- Policy-as-Code expresses controls as testable rules
- Agent IAM assigns ownership and accountability
- Risk register supports the AI risk assessment
- Golden policy tests guard planned changes
An AI management system your agents already run inside.
ISO/IEC 42001 is the first certifiable AI management system (AIMS) standard. Like ISO 27001 for security, it specifies a management system — policies, objectives, roles, controls, records, and continual improvement — for organizations that develop or use AI. It is auditable and certifiable by an accredited body. Cortex provides the operational substance an AIMS needs: the enforced controls and the tamper-evident records that auditors sample.
Built for ISO/IEC 42001:2023 · AIMS · Annex A controls
ISO/IEC 42001:2023 — AI Management System, in plain language.
ISO/IEC 42001:2023 follows the Annex-SL high-level structure shared by ISO 27001 and ISO 9001: context, leadership, planning, support, operation, performance evaluation, and improvement (Clauses 4-10), plus a normative Annex A of AI-specific controls covering data, model lifecycle, transparency, human oversight, and impact assessment. A management system is mostly about evidence — documented policies, records of operation, and proof of continual improvement. Cortex doesn't replace the management system, but it supplies the operational layer: Policy-as-Code is the documented control, the Trust Ledger is the record of operation, and the reliability score and evaluations are the performance evaluation feeding continual improvement.
applies to ▸ International · organizations operating AI systems
Each requirement becomes an enforced, recorded control.
An AIMS auditor samples records: do your documented controls actually operate, and can you prove it? Cortex makes the Annex A controls executable and keeps the records sealed so sampling finds substance, not slideware.
- Every run sealed into the hash-chained Trust Ledger
- Signed receipts as durable records of operation
- verifyChain proves records were not altered
- Lineage records the operational context of decisions
- Reliability score measures agent performance over time
- Evaluation suites benchmark quality and safety
- Observability streams metrics for management review
- Simulation lab supports internal audit of changes
- Reliability score gates which versions may publish
- Improvement loop feeds evals back into policy
- Versioned ontology with draft / publish / rollback
- Nonconformities surface as denied gates in the ledger
- Five Oversight Modes set the autonomy of each agent
- Approval gate enforces human-in-the-loop control
- Audited break-glass with a mandatory recorded reason
- Risk floor cannot be loosened by autonomy settings
- Ontology object / property / action permissions
- DLP screens data in and out of tool calls
- Datapoint provenance documents data sources
- Tenant isolation enforced on every query
From a written obligation to provable evidence.
Every obligation reduces to a fail-closed runtime gate whose verdict lands in a tamper-evident ledger you can hand an examiner. This is the table a Compliance Pack exports for this framework.
| Obligation | Enforced Cortex control | Ledger evidence |
|---|---|---|
| Clause 6 — AI risk assessment & treatment | Risk register + Policy-as-Code | risk tier · golden tests |
| Clause 8 — operational records of the AIMS | Trust Ledger (hash-chained) | verifyChain ▸ ok:true |
| Clause 9 — monitoring & management review | Observability + reliability score | quality { overall: 100 } |
| Clause 10 — continual improvement | Evals → reliability gate → publish | version gated on score |
| Annex A — human oversight of AI | Oversight Modes + approval gate | 409 hold · approver receipt |
| Records are complete & tamper-evident | Signed receipts, sealed chain | hashOk:false flags edits |
One-click evidence export, straight from the Trust Ledger.
An ISO 42001 audit is an evidence exercise: the auditor samples records of operation and looks for continual improvement. A Compliance Pack maps the clauses and Annex A controls to their Cortex enforcement and bundles the sealed records and reliability trends an assessor will sample.
- The ISO/IEC 42001 control map, generated — not assembled by hand
- Sealed run records you can verifyChain offline
- Datapoint provenance: every fact threads back to its source
- Honest by construction — evidence is generated, never asserted
The ISO/IEC 42001 verdicts you'll see in the demo.
These are not slideware promises — they are the literal codes and receipts the runtime returns when you challenge it against this framework's controls.
Three steps from ISO/IEC 42001 on paper to provable.
- 01
Map
Pick ISO/IEC 42001. Cortex lines each obligation up against the runtime gate that enforces it — no spreadsheet archaeology.
- 02
Enforce
Every agent run passes the same fail-closed gates. A denied control returns a real code (402 / 403 / 409) — never a silent pass.
- 03
Prove
Export a Compliance Pack: the mapping table plus the sealed ledger records that show each control fired, verifiable offline.
Aligned with — never certified-claimed
ISO/IEC 42001 is certified by an accredited body, not by a vendor. Cortex is built for and aligned with the standard and provides the operational controls and records an AIMS needs; the certification is awarded to your organization, not to Cortex.
The Cortex capabilities that satisfy this framework.
Each obligation above is enforced by a real capability in the runtime. Explore the ones that do the work for this framework.
Trust Ledger
Hash-chained records and signed receipts are the records of operation an AIMS audit samples.
Observability
Reliability scoring and evaluations feed performance evaluation and continual improvement.
Policy-as-Code
Controls expressed as testable rules with golden tests are documented, operable controls.
Map the rest of your regulatory surface.
The same enforced controls and one-click evidence export cover the other frameworks your auditors cite.
NIST AI RMF
Aligned with the NIST AI Risk Management Framework: Govern, Map, Measure, and Manage — with documented, exportable evidence..
EU AI Act
Aligned with the EU AI Act: human oversight, logging and traceability, risk management, and audit-ready evidence packs..
SOC 2
Aligned with SOC 2 Trust Services Criteria: access controls, change management, audit logging, and tamper-evident evidence..
All frameworks
The full compliance hub — every framework Cortex maps to, with the shared control-to-evidence model.
Built for the frameworks your auditors already cite.
The sealed ledger, signed receipts, and lineage graph map to the obligations across every regime you report against — aligned with, never claiming a certification you don't hold.
Turn ISO/IEC 42001 from a burden into a button.
See how Cortex maps ISO/IEC 42001 to enforced controls and exports auditor-grade evidence on demand.