Recertification: ISO 42001 for the second consecutive year

Today, we are announcing that Microsoft 365 Copilot and Copilot Chat (Copilot) have achieved ISO/IEC 42001:2023 recertification, independently validated for the second consecutive year. First certified in March 2025, Copilot was among the first enterprise AI systems in the world to earn ISO 42001 certification. One year later, the recertification audit conducted in March 2026 confirmed zero non-conformities and zero improvement observations: back-to-back clean audits.

ISO 42001 certification is maintained through annual surveillance audits that re-examine the AI management system (AIMS) across governance, risk assessment, data management, transparency, human oversight, and supplier management. An independent internal audit in late 2025 had already confirmed the system as effective across nine functional domains; the recertification audit by the certification body validated the same conclusion.

Microsoft 365 Copilot and Copilot Chat are joined by GitHub Copilot, Microsoft Copilot Studio, Microsoft Dragon Copilot, Microsoft Dragon Copilot (Radiologists), Microsoft Copilot Health, Microsoft Foundry, and Security Copilot in Microsoft's ISO 42001 certified portfolio: eight AI systems in total, spanning enterprise productivity, developer tools, healthcare, platform, and security. Certificates, audit reports, and control alignment documentation are available on the Service Trust Portal.

What changed in a year

ISO 42001 recertification is not about maintaining the status quo. It is about demonstrating that the AI management system evolves with the technology it governs. Here is what changed between March 2025 and March 2026:

The model portfolio expanded and governance scaled with it. When Copilot was first certified in 2025, it relied primarily on a single model family from Azure OpenAI.
One year later, the same governance framework manages a multi-model, multi-provider portfolio: GPT-5 is the default model, and Anthropic Claude models are available as an additional option. Third-party model providers undergo Microsoft's supplier security and privacy review process before integration, and enterprise customers have full admin controls, including the ability to enable or disable third-party models. This is proof that ISO 42001 scales: the management system designed for a single-model architecture governed the expansion to a multi-model, multi-provider portfolio without requiring a fundamental redesign.

AI risk assessment processes matured. The responsible AI assessment workflow was streamlined, consolidating review steps to reduce duplicative effort while maintaining rigor. A structured harm identification capability was added to strengthen pre-release risk evaluation. And a risk-tiered review model was implemented so that senior oversight is concentrated on the highest-impact AI systems and features.

Product quality improved alongside governance. User satisfaction with M365 Copilot improved meaningfully over the year, a sign that governance and quality reinforce each other. When responsible AI practices are embedded into development, the result is not just a safer product but a better one.

The AIMS scope expanded. Microsoft Copilot Studio was formally brought under the governance framework, expanding coverage from two AI systems to three under this single certified management system.

Using AI to govern AI

This is perhaps the most distinctive aspect of Microsoft's approach. Over the past year, Microsoft has deployed AI agents internally to scale responsible AI governance. These AI-powered tools support engineering teams in conducting RAI assessments and streamline design review processes, without replacing human judgment.
The result is an improvement loop: the same AI technology Microsoft builds for customers is being used to strengthen the governance of that technology. AI agents help draft assessments; human experts review, challenge, and approve. Humans remain in the loop, but AI helps us scale. Product teams across the Copilot organization now use AI-assisted governance tools as part of their responsible AI workflow. Responsible AI training is also enforced across governance leadership roles. This is what continuous improvement looks like in practice: not just maintaining the AI management system, but using AI to make the management system itself more effective.

Customer confidence, validated

The impact of this governance investment shows up in customer decisions:

Quilter, one of the UK's leading wealth management firms, explicitly cited Microsoft's data protection policies and assurances as "key factors in our decision" to deploy M365 Copilot. In a regulated financial services environment where client trust is paramount, Quilter took a deliberately phased approach, beginning with technology teams to manage compliance risk before expanding.

Clifford Chance, one of the world's leading "Magic Circle" law firms, deployed M365 Copilot at global scale after developing comprehensive AI governance principles grounded in fairness, transparency, accountability, and privacy. Every legal output generated by AI is identified as such and validated by a qualified lawyer. Clifford Chance now advises other organizations on building their own AI governance frameworks, and chose Microsoft as the platform it trusts enough to build on.

PwC deployed 200,000 Copilot licenses globally, generating $150 million in time savings and 40.8 million Copilot actions in six months. At this scale, governance is not optional; it is what makes the deployment responsible.
For government customers, M365 Copilot is now available in GCC-High, built to meet FedRAMP High, DFARS, ITAR, and CMMC requirements, with web grounding disabled by default and all data remaining within US-based data centers managed by screened US personnel.

A Forrester Total Economic Impact study found that M365 Copilot delivers 116% ROI for enterprises; notably, 66% of respondents said Copilot improved or simplified their IT and data security posture.

As Drena Kusari, Microsoft VP & GM for Shared Services and Responsible AI, puts it: "Earning and keeping our users' trust is what gives us permission to build cutting-edge AI functionality. We put equal thought into the functionality of our features as we do into the responsible AI practices that encourage lasting interactions with Microsoft 365 Copilot."

What comes next

The AI landscape in March 2026 looks different than it did in March 2025, and it will look different again in March 2027. Models are becoming more capable, multi-agent architectures are emerging, and regulatory frameworks like the EU AI Act are moving from policy to enforcement, with high-risk system requirements taking effect in August 2026.

Our commitment is to evolve the AI management system with the technology. As Microsoft 365 Copilot continues to add agentic capabilities and expands multi-model support, the governance framework will scale accordingly. ISO 42001 recertification is not a destination; it is the annual proof point of continuous improvement.

We have also achieved CSA STAR for AI Level 2 certification, pairing ISO 42001 with CSA's AI-specific transparency artifacts; we are among the first organizations globally to do so.

Trust is not earned once; it is earned continuously, and it must be re-earned every year.

Additional resources

Trust should be verifiable.
Here is where you can check the supporting information:

Service Trust Portal: ISO/IEC 42001 certificates, audit reports, and control alignment documentation
2025 Responsible AI Transparency Report: our annual report on AI governance, risk management, and implementation
Microsoft 365 Copilot Application Card: detailed documentation of capabilities, models, evaluations, limitations, and safety mitigations
ISO/IEC 42001 Compliance Offering: details of our ISO/IEC 42001 certification scope and services
EU AI Act Compliance: our EU AI Act compliance posture and GPAI Code of Practice signatory status
CSA STAR for AI Registry: our CSA STAR for AI Level 2 certification, achieved among the first organizations globally

Learn more about Microsoft’s approach to responsible AI at