ISO 42001 Certification: The New Benchmark for AI Vendor Selection

Introduction: AI Governance Moves from “Guidelines” to “Certification”

Since the publication of ISO/IEC 42001 (AI Management System) in December 2023 [1], the landscape of AI governance has evolved steadily. Now, entering 2026, we are witnessing a phase where major certification bodies worldwide have operationalized their audit services, and leading technology vendors are increasingly acquiring this certification. AI governance, which began as a collection of local guidelines and ethical codes, is now adopting a global benchmark: “certification (proof) by a third party.”

For SaaS/PaaS vendors like SAP, the questions we receive from customers have shifted. Beyond the traditional functional question of “What can this AI do?”, we are now asked non-functional and governance-related questions with equal weight, such as “Is this AI safe?” and “How is the training data managed?”

In this article, from a security and compliance perspective, I will explain the practical implications of the ISO 42001 certification that SAP has acquired and how it can help reduce AI adoption risks for user companies.

1. Why ISO 42001 is the “Common Language of Trust”

Since the widespread adoption of generative AI, companies have faced significant challenges in managing risks such as the “black box” nature of AI (lack of transparency in decision-making) and “hallucinations” (generation of incorrect information). While traditional security standards like ISO/IEC 27001 are essential for information security, they were not designed to fully cover the specific nuances of the AI lifecycle such as data bias, continuous learning, and ethical considerations.

This is why ISO/IEC 42001:2023 was introduced as the first international management system standard specifically for AI.

A key feature of this standard is that it does not certify the accuracy of a specific AI model at a single point in time. Instead, it validates whether an organization has established a “system to continuously identify, manage, and improve AI risks (Management System).” [2] Holding ISO 42001 certification serves as objective proof that a company has built and operates a responsible management structure for its AI systems.

2. SAP’s Certification and Scope of Application

SAP announced the acquisition of ISO 42001 certification for its key AI services in 2025.

What is important here is the scope of application. This certification covers core services such as Joule (our generative AI assistant) and SAP AI Core (our AI development and execution platform). This indicates that the applications and development environments utilizing these foundations are managed under a system based on international standards.

Understanding the Difference: “Self-Attestation” vs. “Third-Party Certification”

There are two primary approaches to demonstrating conformity to AI governance: “Self-attestation” by the supplier and “Third-party certification” by an independent body. SAP has chosen the path of “Third-party certification,” which involves rigorous audits by an independent organization, to ensure a higher level of objectivity.

For security and legal professionals, this distinction is significant. When adopting a service based solely on self-attestation, user companies often need to send detailed security checklists to vendors and scrutinize their responses—a process that consumes considerable time and resources. However, when a vendor holds ISO 42001 certification, the certification itself serves as objective evidence of governance, which can significantly streamline the Vendor Risk Management (VRM) process.

3. Practical Benefits for User Companies

What are the practical benefits for user companies utilizing SAP’s certified environment? I see two main advantages.

1. Clarifying Roles in Supply Chain Risk Management

If a user company were to build an AI service from scratch and aim for ISO 42001 compliance, the effort would be substantial, requiring resources for AI-specific risk assessments and continuous monitoring systems.

By adopting a certified platform (PaaS/SaaS) like SAP Business AI, companies can leverage the vendor’s established governance for the infrastructure layer. This concept is similar to the “Shared Responsibility Model” in cloud security.

Specifically, SAP maintains governance over the training environment and infrastructure (security of the AI). This allows user companies to focus their resources on managing the upper layers directly linked to their own business value and use cases, such as data quality and ethical decision-making (security in the AI). This division of responsibility can help shorten the lead time for AI adoption while maintaining reliability across the supply chain.

2. Supporting Accountability to Stakeholders

In addition to shareholders and regulators, business partners are increasingly conducting strict due diligence regarding the safety and transparency of AI integrated into business operations.

In such scenarios, being able to demonstrate that “we utilize SAP’s platform, which complies with the international standard ISO 42001 and is audited by a third party,” provides a strong, objective basis for trust. This certification functions as valid evidence to help fulfill accountability requirements to stakeholders.

Furthermore, as legal frameworks like the EU AI Act are implemented globally, compliance is becoming a critical management issue. While ISO 42001 certification does not automatically guarantee legal compliance, it is widely recognized as a framework that supports alignment with these regulations. Leveraging a certified foundation can help streamline the complex process of proving compliance, allowing companies to direct limited resources toward creating business value rather than just defensive measures.

Conclusion: Criteria for Selecting AI in the Future

AI technology evolves daily, but the importance of the trust that underpins it remains constant. As technology advances, the value of transparency and governance only increases.

As a compliance professional, I want to emphasize that for SAP, acquiring ISO 42001 is not a final goal but a milestone. It is objective proof that we have established a robust governance structure to continuously provide an “environment where customers can integrate AI into the core of their business with confidence.”

I recommend incorporating “ISO 42001 certification status” into your functional comparison table when selecting AI solutions. This addition will serve as a definitive step toward realizing long-term, stable, and trustworthy AI utilization.

References

SAP Trust Center: Certifications and Compliance

