Original Research · Cianaa Insights

The State of ISO/IEC 42001 Adoption in New Zealand & Australia

AI adoption is accelerating on both sides of the Tasman while both governments have stepped back from hard AI regulation — leaving independent certification as the region’s only verifiable AI-governance trust signal. Here’s where ISO/IEC 42001 actually stands in 2026, from the audit team behind one of the region’s first certifications.

Last updated: 17 July 2026 · Updated as new certifications are announced
By Dr Rizwan Ahmad — PCI QSA · MSECB Auditor of the Year 2024 (Asia-Pacific) · NZ Govt-listed independent evaluator
~350Organisations certified worldwide by mid-2026, per industry compilations — there is no official global register [1]
Dec 2023ISO/IEC 42001 published — the world’s first certifiable AI management system standard [2]
0AI-specific statutes in force in either NZ or Australia — both governments chose light-touch approaches [3][4]
<1%Of the world’s ISO 42001 certificates are publicly attributable to NZ or Australian organisations
Key findings

Five things the data shows in 2026

  1. Certification is globally scarce and regionally rare. Roughly 350 organisations worldwide hold ISO/IEC 42001 certificates by mid-2026 [1] — and only a handful are publicly attributable to New Zealand or Australia. Regional early movers gain an uncontested trust signal.
  2. Both governments have deliberately left the field to voluntary assurance. Australia shelved its proposed mandatory AI guardrails in favour of a technology-neutral National AI Plan [3]; New Zealand’s first National AI Strategy (July 2025) positions the country as a light-touch “adopter nation” [4]. Neither has an AI Act — so independent certification is currently the strongest governance evidence an organisation can hold.
  3. The demand signal is procurement, not regulation. Enterprise and government buyers are writing AI-governance requirements into tenders and supplier questionnaires ahead of any law — the same pattern that drove ISO 27001 adoption a decade earlier.
  4. The EU AI Act reaches into ANZ supply chains. ANZ organisations selling AI-enabled products or services into Europe face extraterritorial obligations, and ISO/IEC 42001 is emerging as the practical framework for demonstrating readiness [5].
  5. Assessment capacity is the bottleneck. Accredited certification against ISO/IEC 42001 (under ISO/IEC 42006, published 2025) is still building out globally — organisations report that finding experienced, accredited audit teams is harder than implementing the standard itself.
The global picture

~350 certificates worldwide — and no official register

ISO/IEC 42001 was published in December 2023 and the first certificates were issued in 2024. Unlike mature standards, there is no official global register of ISO 42001 certificates: the ISO Survey does not yet report the standard, so global counts are assembled from certification-body and company announcements. The most-cited industry compilations put the worldwide total at roughly 350 organisations by mid-2026 [1] — for comparison, more than a million organisations hold ISO 9001.

Early adopters skew heavily toward technology firms — cloud platforms, AI vendors and IT service providers — for whom AI governance is a direct sales enabler. Professional services, healthcare and financial services are the emerging second wave.

Methodology note: every figure on this page is either cited to a public source (see Sources) or drawn from Cianaa’s first-hand audit work, and we deliberately round where precision isn’t defensible. Counts of certified organisations are minimums — private certifications that were never announced can’t be counted by anyone.
The regulatory landscape

New Zealand vs Australia: two flavours of light-touch

Neither country has AI-specific legislation in force — but they arrived there by different routes, and the difference matters for what buyers will ask of you.

🇳🇿 New Zealand🇦🇺 Australia
Headline posture“Adopter nation” — accelerate AI uptake with principles-based guidance [4]Technology-neutral — rely on existing laws plus voluntary guidance [3]
Key instrumentNational AI Strategy (July 2025), grounded in the OECD AI PrinciplesNational AI Plan; earlier proposal for 10 mandatory guardrails in high-risk settings was not proceeded with
AI-specific statuteNoneNone
Institutional capabilityPublic-service AI framework and sector guidanceAustralian AI Safety Institute (AISI) — operational from early 2026 [6]
What fills the trust gapVoluntary standards and independent certification — with ISO/IEC 42001 the only certifiable AI management system standard available in either market

Both positions remain politically live: Australia’s guardrails were shelved, not rejected forever, and EU-style pressure keeps rising through trade. Organisations betting on “no regulation ever” are really betting on election cycles.

Regional tracker

Publicly announced ISO/IEC 42001 certifications in ANZ

This tracker lists certifications of New Zealand and Australian organisations that have been publicly announced and verified. It is maintained by Cianaa and updated as announcements appear.

OrganisationScopeCountryCertification bodyAudit teamAnnounced
Datacom — Datascape
AI-enabled platform for local government (90+ councils); Datacom describes it as the first New Zealand-based recipient
AI Management System (ISO/IEC 42001:2023)New ZealandMSECBCianaa Technologies2026 — announcement ↗
Further ANZ certifications exist that have not been publicly announced, and global vendors serving ANZ hold certificates counted in the worldwide total. Know of a publicly announced ANZ certification we’ve missed? Tell us and we’ll verify and add it — with a link to your announcement.
Why organisations certify

Three forces driving ANZ demand in 2026

Procurement pressure

Government and enterprise tenders increasingly ask “how is your AI governed?” — a certificate answers in one line what a questionnaire takes weeks to argue.

