Hael
Sign inRequest a demo
ISO/IEC 42001 · Implementation

Common ISO/IEC 42001 audit failures

Updated 12 July 2026 · 6 min read
Key takeaway
ISO/IEC 42001 audits fail in the same handful of places every time. An AI inventory missing shadow AI. A Statement of Applicability that omits exclusion rationales. Records that exist as templates but were never operated. A management review scheduled but never held with leadership. Human oversight designed on paper as a rubber stamp. None of these are difficult to correct if they are identified early; all of them are visible to a certification body immediately.
  • The five failures below account for most Stage 1 and Stage 2 findings we see.
  • Every one of them is detectable — and fixable — before you book the audit.
  • Records that exist but don't operate are the largest single category.
  • Rubber-stamp oversight fails on inspection every time; auditors interview operators, not just review documents.
  • Fix these five and most of the certification risk disappears.
  • General information, not legal advice. Current as of July 2026.

1. Incomplete AI inventory

The register is missing systems in genuine business use — a copilot in a spreadsheet, a chatbot in a support workflow, a marketing team's image generator. Auditors find these by asking teams what they use, not by reading the register. If the register does not reconcile against what the auditor hears, Stage 1 is a fail.

2. SoA without exclusion rationale

Every Annex A control needs an applicability decision, and every excluded control needs a defensible rationale. 'Not applicable' with no reason is not defensible. This is the single most-common SoA finding.

3. Records that exist but do not operate

Templates for impact assessments, supplier assessments, training records, incident logs — all present, all blank or all filled in the week before Stage 2. Auditors read date stamps and sample edit history. Records that only exist as documentation fail against the operating-evidence requirement.

4. No real management review

Management review recorded in minutes but not actually held with leadership. A compliance manager cannot substitute for the leadership team; the review's purpose is that leaders with resource authority take decisions on the AIMS. A meeting nobody with authority attended is not a management review.

5. Rubber-stamp human oversight

Oversight designed as a checkbox — the human approver approves 100% of outputs in the sample, and the interview reveals they cannot describe the criteria they applied. Auditors interview operators; the design collapses under one conversation.

How to catch all five before the audit

Run a mock Stage 1 four to six weeks before the real one, ideally with someone who has audited to the standard. Every one of the failures above shows up in a mock if the mock is honest. Then you have four to six weeks to fix them, not four to six days.

References

Related guides

Keep reading on ISO/IEC 42001.

Free check

See where you stand on ISO/IEC 42001, free.

Answer a few questions and get an indicative view of what ISO/IEC 42001 expects of your AI systems and where you stand today — no sign-up to see your result.

Indicative, not legal advice.
ISO/IEC 42001 · indicative readiness
HAEL FREE TOOLLIVE
Applicability
Applies to your AI use
MAPPED
What's expected
Risk classification · governance · documentation · oversight
4 PILLARS
Where you stand
Banded result · pointed to the gaps that matter most
SOURCED
Result
On-screen, free · optional PDF
FREE
Effort
Pre-scoped to ISO/IEC 42001
~ 5 MIN
INDICATIVE · NOT LEGAL ADVICE