
Why ISO/IEC 42001 matters for behavioral health AI

HIPAA and SOC 2 cover security. ISO/IEC 42001 covers AI management. Why the layered standard matters when the AI is documenting mental health care, and what procurement teams are starting to ask for.

If you have purchased clinical software in the last five years, you have seen HIPAA and SOC 2 Type II in every security review. Those two cover the question “is the system secure.” They do not cover the question “is the AI managed responsibly,” and behavioral-health procurement teams are starting to notice the gap.

ISO/IEC 42001 is the international standard for AI management systems. It was published in late 2023, and it is the first standard that asks vendors to demonstrate, at a system level, how they govern the AI products they ship. Risk assessment, data lineage, model lifecycle, human oversight, incident response, and the controls around all of it. Nextvisit completed the certification in 2026.

For most clinical-software categories, 42001 is a nice-to-have today. For behavioral-health AI documentation, it is moving toward table stakes, and quickly. Here is why.

What 42001 actually covers

The short version: 42001 is the AI counterpart to ISO 27001 (security management) and ISO 9001 (quality management). It defines a management system (a set of policies, processes, and controls) that an organization uses to govern AI throughout its lifecycle.

Concretely, that means documented answers to questions like:

  • Who is accountable when an AI output causes harm.
  • How are training data, model versions, and inference logs tracked.
  • How are users informed when they are interacting with AI output.
  • How is human oversight built into the workflow.
  • How are model changes evaluated before they reach production.
  • How are AI incidents detected, escalated, and resolved.

A 42001 audit reviews the documented system, then samples evidence to verify the system is operating as documented. It is not a checklist. It is a management-system audit, similar in style to SOC 2, focused on AI governance instead of security controls.

Why behavioral health is different

Behavioral-health documentation is the highest-stakes ambient AI use case in healthcare. The chart contains direct quotes about suicidal ideation, substance use, custody disputes, and trauma history. A flattened summary or a hallucinated symptom does not just create a documentation defect. It can change clinical decisions, payer coverage, and legal exposure.

Procurement teams at large behavioral-health groups have started asking specifically about AI governance during contracting. The questions tend to look like this:

  • What model do you use, and how do you evaluate changes before promotion.
  • What is your hallucination rate on behavioral-health content, and how is it measured.
  • How do you handle the case where the AI mishears or misattributes a quote.
  • What human oversight is built into the workflow.
  • How would you detect a regression in clinical accuracy in the field.

These are 42001 questions. A vendor who has done the standard can answer them with documented evidence. A vendor who has not can offer only a verbal answer, followed by a request to “send the policy.”

What procurement is starting to ask for

In the last six months, four of the largest behavioral-health groups Nextvisit works with have asked for one of the following during procurement:

  1. ISO/IEC 42001 certificate (preferred).
  2. A documented AI risk assessment in the format of a 42001 Statement of Applicability.
  3. A vendor questionnaire that mirrors 42001 controls.

The pattern is the same one we saw with SOC 2 ten years ago. Larger buyers ask first, smaller buyers follow within two procurement cycles.

What this means for buyers

If you are evaluating a behavioral-health AI scribe today, ask for the 42001 certificate, or the documented equivalent. If a vendor cannot show one, ask how they govern the model their product depends on, and how they would detect a clinical-accuracy regression in production. The answers tell you more about a vendor’s seriousness than any feature comparison.
