A plain-English guide to AI standards

It looks like alphabet soup.
It's mostly one committee.

ISO/IEC JTC 1/SC 42 wrote nearly all of it. Once you know that, the landscape stops being a maze.

8183, 5259, 42001, 23894, 42005, 42006, 22989, 12792 — they look like a random pile of numbers, and organisations spend real money on consultants to be told which ones matter. They came out of one subcommittee. They reference each other on purpose. There is an order to read them in, and it takes about a minute to learn.

SC 42The subcommittee behind
nearly every AI standard
1Of them is certifiable.
The rest are not
22989The one to read first,
and almost nobody does
ViennaThe agreement that turns
ISO standards into EU law

Why bother

Standards are boring on purpose. That is the point.

Nobody wakes up wanting to read a standard. They are dry, expensive and slow to arrive. Here is why they matter anyway, and why your buyers are about to make them your problem whether you find them interesting or not.

They turn a principle into a thing you can do

“AI should be fair” is not actionable. Nobody can audit it, cost it, or tell you when you are finished. A standard is what happens when several hundred people argue for four years about what that sentence means in practice — and then write down something you can actually be assessed against.

Every ethics charter you have read is a wish. A standard is a specification.

They are how regulation becomes doable

Regulators write requirements. They do not write technical detail, because they cannot keep up and they know it. So they point at standards instead. Under Article 40 of the EU AI Act, a harmonised standard confers a presumption of conformity — follow it and you are treated as compliant.

That is not a footnote. It is the mechanism by which a committee document becomes the cheapest route through a law.

They are consensus, not opinion

This is what separates a standard from a vendor whitepaper or a think-tank framework. Every participating country votes through its national body. Objections must be resolved, not outvoted. It is why they take years, and it is exactly why a regulator will accept one and will not accept your internal policy.

They are the shared vocabulary

An astonishing share of AI governance disputes are definitional. What is an AI system? What counts as training data? Is that a provider or a deployer? ISO/IEC 22989 exists because those arguments were eating entire meetings.

Agreeing on words before agreeing on rules is unglamorous and saves months.

They are already in your procurement pack

The practical reason most organisations meet AI standards is not regulation. It is a questionnaire. A customer, an insurer or a public body asks whether you are certified to ISO/IEC 42001, and the honest answer decides whether you are on the shortlist.

By the time you are answering that question, it is too late to start.

They travel

An international standard means the same thing in Berlin, Toronto and Singapore. Your internal framework does not. If you sell across borders, a standard is the only governance artefact that does not need re-explaining in every jurisdiction you enter.

Who writes them

Not all standards bodies are the same kind of thing.

This is the distinction newcomers miss, and it matters, because it decides how much weight a document carries and whether a regulator will look at it. Six organisations you will meet, and what each one actually is.

A treaty-backed international standard, a professional body's standard and a government framework are three different animals. Only one of them a regulator can point at in law.

ISO

International Organization for Standardization

The catalogue

Everything that exists, and the order to read it in.

This is the whole working AI standards landscape from ISO/IEC. Not a reading list — a map. Start at the top: the first three are the foundations everything else normatively references, and almost nobody buys them, which is why so many implementations wobble.

