The Cyber Academy take
AI governance is the discipline of running AI systems under control: risk, transparency, bias, validation, security and regulatory exposure. The reference management system is ISO/IEC 42001, published December 2023, the AI equivalent of ISO 27001's ISMS. The credential landscape splits in two: ISO 42001 (PECB) for the management-system layer, and the ISACA Advanced in AI certifications (AAIA for audit, AAIR for risk, AAISM for security) for the professional-discipline layer. Both map onto the EU AI Act and the NIST AI RMF.
TL;DR
- ISO/IEC 42001 is the management-system standard for AI (an AI management system, or AIMS), published December 2023. It is the AIMS equivalent of ISO 27001's ISMS. PECB issues the Foundation, Lead Implementer and Lead Auditor pathway.
- ISACA's Advanced in AI track is the professional-discipline layer: AAIA (audit), AAIR (risk), AAISM (security management). Each assumes an existing ISACA certification (CISA, CRISC, CISM).
- The EU AI Act tells you what to demonstrate for a high-risk system. ISO 42001 tells you how to organise the proof. The NIST AI RMF is the operational risk method that populates it.
- Pick by role: build the system, ISO 42001 Lead Implementer. Audit AI, AAIA. Run AI risk, AAIR or PECB AI Risk Manager. Secure models, AAISM. Lead AI delivery, CAIP.
- There is no single 'AI governance certification'. A senior practitioner pairs the ISO 42001 management-system credential with one discipline credential.
Ask five vendors about AI governance certification and you get five different answers, because the market has not settled. There is no single AI governance certificate the way there is a single CISM or a single CISA. There are two distinct layers, issued by two different bodies, answering two different questions: how do you govern AI as an organisation, and how do you audit, risk-assess or secure it as a practitioner.
This page maps the two layers onto the standard (ISO/IEC 42001), the regulation (the EU AI Act) and the US framework (NIST AI RMF), then tells you which credential fits which role and how to train a team without sending everyone on the same five-day course. It is written for the CISO, GRC lead or auditor who has to make the call.
The two layers of AI governance credentials
Every AI governance credential on the market sits in one of two layers.
- The management-system layer answers "how does the organisation govern its AI?". The reference is ISO/IEC 42001, the international AI management system standard. PECB issues a Foundation, Lead Implementer and Lead Auditor pathway against it, exactly as it does for ISO 27001.
- The professional-discipline layer answers "what does this practitioner do with AI?". The reference is ISACA’s Advanced in AI track: AAIA for auditors, AAIR for risk managers, AAISM for security managers. Each is advanced and assumes you already hold the matching ISACA certification.
The two layers are complementary. A mature AI governance function holds both: an ISO 42001 management-system credential to build and run the system, and one ISACA discipline credential per function that operates inside it.
ISO/IEC 42001: the AI management system
ISO/IEC 42001:2023, published in December 2023, is the first international standard for an AI management system (AIMS). It is the AI equivalent of ISO 27001’s ISMS: a policy, defined roles, an AI risk-assessment process, controls over the AI system lifecycle, an Annex A of AI-specific controls, and a management-review cycle that keeps the whole thing honest.
The PECB certification pathway against it mirrors ISO 27001:
- ISO 42001 Foundation (2 days) gives the vocabulary and the management-system model. It is the prerequisite for the senior credentials.
- ISO 42001 Lead Implementer (5 days) teaches you to build the AIMS: scope, AI risk assessment, the Statement of Applicability, the controls, the operating cycle. This is the credential for whoever owns AI governance.
- ISO 42001 Lead Auditor (5 days) teaches you to audit an AIMS: evidence, sampling, interview technique, findings. This is the credential for internal audit and for certification-body auditors.
The ISACA Advanced in AI track: AAIA, AAIR, AAISM
ISACA’s Advanced in AI credentials are the professional-discipline layer. They are advanced by design: each assumes you already hold the foundational ISACA certification for that discipline, and each is mapped onto ISO 42001 and the EU AI Act high-risk obligations rather than taught in a vacuum.
| Credential | Discipline | Assumes | Built for |
|---|---|---|---|
| AAIA — Advanced in AI Audit | Auditing AI systems, models and governance | CISA | Senior IT auditors, compliance officers |
| AAIR — Advanced in AI Risk | AI risk assessment, quantification, treatment, monitoring | CRISC | IT risk managers, CROs |
| AAISM — Advanced in AI Security Management | AI threat modelling, secure model lifecycle, AI security operations | CISM | CISOs, security architects |
The three courses at Cyber Academy are AAIA, AAIR and AAISM. Pick by what you do, not by which is newest.
Where PECB AI Risk Manager and CAIP fit
Two more PECB credentials sit alongside the ISO 42001 pathway. AI Risk Manager is a focused risk credential for practitioners running AI-specific risk programmes (model risk, bias, drift, third-party model risk) without the full management-system scope of Lead Implementer. Certified Artificial Intelligence Professional (CAIP) is the broader practitioner credential for people who build and deploy AI responsibly across the lifecycle, useful for technical leads who need the governance vocabulary without owning the AIMS.
