SpeekiExperts

Insight · April 15, 2026

What actually happens on the way to ISO 42001 certification

The certification roadmap in practice: gap analysis, what auditors actually assess, and the nonconformities that trip most organisations up.

ISO 42001 AI governanceCertification

Most conversations about ISO 42001 start with why AI governance matters and skip the part people actually need: what the certification process looks like once you commit to it. It starts with a gap analysis against the standard's requirements, not a generic AI ethics checklist, mapping what you already have (policies, risk registers, accountability structures) against what the management system actually requires.

Auditors aren't there to grade your AI models. They're assessing whether your management system does what it says: is there a defined AI policy with real ownership, is risk assessment actually happening and being acted on, is there evidence of management review, and can you show a functioning corrective-action loop when something doesn't conform. The standard rewards organisations that can produce evidence over ones that can produce good intentions.

The most common nonconformities aren't dramatic. They're gaps between policy and practice: an AI risk register that exists but hasn't been updated since it was created, a management review that happened but wasn't documented, an accountability structure on paper that nobody in the business can actually describe. None of that is hard to fix once it's flagged, which is exactly why an honest gap analysis before the audit matters more than the audit itself.

Adapted from the full Speeki whitepaper

Written by Scott Lane, Founder & Chief Executive Officer, Speeki

Contact for media →

Cite this page

Lane, S. (2026). What actually happens on the way to ISO 42001 certification. Speeki Experts. Retrieved July 14, 2026, from https://experts.speeki.com/scott-lane/insights/iso-42001-certification-roadmap