EU AI Act spillover

ANZ firms in European supply chains inherit obligations regardless of local law — ISO/IEC 42001 is the emerging lingua franca for demonstrating readiness [5].

Board-level AI risk

Directors are personally accountable for AI harms under existing law even without an AI Act — a certified management system is tangible evidence of governance.

Outlook

What we expect through 2027 — Cianaa’s analysis

The following are Cianaa’s professional predictions based on our audit work and enquiry patterns — labelled as analysis, not measured fact.

Certification volume doubles, then doubles again

Global counts roughly tripled across 2025; with accredited capacity expanding under ISO/IEC 42006, we expect ANZ announcements to shift from “first mover” news to steady flow by late 2027.

Government procurement becomes the de facto regulator

Expect AI-governance clauses in public-sector tenders in both countries well before any statute — certification will be the cheapest way to answer them.

Integrated audits become the norm

Most ANZ candidates already hold ISO 27001. Expect 42001 to be scoped into integrated audits with information security and privacy (27701) rather than run standalone.

The scarce resource stays scarce

Experienced AI-management-system auditors remain the constraint. Organisations that book assessment windows early will certify months ahead of those that don’t.

Use this research

Citing this page

Journalists, analysts and researchers are welcome to cite this page with attribution. We update it as the landscape changes, so link to the page rather than screenshotting figures.

Suggested citation

Copy-paste, adapt to your style guide:

Cianaa Technologies, "The State of ISO/IEC 42001 Adoption in New Zealand & Australia", July 2026. https://cianaatech.com/iso-42001-adoption-new-zealand-australia/
Sources
  1. [1] Atoro, “How many companies are ISO 42001 certified?” — industry compilation of announced certificates (atoro.io/how-many-companies-are-iso-42001-certified/). No official register exists; the ISO Survey does not yet report ISO/IEC 42001.
  2. [2] ISO, ISO/IEC 42001:2023 — Artificial intelligence management system (iso.org/standard/42001).
  3. [3] Department of Industry, Science and Resources (AU), “Introducing mandatory guardrails for AI in high-risk settings” proposals paper (consult.industry.gov.au/ai-mandatory-guardrails); subsequently not proceeded with under the National AI Plan.
  4. [4] New Zealand Government, National AI Strategy (July 2025) — OECD-aligned, adoption-first approach.
  5. [5] Regulation (EU) 2024/1689 (EU AI Act) — extraterritorial application to providers placing AI systems on the EU market.
  6. [6] Australian AI Safety Institute — announced to be operational from early 2026.
  7. [7] Cianaa Technologies audit records; MSECB-issued certification of Datacom’s Datascape (2026) — publicly announced by Datacom on LinkedIn, describing Datascape as the first New Zealand-based recipient.
Common questions

ISO/IEC 42001 in ANZ, answered

How many organisations are ISO 42001 certified in New Zealand and Australia?
Only a handful of certifications have been publicly announced for ANZ organisations as of mid-2026 — our tracker above lists the verified ones. Some certifications are never announced, so the true number is somewhat higher, but it remains a tiny fraction of the roughly 350 certificates worldwide.
Is ISO 42001 certification mandatory in either country?
No. Neither New Zealand nor Australia has AI-specific legislation in force. Australia shelved its proposed mandatory guardrails in favour of a technology-neutral approach, and New Zealand’s National AI Strategy is deliberately light-touch. Certification is voluntary — which is exactly why it works as a differentiator.
Who can certify an organisation against ISO 42001?
An accredited certification body issues the certificate after an independent audit. ISO/IEC 42006 (published 2025) sets the requirements for bodies auditing and certifying AI management systems. Cianaa’s role is the independent audit: our assessors conducted the certification audit behind one of the region’s first ISO 42001 certifications, with the certificate issued by the certification body.
How long does ISO 42001 certification take?
Comparable to ISO 27001: typically 3–9 months from a standing start depending on the maturity of your AI governance, followed by a two-stage certification audit and a three-year cycle with annual surveillance. Organisations that already hold ISO 27001 usually move faster by integrating the two.
Does ISO 42001 help with the EU AI Act?
It doesn’t grant presumption of conformity by itself, but it is the most practical framework available for building the risk management, transparency, human-oversight and documentation practices the Act expects — and it’s independently verifiable, which self-assessment is not.
How is this page kept up to date?
We review it as new certifications are announced and when either government’s position changes, and we date-stamp every revision at the top. Spotted something out of date? Tell us.
Ready to be on this list?

Talk to the audit team behind one of the region’s first ISO 42001 certifications

Cianaa’s independent auditors assess AI management systems against ISO/IEC 42001 — conflict-free, across New Zealand, Australia and Asia-Pacific.