AS9120 Certified and Still Wrong. What IA9120 Is Really Asking For

In February 2026, a man was sentenced to four years and eight months in prison in London. His name is Jose Alejandro Zamora Yrala. Between 2019 and 2023, he sold more than 60'000 aircraft engine parts to airlines around the world — parts accompanied by forged airworthiness certificates, created on his home computer. The parts were intended for CFM56 engines, the most common jet engine in commercial aviation, powering Boeing 737s and Airbus A320s flown by millions of passengers every day.

The scandal, known as the AOG Technics case, made headlines globally. Airlines including Delta, American, Southwest, Ryanair and Virgin Australia were forced to ground aircraft and conduct urgent inspections. The estimated financial loss exceeded £39 million.

What made the case particularly uncomfortable for our industry is this: many of the companies that bought those parts operated under quality management systems certified to AS9100 or equivalent standards. They had certificates on the wall. They had procedures. They had audits. And yet, they bought parts from a broker with no real employees, no verifiable history, and documentation forged in a garage.

I am not saying the standard failed. I am saying that a certificate is not the same as a working system. And that is exactly what the transition to IA9120 is asking us to think about.

What Is Actually Changing, and When

Before getting into the practical changes, let me clarify the timeline, because there is some confusion in the industry.

ISO 9001:2026 is expected to be published in September 2026. Once published, organizations certified to ISO 9001:2015 will have a three-year transition period, until approximately September 2029, to update their certification. This is the standard ISO transition window.

IA9120, the new name for what we currently call AS9120, EN9120 and SJAC9120 — will follow shortly after ISO 9001:2026, likely in late 2026 or early 2027. The IAQG is coordinating the release to avoid asking organizations to transition twice. However, the transition window for IA9120 will be set independently by the IAQG and the certification bodies, and it is expected to be shorter than the ISO standard three years. Plan accordingly.

The two transitions are connected but separate. You cannot assume that because you have time on the ISO 9001 side, you have the same time on the aerospace side.

What Will Actually Require Work

Let me skip the things that will not change much. The core of IA9120 will still be about traceability, chain of custody, supplier control and documentation. If you are doing those things well today, you are not starting from zero.

What is changing is something more demanding. Here is where I expect most companies will need to put in real effort.

Your supplier verification needs to be bulletproof, not just documented

The AOG Technics case is a masterclass in what happens when verification is treated as a paperwork exercise. The buyers had purchase orders. They had certificates of conformity. They had delivery records. What they did not have was a process that could detect when those documents were fabricated.

IA9120 is expected to tighten requirements around counterfeit and suspect unapproved parts significantly. This means documented criteria for what makes a source acceptable, not just an approved vendor list that nobody reviews. It means verification steps that go beyond checking whether a certificate exists, and include checking whether it is real. It means records of the decisions you made, and why, every time you step outside your normal supply chain.

A practical question to ask yourself today: if you received parts from a supplier you had never used before, what specific steps would your process require before those parts entered your stock? If the answer is not written down, it is not a process. It is a habit. And habits change depending on who is in the room and how much pressure there is to close a deal.

Your quality data needs to be protected, not just stored

Many companies today keep quality records in shared folders, email threads or systems with minimal access control. Under IA9120, this will not be sufficient.

The new standard is expected to require formal protection of the data that supports your quality system: certificates of conformity, traceability records, supplier documentation, test reports. The question is not only whether you have the records, but whether you can prove they have not been altered.

Think about what the AOG Technics case revealed. The parts had certificates. The certificates looked real. The problem was that nobody had a reliable way to verify them at the point of purchase. Digital record protection is not just about preventing external fraud, it is about maintaining the integrity of your own system so that an auditor, a customer or a regulator can trust what they see.

Practical question: if someone asked you to prove that a certificate of conformity in your system had not been changed since you received it, could you demonstrate that?

Risk management must be real, not decorative

Many quality management systems today have a risk register. It was created for the last certification audit and lives in a folder somewhere. Everyone knows it exists. Nobody uses it.

Under IA9120, risk-based thinking needs to be visible in how you actually make decisions, not just in how you document that you make decisions. Auditors will look for evidence that risk is considered in real situations: when you qualify a new supplier, when you handle a non-conformance, when you take on a customer with unusual sourcing requirements.

In the AOG Technics case, several buyers later acknowledged that the pricing was suspiciously low and the supplier was new and unknown. Risk was visible. It just was not acted on. A risk management process that does not influence real decisions is not risk management. It is paperwork.

Your supplier agreements need to cover more ground

Under IA9120, the requirements you pass down to your suppliers, whether through formal quality agreements, purchase order terms or flow-down clauses, will need to expand.

Two areas in particular will matter. First, cybersecurity: if a supplier handles documentation, data or systems connected to your quality process, you will need some assurance that they protect that information appropriately. Second, export control: for anyone moving parts across borders or dealing with components that have dual-use potential, there will be more pressure to demonstrate that your suppliers understand and comply with the relevant regulations.

If your current supplier terms are a paragraph of boilerplate that nobody reads, now is the time to rethink them.

Quality culture will be verified, not assumed

This is the one that makes some people uncomfortable, and I understand why. It is easier to write a quality policy than to build an environment where people actually follow it, and feel safe to say something when they see a problem.

IA9120 is expected to place greater emphasis on leadership commitment to quality and on what might be called organizational honesty: do people in the company feel safe to report concerns? Are errors treated as opportunities to improve, or as reasons to blame someone? Does management talk about quality, or demonstrate it?

In practical terms, this may show up in audits as conversations with people at different levels of the organization, not just with the quality manager. An auditor who hears completely different things from the warehouse team than what the quality manual says has learned something important.

The way to prepare for this is not to brief your team on what to say. It is to actually build the habits and the environment the standard is describing.

The Lesson That AOG Technics Left Us

The man behind AOG Technics did not have a sophisticated operation. He worked from a garage. He created fake employees on LinkedIn. He forged certificates on a home computer. And for four years, it worked, because the system around him depended more on the presence of documents than on the substance behind them.

IA9120 is, in part, a response to exactly this kind of vulnerability. Not just the fraud itself, but the conditions that allowed it to go undetected for so long. More rigorous supplier verification. Better data integrity. Real risk management. These are not bureaucratic additions to a standard. They are the lessons written into it.

A Simple Question to End With

You do not need to wait for IA9120 to be published to know whether you are ready for what it represents.

Ask yourself this: if someone came into your company tomorrow, not an auditor following a checklist, but someone who simply wanted to understand how you work, would what they see match what your quality system says? Would your people describe your processes the same way your documents do? Would your records tell a complete and honest story, even under scrutiny?

If the answer is yes, the transition will be manageable. If there is hesitation, that is where the work begins. And the work is worth doing, not because a standard requires it, but because the alternative has a name.

And that name is AOG Technics.

About Horix Aerospace

Horix Aerospace is an horizontally integrated aerospace company, strongly focused in Spare Parts Management solutions for the Business Aircraft Market. Horix has developed both the Trust Consignment Program and the Trust Dismantling Program to offer clients a unique opportunity becoming the Swiss Trusted Solution for Aerospace Components Management. With over USD 30M in assets under management, Horix Aerospace has become a disruptive force in the Aerospace Industry with both its Trust Dismantling Program and unique Business Model.

Strongly capitalized and managed by a team of industry veterans, Horix Aerospace is proud to be a Swiss owned and operated company.