Most consultants have one of those. I have both.

Having both shows me what others overlook:
ISO 42001 certification is not the same as EU AI Act compliance.

They overlap here:
→ Risk management frameworks
→ Documentation requirements
→ Principles of human oversight
→ Transparency obligations

This is where companies fall into the trap:

1. High-risk classification
ISO 42001 does not classify your AI systems.
The EU AI Act already has.
Anyone who overlooks this is building governance for the wrong risk level.

2. Conformity assessment
ISO 42001 is a voluntary standard: you choose to be certified, and you choose the certification body that audits you.
The EU AI Act is binding law: high-risk systems must pass a conformity assessment, and for several categories (such as products covered by EU product safety legislation) that assessment has to be carried out by a notified body, not by an auditor of your choosing.
Other auditors. Other standards. Other consequences.

3. Prohibited practices
ISO 42001 does not contain a list of prohibited practices.
The EU AI Act does (Article 5).
Social scoring. Emotion recognition in the workplace. Real-time remote biometric identification in public spaces, with only narrow exceptions.
A management system can be fully certified and still operate a system that is outright illegal.

4. Sanctions
ISO 42001 non-conformity? You lose a certificate.
EU AI Act infringement? For prohibited practices, fines of up to 35 million euros or 7 % of global annual turnover, whichever is higher.

The inconvenient truth:
ISO 42001 is a foundation, not a destination.

25+ years in audit and audit-related services have taught me:
Compliance frameworks do not automatically complement each other.
Each gap must be checked separately.

This also applies here.

Your ISO certificate proves that you have a management system.
It doesn't prove that you are compliant with the law.

Certified ≠ compliant. Note the difference.

Author: Achim Korten, February 2026