StandardWhat it doesKind
ISO/IEC 22989 Artificial intelligence concepts and terminology The vocabulary. Read this first. Almost every other standard on this list normatively references it, which means you are already bound by its definitions whether or not you have read them. Foundation
ISO/IEC 23053 Framework for AI systems using machine learning The reference architecture. What the components of an ML system are and what they are called. Foundation
ISO/IEC 5338 AI system life cycle processes The system life cycle, as distinct from the data life cycle. The two are constantly confused. Foundation
ISO/IEC 42001 AI management system The certifiable one, and the only one on this list you can hold a certificate for. 38 Annex A controls selected through a Statement of Applicability. Full guide › Certifiable
ISO/IEC 42006 Requirements for bodies auditing and certifying AI management systems Additional requirements to ISO/IEC 17021-1. It governs your certifier, not you — which is exactly why you should read it before choosing one. Certification
ISO/IEC 42005 AI system impact assessment How to assess consequences for individuals, groups and societies. Clause 6.1.4 of 42001 requires the process; this is how you run it. Method
ISO/IEC 23894 Guidance on AI risk management The method behind 42001's risk requirement. Adapts ISO 31000 to AI-specific risk. Method
ISO/IEC 8183 Data life cycle framework Ten stages from idea conception to system decommissioning, with a data-processing boundary most teams cross without noticing. The 5259 series takes its life cycle from this document. Full guide › Framework
ISO/IEC 5259 Data quality for analytics and machine learning — six parts Overview, measures, requirements, process, governance and a Technical Report on visualisation. Only Part 3 carries requirements. Full guide › Series
ISO/IEC 12792 Transparency taxonomy of AI systems What information different stakeholders need about an AI system, and what each element means. Written jointly with the European committee under the Vienna Agreement. Taxonomy
ISO/IEC TS 6254 Explainability and interpretability of ML models and AI systems A Technical Specification — normative, but published while the subject is still developing, with the aim of becoming a full standard. Spec (TS)
ISO/IEC TS 12791 Treatment of unwanted bias in classification and regression ML tasks The document to reach for when somebody says "we should check for bias" and nobody knows what that means operationally. Spec (TS)
ISO/IEC TS 4213 Assessment of machine learning classification performance How to measure whether the thing actually works, in a way somebody else can reproduce. Spec (TS)
ISO/IEC TR 24028 Overview of trustworthiness in artificial intelligence A Technical Report — informative only, and it cannot contain requirements. Useful orientation; nothing to comply with. Report (TR)
ISO/IEC TR 24368 Overview of ethical and societal concerns Informative. The document to hand a board that wants to understand the debate rather than the obligations. Report (TR)
ISO/IEC TR 20226 Environmental sustainability aspects of AI systems Informative. The energy and carbon question, which Annex A of 42001 also reaches. Report (TR)
ISO/IEC 27090 Addressing security threats to AI systems Adversarial attacks, poisoning, model theft. At the time of writing it is still a Draft International Standard at enquiry stage — which means it is not yet a standard and cannot be cited as one. In progress

Alongside these sit the general standards the AI series leans on and does not restate: ISO 31000 for risk, ISO/IEC 27001 for information security, ISO/IEC 25012 and 25024 for data quality measurement, the ISO 8000 series for data, ISO/IEC 17021-1 and 17000 for conformity assessment, and ISO/IEC 38505-1 and 38507 for data and AI governance. If you are already certified to 27001, you own more of this than you think.

The mechanism

How a committee document becomes European law.

This is the part nobody explains, and it is the reason any of this matters commercially. There is a formal pipeline from a room in Geneva to an obligation on a British company, and it has a name.

“This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 42, Artificial intelligence, in collaboration with the European Committee for Standardization (CEN) Technical Committee CEN/CLC/JTC 21, Artificial Intelligence, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna Agreement).” Foreword, ISO/IEC 12792:2025 — Transparency taxonomy of AI systems
1. SC 42 writes it

The joint ISO and IEC subcommittee for AI drafts the text, national bodies comment and vote, and it is published as an International Standard. Voluntary, worldwide, no legal force of its own.

2. The Vienna Agreement carries it

A standing agreement between ISO and CEN lets European work be done at international level and adopted in parallel. It is why ISO/IEC standards appear as EN ISO/IEC with the text unchanged, rather than Europe writing a rival.

3. CEN-CENELEC adopts it as an EN

Once taken over as a European Standard, the national standards bodies of 34 countries are obliged to publish it as a national standard and withdraw anything that conflicts. That is how BS EN ISO/IEC 42001:2026 comes to exist on a BSI shelf in London.

4. The regulator points at it

Where the Commission has asked for harmonised standards, citation in the Official Journal confers a presumption of conformity under Article 40 of the AI Act. At that point a voluntary document has become the cheapest lawful route to market.

