ISO 42001 vs SOC 2 vs ISO 27001 — AI Vendor Compliance Comparison (2026)
If your AI vendor only has SOC 2, you have a gap.
SOC 2 tells you that the vendor's security controls are working. It says nothing about how the vendor governs its AI systems, manages AI-specific risks, ensures its models are used responsibly, or maintains the documentation required by the EU AI Act. For the previous generation of SaaS — CRM, helpdesk, storage — SOC 2 was sufficient. For AI systems that make or influence consequential decisions about people, it is necessary but not sufficient.
This guide breaks down what ISO 42001, SOC 2, and ISO 27001 each cover, where they overlap, and how an enterprise AI buyer should use them together when evaluating vendor compliance posture in 2026.
TL;DR Comparison Table
| | ISO 42001 | SOC 2 Type 2 | ISO 27001 |
|---|---|---|---|
| What it covers | AI management system governance | Security, availability, confidentiality, processing integrity, privacy controls | Information security management system |
| Issued by | ISO/IEC (international standard) | AICPA (US auditing body) | ISO/IEC (international standard) |
| Certification/Report type | Certifiable standard (3-year cert, annual surveillance) | Point-in-time audit report renewed annually | Certifiable standard (3-year cert, annual surveillance) |
| AI Act relevance | High — maps directly to AI management system obligations | Partial — supports GDPR Art. 32 security requirements, not AI-specific obligations | Partial — supports security controls evidence |
| Primary audience | AI governance, risk, compliance teams | Security, procurement, legal teams | Security, IT governance teams |
| When you need it from a vendor | When the vendor's AI makes or influences consequential decisions | Always — for any vendor handling sensitive data | When the vendor handles regulated or sensitive data |
ISO 42001: The AI Management Standard
ISO/IEC 42001:2023 is the first international standard specifically designed for AI management systems. Published in December 2023, it gives organizations a structured, certifiable framework for establishing how they develop, deploy, and govern AI systems — analogous to what ISO 9001 is for quality management.
The full definition and scope of ISO 42001 is covered in the ISO 42001 glossary entry. What matters for vendor evaluation is what ISO 42001 requires that other standards do not.
What ISO 42001 adds that SOC 2 and ISO 27001 don't:
- An explicit AI policy and executive accountability structure for AI governance
- A formal AI system inventory with risk classification for each system
- AI impact assessment procedures applied to new deployments
- Data governance requirements specifically for AI training data (Article 10 EU AI Act overlap)
- Operational controls covering the full AI lifecycle: design, data management, deployment, monitoring
- Mechanisms for addressing AI-specific nonconformities (not just security incidents)
- Continual improvement obligations for the AI management system itself
ISO 42001 certification requires a third-party audit by an accredited certification body and is valid for three years, with mandatory annual surveillance audits. An organization that claims ISO 42001 compliance without third-party certification has conducted a self-assessment — useful, but unverified.
How it maps to the EU AI Act: ISO 42001 does not guarantee EU AI Act compliance — the Act has specific requirements that go beyond what any single standard covers. However, an organization with ISO 42001 in place has most of the governance infrastructure that high-risk AI system obligations require: risk management documentation (Article 9), data governance practices (Article 10), technical documentation (Article 11), and an incident monitoring process (Article 26). For implementation specifics, see the ISO 42001 implementation guide and the ISO 42001 checklist.
When to require ISO 42001 from an AI vendor: Any vendor whose AI system makes or materially influences consequential decisions — hiring, credit, insurance, healthcare, access to services, law enforcement — should be required to demonstrate ISO 42001 alignment or certification. Vendors whose AI is purely assistive (content drafting, document summarization where humans review all outputs) may be held to a lighter standard.
SOC 2: The Security Controls Baseline
SOC 2 is the gold standard security attestation for enterprise software vendors, AI vendors included. A SOC 2 Type 2 report — covering the Trust Service Criteria of Security, Availability, Processing Integrity, Confidentiality, and Privacy — demonstrates that a vendor's security controls operated effectively over a sustained audit period (typically six to twelve months).
What SOC 2 covers well:
- Access controls and user authentication
- Encryption at rest and in transit
- Vulnerability management and penetration testing
- Change management and release controls
- Incident detection and response
- Availability monitoring and SLA adherence
- Subservice organization controls (cloud provider, hosting)
What SOC 2 does not cover:
SOC 2 is a controls audit, not a governance framework. It verifies that specific controls exist and operated effectively — it does not assess whether the vendor has a coherent AI risk management approach, whether AI models are governed responsibly, or whether the vendor's data practices satisfy the EU AI Act's specific data governance obligations.
Critically, SOC 2 does not assess:
- Whether AI training data was collected lawfully and representatively
- Whether the vendor maintains an AI system inventory with risk classification
- Whether AI-specific impact assessments have been conducted
- Whether model outputs are logged in a way that satisfies AI Act audit trail requirements
- Whether AI governance accountability reaches the executive level
A vendor with SOC 2 Type 2 but no ISO 42001 has verified security. It has not verified AI governance.
