A plain-English guide to AI standards
ISO/IEC JTC 1/SC 42 wrote nearly all of it. Once you know that, the landscape stops being a maze.
8183, 5259, 42001, 23894, 42005, 42006, 22989, 12792 — they look like a random pile of numbers, and organisations spend real money on consultants to be told which ones matter. They came out of one subcommittee. They reference each other on purpose. There is an order to read them in, and it takes about a minute to learn.
Why bother
Nobody wakes up wanting to read a standard. They are dry, expensive and slow to arrive. Here is why they matter anyway, and why your buyers are about to make them your problem whether you find them interesting or not.
“AI should be fair” is not actionable. Nobody can audit it, cost it, or tell you when you are finished. A standard is what happens when several hundred people argue for four years about what that sentence means in practice — and then write down something you can actually be assessed against.
Every ethics charter you have read is a wish. A standard is a specification.
Regulators write requirements. They do not write technical detail, because they cannot keep up and they know it. So they point at standards instead. Under Article 40 of the EU AI Act, a harmonised standard confers a presumption of conformity — follow it and you are treated as compliant.
That is not a footnote. It is the mechanism by which a committee document becomes the cheapest route through a law.
This is what separates a standard from a vendor whitepaper or a think-tank framework. Every participating country votes through its national body. Objections must be resolved, not outvoted. It is why they take years, and it is exactly why a regulator will accept one and will not accept your internal policy.
An astonishing share of AI governance disputes are definitional. What is an AI system? What counts as training data? Is that a provider or a deployer? ISO/IEC 22989 exists because those arguments were eating entire meetings.
Agreeing on words before agreeing on rules is unglamorous and saves months.
The practical reason most organisations meet AI standards is not regulation. It is a questionnaire. A customer, an insurer or a public body asks whether you are certified to ISO/IEC 42001, and the honest answer decides whether you are on the shortlist.
By the time you are answering that question, it is too late to start.
An international standard means the same thing in Berlin, Toronto and Singapore. Your internal framework does not. If you sell across borders, a standard is the only governance artefact that does not need re-explaining in every jurisdiction you enter.
Who writes them
This is the distinction newcomers miss, and it matters, because it decides how much weight a document carries and whether a regulator will look at it. Six organisations you will meet, and what each one actually is.
ISO
The catalogue
This is the whole working AI standards landscape from ISO/IEC. Not a reading list — a map. Start at the top: the first three are the foundations everything else normatively references, and almost nobody buys them, which is why so many implementations wobble.
Alongside these sit the general standards the AI series leans on and does not restate: ISO 31000 for risk, ISO/IEC 27001 for information security, ISO/IEC 25012 and 25024 for data quality measurement, the ISO 8000 series for data, ISO/IEC 17021-1 and 17000 for conformity assessment, and ISO/IEC 38505-1 and 38507 for data and AI governance. If you are already certified to 27001, you own more of this than you think.
The mechanism
This is the part nobody explains, and it is the reason any of this matters commercially. There is a formal pipeline from a room in Geneva to an obligation on a British company, and it has a name.
The joint ISO and IEC subcommittee for AI drafts the text, national bodies comment and vote, and it is published as an International Standard. Voluntary, worldwide, no legal force of its own.
A standing agreement between ISO and CEN lets European work be done at international level and adopted in parallel. It is why ISO/IEC standards appear as EN ISO/IEC with the text unchanged, rather than Europe writing a rival.
Once taken over as a European Standard, the national standards bodies of 34 countries are obliged to publish it as a national standard and withdraw anything that conflicts. That is how BS EN ISO/IEC 42001:2026 comes to exist on a BSI shelf in London.
Where the Commission has asked for harmonised standards, citation in the Official Journal confers a presumption of conformity under Article 40 of the AI Act. At that point a voluntary document has become the cheapest lawful route to market.
Two cautions, because this is where marketing gets loose. Being adopted as a European Standard is not the same as being a harmonised standard cited in the Official Journal — only the latter gives presumption of conformity, and ISO/IEC 42001 does not have it. And the obligation to adopt falls on national standards bodies, not on companies. Nobody is legally required to buy a standard. They are required to satisfy a regulator, and the standard is simply the shortest path. More on the EU AI Act ›
Where to start
The series costs thousands to buy in full and most organisations need a fraction of it. Four guides, free, on the documents that carry the most weight.
Work out your role. Are you providing an AI system, or using someone else's? Almost every obligation in both the standards and the law hangs off that answer, and organisations routinely get it wrong in both directions.
Read ISO/IEC 22989. It is the vocabulary the rest are written in, it is the shortest, and every hour spent on it saves a day of arguing about what a word meant. Then skim 42001's clauses 4 to 10 — not Annex A.
Scope an AI management system, run a real risk assessment and an impact assessment, and find out what your Statement of Applicability actually supports. That is the work. Everything else is reading.
BSI and ISO AI committees
Most people meet AI standards as finished documents. Matthew meets them as drafts. He is a member of the BSI and ISO committees producing this series, contributing through BSI's ART/1 — the UK national mirror committee for ISO/IEC JTC 1/SC 42 — and he was sub-editor of ISO/IEC 8183, the data life cycle framework several of the others are built on.
