ISO/IEC 42001 Self-Assessment

Self-assessment cross-reference of your governance to ISO/IEC 42001:2023 clauses 4, 5, 6, 8, 9, 10. NOT a certified audit; Annex A's 39 informative controls are NOT modelled.

This is a self-assessment tool, not a certified audit. It cross-references your in-process governance configuration against ISO/IEC 42001:2023 normative clauses. Consult a chartered ISO 42001 auditor before relying on this output for certification evidence.

ISO/IEC 42001:2023 is the world's first management-system standard for AI. governance-sdk cross-references clauses 4, 5, 6, 8, 9, and 10 against SDK features, letting you self-assess your governance posture programmatically.

Scope

Modelled: clauses 4–10 (normative), 13 requirements total.
NOT modelled: the 39 informative controls in Annex A — those cover operational practices (information security, supply chain risk, model documentation, transparency, human oversight) that require process-level evidence outside the SDK's visibility. For those, consult your information-security function.

6 Tracked Clauses

Clause 4 — Context of the Organisation

Understanding the organisation, needs of interested parties, and scope of the AI management system. SDK mapping: agent registration (owner, description), governance instance scope (policies + agents).

Clause 5 — Leadership

AI policy, roles, and responsibilities. SDK mapping: policy rules (named with reasons), agent owner assignment.

Clause 6 — Planning

Actions to address risks and opportunities. AI objectives. SDK mapping: 7-dimension risk scoring, governance levels (L0–L4) as progression model.

Clause 8 — Operation

Operational planning and control. Risk assessment, risk treatment, AI system impact assessment. SDK mapping: gov.enforce() with graduated outcomes (block / warn / require_approval), dry-run simulation for impact assessment, audit trail.

Clause 9 — Performance Evaluation

Monitoring, measurement, analysis, internal audit. SDK mapping: audit trail (queryable), tamper-evident audit via integrityAudit config for verifiable internal audits.

Clause 10 — Improvement

Nonconformity, corrective action, continual improvement. SDK mapping: kill switch (priority 999, unbeatable by user rules), behavioural drift tracking via behavioral-scorer.

Run a Self-Assessment

import { createGovernance } from 'governance-sdk';
import { mapToIso42001 } from 'governance-sdk/iso-42001'; // or assessIso42001 — same function

const gov = createGovernance({ rules: [...] });
const agents = await gov.storage.listAgents();

const report = await mapToIso42001({
  governance: gov,
  agents,
  auditIntegrity: true,   // Using integrityAudit?
  policiesTested: true,   // Tested via fleetDryRun() or equivalent?
});

// report:
// {
//   overallScore: 72,
//   status: "partial",
//   clauses: [...],
//   agentsAssessed: 8,
//   criticalGaps: [...],
//   recommendations: [...],
//   generatedAt: "2026-03-10T14:00:00Z",
//   standardVersion: "ISO/IEC 42001:2023",
//   scope: "Covers clauses 4, 5, 6, 8, 9, 10 … Annex A NOT modelled …"
// }

The report's scope field restates the coverage caveat in every emitted JSON so downstream consumers see it alongside the numbers.