ISO 42001: Do You Need It If You Only Use AI APIs?
Do you need ISO 42001 if you only use AI APIs? Learn the key differences between AI developers and AI consumers for compliance.
TL;DR
| Key Point | Summary |
|---|---|
| What is ISO 42001 | International standard for AI Management Systems (AIMS), published December 2023 |
| AI Developers | Companies that train models, curate datasets, design AI architectures. Full ISO 42001 scope applies |
| AI Consumers | Companies that only use AI via APIs (e.g. OpenAI, Anthropic, Google). Reduced control scope via Statement of Applicability |
| Key distinction | The standard applies to all roles; control applicability varies based on risk assessment |
| Our recommendation | All AI users should understand ISO 42001; prioritize ISO 27001 first, then assess your AI-specific control needs |
If your company only uses AI through third-party APIs without training models or curating datasets, the set of ISO 42001 controls you must implement may be significantly smaller. The standard applies to organizations that "provide or use" AI systems, so you are in scope, but consumers can exclude many Annex A controls via the Statement of Applicability, provided each exclusion is justified by a documented risk assessment. Understanding the framework helps you make informed decisions about your compliance roadmap.
What is ISO 42001?
ISO/IEC 42001:2023 is the first international standard specifically designed for AI Management Systems (AIMS). Published in December 2023, it provides a framework for organizations to establish, implement, maintain, and continuously improve how they manage AI systems.
The standard covers:
- AI governance and policies - Establishing organizational frameworks for responsible AI
- Risk assessment - Identifying and treating AI-specific risks
- AI system lifecycle - Managing AI from conception to decommissioning
- Data quality management - Ensuring training and operational data integrity
- Third-party relationships - Managing AI providers, partners, and customers
- Transparency and explainability - Documenting AI system behavior
Key Roles Defined in ISO 42001
The standard lists different roles in the AI ecosystem (Clause 4.1, Note 1). Note that organizations can hold multiple roles simultaneously, and this list is non-exhaustive:
| Role | Definition (per ISO 42001) | Examples |
|---|---|---|
| AI Provider | AI platform providers, AI product or service providers | OpenAI, Anthropic, Mistral, Google |
| AI Producer | AI developers, designers, operators, testers, evaluators, deployers, governance professionals | Your ML engineers, data scientists, AI ops teams |
| AI Customer | Organizations that use AI products/services (including AI users) | Companies using ChatGPT API, Claude API |
| AI Partner | AI system integrators and data providers | Data labeling services, MLOps platforms |
| AI Subject | Data subjects and other individuals affected by AI systems | End users, individuals whose data trains models |
| Relevant Authorities | Policymakers and regulators | Data protection authorities, sector regulators |
For detailed role definitions, the standard references ISO/IEC 22989. Understanding your organization's roles is critical for determining control applicability.
AI Developers vs. AI Consumers: A Critical Distinction
Who is an AI Developer?
An AI Developer is an organization that:
- Trains machine learning models from scratch or fine-tunes existing models
- Curates and processes training datasets for AI systems
- Designs AI architectures and algorithms
- Deploys AI models as products or services to customers
- Has direct control over model behavior and outputs
Examples:
- A company building a proprietary recommendation engine
- A startup training a custom LLM for legal document analysis
- A healthcare company developing diagnostic AI from medical imaging data
- A fintech building fraud detection models on transaction data
For these organizations, ISO 42001 is highly relevant. The standard's controls around data quality, model testing, bias detection, and system lifecycle management directly apply.
Who is an AI Consumer?
An AI Consumer is an organization that:
- Uses AI through APIs from third-party providers
- Does not train models and only sends prompts/data and receives outputs
- Has no control over the underlying AI system's architecture or training
- Integrates AI capabilities into products without developing the AI itself
Examples:
- A SaaS company using OpenAI's GPT-4 API for customer support automation
- A marketing agency using Claude for content generation
- A developer tool using Mistral for code completion features
- An e-commerce platform using AI APIs for product recommendations
For these organizations, ISO 42001 certification may have significantly reduced control requirements. While the AI provider bears primary responsibility for model development and training, consumers still have obligations around vendor management, output monitoring, and impact assessment. They can exclude inapplicable controls via the Statement of Applicability.
