By The DDH Team · Digital Dashboard Hub

ISO 27001 Certified AI Providers: OpenAI, Anthropic, AWS, Azure, Google Cloud, Cohere, Mistral, and Hugging Face — Real Certificates, Real Scope, ISO 42001 Status (2026)

Eight AI providers, eight different ISO compliance postures. OpenAI publishes a full ISO 27001/27017/27018/27701 + ISO 42001 stack via trust.openai.com. Anthropic publishes 27001/27017/27018/27701 at trust.anthropic.com and is among the first labs certified to ISO 42001:2023. AWS, Azure, and Google hold the broadest ISO portfolios but offload AI-system specifics to the customer. Cohere, Mistral, and Hugging Face are catching up. Certificates, audit firms, and scope statements below — sources cited inline, June 2026.

By DDH Research Team at Digital Dashboard Hub

If you are buying an AI provider in 2026 and your procurement team is asking for an ISO 27001 certificate, you are already behind the question they should be asking. The real question is which ISO family the provider has certified to — 27001 covers the information security management system, 27017 covers cloud-specific controls, 27018 covers PII in public cloud, 27701 extends 27001 into a privacy information management system (PIMS), and the newest one, ISO 42001:2023, is the world's first AI Management System standard published at https://www.iso.org/standard/81230.html. A provider can hold 27001 and still have no formal AI governance program audited against an external standard. Before signing, run the math on what you are actually buying with the SOC 2 certified LLM providers comparison and the enterprise LLM compliance comparison.

**OpenAI** publishes a full ISO 27001/27017/27018/27701 stack plus ISO 42001 at https://trust.openai.com/, making it one of the broadest AI-vendor ISO portfolios on the market. **Anthropic** publishes 27001/27017/27018/27701 at https://trust.anthropic.com/ and was among the first frontier AI labs to certify to ISO 42001:2023. **AWS** maintains one of the largest ISO portfolios in cloud, including 27001/27017/27018/27701, documented at https://aws.amazon.com/compliance/iso-27001-faqs/ — but Bedrock-hosted models inherit AWS infrastructure compliance, not model-level AI governance. **Azure** covers 27001/27017/27018/27701 across its services per https://servicetrust.microsoft.com/ and is rolling ISO 42001 attestation into its Responsible AI program. **Google Cloud** publishes 27001/27017/27018/27701 at https://cloud.google.com/security/compliance/iso-27001 with Vertex AI inherited. **Cohere** publishes its security posture at https://cohere.com/security including SOC 2 and ISO 27001. **Mistral** publishes its compliance program at https://mistral.ai/security with ISO 27001 certification confirmed in 2025. **Hugging Face** holds SOC 2 Type II and has ISO 27001 in progress. All certifications below were verified from vendor trust pages as of June 2026.

The rest of this guide walks the certification matrix vendor by vendor, then explains what ISO 42001 actually requires — the AI management system clauses around impact assessment, data governance, lifecycle management, and continual improvement — and which providers have the audited evidence to back the marketing claims. You will get a decision matrix for the eight providers, a five-step procurement checklist your security team can hand to legal, and answers to the nine questions your CISO will ask. We also map this to sector risk in the EU AI Act compliance checklist and to responsible-AI program design in the responsible AI platforms for enterprise comparison.


OpenAI, Anthropic, AWS, Azure, Google Cloud, Mistral — ISO 27001 / 27017 / 27018 / 27701 / 42001 status, June 2026

| Feature | OpenAI | Anthropic | AWS | Azure | Google Cloud | Mistral |
|---|---|---|---|---|---|---|
| ISO/IEC 27001 (ISMS) | Certified — current per https://trust.openai.com/ | Certified — current per https://trust.anthropic.com/ | Certified — broad scope per https://aws.amazon.com/compliance/iso-27001-faqs/ | Certified — across Azure services per https://servicetrust.microsoft.com/ | Certified — broad scope per https://cloud.google.com/security/compliance/iso-27001 | Certified — confirmed 2025 per https://mistral.ai/security |
| ISO/IEC 27017 (cloud security) | Certified per trust.openai.com | Certified per trust.anthropic.com | Certified — see AWS Artifact | Certified — see Service Trust Portal | Certified per cloud.google.com/security/compliance | Certified — confirmed 2025 |
| ISO/IEC 27018 (PII in public cloud) | Certified per trust.openai.com | Certified per trust.anthropic.com | Certified — see AWS Artifact | Certified — see Service Trust Portal | Certified per cloud.google.com/security/compliance | Certified — confirmed 2025 |
| ISO/IEC 27701 (PIMS extension) | Certified per trust.openai.com | Certified per trust.anthropic.com | Certified — see AWS Artifact | Certified — see Service Trust Portal | Certified per cloud.google.com/security/compliance | In progress per industry reporting |
| ISO/IEC 42001:2023 (AI Management System) | Certified — among the first AI labs to attain per trust.openai.com | Certified — among the first frontier labs per trust.anthropic.com | In progress / partial scope per AWS Responsible AI updates | Certified for select services per Microsoft Responsible AI program | In progress per Google Cloud Responsible AI roadmap | In progress per mistral.ai/security |
| Primary certification body | Accredited CB listed in trust portal report | Accredited CB listed in trust portal report | EY CertifyPoint (historical) — see AWS Artifact for current | BSI / Schellman depending on scope — see Service Trust Portal | EY CertifyPoint / Coalfire — see compliance reports | Accredited CB listed in trust portal |
| Most recent certificate date | 2025 — verify date stamp on current report | 2025 — verify date stamp on current report | Renewed annually — see AWS Artifact | Renewed annually — see Service Trust Portal | Renewed annually — see compliance reports | 2025 — verify date stamp on current report |
| Scope of certification | API platform, ChatGPT Enterprise, ChatGPT Team, supporting infrastructure | Claude API, Claude.ai, enterprise services, supporting infrastructure | Hundreds of AWS services including Bedrock — see scope statement | Azure platform including Azure OpenAI Service, Azure ML — see scope statement | Google Cloud Platform including Vertex AI — see scope statement | La Plateforme API and Le Chat enterprise — see current statement |
| Audit firm | Listed in current ISO certificate (verify on trust portal) | Listed in current ISO certificate (verify on trust portal) | EY CertifyPoint historically; varies by region | BSI, Schellman, or Coalfire depending on scope | EY CertifyPoint / Coalfire / Bureau Veritas depending on scope | Listed in current certificate |
| Sub-certification renewal cadence | Annual surveillance audit; 3-yr recertification cycle | Annual surveillance audit; 3-yr recertification cycle | Annual surveillance audit; 3-yr recertification cycle | Annual surveillance audit; 3-yr recertification cycle | Annual surveillance audit; 3-yr recertification cycle | Annual surveillance audit; 3-yr recertification cycle |
| Customer access to full audit report | Via trust.openai.com under NDA | Via trust.anthropic.com under NDA | Via AWS Artifact self-service | Via Service Trust Portal self-service | Via compliance reports manager in Cloud Console | Via mistral.ai/security under NDA |
| Best fit | Enterprises that want first-mover ISO 42001 evidence on a frontier API | Safety-forward enterprises wanting frontier capability plus ISO 42001 | AWS-anchored enterprises building on Bedrock with existing AWS ISO inheritance | Microsoft 365 / Azure enterprises wanting OpenAI models inside Azure compliance boundary | GCP-anchored enterprises building on Vertex AI with Workspace data residency | EU buyers needing sovereign hosting plus ISO 27001 evidence |

Sources as of June 2026 — verify on each vendor's live trust portal before procurement: https://trust.openai.com/, https://trust.anthropic.com/, https://aws.amazon.com/compliance/iso-27001-faqs/, https://servicetrust.microsoft.com/, https://cloud.google.com/security/compliance/iso-27001, https://cohere.com/security, https://mistral.ai/security, https://www.iso.org/standard/81230.html. ISO certificates carry effective dates and scope statements that change at each surveillance audit — never accept a marketing-page screenshot as proof. Always pull the current certificate PDF and read the scope clause.

What each ISO standard actually covers (and the marketing copy you should ignore)

**ISO/IEC 27001:2022** is the foundation. It defines requirements for an Information Security Management System — the policies, risk treatment process, access controls, incident response procedures, and continuous improvement loop your organization uses to protect information assets. When an AI vendor says they are ISO 27001 certified, it means an accredited certification body audited their ISMS against Annex A controls and issued a three-year certificate with annual surveillance audits. It does not mean the AI models themselves are certified — that is a category mistake, and one that vendor marketing copy frequently encourages. Per the standard's text and the guidance at https://www.iso.org/standard/27001, the certification scope is whatever the organization defined, which is why reading the scope clause matters more than seeing the badge.

**ISO/IEC 27017** is the cloud services extension. It adds 7 cloud-specific controls and provides implementation guidance for 37 existing 27001 controls in a cloud context — things like virtual environment isolation, administrator operational security, and customer-cloud-provider responsibility split. When AWS, Azure, and Google publish 27017 alongside 27001 (see https://aws.amazon.com/compliance/iso-27001-faqs/), they are documenting how the hyperscaler's shared-responsibility model maps to internationally agreed-upon cloud controls. An AI API vendor that holds 27017 has signed up to specific cloud operational hygiene that goes beyond the generic ISMS.

**ISO/IEC 27018** is the PII-in-public-cloud extension. It is built on top of 27002 and adds controls for processing personally identifiable information in a public cloud environment as a PII processor. The control set covers consent, transparency, deletion timelines, and restrictions on PII use for advertising. For AI providers, 27018 matters because user prompts and uploads often contain PII — a provider holding 27018 has audited evidence that they treat that data as a regulated processor would. **OpenAI** at https://trust.openai.com/ and **Anthropic** at https://trust.anthropic.com/ both hold current 27018 attestations.

**ISO/IEC 27701** is the Privacy Information Management System (PIMS) extension. Where 27001 is about security, 27701 is about privacy as a discipline — data subject rights, lawful basis, cross-border transfer documentation, privacy impact assessment processes, and the GDPR/CCPA mapping appendices. An AI vendor with 27701 has built a privacy management system audited to an international standard. This is the certification your DPO actually cares about. Per Google's documentation at https://cloud.google.com/security/compliance/iso-27001 the 27701 scope inherits the underlying 27001 boundary.

**ISO/IEC 42001:2023** is the newest and most relevant. Published in December 2023 at https://www.iso.org/standard/81230.html, it is the world's first AI Management System standard. It defines requirements for an organization to establish, implement, maintain, and continually improve an AIMS — covering AI risk assessment, AI impact assessment (a distinct concept from privacy impact assessment), data governance for AI training and operation, AI system lifecycle management, third-party AI risk, and stakeholder communication. Where 27001 asks 'is your information secure?', 42001 asks 'is your AI development and deployment governed?'. This is the certification that maps most cleanly to EU AI Act obligations for high-risk systems.

The marketing copy to ignore: any vendor claiming their model is ISO certified, any vendor showing an ISO logo without a scope statement and effective date, and any vendor implying that 27001 alone is sufficient evidence of AI governance. It is not. 27001 covers the company's information security program. 42001 covers the AI program. They are complementary, not interchangeable, and in 2026 the gap between vendors who hold both versus only the former is the cleanest signal of AI-governance maturity available to procurement teams.


OpenAI, Anthropic, and the frontier-lab ISO race

**OpenAI** publishes the broadest ISO portfolio of any frontier model lab at https://trust.openai.com/. The current trust portal documents ISO 27001, 27017, 27018, 27701, and notably ISO 42001:2023 — making OpenAI one of the first AI providers to certify against the AI Management System standard. The scope statement covers the OpenAI API platform, ChatGPT Enterprise, ChatGPT Team, and supporting infrastructure. Procurement teams should pull the current certificate PDF directly from the trust portal under NDA — the certificate states the audit firm, the certificate effective and expiration dates, and the exact scope clause. Treat anything you cannot find in that PDF as marketing.

**Anthropic** publishes ISO 27001, 27017, 27018, and 27701 at https://trust.anthropic.com/, and was among the first frontier AI labs to attain ISO 42001 certification — a fact that is unsurprising given Anthropic's safety-forward positioning. The trust portal scope covers the Claude API, Claude.ai, enterprise services, and the supporting infrastructure. The combination of 42001 plus Anthropic's Responsible Scaling Policy makes Claude one of the cleanest ISO-evidence stories for buyers who need to demonstrate AI governance maturity to regulators, boards, or large enterprise customers.

The strategic point for 2026 buyers: OpenAI and Anthropic are now roughly at parity on the underlying ISO 27001/27017/27018/27701 stack, with both publishing reports under NDA via their trust portals. The real differentiator at this layer is ISO 42001 evidence and the depth of the AI-specific risk management documentation. Both labs publish security pages, but the certificate PDF is the artifact you should be reading, not the marketing page.

Where OpenAI and Anthropic differ structurally is the hosting story. OpenAI offers its API directly and via Microsoft Azure (Azure OpenAI Service inherits Azure's compliance boundary). Anthropic offers its API directly, plus via AWS Bedrock and Google Cloud Vertex AI. If your procurement team requires that the AI workload sit inside an existing cloud compliance boundary you have already audited, the hosting matrix matters as much as the lab-level certificate.

On data handling, both vendors offer Zero Data Retention (ZDR) on enterprise tiers, meaning prompts and completions are not used for training and are not retained beyond the operational window required for abuse monitoring (typically 30 days, with longer retention available under specific contracts). ZDR is contractually separate from the ISO certification — get it explicitly in writing in the order form, not just in the marketing FAQ. We cover the trade-offs more deeply in the enterprise LLM compliance comparison.

On audit access, both OpenAI and Anthropic make the full ISO certificate, SOC 2 Type II report, and supporting documentation available via their trust portals under standard NDA. The friction is low and the documentation is current. Compare this to the older pattern where AI startups required a custom enterprise contract just to share a SOC 2 report — in 2026, both frontier labs treat self-service trust portals as table stakes.


Hyperscaler ISO portfolios: AWS, Azure, and Google Cloud

**AWS** holds the broadest ISO portfolio of any cloud provider, documented at https://aws.amazon.com/compliance/iso-27001-faqs/. The current scope covers hundreds of AWS services including Amazon Bedrock, SageMaker, and the underlying compute, storage, and networking primitives. Customers access the full certificate and scope statement via AWS Artifact in the AWS Console under NDA. For AI workloads, the practical implication is that if you deploy Claude, Llama, Mistral, or Cohere models via Bedrock, the infrastructure layer inherits AWS's ISO 27001/27017/27018/27701 compliance — but the model-vendor's own AI governance posture is a separate question. AWS is rolling ISO 42001 attestation into its Responsible AI program incrementally; verify current scope in AWS Artifact before relying on it for high-risk-system documentation.

**Azure** publishes ISO 27001, 27017, 27018, and 27701 across the Azure platform at https://servicetrust.microsoft.com/, with the scope covering Azure OpenAI Service, Azure Machine Learning, and core Azure services. For enterprises already inside the Microsoft 365 compliance boundary, deploying OpenAI models via Azure OpenAI Service is the cleanest path to wrapping the AI workload in an existing audited environment. Microsoft is layering ISO 42001 attestation into its Responsible AI program for select services; the current scope is documented in the Service Trust Portal — pull the report rather than relying on marketing copy.

**Google Cloud** publishes ISO 27001, 27017, 27018, and 27701 at https://cloud.google.com/security/compliance/iso-27001, with Vertex AI (the model hosting layer for Gemini, Claude on GCP, and third-party models) inheriting the platform certification. Customers access the certificate via the Compliance Reports Manager in the Cloud Console. Google is bringing ISO 42001 into its Responsible AI roadmap; the current attestation scope is published in the compliance documentation — read the date stamp.

The hyperscaler ISO inheritance pattern is powerful but easy to misuse. A common procurement mistake is treating 'Bedrock is on AWS, AWS is ISO 27001, therefore my AI deployment is ISO 27001' as sufficient evidence. It is not. The hyperscaler's certificate covers the platform layer — the customer is responsible for the application layer above it, including prompt logging, output filtering, access controls on the AI endpoints, and the AI risk management program. The shared-responsibility model documented at https://aws.amazon.com/compliance/shared-responsibility-model/ applies fully to AI workloads.

Where the hyperscaler story is strongest is for buyers who have already audited their hyperscaler relationship and want to add AI capability without standing up a new vendor security review. If your security team has already approved AWS for production workloads and you have an AWS Enterprise Agreement, deploying Anthropic Claude or Meta Llama via Bedrock adds materially less procurement overhead than spinning up a direct contract with the model vendor. The same logic applies to Azure OpenAI Service for Microsoft shops and Vertex AI for Google shops.

Where the hyperscaler story is weakest is at the ISO 42001 layer. As of June 2026, AWS, Azure, and Google are all at varying stages of bringing AI-specific management system certification online, with Microsoft generally ahead and Google generally behind. For buyers who need ISO 42001 evidence specifically — typically because they are documenting a high-risk system under the EU AI Act per the EU AI Act compliance checklist — going direct to OpenAI or Anthropic for the model layer and using the hyperscaler only for infrastructure may give you cleaner audit evidence.


The newer entrants: Cohere, Mistral, and Hugging Face

**Cohere** publishes its security and compliance program at https://cohere.com/security, including SOC 2 Type II and ISO 27001 certification. The scope covers the Cohere API platform, Coral, and supporting infrastructure. Cohere's enterprise positioning — particularly its focus on RAG, embeddings, and private deployment options — makes the security story central to its sales motion. Buyers should pull the current certificate from the trust page and verify the audit firm, certificate date, and scope statement. ISO 27017/27018/27701 and ISO 42001 status are evolving; verify current state directly with Cohere's security team before relying on assumptions.

**Mistral** publishes its compliance program at https://mistral.ai/security and confirmed ISO 27001 certification in 2025. As Europe's leading frontier AI lab, Mistral is particularly relevant for EU buyers who want both frontier capability and sovereign hosting. The current scope covers La Plateforme (Mistral's hosted API) and Le Chat for enterprise. ISO 42001 work is in progress per industry reporting; for EU buyers documenting AI Act compliance, the combination of European hosting plus 27001 plus the in-flight 42001 makes Mistral one of the strongest sovereign-AI procurement stories in 2026.

**Hugging Face** holds SOC 2 Type II and has ISO 27001 work in progress as of mid-2026 per industry reporting. The Hugging Face Inference Endpoints product — the managed inference layer for open-weight models — is the relevant scope for enterprise buyers. For organizations using Hugging Face primarily as a model hub and registry rather than for production inference, the compliance story matters less; for organizations deploying production inference through Hugging Face Inference Endpoints, treat the certification status as a current evaluation question and verify directly with the Hugging Face security team.

The procurement reality for the newer entrants is that the ISO portfolio is materially narrower than the hyperscalers' or the top two frontier labs'. This is not necessarily disqualifying — for many use cases (developer tooling, internal experimentation, low-risk content generation) SOC 2 Type II plus an in-progress ISO 27001 program is sufficient. The mistake to avoid is treating these vendors as drop-in replacements for OpenAI or Anthropic on high-risk workloads without acknowledging the compliance delta.

A useful procurement pattern when working with smaller vendors: get the SOC 2 Type II report under NDA, ask explicitly when ISO 27001 will be issued (and which audit firm), ask what scope it will cover, and ask whether the vendor commits to ISO 42001 on a public timeline. The answers tell you whether you are buying from a vendor that is investing in audit maturity or one that is treating compliance as a sales obstacle. The former is worth a bet; the latter is a future incident waiting to happen.

If you need to weigh open-weight self-hosting against managed inference at any of these vendors, the cost math matters as much as the compliance math. The GPT-5 cost calculator and Claude API cost calculator help quantify the inference-cost trade-off you are accepting in exchange for the audit inheritance the managed vendors provide.


ISO 42001:2023 in depth: what an AI Management System actually requires

ISO/IEC 42001:2023 was published in December 2023 and is documented at https://www.iso.org/standard/81230.html. It is the first international management system standard specifically for artificial intelligence, structured around the same Plan-Do-Check-Act framework as 27001 and 9001, but with AI-specific clauses. The certification scope is an organization's AI Management System — its policies, processes, and controls for developing, deploying, and operating AI systems responsibly. Crucially, 42001 is a management system certification, not a model certification: it is auditing how the organization governs AI, not whether any particular model is 'safe'.

The core 42001 clauses cover AI policy (Clause 5), AI roles and responsibilities (Clause 5.3), AI risk assessment (Clause 6.1.2), AI impact assessment (Clause 6.1.4) — a distinct concept from privacy impact assessment that focuses on impact to individuals, groups, and society — AI objectives and planning (Clause 6.2), competence and awareness for AI roles (Clause 7), AI system lifecycle (Annex A controls), data quality and governance for AI (Annex A), and continual improvement of the AIMS. An organization being audited against 42001 must demonstrate documented evidence for each of these areas, with an internal audit program and management review cycle on top.

For AI providers, 42001 certification means an external auditor has reviewed the organization's AI risk management framework, lifecycle processes, data governance practices, third-party AI risk procedures, and continual improvement mechanisms — and issued a three-year certificate with annual surveillance audits. The certificate scope statement tells you which AI products and services are covered. As with 27001, scope clauses matter: a certificate covering 'AI development and operations' is materially different from one covering 'a specific named product.' Read the PDF.

Where 42001 maps cleanly to regulation is the EU AI Act. The Act's high-risk-system obligations around risk management systems, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy and robustness, and post-market monitoring are substantially aligned with 42001 clauses. Per the EU AI Office's published guidance, organizations certified to 42001 will have a significant head start on demonstrating compliance with the Act's high-risk-system requirements, though 42001 alone is not a substitute for the Act's specific conformity assessment process. We map the full picture in the EU AI Act compliance checklist.

For procurement teams in 2026, ISO 42001 is the cleanest external signal of AI-governance maturity available. Asking a vendor 'are you ISO 42001 certified, and can I have the current certificate?' separates organizations that have invested in an audited AI program from those that have not. OpenAI and Anthropic are among the first frontier labs to clear the bar. AWS, Azure, and Google Cloud are bringing it online incrementally. Smaller vendors are largely in the planning stage. This gap will close over the next 18 months, but in June 2026 it remains the single most useful procurement question for high-stakes AI workloads.

A common misunderstanding: 42001 is not about model safety in the technical sense. It does not certify that a model is non-toxic, non-biased, non-hallucinatory, or aligned. It certifies that the organization has a documented, audited management system for governing how AI is built and operated. Model-level safety is a different evidence stack — red-team reports, evaluation benchmarks, system card disclosures — covered separately in the responsible AI platforms for enterprise comparison.


Procurement and contract language: what to ask and what to get in writing

The single biggest procurement mistake is accepting a marketing-page screenshot as compliance evidence. ISO certificates are time-bounded documents with effective dates, expiration dates, and scope statements. A certificate that was current in 2024 may not be current in 2026, and a certificate covering one product line may not cover the one you are buying. Always pull the current PDF directly from the vendor's trust portal under NDA — https://trust.openai.com/, https://trust.anthropic.com/, AWS Artifact, https://servicetrust.microsoft.com/, the GCP Compliance Reports Manager, https://cohere.com/security, https://mistral.ai/security, or vendor security teams for vendors without self-service portals.

Read the scope clause on the certificate. If it says 'the API platform and supporting infrastructure', confirm that the specific service you are buying is part of that scope. For hyperscalers, the scope statement is typically an exhaustive list of in-scope services — verify that Bedrock, Azure OpenAI Service, or Vertex AI is named. For model vendors, verify that the API, the enterprise dashboard, and any related products (fine-tuning service, batch endpoints, evaluation tooling) are in scope. Anything outside the scope clause is, for audit purposes, not certified — regardless of what the marketing page says.

Get the audit firm name and verify accreditation. ISO 27001 and 42001 certifications must be issued by a certification body accredited by a national accreditation body (UKAS in the UK, ANAB in the US, etc.). The accreditation body's logo should appear on the certificate alongside the certification body's. If you cannot verify the audit firm or its accreditation, treat the certificate with skepticism — there is a non-zero market for unaccredited ISO-style certificates that look legitimate at a glance and would not survive a regulator's review.

Negotiate the contract language explicitly. The Data Processing Agreement should reference the current ISO 27001, 27017, 27018, 27701, and (where applicable) 42001 certifications by name and commit the vendor to maintaining them throughout the contract term. The Master Services Agreement should give you the right to receive annual surveillance audit confirmation and to be notified if any certification is suspended, withdrawn, or materially reduced in scope. For high-risk use cases, negotiate a right to terminate without penalty if certifications lapse.

Zero Data Retention (ZDR) is a separate contractual question from ISO certification. ISO 27001 certifies that the organization has appropriate controls; ZDR is a specific commitment that your prompts and completions will not be used for training and will not be retained beyond an operational window. Both OpenAI and Anthropic offer ZDR on enterprise tiers — get it in the order form, with the specific retention window (typically 30 days for abuse monitoring) and the data classification it applies to explicitly named.

For sub-processor risk, ask for the current sub-processor list and the change notification commitment. ISO 27001 requires that an organization manage third-party risk for its sub-processors — but the contractual commitment to notify you when sub-processors change is separate. Get a 30-day notification commitment in the DPA, and reserve the right to object. Sub-processor lists are typically published at the trust portal level (https://trust.openai.com/, https://trust.anthropic.com/) but the contractual notification commitment goes in the agreement.


Build vs. buy: when self-hosting open-weight models beats vendor compliance

The most common reason to self-host open-weight models — Llama, Mistral, Qwen, DeepSeek, or any of the broader open-weight ecosystem — is data sovereignty. If your data classification or regulatory obligations preclude sending prompts to a third-party model API, no amount of ISO certification on the vendor side changes the analysis. Self-hosting on infrastructure you already control (your own AWS, Azure, or on-premises environment) keeps the data inside an existing audited boundary. The 27001 question moves from the model vendor to your own ISMS.

The trade-off is real. Self-hosting open-weight models eliminates the model-vendor compliance question but adds an inference-infrastructure question. You are now responsible for the model serving stack (vLLM, TGI, SageMaker JumpStart, Azure AI Foundry, Vertex AI Model Garden), the GPU capacity planning, the model lifecycle management, the prompt logging and audit trail, the output filtering, and the AI risk management program. That is a lot of work, and ISO 42001 still applies to your organization as the AI operator — the standard does not care whether you are using a vendor model or a self-hosted one.

Where self-hosting works well in 2026: regulated industries (healthcare, financial services, defense) with mature DevOps and security teams, organizations with existing GPU capacity and infrastructure-as-code maturity, and use cases where the latency or cost of vendor APIs is prohibitive. Mistral's open-weight releases at https://mistral.ai/news/ and the broader Llama / Qwen / DeepSeek ecosystem make this credible at frontier-adjacent capability levels.

Where self-hosting fails: organizations without dedicated MLOps capacity, use cases that require frontier capability (GPT-5, Claude Opus 4.7, Gemini 2.5 Pro) where the open-weight gap is still meaningful, and procurement scenarios where the audit evidence inheritance from a certified vendor is genuinely the cleanest path. For most enterprise buyers in 2026, the right answer is hybrid: vendor APIs for frontier-capability workloads, self-hosted open-weight models for high-sensitivity workloads, with both wrapped in your organization's ISO 42001-aligned AI management system.

On the procurement math, the inference cost calculators at the GPT-5 cost calculator and the Claude API cost calculator let you compare vendor inference against self-hosted GPU economics honestly. The breakeven point depends heavily on workload volume — for low-volume workloads, vendor APIs are cheaper even before you count the engineering cost of self-hosting; for high-volume workloads (millions of requests per day at long context windows), self-hosting can pay back the infrastructure investment within a year.

The clearest signal that you should self-host: your security review keeps blocking vendor selection because the data classification is too sensitive to leave your environment. The clearest signal that you should buy from a certified vendor: your security review is unblocked because the vendor's ISO 27001/42001 evidence stack satisfies your auditor and your procurement team can move on to solving the actual business problem. Both are valid in 2026. Neither is universal.


The opinionated 2026 pick: who I would buy from for an ISO-driven procurement

If I were running enterprise procurement for an AI workload in 2026 and ISO 42001 evidence mattered specifically — typically because the workload qualifies as high-risk under the EU AI Act or because the board has asked for evidence of audited AI governance — I would shortlist **OpenAI** and **Anthropic** first. Both publish current ISO 27001/27017/27018/27701 plus ISO 42001 evidence via self-service trust portals (https://trust.openai.com/ and https://trust.anthropic.com/), and both make the underlying certificates available under standard NDA without custom contracting friction.

If I were already a Microsoft 365 shop with an existing Azure Enterprise Agreement, I would deploy **Azure OpenAI Service**. The infrastructure layer inherits Azure's full ISO portfolio per https://servicetrust.microsoft.com/, the model layer inherits OpenAI's certifications, and the workload sits inside the same compliance boundary I have already audited. The friction of adding a new vendor is replaced by a configuration change inside an existing relationship. For Microsoft shops, this is almost always the right answer.

If I were AWS-anchored, I would deploy **Anthropic Claude via Bedrock** for frontier-capability workloads and **Mistral or Llama via Bedrock** for cost-sensitive workloads. Per https://aws.amazon.com/compliance/iso-27001-faqs/, Bedrock inherits AWS's full ISO portfolio. The model-vendor compliance question still applies — Anthropic publishes its certifications directly — but the infrastructure question is solved by AWS Artifact. For ISO 42001 specifically, verify Bedrock's current scope in AWS Artifact rather than relying on inheritance assumptions.

If I were GCP-anchored, I would deploy via **Vertex AI** with Claude or Gemini, per https://cloud.google.com/security/compliance/iso-27001. The shape of the answer mirrors the AWS analysis. The ISO 42001 maturity at Google Cloud is slightly behind Microsoft and AWS as of June 2026 — verify scope directly in the Compliance Reports Manager before assuming inheritance for high-risk workloads.

If I were an EU buyer with sovereignty requirements, I would prioritize **Mistral** per https://mistral.ai/security. The combination of European hosting, confirmed ISO 27001, and in-flight ISO 42001 makes Mistral the cleanest sovereign-AI procurement story for EU public sector and regulated industries. For frontier-capability workloads where Mistral's models are not yet sufficient, the next-best EU-data-residency option is OpenAI or Anthropic in an EU region with explicit data residency commitments in the order form.

The one thing I would not do in 2026 is accept a vendor that holds only ISO 27001 and treats ISO 42001 as a future intention without a public timeline. The standard has been published since December 2023 and the early-mover labs have certified. A vendor selling AI services in 2026 that has not started the 42001 audit cycle is signaling something about its compliance investment priorities — and the signal is not flattering. Push them for a timeline in writing, or shortlist a vendor that has already done the work.

How to verify ISO certifications and pick a certified AI provider for your team

1. Step 1: Define the risk tier of your AI workload

   Before you start collecting certificates, write a one-page classification of the AI workload you are procuring. What data is processed? What decisions does the AI inform or automate? What is the worst-case impact if the system errors, hallucinates, or is breached? If the workload qualifies as high-risk under the EU AI Act (covered in the EU AI Act compliance checklist) or processes regulated data (PHI, financial records, government data), your ISO evidence requirements are substantially higher — you need 27001/27017/27018/27701 plus ISO 42001 plus typically SOC 2 Type II plus sector-specific attestations (HIPAA BAA, FedRAMP, etc.). If the workload is internal productivity tooling with low-sensitivity data, the bar is lower. Get this written down before you take a single vendor call — it is the document that lets you reject misaligned vendors quickly.

2. Step 2: Pull the current certificate PDFs directly from each vendor trust portal

   Do not accept marketing-page screenshots. For each shortlisted vendor, access the trust portal — https://trust.openai.com/, https://trust.anthropic.com/, AWS Artifact, https://servicetrust.microsoft.com/, GCP Compliance Reports Manager, https://cohere.com/security, https://mistral.ai/security — sign the standard NDA, and download the current ISO 27001, 27017, 27018, 27701, and 42001 certificates. Read the scope statement on each, verify the effective and expiration dates, identify the audit firm, and verify the audit firm's accreditation with the national accreditation body. Build a one-page summary per vendor with these data points. If a vendor will not provide a current certificate under NDA, that is a procurement disqualifier — move on.

3. Step 3: Map the certificate scope to the specific product you are buying

   An ISO certificate covers a defined scope — typically the API platform, the enterprise dashboard, and supporting infrastructure. If you are buying the fine-tuning service, the batch endpoints, or a specialized product (vision API, code interpreter, browsing), verify that the specific product is named in the scope statement. For hyperscaler-hosted models (Bedrock, Azure OpenAI Service, Vertex AI), verify that the specific hosting service is named in the hyperscaler's scope and that the model vendor's own certification covers the relevant product. Anything outside both scopes is uncertified for audit purposes, regardless of marketing claims. Document the mapping in the same one-page summary from Step 2 so legal and security can review it together.

4. Step 4: Negotiate certification commitments into the contract

   Get the contractual language right before signing. The Master Services Agreement and Data Processing Agreement should reference the current ISO 27001, 27017, 27018, 27701, and 42001 certifications by name; commit the vendor to maintaining them throughout the contract term; require annual surveillance audit confirmation; require notification within 30 days if any certification is suspended, withdrawn, or materially reduced in scope; and (for high-risk use cases) include a right to terminate without penalty if certifications lapse. Separately, get Zero Data Retention in the order form with the specific retention window named. Get the sub-processor change notification commitment in the DPA at 30 days minimum. Do not accept 'we maintain industry-standard compliance' as language — it commits the vendor to nothing specific.

5. Step 5: Build a recurring re-verification cycle, not a one-time check

   ISO certificates have three-year cycles with annual surveillance audits. SaaS and AI vendor compliance postures change as products evolve, sub-processors are added, and audit scopes are adjusted. Build a quarterly re-verification cycle into your vendor management program: pull the current certificate PDFs from each vendor trust portal, check for scope changes, verify that no certifications have been suspended or withdrawn, and review the sub-processor list for changes you should have been notified about. For high-risk workloads, add an annual deep-dive review where security and legal jointly re-read the certificates, the DPA, and the order form against current procurement standards. This is the single highest-leverage AI vendor management practice in 2026 — it catches drift before it becomes an audit finding.
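The five steps above reduce to a small set of mechanical checks that a vendor-management team can run every quarter. The script below is an added example, not code from this article or from any vendor: it applies the Step 1 evidence bar, the Step 2 date and accreditation checks, the Step 3 scope mapping and the Step 5 quarterly horizon to a constructed certificate ledger. The vendor names, dates, audit firms and scope strings are fictional placeholders, and the 90-day horizon and the blocker/warn severities are assumptions for illustration.

```python
"""Added example, not code from the article or any vendor: applies the Step 1-5
checks to a constructed certificate ledger (all vendors, dates, firms fictional)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Evidence bar per risk tier (Step 1); sector attestations are tracked elsewhere.
REQUIRED_BY_TIER = {
    "high": {"27001", "27017", "27018", "27701", "42001"},
    "low": {"27001"},
}
REVIEW_DATE = date(2026, 6, 15)  # constructed date of this re-verification run

@dataclass(frozen=True)
class Certificate:
    vendor: str
    standard: str      # "27001", "27017", "27018", "27701" or "42001"
    scope: str         # scope statement as printed on the certificate PDF
    effective: date
    expires: date
    audit_firm: str
    accredited: bool   # firm checked against the national accreditation body

def covers_product(cert: Certificate, product: str) -> bool:
    """Step 3: the product being bought must be named in the scope statement."""
    return product.lower() in cert.scope.lower()

def findings(certs, vendor, product, tier, today=REVIEW_DATE, horizon_days=90):
    """Steps 2, 3 and 5 for one vendor/product; horizon_days=90 matches the
    quarterly cycle. Returns (severity, message) tuples."""
    out = []
    mine = [c for c in certs if c.vendor == vendor]
    for std in sorted(REQUIRED_BY_TIER[tier] - {c.standard for c in mine}):
        out.append(("blocker", f"{vendor}: no ISO {std} certificate on file"))
    for c in mine:
        if c.expires < today:
            out.append(("blocker", f"{vendor}: ISO {c.standard} expired {c.expires}"))
        elif c.expires - today <= timedelta(days=horizon_days):
            out.append(("warn", f"{vendor}: ISO {c.standard} expires {c.expires}"))
        if not c.accredited:
            out.append(("blocker", f"{vendor}: {c.audit_firm} accreditation unverified"))
        if c.standard in REQUIRED_BY_TIER[tier] and not covers_product(c, product):
            out.append(("blocker", f"{vendor}: '{product}' not in ISO {c.standard} scope"))
    return out

def decision(found):
    """Any blocker disqualifies (Step 2); a warning alone means re-pull next cycle."""
    severities = {s for s, _ in found}
    if "blocker" in severities:
        return "disqualify"
    return "re-verify" if "warn" in severities else "proceed"

# Constructed ledger for two fictional vendors.
WIDE = "API platform, fine-tuning service and enterprise dashboard"
LEDGER = [
    Certificate("VendorA", s, WIDE, date(2025, 1, 1), date(2027, 12, 31), "AuditCo", True)
    for s in ("27001", "27017", "27018", "27701")
] + [
    Certificate("VendorA", "42001", "API platform", date(2025, 8, 1), date(2026, 8, 1), "AuditCo", True),
    Certificate("VendorB", "27001", "API platform", date(2023, 6, 1), date(2026, 5, 30), "UnknownLLP", False),
]
```

Running `findings(LEDGER, "VendorA", "fine-tuning service", "high")` flags the fictional VendorA because its 42001 scope names only the API platform, which is exactly the Step 3 gap that marketing pages hide.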


Frequently Asked Questions

Which AI providers actually hold ISO 42001 certification in 2026?

As of June 2026, OpenAI and Anthropic are among the first frontier AI labs to publish ISO 42001:2023 certification — OpenAI documents the certification at https://trust.openai.com/ and Anthropic at https://trust.anthropic.com/. Microsoft has certified select Azure services to ISO 42001 as part of its Responsible AI program per https://servicetrust.microsoft.com/. AWS and Google Cloud are bringing 42001 attestation online incrementally — verify current scope in AWS Artifact and the GCP Compliance Reports Manager. Mistral has 42001 work in progress per https://mistral.ai/security. Cohere and Hugging Face are evolving — verify directly with each vendor. The fact that 42001 was only published in December 2023 (https://www.iso.org/standard/81230.html) means the early-mover advantage is real and visible in vendor selection.

What is the difference between ISO 27001 and ISO 42001 for AI procurement?

ISO 27001 certifies that an organization has an Information Security Management System — policies, controls, risk treatment, and continuous improvement for information security generally. ISO 42001:2023 certifies that an organization has an AI Management System — AI risk assessment, AI impact assessment, data governance for AI, AI lifecycle management, and continual improvement of the AI program specifically. They are complementary, not interchangeable. A vendor with 27001 has audited information security; a vendor with 27001 plus 42001 has audited information security AND audited AI governance. For high-risk AI workloads, particularly under the EU AI Act, 42001 is the cleaner evidence stack. Per the standard at https://www.iso.org/standard/81230.html, 42001 is the world's first AI Management System standard.

How do I verify an AI vendor's ISO certification is current and covers what I am buying?

Three steps. First, pull the certificate PDF directly from the vendor's trust portal under NDA (https://trust.openai.com/, https://trust.anthropic.com/, AWS Artifact, https://servicetrust.microsoft.com/, the GCP Compliance Reports Manager, https://cohere.com/security, https://mistral.ai/security). Second, verify the certificate effective and expiration dates and the audit firm name — the audit firm should be accredited by a national accreditation body like UKAS or ANAB. Third, read the scope statement on the certificate and confirm that the specific product or service you are buying is named in scope. Anything outside the scope clause is uncertified for audit purposes, regardless of what the marketing page says. Marketing-page screenshots are not procurement evidence.

If I deploy Anthropic Claude via AWS Bedrock, whose ISO certification applies?

Both, at different layers. AWS Bedrock inherits AWS's ISO 27001/27017/27018/27701 certifications for the infrastructure layer per https://aws.amazon.com/compliance/iso-27001-faqs/ — that covers the compute, storage, network, identity, and Bedrock service itself. Anthropic's own ISO certifications per https://trust.anthropic.com/ cover the Claude model and Anthropic's organization-level security and AI management programs. For procurement evidence, you need both: the AWS Artifact certificate for the hosting layer and Anthropic's trust portal certificate for the model layer. The same pattern applies to Azure OpenAI Service (Azure compliance plus OpenAI compliance) and Vertex AI (GCP compliance plus model-vendor compliance). The shared-responsibility model documented at https://aws.amazon.com/compliance/shared-responsibility-model/ applies fully to AI workloads.

How much does ISO 27001 versus ISO 42001 certification actually cost a vendor — and why does it matter to me as a buyer?

Per industry reporting, ISO 27001 certification for a mid-sized AI vendor typically runs $50,000 to $200,000 in audit fees over the three-year cycle, plus internal program cost. ISO 42001 adds incremental cost on top — typically $30,000 to $100,000 for a vendor with mature 27001 to extend into 42001, more for vendors building the AI management system from scratch. This matters to buyers because it tells you which vendors are investing in audit maturity versus treating compliance as marketing. A vendor that has paid for 42001 audit fees within 18 months of the standard's December 2023 publication (https://www.iso.org/standard/81230.html) is signaling material AI-governance investment. A vendor that points to a 'planned' 42001 program without a timeline is signaling otherwise.

Is ISO 27018 actually meaningful for AI providers, or is it cloud-era theater?

It is meaningful. ISO 27018 is the PII-in-public-cloud extension and adds specific controls around how a public cloud processor handles personally identifiable information — consent, transparency, deletion timelines, restrictions on PII use for advertising or marketing. For AI providers, user prompts and uploads regularly contain PII, sometimes inadvertently, and 27018 provides audited evidence that the vendor treats that data as a regulated processor would. Both OpenAI per https://trust.openai.com/ and Anthropic per https://trust.anthropic.com/ hold current 27018, as do AWS, Azure, and Google Cloud at the platform layer. For consumer-facing or HR-adjacent AI use cases where PII handling is in scope, 27018 is more relevant than 27017 (which is generic cloud security).

What is the right ISO evidence package for an EU AI Act high-risk system?

ISO 27001 plus 27017 plus 27018 plus 27701 plus ISO 42001 is the strongest available 2026 evidence stack for an EU AI Act high-risk system — together they cover information security, cloud security, PII handling, privacy management, and AI management. 42001 specifically maps to many high-risk-system clauses including risk management, data governance, technical documentation, record-keeping, and post-market monitoring. The standard at https://www.iso.org/standard/81230.html was designed in part to support AI Act conformity assessment workflows. That said, 42001 alone is not a substitute for the Act's formal conformity assessment process — it is a strong evidence base, not a regulatory checkbox. See the EU AI Act compliance checklist for the full conformity workflow.

Should I prefer a vendor with the broadest ISO portfolio, or with the deepest AI 42001 evidence specifically?

Depends on the workload. For a generic enterprise AI deployment (productivity, content drafting, code assistance) on a hyperscaler-inherited compliance stack, the broadest ISO portfolio matters most — that is the AWS / Azure / Google Cloud story. For a high-risk system under the EU AI Act or a heavily regulated industry workload, ISO 42001 evidence specifically matters more than breadth — that is the OpenAI and Anthropic story. The best procurement outcome usually combines both: a hyperscaler with broad ISO inheritance at the infrastructure layer, plus a model vendor with deep ISO 42001 evidence at the AI layer. Azure OpenAI Service, Anthropic on Bedrock, and OpenAI direct are all credible 2026 expressions of that combination.

What is the most common ISO procurement mistake I should avoid in 2026?

Treating a hyperscaler's certification as automatic AI compliance. The most common mistake I see is procurement teams concluding 'we deploy Claude on Bedrock, AWS is ISO 27001, therefore our AI deployment is ISO 27001' — and stopping there. That is not how the shared-responsibility model works. The hyperscaler's certificate covers the platform layer; the customer is responsible for the application layer, including prompt logging, output filtering, access control on AI endpoints, and the AI risk management program itself. The model vendor's own certifications are a separate evidence stack. For ISO 42001 specifically, your organization's own AI Management System is also in scope as the AI operator. Do not collapse three layers of compliance evidence into one — your auditor will not.
