Emerging ISO/IEC Standards for AI Agent Security: What to Expect in 2026–2028
A deep technical analysis of ISO/IEC 42001, 23894, 5338, and TR 24368 as they apply to AI agent deployments—with gap analysis, certification pathways, and a compliance timeline through 2028.
The international standards landscape for AI is moving faster than any comparable technology domain in ISO/IEC's history. ISO/IEC 42001:2023 (AI Management Systems) was published in December 2023 and had already accumulated more than forty national adoption decisions by mid-2025—a pace that typically takes established standards five or more years to achieve. ISO/IEC 23894:2023 (AI Risk Management) followed, providing the risk management vocabulary and framework that organizations must master to implement 42001 meaningfully. ISO/IEC 5338:2023 (AI Lifecycle) defines the process framework for developing AI systems responsibly. And ISO/IEC TR 24368:2022 (AI Ethical Concerns) provides the conceptual foundation connecting technical standards to ethical requirements.
For organizations deploying AI agents in enterprise contexts, these standards are not academic exercises. They are increasingly referenced by procurement requirements, regulatory guidance, and partner due diligence processes. The EU AI Act mandates risk management systems that align with recognized standards; ISO/IEC 42001 is the recognized standard. NIST's AI RMF 1.0 references ISO/IEC 23894 for vocabulary alignment. Singapore's Model AI Governance Framework cites ISO/IEC TR 24368. The standards ecosystem is becoming the connective tissue between regulatory mandates and operational practice.
This analysis covers what each standard requires, how those requirements apply specifically to AI agent deployments (which the standards address more obliquely than practitioners would like), gap analysis for typical agent deployments, certification pathways, and a realistic compliance timeline through 2028.
ISO/IEC 42001: AI Management Systems Standard
What It Is
ISO/IEC 42001:2023 is the management systems standard for AI—the AI equivalent of ISO 9001 (quality management) and ISO 27001 (information security management). Organizations can obtain third-party certification to ISO/IEC 42001, providing external assurance that their AI management practices meet international standards.
Like ISO 27001, ISO/IEC 42001 follows the Annex SL high-level structure, making it compatible with other management systems standards. An organization already certified to ISO 27001 can implement ISO/IEC 42001 as an extension using compatible management system infrastructure.
The standard covers:
Clause 4: Context of the Organization — Understanding the organization's context, stakeholders, and the scope of AI activities. For AI agent deployments, this means explicitly documenting what agents are deployed, for what purposes, by whom, and in what contexts.
Clause 5: Leadership — Executive commitment to AI management, AI policy, and organizational roles and responsibilities. AI agent deployments need explicit governance ownership.
Clause 6: Planning — Risk assessment, risk treatment, and planning for AI management objectives. This is where ISO/IEC 23894's risk vocabulary connects.
Clause 7: Support — Resources, competence, awareness, communication, and documented information. Organizations must demonstrate they have competent personnel to manage AI agent deployments.
Clause 8: Operation — AI system lifecycle management, including development, deployment, monitoring, and decommissioning. This is the operational heart of the standard.
Clause 9: Performance Evaluation — Monitoring, measurement, analysis, audit, and management review. AI agents must be systematically monitored.
Clause 10: Improvement — Nonconformity handling and continual improvement.
The standard is accompanied by Annex A, which contains specific controls organized into 13 control categories.
Annex A Controls Applicable to AI Agents
The 13 Annex A control categories include controls specifically relevant to AI agent deployments:
A.6: AI System Impact Assessment. Organizations must conduct impact assessments before deploying AI systems. For AI agents, this means assessing:
- What data does the agent access and process?
- What decisions does the agent influence or make?
- What actions can the agent take autonomously?
- What populations are affected by agent outputs?
- What are the potential harms from agent errors or manipulation?
The impact assessment must be documented and revisited when agent scope or behavior changes materially.
A.8: AI Risk Assessment. Building on ISO/IEC 23894's vocabulary, the standard requires ongoing risk assessment specifically for AI risks. For AI agents, key risks include:
| Risk Category | AI Agent Specific Risks |
|---|---|
| Performance failures | Agent outputs incorrect results in production |
| Bias and fairness | Agent systematically disadvantages particular groups |
| Adversarial manipulation | Prompt injection, training data poisoning |
| Privacy | Agent accesses or generates personal data inappropriately |
| Security | Agent is compromised by supply chain attack |
| Reliability | Agent's behavioral consistency degrades over time |
| Transparency | Agent's decision rationale is not explainable |
A.9: AI System Design and Development Controls. Requirements covering the development lifecycle: requirements specification, architecture documentation, component sourcing, testing, and validation. For AI agents built from third-party models and plugins, this requires:
- Documentation of model provenance (training data sources, training methodology, pre-training vs. fine-tuning)
- Evaluation results demonstrating the agent performs within specification
- Documentation of third-party components and their vetting
- Adversarial testing results
A.10: AI System Deployment Controls. Controls covering the transition from development to production: deployment authorization, monitoring setup, incident handling, and documentation. This maps naturally to Armalo's behavioral pact framework—pacts serve as the formal behavioral specification that deployment authorization checks against.
A.11: AI System Monitoring and Improvement. Post-deployment monitoring requirements. AI agents must be continuously monitored for:
- Output quality and consistency
- Behavioral drift from established baselines
- Anomalous patterns that may indicate compromise
- Stakeholder feedback on agent behavior
This monitoring must be documented and feed into management review processes.
A.13: AI System Accountability. Requirements for documenting who is responsible for AI system behavior and what accountability mechanisms exist. For AI agents operating autonomously, organizations must explicitly define:
- Who is accountable when an agent causes harm?
- What redress mechanisms exist for affected parties?
- How are agent decisions auditable after the fact?
Armalo's signed behavioral attestations directly support A.13 requirements by creating tamper-evident audit trails that establish accountability for specific agent actions.
Certification Pathway for ISO/IEC 42001
Certification follows the standard management systems audit process:
Stage 1 Audit (Documentation Review): Auditors review documentation to confirm the AI management system has been designed to meet the standard's requirements. For AI agent deployments, this means reviewing:
- AI policy
- AI impact assessments for deployed agents
- Risk assessments and treatment plans
- Procedures for AI system lifecycle management
- Competence records for AI management personnel
- Documented monitoring procedures
Stage 2 Audit (Implementation Audit): Auditors verify that documented procedures are actually implemented and effective. They will interview personnel, observe processes, and review evidence of monitoring, incident handling, and improvement activities.
Surveillance Audits: Annual surveillance audits verify continued conformance. Significant changes to AI deployments (new agents, expanded scope, material behavioral changes) may require additional audit activities.
Recertification Audit: Three-year recertification covers the full scope.
Estimated timeline for a mid-sized organization with existing ISO 27001 certification:
- Gap analysis and planning: 2-3 months
- Documentation development: 3-4 months
- Implementation and internal audit: 2-3 months
- Stage 1 and Stage 2 audits: 1-2 months
- Certification achieved: 9-12 months from start
Organizations without existing management systems certification face a longer timeline—15-24 months—due to the need to build management system infrastructure from scratch.
The AI Agent Gap in ISO/IEC 42001
ISO/IEC 42001 was designed primarily with traditional ML systems in mind: trained models with defined inputs and outputs, deployed in controlled pipelines, making recommendations that humans act on. The standard's language struggles with AI agents' key characteristics:
Autonomous multi-step action: The standard's controls assume AI systems that produce outputs for human review. AI agents take actions autonomously, often in chains, with each action affecting subsequent actions. The standard's monitoring controls don't naturally address monitoring behavior sequences rather than individual outputs.
Non-deterministic behavior: The standard's performance controls assume measurable, reproducible performance characteristics. LLM-based agents are inherently non-deterministic. Traditional software testing and QA frameworks don't translate directly.
Third-party capability composition: AI agents are often built from third-party foundation models, plugins, tools, and APIs. The standard's supply chain controls (A.9) reference component vetting but don't provide specific guidance for AI-specific supply chain risks like training data poisoning or model weight tampering.
Emergent capabilities: AI agents may develop capabilities during deployment that weren't present during testing—particularly as models are updated. The standard's change management controls don't specifically address emergent capabilities.
Behavioral drift: LLM outputs shift as models are updated, prompts are modified, and context patterns change. The standard mentions monitoring but doesn't prescribe behavioral baseline approaches.
Working groups are actively developing guidance documents to address these gaps. JTC 1/SC 42 (the ISO subcommittee responsible for AI standards) has published several technical reports and is developing additional guidance specifically for autonomous AI systems.
ISO/IEC 23894: AI Risk Management
Risk Management Vocabulary
ISO/IEC 23894:2023 provides the risk management vocabulary and process framework that ISO/IEC 42001 builds on. It aligns with ISO 31000 (generic risk management) while extending it with AI-specific concepts.
Key vocabulary for AI agent risk management:
AI system risk: Combination of the probability of harm occurring from the AI system and the magnitude of that harm, considering all stakeholders.
Unintended outcome: An outcome that occurs during AI system operation that wasn't intended by the developer, deployer, or user—distinct from failures (which are intended behaviors that fail to occur).
For AI agents, "unintended outcomes" is a crucial concept because many agent-related harms arise not from explicit failures but from agents achieving their narrow objectives in ways that create collateral damage.
AI risk source: An element with the potential to give rise to AI risk. For AI agents, risk sources include: training data quality, model architecture, instruction following fidelity, plugin capabilities, and environmental context.
Risk treatment: Modification of risk. ISO/IEC 23894 identifies five treatment options:
- Avoiding the risk (don't deploy the agent)
- Taking the risk to pursue an opportunity (deploy with known residual risk)
- Removing the risk source (remove the capability that generates risk)
- Changing the likelihood (add monitoring and controls)
- Changing the consequences (add containment and recovery)
- Sharing the risk (contractual risk allocation with vendors)
- Retaining the risk by informed decision
For AI agent deployments, risk treatment commonly combines: reducing risk scope (limiting agent capabilities), changing likelihood (adversarial evaluation, monitoring), and changing consequences (human-in-the-loop for high-risk actions, behavioral pacts with escrow).
AI-Specific Risk Categories
ISO/IEC 23894 identifies AI-specific risk categories that go beyond traditional software risks:
Data-related risks:
- Training data quality and representativeness
- Data drift (distribution shift between training and deployment)
- Privacy risks from training data memorization
- Bias in training data propagating to outputs
Model-related risks:
- Overfitting (poor generalization)
- Adversarial vulnerability (sensitivity to crafted inputs)
- Lack of interpretability
- Emergent behavior not observed in testing
- Performance degradation over time
Human-AI interaction risks:
- Automation bias (over-reliance on AI)
- Misuse (using AI for purposes beyond its specification)
- Misunderstanding of AI capabilities or limitations
Operational risks:
- Dependency on unavailable infrastructure
- Security vulnerabilities in AI pipeline
- Supply chain compromise
For AI agent deployments, the operational risks category warrants particular attention because agents create attack surfaces that traditional ML systems don't: the plugin ecosystem, the agent-to-agent communication channels, and the autonomous action capabilities.
Integrating ISO/IEC 23894 with Agent Behavioral Pacts
Armalo's behavioral pact framework maps naturally to ISO/IEC 23894's risk treatment approach:
```json
{
  "pactId": "pact_2026_enterprise_data_agent",
  "agentDid": "did:armalo:agent_enterprise_data_001",
  "riskProfile": {
    "isoStandard": "ISO/IEC 23894:2023",
    "riskCategory": "operational",
    "residualRisk": "low",
    "treatmentMeasures": [
      {
        "treatment": "change_likelihood",
        "measure": "adversarial_evaluation",
        "frequency": "weekly",
        "coverage": "prompt_injection_owasp_llm01"
      },
      {
        "treatment": "change_consequences",
        "measure": "capability_scoping",
        "restriction": "read_only_by_default",
        "escrowBacked": true
      },
      {
        "treatment": "share_risk",
        "measure": "performance_bond",
        "bondAmount": "10000_usdc",
        "bondConditions": "data_exfiltration_unauthorized_access"
      }
    ]
  },
  "behavioralCommitments": {
    "dataAccess": "only_explicitly_authorized_namespaces",
    "outputFormat": "structured_json_no_raw_code_execution",
    "actionScope": "read_operations_only_unless_explicitly_authorized"
  },
  "monitoringRequirements": {
    "continuousScoring": true,
    "alertThreshold": "composite_score_below_750",
    "reportingFrequency": "weekly_to_risk_committee"
  }
}
```
This structure maps ISO/IEC 23894 risk treatment concepts directly into operational agent governance artifacts. The pact documents risk treatment measures, behavioral commitments serve as risk controls, and monitoring requirements connect to ISO/IEC 42001's A.11 monitoring controls.
ISO/IEC 5338: AI Lifecycle Standard
Process Framework Overview
ISO/IEC 5338:2023 defines the processes for AI system development, operation, and maintenance throughout the AI system lifecycle. It adapts ISO/IEC 12207 (software lifecycle processes) for AI-specific needs.
The standard defines 29 processes organized across four lifecycle process groups:
Agreement Processes (4 processes): Acquisition, supply, and related contractual activities. For AI agent deployments, this covers vendor agreements for foundation models, plugin providers, and evaluation services.
Organizational Project-Enabling Processes (7 processes): Infrastructure, portfolio management, human resource management, quality, configuration management, knowledge management, and measurement. These apply to the organization's AI development capability, not individual AI systems.
Technical Management Processes (8 processes): Project planning, risk management, configuration management, information management, measurement, quality assurance, decision management, and risk management.
Technical Processes (10 processes): Business requirements, system architecture, design, implementation, integration, verification, transition, validation, operation, and maintenance. These apply to individual AI system development.
AI-Specific Process Extensions
ISO/IEC 5338 extends traditional software lifecycle processes with AI-specific activities:
Data Management Process: Defines requirements for training data collection, curation, annotation, validation, and documentation. For AI agents, this covers both the foundation model's training data (which organizations sourcing third-party models must evaluate) and any fine-tuning data.
Required data management activities:
- Data source documentation (provenance, licensing, quality assessment)
- Bias assessment for training data
- Privacy compliance review
- Data preparation documentation (preprocessing, filtering, augmentation)
- Data validation (representative distribution, annotation quality)
AI System Verification and Validation Process: Extends traditional V&V with AI-specific testing requirements:
- Functional testing against specified behaviors
- Robustness testing (distribution shift, edge cases)
- Adversarial testing (prompt injection, evasion, extraction)
- Fairness assessment
- Performance testing (accuracy, reliability, consistency)
- Safety testing (what happens at failure boundaries?)
For AI agents, V&V must address the non-deterministic nature of LLM outputs. Standard deterministic testing (input X always produces output Y) is insufficient. ISO/IEC 5338's guidance acknowledges this by requiring statistical validation rather than deterministic pass/fail testing.
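One way to apply statistical validation to a single agent behavior, as an added example (not taken from ISO/IEC 5338 or from Armalo): repeat the same test many times and accept only when the lower end of a 95% Wilson confidence interval on the pass rate meets the required rate. The 95% requirement, the function names and the simulated trial are assumptions made for illustration.

```python
"""Statistical acceptance gate for a non-deterministic agent (added example)."""
import math


def wilson_lower_bound(passes: int, trials: int, z: float = 1.96) -> float:
    """Lower end of the Wilson score interval for an observed pass rate.

    z = 1.96 corresponds to a two-sided 95% confidence level.
    """
    if trials <= 0:
        return 0.0
    p = passes / trials
    z2 = z * z
    centre = p + z2 / (2 * trials)
    margin = z * math.sqrt(p * (1 - p) / trials + z2 / (4 * trials * trials))
    return (centre - margin) / (1 + z2 / trials)


def min_trials_for(required_rate: float, z: float = 1.96) -> int:
    """Fewest trials that can satisfy required_rate even with zero failures.

    With no failures the Wilson lower bound reduces to n / (n + z^2), so a
    test plan with fewer trials than this can never pass the gate.
    """
    if not 0 < required_rate < 1:
        raise ValueError("required_rate must be strictly between 0 and 1")
    return math.ceil(z * z * required_rate / (1 - required_rate))


def validate_behavior(run_trial, trials: int, required_rate: float,
                      z: float = 1.96) -> dict:
    """Run one behavioral test `trials` times and apply the gate.

    run_trial(i) returns True when the agent behaved as specified on trial i.
    """
    passes = sum(1 for i in range(trials) if run_trial(i))
    lower = wilson_lower_bound(passes, trials, z)
    return {
        "passes": passes,
        "trials": trials,
        "observed_rate": passes / trials if trials else 0.0,
        "lower_bound": lower,
        "accepted": lower >= required_rate,
    }


def simulated_refusal_trial(i: int) -> bool:
    """Constructed stand-in for a real agent call plus an output check.

    Fails exactly one trial in every fifty (observed pass rate 98%), so the
    results below are reproducible.
    """
    return i % 50 != 49


if __name__ == "__main__":
    print("trials needed before a 95% claim is even possible:",
          min_trials_for(0.95))
    for n in (50, 500):
        result = validate_behavior(simulated_refusal_trial, n, 0.95)
        print(n, "trials ->", result)
```

The same 98% observed pass rate is rejected at 50 trials and accepted at 500, which is the practical difference between a pass/fail run and a statistical claim.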
AI System Monitoring Process: Defines ongoing monitoring requirements post-deployment:
- Output quality monitoring (consistency, accuracy, completeness)
- Data drift detection
- Performance degradation detection
- Incident detection and reporting
- Feedback loop management
Gap Analysis: ISO/IEC 5338 vs. Typical Agent Deployments
Most organizations deploying AI agents have significant gaps relative to ISO/IEC 5338's process requirements:
| Process | Typical Compliance Level | Common Gap |
|---|---|---|
| Business Requirements | Partial | Requirements rarely specify behavioral boundaries explicitly |
| System Architecture | Partial | Plugin and tool dependencies rarely formally documented |
| Data Management | Low | Foundation model training data provenance typically unknown |
| Implementation | Partial | Prompt design rarely treated as software artifact |
| Verification | Low | Testing is functional but rarely adversarial |
| Validation | Low | Statistical validation rare; most orgs use manual evaluation |
| Transition | Low | Deployment authorization rarely formalized |
| Operation | Partial | Monitoring exists but behavioral baseline rarely established |
| Maintenance | Low | Model updates rarely treated as change management events |
The most critical gaps for AI agent deployments are:
Data management for foundation models: Organizations cannot obtain the training data documentation that ISO/IEC 5338 requires from most foundation model providers (OpenAI, Anthropic, Google). The standard's requirements were written assuming the organization controls training data. A guidance document is in development for this scenario, expected in 2026-2027.
Adversarial validation: Traditional QA processes are insufficient for AI agents. Organizations need adversarial evaluation capability—which most lack. This is an area where platforms like Armalo provide value: the adversarial evaluation and red-team testing components fulfill ISO/IEC 5338's validation requirements that organizations cannot easily build themselves.
Behavioral baseline establishment: The monitoring process requires monitoring against a baseline. For AI agents, establishing what "normal" behavior looks like is non-trivial, because behavior is context-dependent and outputs are non-deterministic. Armalo's composite trust scoring provides a continuous, structured measurement framework that can serve as the behavioral baseline for ISO/IEC 5338 monitoring compliance.
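One way to build and check a behavioral baseline over action sequences rather than single outputs, as an added example (it is not Armalo's scoring method and is not prescribed by ISO/IEC 5338): compare the distribution of consecutive action pairs in recent sessions against a baseline window using Jensen-Shannon divergence. The action names, session data and the 0.1 alert threshold are constructed assumptions.

```python
"""Sequence-level behavioral drift check for an agent (added example)."""
import math
from collections import Counter


def ngram_distribution(sessions, n: int = 2) -> dict:
    """Relative frequency of each run of n consecutive actions.

    sessions is a list of sessions; each session is the ordered list of
    action names the agent took (tool calls, API calls, writes).
    """
    counts = Counter()
    for actions in sessions:
        for i in range(len(actions) - n + 1):
            counts[tuple(actions[i:i + n])] += 1
    total = sum(counts.values())
    return {gram: c / total for gram, c in counts.items()} if total else {}


def js_divergence(p: dict, q: dict) -> float:
    """Jensen-Shannon divergence in bits: 0 = identical, 1 = disjoint."""
    div = 0.0
    for key in set(p) | set(q):
        pk, qk = p.get(key, 0.0), q.get(key, 0.0)
        mk = (pk + qk) / 2
        if pk:
            div += 0.5 * pk * math.log2(pk / mk)
        if qk:
            div += 0.5 * qk * math.log2(qk / mk)
    return div


def drift_report(baseline_sessions, current_sessions, n: int = 2,
                 threshold: float = 0.1) -> dict:
    """Compare a current window of sessions against the baseline window."""
    base = ngram_distribution(baseline_sessions, n)
    cur = ngram_distribution(current_sessions, n)
    if not base or not cur:
        raise ValueError("both windows need at least one run of n actions")
    score = js_divergence(base, cur)
    return {
        "divergence": score,
        # Sequences never observed in the baseline deserve review even when
        # the overall divergence stays under the threshold.
        "novel_sequences": sorted(set(cur) - set(base)),
        "drifted": score > threshold,
    }


# Constructed sessions: the current window uses the same three actions equally
# often, but sends the report before summarizing.
BASELINE = [["read_db", "summarize", "send_report"]] * 40
CURRENT = [["read_db", "send_report", "summarize"]] * 40


if __name__ == "__main__":
    print("single actions:", drift_report(BASELINE, CURRENT, n=1))
    print("action pairs:  ", drift_report(BASELINE, CURRENT, n=2))
```

Counting single actions reports no drift for these sessions, while counting action pairs reports the maximum divergence; per-output monitoring would miss the reordering entirely.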
ISO/IEC TR 24368: AI Ethical Concerns
Conceptual Framework
ISO/IEC TR 24368:2022 is a Technical Report (not a standard, so not certifiable) that provides the conceptual framework connecting technical AI standards to ethical requirements. It's the "why" behind the "what" of the other standards.
The report identifies seven high-level ethical concerns for AI:
- Transparency and explainability: AI systems should be understandable to the extent necessary for their context of use
- Responsibility and accountability: Clear allocation of responsibility for AI system behavior
- Privacy and data governance: Protection of personal data throughout the AI lifecycle
- Reliability, robustness, and safety: AI systems should perform as intended across their operating conditions
- Fairness and the mitigation of unwanted biases: AI outputs should not systematically disadvantage protected groups
- Security: AI systems should be protected against adversarial manipulation
- Respect for the law: AI systems should comply with applicable law
For AI agents, TR 24368's framework has direct operational implications:
Transparency: Agents must be identifiable as AI to the people they interact with. Agents' scope of authority must be disclosed. Agents' decision rationale should be available when material decisions are made.
Accountability: Human accountability must be maintained even for fully autonomous agents. The "accountability gap" (no one is accountable when an autonomous agent causes harm) is explicitly identified as a concern. This is precisely what Armalo's behavioral pact framework addresses: escrow-backed pacts maintain accountability by ensuring agents have skin in the game for their behavioral commitments.
Privacy: Agents that process personal data must comply with applicable data protection law. For agents operating across jurisdictions, data residency, cross-border transfer restrictions, and purpose limitation requirements apply. Agents must not memorize or inadvertently reproduce personal data from their training.
Reliability: Agents must be tested for reliability in their specific deployment context. Reliability claims must be evidence-based, not assumed. This maps to Armalo's evaluation framework—behavioral claims must be verified by adversarial testing, not self-reported.
Fairness: Agents whose outputs affect different populations must be evaluated for systematic bias. For AI agents in employment, credit, healthcare, and law enforcement contexts, fairness testing is mandatory under applicable law (ADA, ECOA, EU AI Act).
Security: Agents must be protected against prompt injection, training data poisoning, model theft, and supply chain attacks. TR 24368 explicitly identifies adversarial manipulation as an ethical concern, not just a security concern, because manipulation can cause agents to harm users they were supposed to serve.
Respect for law: Agents operating across jurisdictions face a complex multi-law compliance challenge. TR 24368 acknowledges this without resolving it—resolution is the work of standards in development.
Upcoming Standards in Development (2026–2028)
ISO/IEC AWI 42006: AI Assurance
ISO/IEC AWI 42006 is under development (anticipated publication 2026-2027) and will provide specific requirements for AI system assurance—the processes and evidence that demonstrate AI systems are trustworthy. This is the most directly relevant upcoming standard for AI agent deployments.
Expected coverage:
- Evaluation methodology for AI systems (extending ISO/IEC 5338's validation requirements)
- Evidence requirements for AI system trustworthiness claims
- Third-party assessment requirements for high-risk AI systems
- Continuous assurance monitoring requirements
For AI agent deployments, ISO/IEC AWI 42006 is expected to require:
- Documented evaluation results from adversarial testing
- Third-party evaluation for high-risk agent deployments
- Continuous monitoring evidence demonstrating ongoing conformance to behavioral commitments
This standard will create significant demand for adversarial evaluation capabilities—exactly what Armalo's red-team evaluation framework provides.
ISO/IEC AWI 42701: AI Governance Framework
ISO/IEC AWI 42701 (anticipated 2026-2028) will provide specific guidance on AI governance structures—how organizations should organize oversight, accountability, and decision-making for AI systems.
For AI agents, expected requirements include:
- Defined escalation paths for agent behavioral incidents
- Regular management review of agent behavioral performance
- Board-level oversight for high-risk agent deployments
- External audit requirements for certain agent categories
ISO/IEC AWI 5259: AI Data Quality
ISO/IEC AWI 5259 addresses AI data quality specifically, including training data, evaluation data, and operational data. It will provide:
- Data quality dimensions for AI systems
- Measurement approaches for AI data quality
- Documentation requirements for data quality management
For AI agents built on third-party foundation models, ISO/IEC AWI 5259 will likely require organizations to obtain training data quality documentation from model providers—creating pressure on providers to make this information available.
ISO/IEC TR 24027: Bias in AI Systems
ISO/IEC TR 24027 (already published, subject to revision) addresses bias specifically. Expected updates will cover:
- Bias testing methodology for autonomous AI systems
- Fairness metrics appropriate for AI agent decision-making
- Bias remediation requirements
Technical Committee Work on Autonomous AI
JTC 1/SC 42 has a standing agenda item specifically for autonomous AI systems (including agents). Working group outputs expected in 2026-2028:
- Vocabulary: Standardized definitions for "AI agent," "autonomous action," "human oversight," and related terms
- Lifecycle guidance: Extension of ISO/IEC 5338 processes specifically for autonomous agents
- Accountability framework: Guidance on maintaining human accountability for autonomous agent actions
Compliance Timeline and Roadmap
2026: Foundation Year
Organizations should prioritize during 2026:
Q1 2026:
- Complete ISO/IEC 42001 gap analysis against current AI agent deployments
- Establish AI impact assessment process for new agent deployments
- Define AI risk categories and risk appetite statement
Q2 2026:
- Complete ISO/IEC 42001 documentation development
- Implement AI system monitoring processes (behavioral baselines, anomaly detection)
- Prepare for ISO/IEC 42001 Stage 1 audit
Q3 2026:
- ISO/IEC 42001 Stage 1 audit
- Remediate documentation gaps identified in Stage 1
- Implement adversarial evaluation capability (in-house or via Armalo)
Q4 2026:
- ISO/IEC 42001 Stage 2 audit and certification
- Begin ISO/IEC 5338 process implementation for new AI agent projects
2027: Expansion Year
H1 2027:
- Full ISO/IEC 5338 compliance for all active AI agent development projects
- Preparation for ISO/IEC AWI 42006 (expected publication 2027)
- Third-party assurance assessments for high-risk agent deployments
H2 2027:
- Implement ISO/IEC AWI 42006 requirements as standard emerges
- Integrate compliance monitoring into CI/CD pipelines
- Establish multi-jurisdictional compliance documentation for cross-border agent deployments
2028: Maturity Year
Full year 2028:
- ISO/IEC 42001 recertification covering expanded AI agent scope
- ISO/IEC AWI 42006 assurance certification for high-risk agents
- Continuous compliance monitoring automated and evidence-generating
- Supply chain standards compliance (tracking training data provenance, model cards, SBOM)
Priority Matrix for AI Agent Deployments
| Standard | Priority | Certification Available | Timeline |
|---|---|---|---|
| ISO/IEC 42001 | P1 | Yes (now) | Certify by Q4 2026 |
| ISO/IEC 23894 | P1 (informs 42001) | No (vocabulary/process) | Implement with 42001 |
| ISO/IEC 5338 | P2 | No (process framework) | Implement by 2027 |
| ISO/IEC TR 24368 | P3 (conceptual) | No (technical report) | Use as framework, 2026 |
| ISO/IEC AWI 42006 | P1 (when available) | Yes (anticipated 2027) | Prepare 2026, certify 2027 |
| ISO/IEC AWI 42701 | P2 (when available) | Unclear | Monitor, prepare 2027-2028 |
Building a Standards-Compliant AI Agent Program
The Documentation Stack
ISO/IEC 42001 requires a comprehensive documentation structure. For AI agent deployments specifically:
AI Policy (top-level):
- Organizational commitment to responsible AI use
- Scope of AI activities covered by the policy
- Roles and responsibilities (AI Owner, AI Developer, AI Risk Manager)
- References to external frameworks (NIST AI RMF, EU AI Act, ISO/IEC 42001)
AI Impact Assessment Template:
- Agent purpose and scope
- Affected populations
- Data processed
- Autonomous actions enabled
- Risk assessment summary
- Treatment measures
- Residual risk statement
- Authorization signature
AI Agent Registry:
- Inventory of all deployed AI agents
- Per-agent: purpose, scope, responsible owner, deployment date, last evaluation date, current trust status
- For Armalo-integrated agents: composite trust score history, pact terms, evaluation results
Evaluation Records:
- Adversarial evaluation results (prompt injection, data exfiltration, scope violation)
- Functional evaluation results
- Comparative evaluation results (baseline vs. current)
- Evaluation methodology documentation
Monitoring Records:
- Behavioral baseline documentation
- Monitoring alert log (what triggered, what was investigated, what was found)
- Incident records
- Management review minutes
Using Armalo to Accelerate Standards Compliance
Armalo's platform provides pre-built infrastructure for several ISO/IEC 42001 control requirements:
A.6 (Impact Assessment): Armalo's agent registration process requires behavioral scope definition, which serves as the foundation for impact assessment documentation.
A.8 (Risk Assessment): Armalo's 12-dimension composite trust scoring provides a structured risk assessment framework:
| Trust Dimension | ISO/IEC 23894 Risk Category |
|---|---|
| Accuracy (14%) | Performance failures |
| Safety (11%) | Safety risks |
| Security (8%) | Adversarial vulnerability |
| Self-audit/Metacal (9%) | Transparency |
| Reliability (13%) | Reliability risks |
| Scope-honesty (7%) | Boundary compliance |
| Model-compliance (5%) | Operational conformance |
A.9 (Development Controls): Armalo's SBOM integration and supply chain security tooling supports documentation of AI component provenance.
A.10 (Deployment Controls): Behavioral pacts serve as deployment authorization artifacts—deployment is only authorized when pact terms are satisfied and initial evaluation thresholds are met.
A.11 (Monitoring): Armalo's continuous composite trust scoring provides structured ongoing monitoring with documented evidence. Score history constitutes the monitoring record required by A.11.
A.13 (Accountability): Signed behavioral attestations provide the audit trail required by A.13. Every evaluation that contributes to a trust score is cryptographically signed and tamper-evident.
Integrating Standards Compliance into Development Workflows
Standards compliance is most effective when integrated into development workflows rather than treated as periodic audit preparation:
```yaml
# .github/workflows/ai-agent-compliance.yml
name: AI Agent Standards Compliance Check

on:
  pull_request:
    paths:
      - 'agents/**'
      - 'prompts/**'
      - 'tools/**'

env:
  # Assumed names: keep the API key in a repository secret and the agent ID
  # in a repository variable so neither is hard-coded in the workflow.
  ARMALO_API_KEY: ${{ secrets.ARMALO_API_KEY }}
  AGENT_ID: ${{ vars.AGENT_ID }}

jobs:
  impact-assessment:
    name: Automated Impact Assessment Pre-check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check agent registry for new agents
        # Note: github.event.pull_request.changed_files is the number of
        # files changed in the pull request, not a list of paths.
        run: |
          python scripts/check_agent_registry.py --pr-files ${{ github.event.pull_request.changed_files }}
      - name: Verify impact assessment exists for new agents
        run: |
          python scripts/verify_impact_assessments.py

  sbom-generation:
    name: Generate AI Agent SBOM
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Generate CycloneDX ML-BOM
        run: |
          cyclonedx-py poetry --output sbom/agent-sbom.json
      - name: Upload SBOM to Armalo registry
        run: |
          curl -X POST "https://api.armalo.ai/v1/agents/$AGENT_ID/sbom" \
            -H "X-Pact-Key: $ARMALO_API_KEY" \
            -H "Content-Type: application/json" \
            -d @sbom/agent-sbom.json

  behavioral-evaluation:
    name: Pre-deployment Behavioral Evaluation
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Request adversarial evaluation
        run: |
          EVAL_ID=$(curl -sS -X POST https://api.armalo.ai/v1/evals \
            -H "X-Pact-Key: $ARMALO_API_KEY" \
            -H "Content-Type: application/json" \
            -d '{"agentId": "'"$AGENT_ID"'", "evalType": "adversarial"}' | jq -r .id)
          echo "EVAL_ID=$EVAL_ID" >> "$GITHUB_ENV"
      - name: Wait for evaluation completion
        run: |
          python scripts/wait_for_eval.py --eval-id "$EVAL_ID" --timeout 3600
      - name: Verify trust score threshold
        run: |
          SCORE=$(curl -sS "https://api.armalo.ai/v1/scores/$AGENT_ID" \
            -H "X-Pact-Key: $ARMALO_API_KEY" | jq -r .compositeScore)
          # Fail closed: an empty or non-numeric score must not pass the gate.
          if ! printf '%s' "$SCORE" | grep -Eq '^[0-9]+(\.[0-9]+)?$'; then
            echo "Could not read a numeric trust score (got '$SCORE')"
            exit 1
          fi
          if [ "$(echo "$SCORE < 700" | bc)" -eq 1 ]; then
            echo "Trust score $SCORE below deployment threshold 700"
            exit 1
          fi
```
This workflow automatically checks impact assessment documentation, generates an SBOM for supply chain documentation, and runs an adversarial evaluation before any agent deployment—creating automated compliance artifacts for ISO/IEC 42001 A.6, A.9, A.10, and A.11.
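The trust-score gate in the workflow's final step only works as a deployment control if it fails closed when the score endpoint returns nothing usable. The following is an added example, not Armalo's code, of such a gate in Python, the language of the workflow's helper scripts. The function name, the sample bodies, and the response shape (a JSON object with a numeric `compositeScore`, inferred from the workflow's `jq` filter) are assumptions.

```python
import json
import math

THRESHOLD = 700  # deployment threshold used in the workflow on this page


def evaluate_gate(body: str, threshold: float = THRESHOLD) -> tuple:
    """Return (allowed, reason). Anything other than a finite number at or
    above the threshold blocks deployment (fail closed)."""
    if not body or not body.strip():
        return False, "empty response from score endpoint"
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, f"response is not JSON: {exc.msg}"
    if not isinstance(doc, dict) or "compositeScore" not in doc:
        return False, "compositeScore field missing"
    score = doc["compositeScore"]
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return False, f"compositeScore is not a number: {score!r}"
    # json.loads accepts NaN and Infinity by default; neither is a valid score.
    if isinstance(score, float) and not math.isfinite(score):
        return False, "compositeScore is not finite"
    if score < threshold:
        return False, f"trust score {score} below deployment threshold {threshold}"
    return True, f"trust score {score} meets deployment threshold {threshold}"


# Constructed sample bodies (not real API output), one per case the gate must handle.
SAMPLES = {
    "ok": '{"compositeScore": 742}',
    "boundary": '{"compositeScore": 700}',
    "low": '{"compositeScore": 699.5}',
    "null": '{"compositeScore": null}',
    "string": '{"compositeScore": "742"}',
    "error_body": '{"error": "unauthorized"}',
    "html": "<html>502 Bad Gateway</html>",
    "empty": "",
    "nan": '{"compositeScore": NaN}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        allowed, reason = evaluate_gate(body)
        print(f"{name:10} {'ALLOW' if allowed else 'BLOCK'}  {reason}")
```

Logging the returned reason string alongside the verdict gives the CI run a record of why a deployment was blocked.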
The Standards Landscape: Observations and Predictions
What Will Be Required vs. What Will Be Voluntary
By 2028, the regulatory landscape will have established clearer lines between mandatory and voluntary standards compliance:
Mandatory (via regulation):
- ISO/IEC 42001 certification (or equivalent) will likely be mandatory for high-risk AI deployments under EU AI Act Article 9 (risk management systems). The EU AI Act references "harmonised standards" and ISO/IEC 42001 is the primary candidate.
- ISO/IEC 5338 compliance will be required for AI systems subject to EU AI Act Annex IV documentation requirements (high-risk AI systems).
- Training data documentation compliant with ISO/IEC AWI 5259 will be required for AI systems making consequential decisions in EU-regulated sectors.
Market-required (via procurement):
- ISO/IEC 42001 certification will be required by procurement processes in financial services, healthcare, and defense by 2027, even where not legally mandated.
- ISO/IEC AWI 42006 assurance assessments will be required for AI agents handling sensitive data or making consequential autonomous decisions.
Competitive differentiator:
- Comprehensive ISO/IEC 5338 compliance will differentiate AI agent vendors in enterprise markets.
- ISO/IEC TR 24368 framework alignment will differentiate responsible AI branding.
The Vendor Compliance Ecosystem
The standards are creating a vendor compliance ecosystem in which:
- Foundation model providers (OpenAI, Anthropic, Google) will need to provide standardized documentation packages (training data summaries, evaluation results, model cards aligned with ISO requirements)
- Evaluation service providers (like Armalo) will become critical infrastructure for demonstrating compliance with ISO/IEC 42001 A.8 and A.11
- Certification bodies (BSI, TÜV SÜD, DNV) will develop AI-specific audit competency
- Third-party assurance firms will emerge specifically for ISO/IEC AWI 42006 assessments
Staying Ahead of the Standards Curve
Organizations that treat standards compliance as a one-time achievement rather than a continuous practice will find themselves repeatedly disrupted. The AI standards landscape is evolving faster than any comparable technology domain. Best practices for staying ahead:
- Monitor JTC 1/SC 42 working group output at standards.iso.org quarterly
- Participate in national standards body technical committees (ANSI/INCITS in the US, BSI in the UK, DIN in Germany) to get advance notice of standards development
- Build compliance infrastructure that can absorb new requirements rather than building minimum-viable compliance for each standard independently
- Treat Armalo's trust scoring as your standards compliance evidence baseline—the 12 scoring dimensions, continuous evaluation, and signed attestations create the evidence trail that standards require, regardless of which specific standard asks for it
Conclusion
The ISO/IEC standards ecosystem for AI is maturing from conceptual frameworks to operational requirements faster than most practitioners expected. ISO/IEC 42001's certifiability makes it the anchor standard—organizations with enterprise AI agent deployments should be planning certification now, not after it becomes a procurement requirement in 2027.
The gap between current AI agent practices and ISO/IEC 42001 requirements is significant but not insurmountable. The most critical gaps—adversarial evaluation, behavioral monitoring, supply chain documentation, accountability infrastructure—are exactly the gaps that platforms like Armalo were built to close. Behavioral pacts provide deployment authorization artifacts. Composite trust scoring provides continuous monitoring evidence. Signed behavioral attestations provide the accountability audit trail. Adversarial evaluation provides the validation evidence that standards require but most organizations cannot produce independently.
The standards landscape through 2028 will continue to develop, with ISO/IEC AWI 42006 (AI Assurance) being the most consequential upcoming standard for AI agent deployments. Organizations that build standards-compliant infrastructure now—evaluation capability, behavioral monitoring, supply chain documentation—will absorb the new assurance requirements as extensions of existing practice rather than as disruptive new obligations.
Armalo's behavioral pact framework, adversarial evaluation system, and composite trust scoring are designed to generate the evidence artifacts required by ISO/IEC 42001, ISO/IEC 23894, and ISO/IEC 5338. Organizations pursuing AI management systems certification can query Armalo's trust oracle at /api/v1/trust/ to obtain standardized trust evidence for their certified AI agents.