Does ISO 42001 Apply to AI Consumers?
The Short Answer: It Applies, But With Reduced Scope
ISO 42001 explicitly applies to organizations that "provide or use products or services that utilize AI systems" (Clause 1, Scope). This means AI consumers are in scope of the management system requirements (Clauses 4 to 10), but the number of Annex A controls that actually apply is often reduced.
Here's why AI consumers typically have fewer controls to implement:
1. Limited Control = Reduced Control Applicability
When you use an API, you don't control:
- How the model was trained
- What data was used
- The model's internal architecture
- Bias mitigation strategies applied
- The model's update and versioning
You can exclude many ISO 42001 controls via the Statement of Applicability for things outside your control. However, you do still have responsibilities for areas you control, such as how you use the AI outputs, what data you send to the API, and how you assess the impact on your users.
2. Provider Responsibility
Major AI providers (OpenAI, Anthropic, Google, Mistral) are implementing their own AI governance frameworks, and some are pursuing or have achieved ISO 42001 certification. However, a provider's certification does not exempt you from your own obligations. Annex A.10.3 (Suppliers) requires you to have a process that ensures your use of supplier-provided services aligns with your own approach to the responsible development and use of AI, so you still need to assess the provider, not just collect its certificate.
3. Statement of Applicability
ISO 42001 uses a Statement of Applicability (SoA) concept (similar to ISO 27001). The SoA requires justification for both inclusion and exclusion of controls. If you're only consuming AI, you can legitimately exclude many controls, but this requires documented risk-based justification, not simply checking "N/A."
Key controls that typically apply to both developers AND consumers (Annex A references are to ISO/IEC 42001:2023):
| Control Area | Annex A Reference | Applies to Consumers? |
|---|---|---|
| AI system impact assessment | A.5 | Yes: the scope covers organizations that use AI, not only those that build it |
| Quality of data for AI systems | A.7.4 | Partial: the data you send in prompts and any retrieval corpus you maintain |
| Suppliers (third-party AI providers) | A.10.3 | Yes: a process to ensure supplier services align with your responsible-AI approach |
| Intended use of the AI system | A.9.4 | Yes: document the intended use and check the system is actually used that way |
| System documentation and information for users | A.8.2 | Yes: tell users what the system does and where its limitations lie |
| AI system operation and monitoring | A.6.2.6 | Yes: monitor outputs and performance in production |
| AI system design documentation, verification and validation | A.6.2.3, A.6.2.4 | Largely no: excludable via the SoA when you neither develop nor fine-tune the model |
| Data for development; acquisition of data | A.7.2, A.7.3 | No for the provider's training data: excludable via the SoA unless you fine-tune or curate datasets yourself |
What AI Consumers Should Focus On Instead
If you're consuming AI, prioritize:
- Vendor due diligence - Verify your AI provider's security and compliance posture (certificates, audit reports, security documentation) and keep the evidence on file
- Data handling - Ensure you're not sending sensitive data inappropriately, and confirm the provider's API data-use and retention terms (whether your inputs are used for training, how long they are retained, and where they are processed)
- Output validation - Monitor AI outputs for accuracy and appropriateness, and keep a human in the loop for decisions that affect individuals
- User transparency - Disclose AI use to end users where appropriate
- ISO 27001 - Strengthen your information security foundation first
When AI Consumers MIGHT Need ISO 42001
There are edge cases where AI consumers should consider ISO 42001:
1. High-Risk Applications
If you use AI for decisions significantly impacting individuals:
- Credit scoring or lending decisions
- Employment screening
- Healthcare recommendations
- Legal or judicial support
Even as a consumer, you may need to demonstrate AI governance.
