Why "guardrails" alone aren't a system yet
"We've built in guardrails" has become a standard line in almost every conversation about AI projects – usually meaning individual technical tricks: a prompt filter here, an output check there. The problem isn't that these measures are wrong. The problem is that, without an overarching structure, they're hard to communicate, hard to audit, and hard to demonstrate in a customer or investor conversation. That's exactly the gap two frameworks fill, both published almost simultaneously in 2023: the NIST AI Risk Management Framework (US, government agency) and ISO/IEC 42001 (international, certification standard). Both are usually framed as a preliminary step toward EU AI Act obligations. As the research shows, that's only half the truth – and not the more urgent half.
The two frameworks, briefly
The NIST AI RMF (version 1.0, January 2023) is a free, voluntary guide from the US standards agency NIST, built around four functions: Govern (organisation, accountability, approval processes), Map (understanding the context and possible harms of a specific AI system), Measure (making risks measurable via metrics and testing) and Manage (allocating resources to address measured risks, prioritised). It isn't certifiable – you don't "pass" the NIST AI RMF, you apply it. In July 2024, NIST AI 600-1 added a dedicated profile for generative AI, sharpening the four functions around topics like hallucination, misuse and training data.
ISO/IEC 42001 (December 2023), by contrast, is a genuine certification standard – the first international standard for an "AI Management System" (AIMS). It follows the same "High-Level Structure" underlying ISO 27001 (information security) and ISO 9001 (quality management). That's more than a formal footnote: it means an AIMS can plug into an existing management system rather than needing to be built entirely from scratch – more on that below.
The myth that won't die: ISO 42001 as legal protection
In a lot of advisory content, it sounds as though an ISO 42001 certification would automatically satisfy EU AI Act obligations. As things stand today, that isn't correct. Article 40 of the EU AI Act provides for a "presumption of conformity": companies working to a recognised standard may treat certain obligations as fulfilled. The catch sits in the word "recognised": legally, only a standard that has gone through the full European harmonisation process and made it into the EU Official Journal counts. For AI standards, that hasn't happened for a single framework yet – ISO 42001 doesn't have that status either. A bridging standard purpose-built for this (EN 18286) is still in draft.
That doesn't mean ISO 42001 is useless. It means the most commonly cited reason for pursuing it – "so we're covered under the AI Act" – simply doesn't hold up right now. The real value sits elsewhere, as the next section shows.
Who's actually getting certified – and what that reveals
Publicly traceable figures from certification bodies and press releases suggest that, by April 2026, roughly 350 organisations worldwide hold an ISO 42001 certificate – rising sharply, but from a very small base. What's notable isn't the number itself so much as the pattern behind it: among the earliest certified are almost exclusively companies that sell AI products TO other companies – Automation Anywhere, Talkdesk, Miro, Perforce, KnowBe4, Microsoft. These are vendors who need to give their own customers a credible trust signal, not mid-market companies using AI for internal processes.
That's an important distinction for your own prioritisation: a full certificate pays off first for companies whose business model directly depends on customers trusting them with an AI system. For most other companies, certification is currently the wrong first investment – not because the underlying practice doesn't matter, but because the certificate itself (audit, ongoing cost, maintenance) arrives too early relative to the benefit.
The real finding: the gatekeeper is procurement, not the legislator
Here's the finding missing from most articles on this topic, because it joins two normally separate research threads: market data on AI purchasing, and the evolution of vendor questionnaires. Per Menlo Ventures' "State of Generative AI in the Enterprise 2025" report, enterprises already bought 76% of their AI use cases ready-made in 2025 rather than building them in-house – up from 53% the year before. AI is increasingly being purchased, not built.
That's exactly what's changing how procurement teams operate. Regulated enterprises now explicitly distinguish, in their vendor questionnaires, between two answers: "we have an AI policy" (weak) and "we operate an AI management system" (what NIST AI RMF and ISO 42001 formalise). That distinction isn't accidental – it now follows a de-facto market standard: the CSA AI Controls Matrix (AICM), published in July 2025 by the Cloud Security Alliance. It covers 243 control objectives across 18 domains and is explicitly pre-mapped to ISO 42001, NIST AI 600-1 and Germany's BSI AIC4 catalogue. Any AI vendor, or any company with its own AI features, trying to get into a larger tender is increasingly handed exactly this structure as a questionnaire – regardless of whether any law requires it.