Two cautions, because this is where marketing gets loose. Being adopted as a European Standard is not the same as being a harmonised standard cited in the Official Journal — only the latter gives presumption of conformity, and ISO/IEC 42001 does not have it. And the obligation to adopt falls on national standards bodies, not on companies. Nobody is legally required to buy a standard. They are required to satisfy a regulator, and the standard is simply the shortest path. More on the EU AI Act ›

Where to start

You do not need all of them.

The series costs thousands to buy in full and most organisations need a fraction of it. Four guides, free, on the documents that carry the most weight.

If you have five minutes

Work out your role. Are you providing an AI system, or using someone else's? Almost every obligation in both the standards and the law hangs off that answer, and organisations routinely get it wrong in both directions.

If you have an afternoon

Read ISO/IEC 22989. It is the vocabulary the rest are written in, it is the shortest, and every hour spent on it saves a day of arguing about what a word meant. Then skim 42001's clauses 4 to 10 — not Annex A.

If you have a quarter

Scope an AI management system, run a real risk assessment and an impact assessment, and find out what your Statement of Applicability actually supports. That is the work. Everything else is reading.

Matthew Blakemore, AI standards practitioner and member of the BSI and ISO artificial intelligence committees, speaking on stage at an AI summit

BSI and ISO AI committees

Matthew Blakemore

Most people meet AI standards as finished documents. Matthew meets them as drafts. He is a member of the BSI and ISO committees producing this series, contributing through BSI's ART/1 — the UK national mirror committee for ISO/IEC JTC 1/SC 42 — and he was sub-editor of ISO/IEC 8183, the data life cycle framework several of the others are built on.

That vantage point is the difference between knowing what a clause says and knowing why it says it, what it nearly said, and which of the sixteen documents on this page actually answers the question in front of you.

  • StandardSub-editor, ISO/IEC 8183 — Data life cycle framework
  • CommitteesMember, BSI and ISO artificial intelligence committees, including BSI ART/1
  • AdvisoryInnovate UK BridgeAI programme
  • CompanyChief Executive, AI Caramba!
  • FrameworkOriginator of the Snakes and Ladders AI Framework™
  • BookSnakes and Ladders: A Leader's Playbook for AI Strategy, Governance and Risk (forthcoming)

Questions

AI standards, answered.

What are AI standards?

Documents that set out agreed ways of building, managing and assessing AI systems, produced by consensus among national standards bodies rather than by any one company or government. They cover vocabulary, risk management, data quality, transparency, impact assessment, bias treatment and management systems.

Nearly all of the international ones come from a single body: ISO/IEC JTC 1/SC 42, the joint ISO and IEC subcommittee for artificial intelligence. That is why they agree with each other and cross-reference so heavily.

Which AI standard should I start with?

ISO/IEC 22989, the concepts and terminology standard. It is the vocabulary almost every other AI standard normatively references, which means its definitions already bind you whether or not you have read them. It is also the shortest and cheapest way to stop your governance meetings turning into arguments about what a word means.

After that it depends on your problem. Need a certificate or a procurement answer: ISO/IEC 42001. Your issue is data: ISO/IEC 8183, then the 5259 series. Selling into the EU: start with the AI Act and work backwards.

Which AI standard can you actually be certified against?

ISO/IEC 42001, and at present only ISO/IEC 42001. It is a management system standard, which means it contains auditable requirements and supports accredited third-party certification — and ISO/IEC 42006 sets out what a certification body must do to be credible.

The others are frameworks, guidance, taxonomies, measures or technical reports. If somebody offers to certify you against ISO/IEC 8183 or ISO/IEC 5259, ask precisely what they are accredited to do.

Are AI standards mandatory?

No. Standards are voluntary by definition, and nobody is legally obliged to buy or follow one. Two things make that answer less comfortable than it sounds.

