Trust you can verify: Figma is now ISO 42001 certified

Saying you use AI responsibly is easy, but proving it to an accredited auditor is harder. We decided that was a standard worth meeting.
ISO/IEC 42001 is the international standard for AI management systems, published in December 2023. It is the AI equivalent of ISO 27001: a framework that defines what responsible AI governance requires and subjects it to third-party verification.
An Artificial Intelligence Management System (AIMS) is the operational backbone of AI governance: the policies, processes, and controls that govern how AI is built, deployed, and monitored across an organization's products.
Security teams reviewing AI vendors face a familiar problem: every vendor's documentation looks the same whether the governance is real or not.
Figma's AI features are embedded in workflows across banking, healthcare, insurance, and the public sector, where strict regulatory, security, and privacy requirements are non-negotiable when building software. When security teams run vendor risk assessments, boards ask about AI governance, or customers weigh whether to turn on AI-assisted design features, just taking AI seriously isn't good enough.
Figma has achieved ISO/IEC 42001:2023 certification. Schellman, an accredited independent certification body, audited our AI governance policies, risk management processes, and development practices across the platform and confirmed Figma met the standard. This joins Figma's existing ISO/IEC 27001 and SOC 2 Type II certifications.
Why independent verification matters
There are two ways to answer a customer's question about AI governance. You can document your practices, publish a whitepaper, answer questionnaires, and ask customers to trust your account of your own controls. Or you can open your management system to an accredited third party, let them test it against an international standard, and hand customers the result. We do both. But only one of them is verifiable.
ISO 42001 certification means Schellman examined our governance policies, data practices, risk processes, and technical safeguards and confirmed they meet the standard.
What the certification covers
The certification covers the AI Management System governing how Figma designs, develops, and operates AI features across our platform: Figma Design, Figma Make, FigJam, Dev Mode, Figma Sites, Figma Slides, Figma Draw, Figma Buzz, and Figma Weave.
What was actually audited
Our ISO 42001 certification was issued by an ANAB-accredited certification body, which matters because accredited and unaccredited certifications are not the same thing. Accreditation requires the certification body itself to undergo a formal audit before it can issue conformant certificates to anyone.
The audit ran in two stages. Stage 1 assessed the design of Figma's AIMS, including documentation, policies, and risk methodology. Stage 2 tested whether it actually works, with auditors interviewing staff, observing processes, and evaluating operational effectiveness across 38 controls organized into nine Annex A control objectives:
- AI impact assessment
- Governance and accountability
- AI-specific risk management
- AI system lifecycle management
- Data governance
- Third-party AI risk
- Monitoring and performance evaluation
- Human oversight
- Responsible use of AI systems
These are not new concepts. What the certification validates is that we have put them into practice, not just documented them.
What this means for Figma users
At Figma, we sit on both sides of this problem. We build the programs that answer your security questionnaires, and we run the vendor risk programs that evaluate our own suppliers. We know what thorough documentation looks like.
ISO 42001 certification is independent evidence of AI governance. Instead of parsing our questionnaire responses, you have something more reliable: a recognized international standard, verified by an accredited body, that you can cite in vendor risk assessments, board reporting, and regulatory submissions.
This matters especially under the EU AI Act and emerging AI procurement standards, which require proof, not promises. For organizations in regulated industries such as financial services, healthcare, insurance, and the public sector, your own vendor risk program is itself subject to audit. An externally verified AI governance posture is a different class of evidence than a vendor's self-assessment.
ISO 42001 is built to provide exactly that.
Our commitment going forward
As Figma's AI capabilities expand, so does our commitment to governing them responsibly. We will keep submitting that governance to third-party verification rather than asking you to take our word for it. Figma's ISO 42001 certificate, alongside our full security and compliance documentation, is available at compliance.figma.com, and can be verified through Schellman's certificate directory.
This certification is the start, not the finish. We will keep compliance.figma.com current so you can verify our posture at any point in the vendor relationship. And we will be transparent when our AI governance practices change in ways that affect your risk assessment.
Questions about Figma's AI governance or security posture? Reach out to your account team.

Based in the San Francisco Bay Area, Tushar is a security specialist at Figma, focused on customer trust and third-party risk. He spent 6.5 years at Okta, where he was a founding member of the Customer Trust function and later served as Global Customer Audit Manager, leading the customer audit program across AMER, EMEA, and APJ. Before Okta, he worked for consulting companies such as EY and TCS.

