Zero-Day Dawn

Raising the Standard on AI Governance

Which one is paving the road to EU AI Act conformity — and why ISO 42001 wasn't built for that

Violeta Klein, CISSP, CEFA
Feb 02, 2026
∙ Paid

Executive Summary

There are two QMS standards for AI governance. One is designed specifically for EU AI Act conformity. One is not.

The one designed for conformity is still in draft. prEN 18286 completed its public enquiry period on January 22, 2026 and is working through the CEN-CENELEC process toward harmonization. Unless you purchased access through a national standards body, you have not seen what it contains.

The one not designed for conformity is everywhere. ISO 42001 certification programs proliferate. Consultants sell readiness packages. Organizations pursue badges. The market has invested heavily in this standard.

The investment is misplaced. Here’s why.

prEN 18286 contains Annex ZA — a clause-by-clause mapping to Article 17 that will carry presumption of conformity when harmonized. ISO 42001 has no such mapping. It was never designed to. The JRC already found it structurally incompatible with high-risk AI requirements.

But here is what neither standard addresses: the upstream risk classification decision that determines whether Article 17 applies to your systems at all.

This piece shows what prEN 18286 contains, why ISO 42001 falls short, and why the choice between them is premature if you haven’t classified your AI systems first.


The Access Asymmetry

The EU AI Act requires high-risk AI providers to implement a quality management system under Article 17. This QMS must cover risk management, data governance, technical documentation, record-keeping, and post-market monitoring across the entire AI lifecycle.

Two standards claim to address this requirement.

ISO/IEC 42001:2023 is available globally. You can purchase it from any national standards body. Certification programs exist. Training courses exist. A cottage industry of consultants will help you implement it. The market has invested heavily in this standard.

prEN 18286:2025 is a European draft standard titled “Artificial intelligence — Quality management system for EU AI Act regulatory purposes.” It was released for CEN Enquiry in October 2025. The public comment period closed January 22, 2026. Unless you purchased access through a national standards body, you have never seen it.

Here is the asymmetry that will cost organizations money: the visible standard lacks what the invisible standard contains.

ISO 42001 provides a management system framework. It certifies that governance processes exist. It does not map to Article 17 requirements. It does not address EU-specific obligations. It provides no presumption of conformity.

prEN 18286 was commissioned by the European Commission under standardization request M/613 C(2023) 3215 specifically to provide a voluntary means of conforming to Regulation (EU) 2024/1689. When finalized and cited in the Official Journal, compliance with its normative clauses will confer presumption of conformity with the corresponding essential requirements.

One standard was built for the regulation. One was built for the global market. The market seeking EU AI Act compliance is buying the wrong one.


What the JRC Already Found

The Joint Research Centre — the Commission’s science and knowledge service — published a gap analysis, JRC 139430, examining ISO 42001 against EU AI Act requirements.

The finding was unambiguous: ISO 42001 lacks the specific safety-by-design mandates required for high-risk AI systems under Annex III.

This is not a minor gap. It is a structural incompatibility. ISO 42001 was designed for organizational governance across jurisdictions. It addresses management system requirements. It does not address the product safety requirements embedded in the EU AI Act.

The AI Act is product safety law. It treats AI systems as products subject to conformity assessment. The QMS requirements under Article 17 are not generic governance requirements — they are specific obligations tied to the essential requirements in Chapter III, Section 2.

ISO 42001 does not address these obligations because it was not designed to. It predates the final AI Act text. It serves a different purpose. Certification bodies audit it as a management system standard because that is what it is.

prEN 18286 exists because the Commission recognized this gap and requested a European standard that would actually address Article 17. The standard is being developed by CEN-CENELEC JTC 21 — the Technical Committee on Artificial Intelligence — under explicit mandate to provide presumption of conformity.

The JRC finding is not a criticism of ISO 42001. The standard does what it was designed to do. The problem is that what it was designed to do is not what Article 17 requires.

The Annex ZA Mapping