Type 1 vs. Type 2: Require Type 2 from any vendor handling sensitive data. A Type 1 report is a point-in-time design assessment; Type 2 confirms the controls actually worked over time. The difference matters when you are relying on the attestation as evidence in a regulatory context.
ISO 27001: The Information Security Management System
ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). It provides a risk-based framework for managing information security across the organization — covering people, processes, and technology.
ISO 27001 is not an AI-specific standard. It predates AI systems by two decades. However, it remains highly relevant for AI vendor assessment because it governs the broader information security environment in which AI systems operate.
What ISO 27001 covers:
- Information security risk assessment and treatment
- 93 security controls (Annex A of ISO 27001:2022), grouped into four themes: organizational controls, people controls, physical controls, and technological controls
- Asset management, including data assets and software assets
- Supplier relationship security — directly relevant to AI sub-processor management
- Incident management
- Business continuity and disaster recovery
- Compliance with legal and contractual requirements
The 2022 update and AI: ISO 27001:2022 introduced several Annex A controls that have direct AI relevance: secure development practices (A.8.25–8.34 series), threat intelligence management, and configuration management for cloud services. These controls, while not AI-specific, cover the infrastructure on which AI systems run.
How ISO 27001 and ISO 42001 complement each other: ISO 27001 secures the organization's information environment. ISO 42001 governs how AI is used within that environment. A vendor with both standards has addressed both the general security baseline (ISO 27001) and the AI-specific governance layer (ISO 42001). A vendor with ISO 27001 only has addressed security infrastructure but not AI governance.
Overlap Analysis: What Each Combination Covers
ISO 27001 + SOC 2 (without ISO 42001):
This combination — common among pre-2024 enterprise SaaS vendors — provides comprehensive security and operational controls coverage. It verifies that data is protected, systems are available, and security practices are mature. It provides no assurance about AI governance, AI risk management, or EU AI Act preparedness. For AI vendors in 2026, this combination is insufficient for high-risk AI system procurement.
ISO 42001 + ISO 27001:
This is the benchmark combination for a mature AI vendor. ISO 27001 secures the information environment; ISO 42001 governs AI use within it. Together they cover: security controls (27001), AI-specific governance and risk management (42001), data governance for both general data assets and AI training data, incident management for both security incidents and AI-specific nonconformities, and supply chain controls for both IT suppliers and AI sub-processors.
ISO 42001 + SOC 2 (without ISO 27001):
This combination is increasingly common among AI-native vendors who began with SOC 2 (required for US enterprise sales) and added ISO 42001 as EU AI Act requirements became clear. It provides AI governance evidence and security controls attestation, but lacks the formalized ISMS structure of ISO 27001. For most procurement purposes in 2026, ISO 42001 + SOC 2 is acceptable. ISO 27001 adds rigor in the security management system layer that matters most for financial services, healthcare, and public sector buyers.
All three (ISO 42001 + ISO 27001 + SOC 2):
This represents the maximum credible compliance posture for an enterprise AI vendor in 2026. The combination provides: AI management governance (42001), information security management (27001), and independently attested operational controls (SOC 2 Type 2). For regulated industries, critical infrastructure operators, and public sector procurement, all three should be expected.
The AI Buyer Checklist: 10 Questions to Ask Your Vendor
Use these questions in procurement conversations and vendor security questionnaires. The expected answers for a compliant vendor are indicated.
1. Does your organization hold ISO 42001 certification or have a documented alignment program? Expected: Certification by accredited body, or a documented roadmap to certification with current self-assessment against all clauses.
2. Can you provide your current SOC 2 Type 2 report under NDA? Expected: Yes — a current report (within 12 months), covering the services and data environments relevant to our use case.
3. Does your SOC 2 report cover AI-specific controls — model access management, training data security, and output logging? Expected: Yes — or a commitment that the next audit cycle will add these controls.
4. Do you hold ISO 27001 certification? Expected: Yes (certification), or ISO 27001 compliance with a documented audit timeline.
5. Do you maintain a published list of AI sub-processors? How are we notified of changes? Expected: Published list in the DPA with 30-day advance notification of changes and a contractual right of objection. See sub-processor obligations for AI vendors.
6. Is our data used for AI model training or improvement? Expected: No — unless separately and explicitly authorized. This should be stated unambiguously in the Data Processing Agreement (DPA).
7. Where is our data processed? Do you have EU data residency commitments? Expected: EU-hosted infrastructure for EU customers, or Standard Contractual Clauses (Module 2) with Transfer Impact Assessments for any out-of-EEA processing. See data residency for AI systems.
8. Have you conducted an AI impact assessment for the AI systems you will deploy in our environment? Expected: Yes — a documented AI impact assessment aligned with ISO 42001 Annex B or equivalent methodology.