That vantage point is the difference between knowing what a clause says and knowing why it says it, what it nearly said, and which of the sixteen documents on this page actually answers the question in front of you.
Questions
Documents that set out agreed ways of building, managing and assessing AI systems, produced by consensus among national standards bodies rather than by any one company or government. They cover vocabulary, risk management, data quality, transparency, impact assessment, bias treatment and management systems.
Nearly all of the international ones come from a single body: ISO/IEC JTC 1/SC 42, the joint ISO and IEC subcommittee for artificial intelligence. That is why they agree with each other and cross-reference so heavily.
ISO/IEC 22989, the concepts and terminology standard. It is the vocabulary almost every other AI standard normatively references, which means its definitions already bind you whether or not you have read them. It is also the shortest and cheapest way to stop your governance meetings turning into arguments about what a word means.
After that it depends on your problem. Need a certificate or a procurement answer: ISO/IEC 42001. Your issue is data: ISO/IEC 8183, then the 5259 series. Selling into the EU: start with the AI Act and work backwards.
ISO/IEC 42001, and at present only ISO/IEC 42001. It is a management system standard, which means it contains auditable requirements and supports accredited third-party certification — and ISO/IEC 42006 sets out what a certification body must do to be credible.
The others are frameworks, guidance, taxonomies, measures or technical reports. If somebody offers to certify you against ISO/IEC 8183 or ISO/IEC 5259, ask precisely what they are accredited to do.
No. Standards are voluntary by definition, and nobody is legally obliged to buy or follow one. Two things make that answer less comfortable than it sounds.
First, regulators point at them: under Article 40 of the EU AI Act a harmonised standard confers a presumption of conformity, which makes it the cheapest lawful route rather than an optional extra. Second, your customers ask. Most organisations meet AI standards through a procurement questionnaire, not a statute.
They are different kinds of organisation, and the difference decides how much weight their documents carry. ISO and IEC are international bodies whose members are national standards bodies — one per country — and they produce International Standards by consensus. CEN and CENELEC are their European counterparts, and they are the route by which international standards become European ones and, sometimes, part of EU law.
BSI is the UK's national standards body and the UK's member of all of the above; its ART/1 committee is where British input to AI standards is formed. IEEE is a professional membership association, not a treaty organisation — its standards are respected and technically strong but follow a different process. NIST is a US federal agency; its AI Risk Management Framework is genuinely useful and widely used, but it is a framework rather than a standard, and no regulator will accept it as a presumption of conformity in Europe.
The joint subcommittee of ISO and IEC responsible for artificial intelligence, established in 2017. It is the source of 22989, 23053, 5338, 8183, the 5259 series, 23894, 42001, 42005, 42006, 12792 and most of the rest of the landscape.
Knowing that one fact makes the field navigable. The documents are not a random pile — they are one programme, written by overlapping groups of people, deliberately referencing each other.
An International Standard is the full article: consensus, international ballot, and it can contain requirements. A Technical Specification is published where a subject is still under technical development, or where agreement on a full standard is a future but not immediate possibility — it is for use now and for feedback, with the aim of eventually being republished as an International Standard.
A Technical Report is a different animal entirely: informative by design, and under the drafting rules it cannot contain requirements at all. It is not queued behind a standard and never was. TS means not yet; TR means never intended to be.
Through the Vienna Agreement, a standing agreement on technical cooperation between ISO and CEN that allows European standardisation work to be carried out at international level and adopted in parallel. It is why you see ISO/IEC standards republished as EN ISO/IEC with the text unchanged rather than Europe writing a competing document.
Once taken over as a European Standard, the national standards bodies of 34 countries are obliged to give it national-standard status and withdraw conflicting national standards. Where the Commission has requested harmonised standards, citation in the Official Journal then confers a presumption of conformity. Be precise about that last step: adoption as an EN is not the same as being cited as harmonised.
Yes. ISO/IEC 42001, ISO/IEC 8183 and ISO/IEC 5259-3 all state that they apply to organisations regardless of type, size or nature. There is no SME carve-out and no risk tier to sit below.
What varies is proportionality, not applicability. A ten-person company implementing 42001 does the same clauses with far less machinery. The standard expects that; auditors expect that. Small is not exempt, it is lighter.
Individually, tens to a few hundred pounds or francs each; collectively, the full series runs into thousands, and the parts are sold separately. That is a real barrier and it is worth being strategic rather than completist.
Two things soften it. National standards bodies often offer subscription access, and UK organisations can reach BSI's catalogue through membership. And the foundations are cheap relative to their leverage: 22989 is a small spend that makes every other document easier to read.
Experts nominated through their national standards bodies, serving in a personal and expert capacity rather than as company representatives. They sit in working groups, draft text, and every participating country then votes through its own mirror committee — ART/1 in the United Kingdom.
Nobody can honestly claim to have written an international standard single-handed. What people can claim is participation, and participation is what tells you how a text is meant to be read and where the committee argued.
Next
Sixteen documents will tell you what good looks like. They will not tell you which ones your organisation needs, what your Statement of Applicability can defend, what evidence an auditor accepts, or how to answer the procurement questionnaire sitting in your inbox. That is judgement, and it is what these three do.