12

Immagine creata con IAAI-generated image

Certifying Artificial Intelligence: how an AIMS scheme works and what it does not promise

With ISO/IEC 42001 came the first certifiable standard on Artificial Intelligence management systems; with ISO/IEC 42006:2025 came the requirements for the bodies issuing the certifications. But how does an AIMS scheme actually work? And why is the certificate not — and cannot be — a “conformity licence” for the AI Act?

The distinction between the voluntary management-system standard and the harmonised standards intended to ground the presumption of conformity with the AI Act is the premise of any serious discussion on AI certification. It is useful to look at the certification scheme from the side of those who operate it: the certification bodies and their personnel — terrain on which the author works in the qualification paths as a trainer and auditor.

The three levels of the scheme

An AIMS (Artificial Intelligence Management System) certification scheme rests on three distinct normative levels, which it is well to keep separate. The first level is the certifiable standard: ISO/IEC 42001, which specifies the requirements for establishing, implementing, maintaining and continually improving an AI management system, transposed in Italy as UNI CEI ISO/IEC 42001:2024. It is the standard the organisation adopts and against which it is verified. The second level concerns who verifies: ISO/IEC 17021-1:2015 sets out principles and requirements of competence, consistency and impartiality for bodies certifying management systems, and ISO/IEC 42006:2025 adds the specific requirements for auditing and certifying AIMS. Here is the point that deserves attention: certifying an AI management system requires skills that do not coincide with those of the traditional auditor, because the object of the verification includes impact assessments on AI systems, model-lifecycle management and data oversight. The third level is accreditation: the certifying body is itself assessed, under the same standards, by the national accreditation body, which safeguards the reliability of the whole system.

What the AIMS auditor verifies

The AI management system follows the harmonised structure common to management-system standards: context, leadership, planning, support, operation, performance evaluation, improvement. What distinguishes it is the object: the organisation must, among other things, map the AI systems it develops or uses, define roles and responsibilities, assess their risks and impacts on individuals and communities, and oversee data quality, transparency and human oversight throughout the lifecycle. For the auditor, the challenge is twofold. Technically, one must be able to read a model’s documentation, understand its limits and assess the coherence between what the organisation declares and what the processes actually oversee. Methodologically, one must resist the temptation of the documentary audit: an AI management system that lives only in the procedures is, by definition, a system that manages nothing.

What the certificate does not promise

Finally there is the level of communication, on which vigilance must be maximal. ISO/IEC 42001 certification attests the conformity of the management system to the voluntary standard: it does not attest the conformity of the AI systems to the AI Act, does not replace the quality-management system required of high-risk-system providers by Article 17, and does not confer the presumption of conformity under Article 40, reserved to harmonised standards cited in the Official Journal of the EU and not yet available to date. Keeping these levels separate is not an academic exercise: it is what allows the certification body not to generate — and not to let its clients generate — the misunderstanding whereby a system certificate would count as a licence of conformity with the law.

Conclusions

The AIMS scheme is a precious tool: it structures AI governance, makes it verifiable by an independent third party and prepares organisations for the regulatory framework to come. But its value is preserved only in the clarity of boundaries: the voluntary standard on one side, binding law on the other, and in between an ecosystem of skills — those of auditors and certification-body personnel — still under construction. In the light of the above, one wonders whether the certification market will manage to grow at the speed demand requires without sacrificing the substance of the checks: an AIMS certificate is worth only as much as the audit that precedes it, and the trust an accredited scheme promises holds only where behind the document there is an AI governance that the organisation truly oversees.