2. Regulatory Requirements
Certain industries or jurisdictions may mandate AI management systems regardless of whether you develop or consume AI:
- EU AI Act: Notably, the EU AI Act imposes obligations on deployers (users) of AI systems, not just providers. This reinforces that "consumers" have real compliance responsibilities
- Sector-specific regulations (healthcare, finance)
3. Enterprise Customer Demands
Some large customers may require ISO 42001 as part of vendor assessments, even if your AI use is limited.
4. Significant Customization
If you fine-tune models, use RAG (Retrieval-Augmented Generation) with proprietary data, or significantly customize AI behavior, you're moving toward the "developer" end of the spectrum. In particular, a retrieval corpus or fine-tuning dataset you curate yourself brings the Annex A.7 data controls (quality, provenance, preparation) back into your scope, because that data is now under your control.
What Bastion Does for AI Compliance
At Bastion, we specialize in helping companies achieve compliance certifications. Whether you develop AI systems or consume them, we can help you determine the right compliance approach:
Our AI Compliance Approach
1. AI Risk Assessment
- Identify AI-specific risks in your development pipeline
- Map data flows from collection to model deployment
- Assess bias and fairness risks in your models
- Evaluate third-party AI components and dependencies
2. AIMS Implementation
- Develop AI policies aligned with ISO 42001 requirements
- Establish data quality management procedures
- Create model lifecycle documentation
- Implement AI incident response processes
3. Control Mapping
- Map existing ISO 27001 controls to ISO 42001 requirements
- Identify gaps specific to AI management
- Prioritize implementation based on risk
4. Audit Preparation
- Internal audit of your AI management system
- Evidence collection and documentation review
- Mock audits with experienced assessors
- Remediation support for identified gaps
5. Ongoing Compliance
- Surveillance audit preparation
- Continuous monitoring setup
- Policy updates as the AI landscape evolves
For AI Consumers
If you primarily consume AI through APIs, we help you:
- Assess whether ISO 42001 certification makes sense for your use case
- Document your Statement of Applicability with proper justifications
- Conduct AI impact assessments for your specific applications
- Establish vendor management processes for AI providers
- Prepare for EU AI Act deployer obligations
Integration with ISO 27001
For companies with existing ISO 27001 certification, ISO 42001 can be integrated as an extension. Both standards follow the ISO harmonized structure (Clauses 4 to 10: context, leadership, planning, support, operation, performance evaluation, improvement), so policies, risk management, internal audit, and management review can be shared, making combined certification efficient.
Our Recommendation
If You Only Consume AI (APIs from OpenAI, Anthropic, Mistral AI, etc.):
- Understand that ISO 42001 technically applies to you, but with reduced control scope
- Prioritize ISO 27001 to strengthen your overall security posture first
- Document your AI use by maintaining records of what AI services you use and how
- Conduct impact assessments, because even as a consumer, you need to assess how AI affects your users
- Verify provider compliance by requesting SOC 2 reports, ISO 27001 or ISO 42001 certificates, and security documentation from AI providers
- Monitor regulatory developments since the EU AI Act imposes obligations on deployers, not just developers
If You Develop AI Systems:
- Start planning for ISO 42001 because the market will increasingly demand it
- Begin with a gap assessment to understand where you stand today
- Integrate with existing certifications to leverage ISO 27001 overlap
- Contact Bastion and we'll help you navigate the certification process efficiently
Conclusion
ISO 42001 applies to any organization that provides or uses AI systems, but the scope of applicable controls varies significantly based on your role. The key question isn't "do you develop or consume AI?" but rather "what controls apply to your specific use case?"
If you're building models, training on data, and deploying AI systems, the full scope of ISO 42001 applies. If you're using AI through third-party APIs without significant customization, many controls can be excluded via your Statement of Applicability, but you'll still need to address impact assessment, vendor management, and output monitoring.
Not sure where your organization falls on the spectrum? Contact Bastion for a free assessment. We'll help you determine the right compliance path for your specific AI use case.
Ready to start your compliance journey? Get started with Bastion today.