ISO 42001: The World's First AI Management System Standard
Published in December 2023, ISO/IEC 42001 provides the requirements for an AI Management System (AIMS). We explain what it covers, how it relates to the EU AI Act, and why early adoption matters.
The First International Standard for AI
ISO/IEC 42001:2023, published in December 2023, is the world's first international management system standard specifically for artificial intelligence. Just as ISO 27001 provides a framework for information security management, ISO 42001 provides a framework for responsible AI development and use.
What It Covers
ISO 42001 follows the Annex SL high-level structure, making it compatible with other ISO management systems (27001, 9001, 14001). The standard requires organisations to:
- Establish an AI policy: Define the organisation's approach to responsible AI, including ethical principles and risk tolerance
- Conduct AI risk assessments: Identify and assess risks specific to AI systems, including bias, transparency, reliability, safety, and privacy
- Implement AI-specific controls: Apply controls from Annex A (organisational) and Annex B (AI-specific) covering data management, model transparency, human oversight, and impact assessment
- Monitor and measure: Track AI system performance, bias metrics, and incident rates
- Continually improve: Use audit findings, incidents, and performance data to improve the AI management system
Annex A and Annex B Controls
Annex A provides organisational controls for AI governance: policies, roles, risk assessment, impact assessment, and third-party AI management.
Annex B provides AI-specific controls grouped by lifecycle stage: data management, AI model development, AI system deployment, AI system operation, and AI system retirement.
Relationship to the EU AI Act
ISO 42001 and the EU AI Act are complementary. The EU AI Act mandates what must be done: risk classification, conformity assessment, and specific requirements for high-risk AI. ISO 42001 provides a management system framework for how to do it systematically.
Organisations pursuing ISO 42001 certification will find that much of the groundwork transfers directly to EU AI Act compliance. The risk assessment methodology, documentation requirements, and governance structures align closely.
Why Early Adoption Matters
AI regulation is accelerating globally. The EU AI Act is first, but similar legislation is emerging in the US, UK, Canada, China, and Australia. ISO 42001 provides a vendor-neutral, internationally recognised framework that positions organisations well regardless of which jurisdictions they operate in.