First, regulators point at them: under Article 40 of the EU AI Act a harmonised standard confers a presumption of conformity, which makes it the cheapest lawful route rather than an optional extra. Second, your customers ask. Most organisations meet AI standards through a procurement questionnaire, not a statute.

What is the difference between ISO, IEC, CEN, BSI, IEEE and NIST?

They are different kinds of organisation, and the difference decides how much weight their documents carry. ISO and IEC are international bodies whose members are national standards bodies — one per country — and they produce International Standards by consensus. CEN and CENELEC are their European counterparts, and they are the route by which international standards become European ones and, sometimes, part of EU law.

BSI is the UK's national standards body and the UK's member of all of the above; its ART/1 committee is where British input to AI standards is formed. IEEE is a professional membership association, not a treaty organisation — its standards are respected and technically strong but follow a different process. NIST is a US federal agency; its AI Risk Management Framework is genuinely useful and widely used, but it is a framework rather than a standard, and no regulator will accept it as a presumption of conformity in Europe.

What is ISO/IEC JTC 1/SC 42?

The joint subcommittee of ISO and IEC responsible for artificial intelligence, established in 2017. It is the source of 22989, 23053, 5338, 8183, the 5259 series, 23894, 42001, 42005, 42006, 12792 and most of the rest of the landscape.

Knowing that one fact makes the field navigable. The documents are not a random pile — they are one programme, written by overlapping groups of people, deliberately referencing each other.

What is the difference between a standard, a TS and a TR?

An International Standard is the full article: consensus, international ballot, and it can contain requirements. A Technical Specification is published where a subject is still under technical development, or where agreement on a full standard is a future but not immediate possibility — it is for use now and for feedback, with the aim of eventually being republished as an International Standard.

A Technical Report is a different animal entirely: informative by design, and under the drafting rules it cannot contain requirements at all. It is not queued behind a standard and never was. TS means not yet; TR means never intended to be.

How do international standards become European law?

Through the Vienna Agreement, a standing agreement on technical cooperation between ISO and CEN that allows European standardisation work to be carried out at international level and adopted in parallel. It is why you see ISO/IEC standards republished as EN ISO/IEC with the text unchanged rather than Europe writing a competing document.

Once taken over as a European Standard, the national standards bodies of 34 countries are obliged to give it national-standard status and withdraw conflicting national standards. Where the Commission has requested harmonised standards, citation in the Official Journal then confers a presumption of conformity. Be precise about that last step: adoption as an EN is not the same as being cited as harmonised.

Do AI standards apply to small organisations?

Yes. ISO/IEC 42001, ISO/IEC 8183 and ISO/IEC 5259-3 all state that they apply to organisations regardless of type, size or nature. There is no SME carve-out and no risk tier to sit below.

What varies is proportionality, not applicability. A ten-person company implementing 42001 does the same clauses with far less machinery. The standard expects that; auditors expect that. Small is not exempt, it is lighter.

How much do AI standards cost?

Individually, tens to a few hundred pounds or francs each; collectively, the full series runs into thousands, and the parts are sold separately. That is a real barrier and it is worth being strategic rather than completist.

Two things soften it. National standards bodies often offer subscription access, and UK organisations can reach BSI's catalogue through membership. And the foundations are cheap relative to their leverage: 22989 is a small spend that makes every other document easier to read.

Who writes AI standards?

Experts nominated through their national standards bodies, serving in a personal and expert capacity rather than as company representatives. They sit in working groups, draft text, and every participating country then votes through its own mirror committee — ART/1 in the United Kingdom.

Nobody can honestly claim to have written an international standard single-handed. What people can claim is participation, and participation is what tells you how a text is meant to be read and where the committee argued.

Next

Reading the standards is the cheap part.

Sixteen documents will tell you what good looks like. They will not tell you which ones your organisation needs, what your Statement of Applicability can defend, what evidence an auditor accepts, or how to answer the procurement questionnaire sitting in your inbox. That is judgement, and it is what these three do.