May 18, 2026
Aerospace & Defense

IA9100: What Changes for Supplier Quality

Table of Contents

IA9100: What Changes for Supplier Quality

A practical brief for quality leaders preparing for the AS9100 to IA9100 transition.

The shift in one paragraph

AS9100 is being rewritten and rebranded as IA9100, with formal adoption expected in late 2026. The name change reflects a structural reorganization under the International Aerospace Quality Group, but the substance is a generational update to what counts as a defensible quality system. Counterfeit controls, information security, and product safety are all being elevated. Most certified organizations will face a two to three year transition window. The work to prepare starts now.

What we know, and what is still being finalized

The Final Draft International Standard is not yet published. Working group communications and IAQG public materials give us a reliable read on direction, but specific clause language can still change. This brief separates what is well signaled from what remains advisory.

1. Counterfeit parts controls

Direction of travel. Counterfeit prevention is moving from guidance language into requirements. Expect tighter expectations on supplier verification, sub-tier flowdown, and detection capability inside receiving and inspection workflows.

What auditors will likely look for.

  • Documented counterfeit avoidance procedures aligned to AS6174 and AS5553 where applicable.
  • Evidence that flowdown requirements reach beyond Tier 1 suppliers.
  • Detection methods that are not solely paper-based. Auditors will want to see how the organization would catch a falsified certificate or a re-papered part.
  • Risk-based controls for parts identified as safety critical or high counterfeit exposure.

Question to ask suppliers in the next audit cycle. If a Certificate of Conformance turned out to be falsified, what in your process would have caught it before the part shipped?

2. Information security inside the QMS

Direction of travel. For the first time, cybersecurity expectations are being formalized inside the quality management standard rather than treated as a separate IT concern. This aligns IA9100 with the broader regulatory environment, including CMMC for defense suppliers and emerging EU NIS2 requirements.

What this means for QMS owners.

  • Information security controls will need to be visible within the QMS, not just within IT policy.
  • Expect explicit requirements around protection of product and process data, including supplier-shared technical data packages.
  • Incident response and breach notification will likely need procedural integration with corrective action workflows.

Practical implication. Quality leaders will inherit responsibility for a domain many have not owned before. Early coordination with IT and security teams is the difference between a smooth transition and a painful one.

3. Product safety, expanded

Direction of travel. Product safety requirements are being broadened. Working group materials point to several specific additions.

  • Anonymous hazard reporting mechanisms inside the organization.
  • Safety analysis embedded in FMEA, not run as a parallel exercise.
  • Traceable accountability for Safety Critical Items across the lifecycle.

Why this matters. The standard is moving toward proof that safety thinking is embedded in design and process, not bolted on through periodic review. Quality programs that already integrate safety analysis into core engineering workflows will adapt faster than those treating it as a compliance overlay.

4. APQP and PPAP. What is actually known.

There has been public commentary suggesting APQP and PPAP will become mandatory under IA9100. As of current IAQG communications, this is not confirmed. Available signals point to these tools being introduced as NOTE-level guidance, which is advisory rather than mandatory. AS9145 remains contractually required where customer-specific requirements call for it.

The honest read: expect strong encouragement and possibly conditional requirements tied to product or customer risk, but not a blanket mandate. Watch the Final Draft for definitive clause language.

5. Supply chain integrity as a system concern

The thread connecting all of the above is that supply chain integrity is being treated as a system-level responsibility rather than a procurement checkbox. The standard is moving toward a model where organizations must demonstrate, not assert, that their supply chain controls work in practice.

This is the area where current practice is most exposed. A supplier quality program built primarily on PDFs, attestations, and trust will struggle to demonstrate the level of verification IA9100 is pointing toward.

The catalyst behind the timing

Two recent enforcement actions are shaping how regulators are thinking about this rewrite.

AOG Technics, sentenced February 2026 in London. More than 60,000 falsified parts and over £40M in damages. Counterfeit components reached commercial fleets operated by American Airlines, Ryanair, and others. The case exposed how easily falsified documentation can move parts through standard receiving controls.

Avionics counterfeit ring, sentenced March 2026 in London. A separate supplier jailed for distributing counterfeit avionics into airline MRO workflows.

The pattern is clear. Paper-based controls failed in both cases. The regulatory response is not to require more paper. It is to require verifiable proof.

What quality leaders should do in the next 90 days

  1. Map your current supplier quality controls against the five areas above. Identify which depend primarily on supplier-provided documentation versus independent verification.
  2. Open the cyber conversation early. If your QMS does not yet reference information security controls, coordinate with IT and security leadership now. This will be one of the harder integrations.
  3. Audit your Safety Critical Items list. Confirm traceable accountability exists end to end. If accountability handoffs rely on email or shared drives, that is a gap.
  4. Update your supplier audit questions. Add detection-focused questions, not just attestation-focused ones.
  5. Track the FDIS. When the Final Draft International Standard publishes, the language will firm up quickly. Build a small internal working group now so you can move when it does.

A note on where physical identity fits

The direction of IA9100 points toward verifiable, persistent, tamper-evident proof at the part level. This is the problem DUST Identity works on. Physical identity bonded to the part itself. A digital thread that cannot be forged, cloned, or re-papered. Authentication that survives the full MRO lifecycle.

We share this brief as a contribution to the industry conversation, not as a sales document. If the transition raises specific questions about part-level authentication or supplier verification at scale, we are happy to compare notes.

Other articles

Aerospace & Defense

When Brand-New Aircraft Are Worth More Dead Than Alive

Airlines are dismantling nearly-new A320neos for parts. Not because the planes are broken. Because the engines are worth more than the airframes.

Read article
Supply Chain

The End of Paper Trust in Aerospace Manufacturing

For decades, aerospace has trusted documentation to prove compliance and authenticity.

Read article
Request a Demo
See how our solution can transform your workflow. Schedule a personalized demo with our team.
Our Story
Dust Identity
85 Wells Ave
Newton, MA 02459
508-205-6870
info@dustidentity.com
AboutSolutionsThe ProcessMaterial Compatibility & ValidationFAQ Who We AreBlogContactLinkedIn
Aerospace & Defense
Supply Chain
Secure Electronics
Premium Retail
Jewelry
Sports & Entertainment
Art
Raw Material TraceabilityCertified-Pre-Owned ProgramReturn Fraud DetectionSecurity Labeling and PackagingHigh Value Asset IdentityFraud DetectionDUST Identity Platform
Terms of Service
Privacy Policy
Accessibility Statement
Cookie Policy
Master Customer Agreement - Terms and Conditions
©2026 All Rights Reserved by Dust Identity. Trust in Things™