AI Governance (ISO/IEC 42001)

ISO 42001 establishes requirements for an AI Management System (AIMS) — a structured framework for governing AI-related activities within an organisation. It follows the same high-level structure as ISO 27001 and ISO 9001 (the Annex SL framework), making it familiar to organisations that already hold those certifications. The standard covers the full AI lifecycle: from initial use case identification through development, testing, deployment, monitoring, and retirement.

The Annex A controls address AI-specific risks that generic security frameworks miss. These include controls for AI policy and strategy, AI impact assessment, data quality and provenance, transparency and explainability, bias detection and mitigation, human oversight mechanisms, AI system monitoring, and incident management for AI-specific failures. Annex B provides implementation guidance, and Annex C and D address AI risk sources and use case considerations.

The organisations that need AI governance most urgently are often not the ones building frontier models — they are the ones deploying AI into business-critical processes without adequate oversight. Technology companies developing AI-powered products or features, where customers and regulators will increasingly demand evidence of responsible AI practices. Financial services firms using AI for credit scoring, fraud detection, or trading, where regulatory expectations around algorithmic decision-making are hardening. Healthcare organisations deploying AI for diagnosis support, triage, or treatment recommendations. Any organisation using AI in HR processes — recruitment screening, performance evaluation, or workforce planning — where bias risks carry significant legal and reputational exposure.

Enterprises procuring AI tools from vendors are also within scope. ISO 42001 addresses the responsibilities of AI providers, deployers, and users — meaning that even if you do not build AI systems, you need governance around how you select, evaluate, and monitor the AI tools you use.

The EU AI Act, which entered into force in 2024, classifies AI systems by risk level and imposes mandatory requirements on high-risk AI. India’s Digital India Act is expected to include AI governance provisions. The US has issued executive orders on AI safety. Singapore’s Model AI Governance Framework is widely referenced in APAC. In this environment, ISO 42001 provides a structured, internationally recognised way to demonstrate that your AI governance meets or exceeds regulatory expectations across jurisdictions.

An AIMS implementation begins with an AI inventory — identifying all AI systems the organisation develops, deploys, or uses, and classifying them by risk level. An AI impact assessment evaluates potential harms: fairness and bias, privacy, safety, transparency, and societal impact. AI-specific policies are developed covering acceptable use, data governance for AI training, model validation, human oversight requirements, and incident response for AI failures.

Technical controls include bias testing and monitoring, model performance tracking, data lineage and quality management, explainability mechanisms appropriate to the risk level, and drift detection. Organisational controls include defined roles and responsibilities for AI governance, training and competency requirements, stakeholder communication, and management review processes.

We work with organisations at every stage of AI maturity — from those deploying their first AI tool to those with mature ML engineering teams building production AI systems. Our approach is practical and proportionate: we design governance that matches the actual risk your AI systems present, not governance theatre that looks impressive on paper but adds no value. We help you build an AIMS that integrates with your existing ISO 27001 ISMS where applicable, conduct AI impact assessments that surface real risks, implement monitoring that catches problems before they reach production, and prepare for certification if that is your goal.