If you already run an ISO 27001 risk programme and want to extend it to AI, AI Risk Manager is the shortest bridge. If you lead AI delivery and need the governance literacy the AI Act now requires of you, CAIP is the better fit.
How the credentials map to the AI Act and NIST AI RMF
None of these credentials exists in isolation. They are taught against the regulation and the frameworks an AI governance function actually has to satisfy.
| Instrument | What it is | Certifiable? | Role in your programme |
|---|---|---|---|
| EU AI Act | Regulation (EU) 2024/1689 | No — conformity assessment, not certification | What to demonstrate for a high-risk system |
| ISO/IEC 42001 | AI management system standard | Yes — AIMS certification + PECB credentials | How to organise the proof |
| NIST AI RMF | US voluntary risk framework (Govern, Map, Measure, Manage) | No | Operational risk method that populates the system |
| ISO/IEC 23894 | AI risk-management guidance | No | Risk methodology, ISO-aligned, inside the AIMS |
The canonical path for a European organisation: build the AIMS with ISO 42001 Lead Implementer, map the AI Act high-risk obligations onto the AIMS controls, and use the NIST AI RMF or ISO 23894 as the risk methodology. The ISACA Advanced credential then equips whichever function (audit, risk or security) has to operate inside that system.
How to train a team on AI governance
The mistake is sending everyone on the same course. AI governance is cross-functional, and the functions need different depth.
- Start with a shared baseline. ISO 42001 Foundation, or an AI Act literacy briefing that satisfies the Act’s Article 4 AI-literacy obligation, gives everyone the same vocabulary before they specialise.
- Send the governance and compliance owners to ISO 42001 Lead Implementer. They build and run the AIMS.
- Send internal audit to AAIA, the risk function to AAIR, and the security function to AAISM. Each operates inside the AIMS from its own angle.
- Add ISO 42001 Lead Auditor only if you run an internal audit programme against the AIMS or sit on a certification body.
The decision, in one line
Build the system: ISO 42001 Lead Implementer. Audit AI: AAIA. Run AI risk: AAIR or PECB AI Risk Manager. Secure models: AAISM. Lead AI delivery and need governance literacy: CAIP. There is no single AI governance certificate, and anyone selling you one is selling you a slice.
Frequently asked questions
Is there an AI governance certification, and which one should I take?
There is no single AI governance certification. The space splits into two layers. The management-system layer is ISO/IEC 42001: PECB issues Foundation (2 days), Lead Implementer (5 days, build the AIMS) and Lead Auditor (5 days, audit one). The professional-discipline layer is ISACA’s Advanced in AI track: AAIA for auditing AI, AAIR for AI risk, AAISM for AI security management.
For someone who governs AI organisationally, ISO 42001 Lead Implementer is the cornerstone. For someone who audits, assesses risk or secures AI within an existing GRC role, the matching ISACA Advanced credential is the stronger signal. Most senior practitioners hold one of each.
What is ISO/IEC 42001 and how does it relate to the EU AI Act?
ISO/IEC 42001:2023 is the international standard for AI management systems, published December 2023. It defines how an organisation establishes, operates and improves the governance of its AI systems: policy, roles, AI risk assessment, the AI system lifecycle, an Annex A of AI-specific controls and the management-review cycle. It is the AIMS equivalent of ISO 27001's ISMS.
The standard does not satisfy the EU AI Act on its own. The Act has product-specific technical requirements for high-risk systems. But ISO 42001 provides the management-system foundation auditors and notified bodies recognise. The canonical path is ISO 42001 to build the AIMS, then map the AI Act high-risk obligations onto the AIMS controls.
AAIA vs AAIR vs AAISM: which ISACA AI certification?
Three lenses on AI, all assuming an existing ISACA credential. AAIA (Advanced in AI Audit) is for auditors: auditing AI systems, models and governance, mapped onto ISO 42001 and the AI Act. Typically held with CISA.
AAIR (Advanced in AI Risk) is for risk practitioners: AI risk assessment, quantification, treatment and monitoring. Typically held with CRISC. AAISM (Advanced in AI Security Management) is for security leaders: AI threat modelling, the secure model lifecycle and AI security operations. Typically held with CISM.
How do I train a whole team on AI governance?
Sequence it by function. Start with a shared baseline (ISO 42001 Foundation or an AI Act literacy briefing satisfying Article 4). Send governance and compliance owners to ISO 42001 Lead Implementer; internal audit to AAIA; the risk function to AAIR; the security function to AAISM.
For a rollout across teams, an in-house cohort prices per cohort and maps the exercises to your AI estate. The discovery call scopes which roles need which credential first. Most teams over-buy Lead Implementer seats and under-buy the discipline credentials.
Where does the NIST AI RMF fit alongside ISO 42001?
The NIST AI Risk Management Framework (AI RMF 1.0, January 2023) is the US voluntary framework structured around Govern, Map, Measure and Manage. It is not certifiable and not a management-system standard. It is a risk-function playbook.
ISO 42001 and the NIST AI RMF are complementary. ISO 42001 gives the certifiable management system; the NIST AI RMF gives the operational risk method that populates it. Organisations exposed to both EU and US contexts run an ISO 42001 AIMS with the NIST AI RMF, and the related ISO/IEC 23894 guidance, as the risk methodology inside it.