9. What is your AI incident response process? Who is notified if an AI system produces materially incorrect outputs? Expected: A documented AI incident classification and response process, with contractual SLAs for customer notification of AI-specific incidents.
10. Can you provide documentation that satisfies our EU AI Act Article 26 deployer obligations — technical documentation, conformity assessment records, and audit logs? Expected: Yes — the vendor maintains Article 11 technical documentation and provides it to deployers as part of the commercial agreement.
Knowlee's Compliance Posture
Knowlee's current compliance posture, documented in TrustBadges, is summarized here against the three standards in this comparison:
ISO 42001: ALIGNED. Knowlee's platform architecture is designed against ISO 42001 requirements — AI system inventory, risk classification, human-in-the-loop design, audit trail generation, and documented data governance. The AI management system covers 80%+ technical alignment with ISO 42001 Sections 5.3, 6.1, 7.5, and 8.4. Formal third-party ISO 42001 certification is a documented roadmap milestone.
ISO 27001: COMPLIANT. Knowlee operates with ISO 27001-compliant information security controls. Formal third-party audit is scheduled for Q1 2027.
SOC 2: COMPLIANT. Knowlee is SOC 2 compliant. Type II attestation is targeted for Q4 2026. The current report covers Security, Availability, Confidentiality, and Privacy Trust Service Criteria, including AI-specific controls for model access management and output logging. The report is available to enterprise customers and prospects under NDA.
GDPR: COMPLIANT. All data processing on behalf of customers is governed by a DPA meeting Article 28 requirements. Per-tenant Supabase isolation ensures data segregation. Sub-processor list is maintained and updated with customer notification.
EU AI Act: READY. Knowlee's human-in-the-loop architecture, audit trail functionality, and AI risk classification framework are designed to satisfy the EU AI Act's Article 14 (human oversight), Article 12 (logging), and Article 9 (risk management) requirements for deployers.
This posture is the target benchmark — not a claim of full certification where formal audit has not yet occurred. Procurement teams should request the current SOC 2 report and the compliance documentation package under NDA.
FAQ
Q: Can ISO 42001 certification replace SOC 2?
No. They cover different domains. ISO 42001 governs AI management practices; SOC 2 verifies operational security controls. Enterprise procurement should require both from AI vendors handling sensitive data. ISO 42001 alone does not tell you whether the vendor's security infrastructure is sound.
Q: Is ISO 42001 required by the EU AI Act?
ISO 42001 is not mandated by name in the AI Act. However, the Act's requirements for high-risk AI systems — documented risk management systems (Article 9), data governance (Article 10), technical documentation (Article 11), and monitoring (Article 26) — map closely to ISO 42001's structure. A vendor with ISO 42001 certification has substantial evidence toward demonstrating compliance with these obligations.
Q: SOC 2 is a US standard. Is it relevant for EU procurement?
SOC 2 originated in the US but is widely accepted in EU enterprise procurement as evidence of security controls maturity. It is not a regulatory requirement under the EU AI Act or GDPR, but it provides third-party verified security controls evidence that satisfies GDPR Article 32 security obligations. ISO 27001 is the ISO/IEC equivalent for security management systems and is more familiar in some EU procurement contexts, but SOC 2 Type 2 and ISO 27001 are generally treated as equivalent evidence in EU B2B contracts.
Q: What's the difference between ISO 27001 certification and SOC 2 Type 2?
ISO 27001 is a certifiable management system standard — the vendor has implemented an ISMS and been certified by an accredited body. SOC 2 Type 2 is an audit report — an independent auditor reviewed whether specific controls operated effectively over a period. ISO 27001 is more process-oriented; SOC 2 is more controls-oriented. A vendor can have both. Neither is strictly superior — they provide complementary evidence.
Q: If a vendor has all three certifications, do I still need to review the DPA?
Yes. Certifications verify the vendor's internal practices but do not establish the contractual obligations that govern your specific relationship. The DPA is the legal instrument that creates binding commitments on data handling, sub-processor controls, audit rights, and data residency. Always review and negotiate the DPA separately from the compliance posture review.
Q: How quickly is the compliance landscape changing for AI vendors?
Rapidly. The EU AI Act's August 2, 2026 deadline is driving significant activity among both vendors and buyers. ISO 42001 was only published in December 2023 — the certification ecosystem is still maturing. Expect the market to move from "ISO 42001 aligned" to "ISO 42001 certified" as the dominant buyer expectation within 18–24 months. Vendors who complete certification early will have a meaningful procurement differentiation advantage.
Next Steps
For a practical procurement checklist aligned with these three standards, see the AI Vendor Risk Assessment Checklist.
For EU AI Act-specific vendor obligations, see the AI Act glossary entry and data governance requirements.
For a consultation on evaluating your organization's AI vendor compliance posture, book a 20-minute strategy call.