Six months ago ISO 42001 was a curiosity. Now it appears in three out of five enterprise RFPs. Here's what it actually requires, the OSP five-step path, and the bridge to KVKK and the EU AI Act.
What ISO/IEC 42001 Actually Covers
ISO/IEC 42001 — published December 2023 — is the first international management-system standard built specifically for artificial intelligence. The structure mirrors ISO 27001 for anyone who has lived through that certification. Scope definition, leadership commitment, risk assessment, operational controls, performance evaluation, continual improvement. The novelty is the AI-specific control set in Annex A: data quality, transparency, human oversight, lifecycle management, third-party AI procurement. It does not certify that a model is accurate. It certifies that the organization has a defensible system for managing the AI it builds and buys. The distinction matters when an auditor walks in.
Why It Became RFP Boilerplate in 2026
Three forces converged. EU AI Act enforcement woke procurement teams up — they need a way to ask 'are you serious about AI governance' that does not require them to design the question themselves. ISO 42001 gave them a checkbox. The Brussels effect did the rest. Turkish enterprises serving European customers started inserting ISO 42001 language into vendor questionnaires by Q4 2025. Defense primes followed. By Q1 2026 we counted 31 of 50 sampled enterprise AI RFPs in Turkey requiring 'ISO 42001 certified or active certification roadmap'. The phrase 'active certification roadmap' is doing a lot of work — it means a credible plan, an auditor engaged, and a target date inside the contract term.
The OSP Five-Step Path
Step one — inventory. Catalog every AI system in scope: in-house models, third-party APIs, embedded vendor AI features. Most clients underestimate this by half. Step two — gap analysis against the ISO 42001 Annex A controls, scored honestly. Step three — policy and procedure documentation, anchored on a small set of master documents rather than a forest of overlapping artifacts. Step four — internal audit and remediation, run by someone who did not write the policies, because self-audit theatre is worse than no audit. Step five — certification body matching. The Turkish certification market for ISO 42001 is still thin; we maintain a shortlist of bodies whose AI auditor competence has been validated. End-to-end, six to twelve weeks for a mid-market company, longer for regulated sectors.
Bridge to KVKK and the EU AI Act
ISO 42001 is not a substitute for KVKK compliance or EU AI Act readiness — but it is a force multiplier for both. The data inventory built for 42001 doubles as a KVKK-required processing register. The risk assessment maps cleanly onto EU AI Act high-risk classification logic. The transparency controls feed directly into the AI Act's user-facing disclosure obligations. Build once, satisfy three frameworks. The alternative — three parallel compliance programs run by three different teams — burns money that mid-market clients do not have. We design the 42001 program with KVKK and AI Act overlaps marked from the first artifact, which is the only way the math works.
Concrete Numbers and What the Engagement Looks Like
Mid-market client, 50 to 500 employees, two to five AI systems in scope: six to eight weeks total, $35K to $60K all-in including OSP fees and certification body costs. Add a sectoral overlay — finance, health, defense — and the timeline stretches to ten or twelve weeks, mostly because of evidence collection rather than policy work. Larger enterprises with global operations should budget twelve to sixteen weeks and treat the engagement as a program rather than a project. Either way, the certification itself is valid for three years with annual surveillance audits, which is when the operating discipline pays for itself — the surveillance is painless if the system is alive, painful if it is paperwork.
When to Start
Yesterday is the obvious answer; the realistic answer is now. The 2026 RFP cycle is already filtering on 42001 status. The 2027 cycle will treat its absence as disqualifying for any tender involving public-sector data, regulated industries, or EU-facing customers. A six-week window between 'we should look into this' and 'we have a certified AI management system' is short enough that it does not derail a roadmap and long enough that delaying past Q3 2026 risks losing a tender to a competitor who started in Q2. The math is unsentimental. The standard is here, the procurement language is locked in, and the certification work itself is the easiest part of the whole compliance landscape.