ISO 42001: When AI Governance Becomes a Product Feature
On March 26, Datadog announced it had achieved ISO 42001 certification for its AI-powered products. Bits AI agents, Watchdog, LLM Observability, AI Guard: all now covered by the first international standard designed specifically for AI management systems.
The certification itself is not the story. The positioning is. Datadog did not publish this as a compliance update buried in a legal page. They published it as a product announcement. The headline framing tells you everything: this is a feature, not a footnote.
What ISO 42001 Actually Covers
ISO 42001 is the AI-specific cousin of ISO 27001, the information security standard that went from optional to table stakes over the past decade. Where ISO 27001 governs how organizations protect data, ISO 42001 governs how organizations build, deploy, and operate AI systems.
The standard requires documented practices across the full AI lifecycle. Risk management. Transparency. Ethical development. Continuous improvement. Monitoring. If that list sounds familiar, it should. These are the same concerns that every internal AI governance initiative tries to address.
The difference: ISO 42001 makes those practices externally verifiable. A third-party auditor validates the controls. The certification number goes on your security page. Procurement teams can check a box instead of conducting a 47-page vendor assessment.
The ISO 27001 Trajectory
Anyone who watched ISO 27001’s adoption curve knows where this is heading.
In 2010, ISO 27001 was a differentiator. Security-conscious vendors pursued it to stand out. By 2015, it was expected. Enterprise RFPs started listing it as a requirement. By 2020, not having ISO 27001 was disqualifying for any vendor handling sensitive data.
ISO 42001 is at the 2010 stage. Datadog is early. Their existing certification stack (ISO 27001, ISO 27701, HIPAA, PCI, TISAX) means they already had the compliance infrastructure to add another standard. Most vendors do not.
That advantage is temporary. Regulatory pressure will compress the adoption timeline. The EU AI Act is creating compliance requirements for high-risk AI systems across Europe. US states are passing their own AI legislation. The organizations that need to comply will, in turn, require their vendors to demonstrate compliance. External certification is the simplest way to demonstrate it.
Governance as Product
Here is the shift that matters for anyone evaluating AI vendors.
Datadog’s announcement explicitly frames ISO 42001 as a buyer benefit: “Datadog’s ISO 42001 certification simplifies vendor assessment and gives organizations a clear, third-party-verified benchmark.” This is not compliance language. This is sales language. The certification reduces friction in procurement cycles.
In What 220 Controls Teach About Building AI Governance Frameworks, we examined how GitLab built a custom framework to reduce 220 SOC controls to something manageable. That approach works for internal governance. ISO 42001 offers an alternative path for the vendor relationship: a standardized, externally verified framework that vendors can adopt and buyers can require.
The two approaches are complementary. Internal governance frameworks address your specific environment. External certifications address your vendor supply chain. You need both.
When Cloudflare made AI security free, it established a governance floor in infrastructure. ISO 42001 certification establishes a governance floor in vendor selection. The pattern is the same: what was once aspirational becomes expected, then mandatory.
The Buyer Question
The practical implication is a question every organization using AI-powered tools should be asking: are your vendors certified?
Not “do they have an AI ethics page.” Not “did they publish responsible AI principles.” Certified. Third-party audited. Externally verified.
Most vendors will not have an answer yet. ISO 42001 was published in December 2023 and the certification ecosystem is still maturing. But the question itself changes the conversation. It signals that governance is a procurement criterion, not an afterthought.
For vendors, the calculus is straightforward. Certification costs time and money. Not having it will cost deals. The vendors that move first (Datadog, and the GitLab ISO 42001 certification noted in their control framework) set the expectation. Everyone else plays catch-up.
What This Does Not Solve
Certification is a floor, not a ceiling.
ISO 42001 verifies that an AI management system exists and follows documented processes. It does not verify that those processes are good. An organization can have certified risk management practices and still ship biased models. The standard ensures the process exists. It does not guarantee the outcomes.
This is the same limitation ISO 27001 has always had. Certified organizations still get breached. The certification means they have incident response plans, access controls, and audit trails. It does not mean those controls are perfectly calibrated.
Organizations that treat ISO 42001 as “AI governance, done” are making the same mistake as organizations that treated ISO 27001 as “security, done.” The certification is the starting line. The work is everything that follows.
The Signal
Datadog’s move is a leading indicator. When a vendor packages governance as a competitive differentiator, the market is repricing governance from cost center to revenue enabler.
The organizations that will benefit most from this shift are the ones that started building governance practices before the certification existed. They already have the risk assessments, the monitoring, the documentation. Certification is a formalization of work already done.
The organizations that will struggle are the ones that treated governance as optional. For them, ISO 42001 is not a certification to pursue. It is an entire discipline to build from scratch, under pressure, while competitors already have the badge on their website.
The question is not whether ISO 42001 becomes a vendor requirement. It is when. If ISO 27001’s trajectory is any guide, the answer is sooner than most vendors expect.
This analysis synthesizes Datadog Achieves ISO 42001 Certification for Responsible AI by Aaron Ta and Joe Jones (March 2026), and references the ISO 42001 standard published by ISO/IEC (December 2023).
Victorino Group helps organizations build AI governance practices that are certification-ready before the market requires it.
All articles on The Thinking Wire are written with the assistance of Anthropic's Opus LLM. Each piece goes through multi-agent research to verify facts and surface contradictions, followed by human review and approval before publication. If you find any inaccurate information or wish to contact our editorial team, please reach out at editorial@victorinollc.com.