The EU AI Act distinguishes between organizations that develop AI systems or have them developed and place them on the market under their own name (providers) and organizations that use them in a professional context (deployers). Providers face more extensive obligations, but deployers of high-risk AI have real obligations too, including human oversight, input-data control, and log retention. Most US organizations are both simultaneously, depending on the AI system, and under Article 25 a deployer that rebrands a high-risk system or substantially modifies it takes on provider obligations for it.
Build documentation in real time. One of the most consistent patterns across compliance engagements is that organizations have done reasonable things but cannot demonstrate them because documentation wasn't built contemporaneously. Under both ISO 42001 and the EU AI Act, the documentation is the compliance — an auditor or regulator cannot verify undocumented governance.
Address your GPAI exposure now. If your organization builds on, fine-tunes, or distributes general-purpose models in products or services reaching EU users, the GPAI obligations apply from August 2, 2025, a year ahead of the high-risk deadline. Establish whether you are a provider, a downstream provider relying on upstream documentation, or only a deployer, and what transparency and copyright-related requirements follow from that for your specific use case.
For organizations that want to understand their specific gap profile before committing to a full implementation, a readiness assessment through Certify Consulting provides a structured, actionable picture of where you stand and what comes next.
The Competitive Dimension
There's a version of this work that's purely defensive — avoid fines, check regulatory boxes. But in my experience, organizations that treat AI governance as a competitive differentiator end up better positioned across almost every dimension: customer trust, enterprise sales cycles, partnership eligibility in regulated industries.
ISO 42001 certification is still uncommon enough that it functions as a genuine market differentiator. A Certify Consulting client in the medical device space recently secured a contract specifically because they could point to a documented AI governance program that competitors couldn't match. That window won't stay open indefinitely — as the EU AI Act matures and enforcement begins, ISO 42001-level governance will shift from differentiator to baseline expectation.
Organizations building the governance infrastructure now will be the ones that can credibly demonstrate it when customers start requiring it. The EU AI Act is going to drive that shift whether organizations are ready or not — and ISO 42001 is the framework best positioned to get US companies there efficiently on a timeline that actually holds.
For more on how Certify Consulting supports AI governance readiness and ISO 42001 implementation, visit certify.consulting.
Last updated: 2026-06-13
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.