The consequence is uncomfortable but clear: the commercial requirement arrives faster than the legal one. A mid-market company building or offering AI-powered software for larger customers is more likely to be asked about this structure through a procurement questionnaire than to be audited by a regulator. Anyone waiting for the EU AI Act to recognise a harmonised standard may find that the real bouncer at the door was someone else entirely.
The gap nobody inside the company closes
A second, often-overlooked finding from procurement research fits neatly here: per a 2026 procurement-industry study (ProcureAbility), 96% of procurement and IT teams collaborate to some degree in general – but for 54%, that collaboration specifically breaks down on AI governance. That's not a technology problem, it's an ownership problem: AI tools depend on data infrastructure and security protocols that IT owns, while procurement runs the vendor relationship – and without explicit ownership, AI governance falls between the two. For a company that itself supplies AI applications to other businesses, the flip side is this: whoever clarifies internally, early, who answers these questionnaires and who maintains the underlying practice has a real edge in the sales process over competitors where that question stays unresolved.
From framework to real guardrails – an original translation table
The four NIST functions are deliberately kept abstract so they fit any kind of AI system. That makes them valuable as a communication framework, but useless as a build guide. For a concrete project – say, a custom AI-powered application – each function can be translated into a category of technical and organisational guardrails. This mapping isn't a quote from either standard; it's our own translation, derived from practical implementation:
- Govern → organisational guardrails: who's allowed to approve a new AI feature or a model swap? Who's accountable if something goes wrong, with a clear escalation path? Which categories of data are even allowed to reach an AI model? This is exactly the layer a procurement questionnaire asks about first.
- Map → context guardrails: for every individual AI feature, explicitly document which user group is affected, what data flows in and out, what the worst-case harm could be (prompt injection, false answers, data leakage) – and where the line sits between automated action and human review.
- Measure → technical guardrails: concrete, measurable controls – schema validation of every AI output before it's processed further, a test suite covering known attack patterns, complete logging of every request and response for traceability, ongoing monitoring of error rate and drift over time.
- Manage → response guardrails: the ability to quickly restore prior behaviour (rollback), a defined escalation path when misbehaviour is discovered, a fixed review cadence instead of a one-off setup, and a kill switch for critical automated processes.
These four lines don't replace full governance documentation. But they provide exactly what's missing from most client conversations: a shared, structured language for talking about guardrails – instead of a loose list of individual technical measures with no visible connection between them.
If you already have ISO 27001, the jump is smaller than you'd think
Because ISO 42001 uses the same High-Level Structure as ISO 27001 (information security) and ISO 9001 (quality), building an AI management system is considerably smaller work for companies that already operate one of those systems than for a company starting from zero. Roles, documentation logic, internal audits, management reviews – the mechanics already exist and only need extending with AI-specific risks, not reinventing from scratch. For companies handling sensitive customer data (finance, healthcare, where ISO 27001 is already common), that's a good reason to consider the full jump to ISO 42001 certification earlier than a company with no management-system experience at all.
What this means for your company
Taken together, this points to a clear order of operations that differs from the usual advice:
- Don't certify first: with roughly 350 certificates worldwide, almost entirely at AI product vendors, ISO 42001 is currently the wrong first investment for most mid-market companies – and no legal shield against the EU AI Act as long as no harmonised standard has been recognised.
- Practice before paperwork: the Govern/Map/Measure/Manage structure (and the guardrail categories derived from it above) can be implemented within an ongoing project without waiting for an audit – and it's exactly what a procurement questionnaire wants to see.
- Clarify internal ownership before the first questionnaire arrives: given the documented gap between procurement and IT on AI governance, early, clear ownership is a standalone competitive advantage in sales.
- Check ISO 27001 as a lever: if you already operate an information security management system, you should consider ISO 42001 certification considerably earlier than a company without that groundwork – the marginal effort is manageable.
Building exactly this guardrail structure into a custom application from the start – rather than bolting it on once the first procurement questionnaire arrives – is both cheaper and more honest toward customers than a compliance document assembled after the fact.