ISO 42001 Gap Assessment: How to Run One (2026)
How to run an ISO/IEC 42001 gap assessment: walk clauses 4–10, score 38 Annex A controls, and produce a remediation plan ahead of the 2 Dec 2027 deadline.
A gap assessment against ISO/IEC 42001:2023 tells you exactly where your AI management system falls short of the standard — and what to fix first. This guide walks through the method clause by clause, explains how the output maps to your EU AI Act readiness, and clarifies what a gap assessment can and cannot do for you legally.
What ISO/IEC 42001 Is (and Is Not)
ISO/IEC 42001:2023 is the international standard for an AI management system (AIMS). It follows the ISO Harmonised Structure shared with ISO 27001 and ISO 9001: ten main clauses (4–10 constitute the requirements) plus Annex A, which contains 38 controls across nine control objectives (A.2–A.10). Certification is voluntary, not a statutory requirement.
That distinction matters. ISO 42001 certification supports your EU AI Act compliance — particularly the Article 17 quality management system (QMS) and the governance evidence useful for Articles 9, 10, 11, and 72 — but it is not a substitute for the Article 43 conformity assessment. The conformity assessment is the legal gate before a high-risk AI system reaches the market. Certification addresses management system maturity; conformity assessment addresses product legality. Running a gap assessment builds the governance backbone; it does not replace the regulatory compliance work.
What a Gap Assessment Produces
A gap assessment compares your current practice against two layers of the standard:
- Clause requirements (4–10): the management system obligations — context, leadership commitment, planning, support, operations, performance evaluation, improvement.
- Annex A controls: 38 controls across nine objectives covering AI policy (A.2), internal organisation and roles (A.3), resources and competence (A.4), impact assessments (A.5), AI system lifecycle (A.6), data for AI (A.7), information for interested parties (A.8), use of AI systems (A.9), and third-party and supplier management (A.10).
The outputs of a well-run gap assessment are two things:
- A prioritised remediation plan: ranked gaps with estimated effort and deadline, mapped to clauses and controls.
- A Statement of Applicability (SoA): a register of all 38 Annex A controls, each marked as applicable or excluded, with the justification for any exclusion. (The SoA is required by the standard itself, in clause 6.1.3(d).)
Defining Scope Before You Start
Scope definition comes before evidence gathering. ISO 42001 clause 4.3 requires you to determine the boundary of your AIMS — which AI systems fall within it, which organisational units are included, and which external interfaces (suppliers, deployers, regulators) are in scope.
In practice: start with your AI inventory. List every AI system your organisation develops or deploys. For each one, record its intended purpose, the business unit responsible, whether it is externally deployed or internal-only, and whether it touches personal data or high-stakes decisions. This inventory becomes the evidence base for your scope document and, later, for Annex A controls such as A.6 (AI system lifecycle) and A.9 (use of AI systems).
Scope that is too narrow understates risk and produces a gap assessment that will not satisfy a certification auditor. Scope that is too broad overwhelms the team and delays the remediation plan. A useful heuristic: include every AI system that could cause harm to individuals, affect regulatory compliance, or generate material business liability if it failed.
The Clause-by-Clause Method
Clause 4 — Context
Gather evidence that the organisation has identified: internal and external issues relevant to its AI objectives (4.1); interested parties and their requirements (4.2); and the AIMS boundary (4.3). Common gaps here are an AI inventory that exists informally rather than as a documented register, and stakeholder needs (regulators, deployers, end users) that have been noted in emails but never formalised.
Clause 5 — Leadership
Assess whether top management has issued an AI policy (5.2), assigned AIMS roles with documented accountability (5.3), and integrated AI governance into business planning. Leadership gaps are often the most consequential: without explicit policy and accountability, the Annex A controls never get funded or enforced.
Clause 6 — Planning
This is where ISO 42001 intersects most directly with the EU AI Act.
Clause 6.1 requires the organisation to plan for risks and opportunities. Clause 6.1.2 specifically mandates an AI risk assessment — identifying risks associated with your AI systems and their use, evaluating likelihood and severity, and determining treatment. This maps closely to the Article 9 risk management system required for high-risk AI under the EU AI Act.
Clause 6.1.4 requires an AI impact assessment for relevant AI systems — a structured evaluation of potential impacts on individuals and society. For high-risk deployers subject to Article 27 of the EU AI Act, the Fundamental Rights Impact Assessment (FRIA) can draw on and build from this ISO work. The two are not identical — the FRIA has a defined legal scope and applies to specific deployer categories — but evidence gathered for clause 6.1.4 is directly reusable.
Common gaps at clause 6: the risk assessment is a spreadsheet updated once at project launch, not a continuous cycle; impact assessments exist only for GDPR (Article 35 DPIA) and have not been extended to AI-specific harms; objectives (clause 6.2) are stated without measurable criteria or timelines.
Clause 7 — Support
Assess competence (7.2), awareness (7.3), and communication (7.4). Check whether roles with AI responsibilities have documented competence requirements and records of training. This is also where AI literacy obligations under EU AI Act Article 4 — in force since 2 February 2025 — become relevant. Article 4 requires providers and deployers to ensure sufficient AI literacy among their staff and users. A gap in ISO 42001 clause 7.2 competence evidence is likely also an Article 4 exposure.
Clause 7.5 covers documented information — the management system's record-keeping spine. Check that you have a document control procedure and that the records required by other clauses (risk assessments, impact assessments, training records) are actually being kept.
Clause 8 — Operation
Clause 8 governs AI system lifecycle planning (8.1), AI risk assessment and treatment (8.2 and 8.3), and the outputs of impact assessments (8.4). In practice this is where the rubber meets the road: do your development and procurement processes implement the controls planned in clause 6?
Check whether your organisation applies consistent governance gates across the AI lifecycle — requirements analysis, design review, testing and validation before deployment, post-deployment monitoring. Check also for gaps in data governance at the design stage, which will surface in Annex A controls A.7 (data for AI) as well.
Clause 9 — Performance Evaluation
Assess monitoring and measurement (9.1), internal audit (9.2), and management review (9.3). A common gap: organisations monitor individual AI systems (performance metrics, error rates) but do not have a programme that measures the AIMS as a system and feeds findings to management. An internal audit programme against the standard's requirements, separate from any external certification audit, is required.
Clause 10 — Improvement
Clause 10 requires nonconformity and corrective action (10.1) and continual improvement (10.2). Check whether incidents, near-misses, and audit findings are logged, root-caused, and corrected with verified effectiveness. Post-market monitoring evidence (relevant to EU AI Act Article 72 for providers of high-risk systems) feeds naturally into this clause.
Assessing Annex A Controls
After the clause-by-clause review, work through all 38 controls. For each control:
- Applicability determination: is this control relevant to the scope you defined? If not, document the justified exclusion.
- Evidence check: what documentation or practice exists that implements the control? Rate the evidence: absent, partial, or present.
- Maturity rating: a five-point maturity scale works well — initial/ad hoc (1), repeatable (2), defined (3), managed/measured (4), optimising (5). Controls that are absent score 1; controls with strong documented evidence and measurement score 4–5.
The nine Annex A objectives and their EU AI Act relevance:
| Objective | Controls | Primary EU AI Act link |
|---|---|---|
| A.2 — AI policies | A.2.1–A.2.2 | Art 17 QMS |
| A.3 — Internal organisation | A.3.1–A.3.4 | Art 17 QMS |
| A.4 — Resources for AI | A.4.1–A.4.2 | Art 4 literacy; Art 9 RMS |
| A.5 — Impact assessments | A.5.1–A.5.3 | Art 9 RMS; Art 27 FRIA |
| A.6 — AI system lifecycle | A.6.1–A.6.2 | Art 9 RMS; Art 11 tech docs |
| A.7 — Data for AI | A.7.1–A.7.5 | Art 10 data governance |
| A.8 — Information for interested parties | A.8.1–A.8.4 | Art 13 transparency |
| A.9 — Use of AI systems | A.9.1–A.9.5 | Art 14 human oversight; Art 26 deployer duties |
| A.10 — Third-party management | A.10.1–A.10.3 | Art 25 role shifts; Art 26 due diligence |
Rating Maturity and Prioritising Gaps
Once every clause and control has a maturity score, sort the gaps by two factors: severity (what happens if the gap persists) and effort (how hard is it to close). Plot them on a 2×2: high-severity, low-effort gaps go first; high-severity, high-effort gaps need a project plan and a named owner; low-severity, low-effort gaps can follow.
For companies facing the EU AI Act high-risk deadline of 2 December 2027 (for stand-alone Annex III systems, per the Digital Omnibus agreed May 2026), the prioritisation should weight gaps that block Article 43 conformity assessment readiness most heavily. Those are typically: the Article 9 risk management system (ISO 42001 clause 6.1.2 / A.5.1), the Article 11 technical documentation (clause 8 / A.6), and the Article 17 QMS elements (clauses 5–7).
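As an added worked example (not Confir's code and not text from the standard), the following Python implements the Annex A scoring steps above (applicability with justified exclusion, evidence rating, five-point maturity) and the severity/effort 2×2 used to order the remediation plan. The 1–5 severity and effort scales, the target maturity of 3, and the sample control ratings are constructed assumptions; control identifiers follow the ranges in the page's table.

```python
from dataclasses import dataclass

MATURITY = {1: "initial/ad hoc", 2: "repeatable", 3: "defined",
            4: "managed/measured", 5: "optimising"}
EVIDENCE = ("absent", "partial", "present")
# Quadrant order from the page: high-severity/low-effort gaps go first.
ORDER = ["high-severity/low-effort", "high-severity/high-effort",
         "low-severity/low-effort", "low-severity/high-effort"]

@dataclass
class ControlRating:
    control: str             # Annex A identifier, e.g. "A.5.1"
    applicable: bool         # False = exclusion recorded in the SoA
    evidence: str            # absent / partial / present
    maturity: int            # 1..5 on the page's five-point scale
    severity: int            # 1..5, impact if the gap persists (assumed scale)
    effort: int              # 1..5, work to close it (assumed scale)
    justification: str = ""  # required when applicable is False

def validate(r: ControlRating) -> list:
    """Consistency problems a reviewer would flag for one rating."""
    problems = []
    if not r.applicable and not r.justification.strip():
        problems.append(f"{r.control}: excluded without justification")
    if r.maturity not in MATURITY:
        problems.append(f"{r.control}: maturity {r.maturity} outside 1-5")
    if r.evidence not in EVIDENCE:
        problems.append(f"{r.control}: unknown evidence {r.evidence!r}")
    elif r.evidence == "absent" and r.maturity != 1:
        problems.append(f"{r.control}: absent evidence must score 1")
    return problems

def soa_rows(ratings):
    """Statement of Applicability rows, one per control reviewed."""
    return [(r.control, "applicable" if r.applicable else "excluded",
             r.evidence, MATURITY.get(r.maturity, "?"), r.justification)
            for r in ratings]

def quadrant(r: ControlRating, threshold: int = 3) -> str:
    """Place a gap on the 2x2; scores >= threshold count as high."""
    sev = "high-severity" if r.severity >= threshold else "low-severity"
    eff = "high-effort" if r.effort >= threshold else "low-effort"
    return f"{sev}/{eff}"

def remediation_plan(ratings, target_maturity: int = 3):
    """Applicable controls below target, ordered by quadrant, then severity."""
    gaps = [r for r in ratings if r.applicable and r.maturity < target_maturity]
    gaps.sort(key=lambda r: (ORDER.index(quadrant(r)), -r.severity, r.effort))
    return [(r.control, quadrant(r), r.maturity) for r in gaps]

# Constructed sample ratings; identifiers follow the page's table ranges.
SAMPLE = [
    ControlRating("A.2.1", True, "present", 4, 3, 2),
    ControlRating("A.5.1", True, "partial", 2, 5, 2),  # launch-only risk spreadsheet
    ControlRating("A.6.2", True, "absent", 1, 5, 4),   # no lifecycle records
    ControlRating("A.7.3", True, "partial", 2, 2, 1),
    ControlRating("A.10.1", False, "absent", 1, 1, 1, "no third-party AI suppliers in scope"),
    ControlRating("A.10.2", False, "absent", 1, 1, 1),  # excluded, no reason given
]
```

Running `validate` over every row before building the SoA catches the unjustified exclusion (A.10.2) that a certification auditor would reject; `remediation_plan(SAMPLE)` then puts the high-severity, low-effort risk-assessment gap ahead of the harder lifecycle-documentation gap.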
How an ISO 42001 Gap Assessment Supports EU AI Act Readiness
The governance backbone built through an ISO 42001 gap assessment produces evidence that maps directly to the EU AI Act's high-risk obligations:
- Article 9 (risk management system): the AI risk assessment and treatment records from ISO 42001 clauses 6.1.2 and 8.2–8.3 are the operational core of the Article 9 RMS. The cycle is the same — identify, assess, treat, monitor. The ISO work should not be duplicated; it should be designed to satisfy both.
- Article 10 (data and data governance): Annex A controls A.7.1–A.7.5 address data quality, provenance, and bias testing. These produce the evidence required under Article 10 for high-risk systems' training, validation, and testing datasets.
- Article 11 (technical documentation): Annex A.6 covers the AI system lifecycle documentation. The records produced under A.6.1–A.6.2 feed directly into the Annex IV technical documentation required by Article 11.
- Article 17 (quality management system): the ISO 42001 AIMS is the Article 17 QMS instantiated in a certification-ready framework. An organisation that has run a gap assessment and begun remediation against ISO 42001 is building the Article 17 QMS at the same time.
- Article 72 (post-market monitoring): clause 9 performance evaluation and clause 10 improvement records are the raw material for the provider's post-market monitoring system.
What the gap assessment does not do: it does not satisfy the Article 43 conformity assessment, which is a product-level legal determination, not a management-system audit. Certification to ISO 42001 may be accepted as evidence supporting the Article 43 technical file, but the conformity assessment procedure itself (internal self-assessment under Annex VI for most Annex III categories, or a notified-body assessment under Annex VII for the biometrics category at Annex III point 1) is a separate step your legal and compliance team must complete.
How Confir Helps
Confir cross-maps its assessment questions and findings to both the EU AI Act and ISO/IEC 42001 controls — using deterministic, rule-based logic, not AI inference. When you complete the structured assessment for a system, Confir flags which Annex A controls are implicated and which Articles 9, 10, 11, and 72 obligations apply. It also generates the Article 11 / Annex IV technical documentation pack and the Article 27 FRIA for qualifying deployers.
The output is not a substitute for a formal ISO 42001 gap assessment conducted by a qualified auditor. It is a starting point: a structured evidence baseline that tells you where your largest gaps are before you engage an external reviewer. For companies at an early stage of governance maturity, that baseline shortens the ISO 42001 pre-assessment engagement significantly.
Frequently Asked Questions
What is an ISO 42001 gap assessment?
A gap assessment compares your current AI governance practices against the requirements in ISO/IEC 42001:2023 — the management system standard for AI — clause by clause and control by control. It identifies where your practices are absent, partial, or non-conforming, and produces a prioritised remediation plan and a Statement of Applicability. It is typically the first step before pursuing ISO 42001 certification.
How many controls does ISO/IEC 42001 have, and what do they cover?
ISO/IEC 42001:2023 Annex A contains 38 controls across nine control objectives, labelled A.2 through A.10. The objectives cover AI policies, internal organisation and roles, resources and competence, impact assessments, AI system lifecycle governance, data for AI, information for interested parties, use of AI systems, and third-party and supplier management. All 38 must be reviewed for applicability; justified exclusions are recorded in the Statement of Applicability.
Does ISO 42001 certification satisfy the EU AI Act conformity assessment?
No. ISO/IEC 42001 certification is voluntary and addresses management system maturity, not product legality. The EU AI Act conformity assessment under Article 43 is a mandatory legal step before a high-risk AI system reaches the market. ISO 42001 evidence supports the Article 17 QMS and the Article 9 risk management system and contributes to the Article 11 technical documentation file — but it does not replace the conformity assessment procedure.
When does the EU AI Act high-risk deadline apply?
Under the Digital Omnibus agreed by the European Parliament and Council in May 2026, the high-risk obligation deadline for stand-alone Annex III systems (recruitment, credit scoring, biometrics, and others) is 2 December 2027. For high-risk AI embedded in regulated products covered by Annex I (such as medical devices or machinery), the deadline is 2 August 2028. The earlier date of 2 August 2026 has been deferred and now marks general application of the Act including Article 50 limited-risk transparency obligations.
What is the Statement of Applicability in ISO 42001?
The Statement of Applicability (SoA) is a document required by ISO/IEC 42001 clause 6.1.3(d). It lists all 38 Annex A controls and records, for each one: whether it is applicable to your AIMS scope, whether it is currently implemented, and — for any excluded control — the justification for excluding it. The SoA is a key evidence document in a certification audit and a useful governance record in its own right.
How does ISO 42001 relate to the Article 17 QMS requirement?
Article 17 of the EU AI Act requires providers of high-risk AI systems to implement a quality management system covering documented policies, technical documentation, record-keeping, incident reporting, post-market monitoring, and more. ISO/IEC 42001 provides a structured, internationally recognised framework that operationalises most of these requirements. An organisation that implements ISO 42001 is building the Article 17 QMS. The standard is not mandated by the Act, but it is the most practical way to structure the required system.
Can a gap assessment be done internally, or does it require an external auditor?
An internal team can run the gap assessment using the standard's clause requirements and Annex A controls as the assessment criteria. Internal assessments are useful for baselining and planning. However, for certification purposes, a third-party certification body conducts its own conformity audit. An independent external pre-assessment — before that audit — is valuable if your team lacks ISO 42001 expertise or if objectivity on sensitive governance gaps is important. At minimum, whoever leads the internal gap assessment should have read ISO/IEC 42001:2023 in full and understand the Harmonised Structure shared with ISO 27001 and ISO 9001.