EU AI Act Art. 40 quality management systems: do you integrate ISO 42001 or build custom controls?

From an infrastructure perspective, the most pragmatic approach we've seen is extending ISO 27001 with AI-specific controls rather than building a standalone QMS. The reasoning: your notified body already knows how to audit 27001 — adding an Art. 40 gap analysis as an annex is significantly cheaper than training them on a custom framework from scratch. The 11 elements of Art. 40 map reasonably well to existing ISMS controls: - Elements 1-3 (risk management system, roles, resources) → 27001 A.5/A.6 - Elements 4-6 (data governance, technical documentation, record-keeping) → need custom add-ons (this is where most of the AI-specific work lives) - Elements 7-9 (human oversight, accuracy/robustness testing, post-market monitoring) → partially covered by 27001 A.8, but require quantitative metrics - Elements 10-11 (incident reporting, conformity assessment) → 27001 A.5.24/A.5.25 need AI-specific triggers ISO 42001 is interesting but feels premature — the certification bodies haven't standardized how they audit it against Art. 40 yet. If you're in the EU right now and need to demonstrate compliance within 12-18 months, the 27001 extension path is lower risk. 42001 makes sense as a parallel track for 2027+.