Implementing AI Governance: How to Put ISO 42001 into Practice

Why should companies implement AI governance?

Companies should implement responsible AI governance to manage the use of AI in a structured manner, mitigate risks, build trust, and effectively meet both regulatory and strategic compliance requirements.

What at first glance seems like an ambitious idea quickly turns out to be the logical consequence of a trend that has long since become a reality: Artificial intelligence has made its way into businesses – often more quickly, more widely, and more deeply than anticipated. At the same time, regulatory requirements are increasing – for example, through the EU AI Act – and customers increasingly expect solid evidence of responsible AI use.

The outlook regarding the implementation and certification of ISO 42001 has thus shifted fundamentally. The question is no longer whether companies should implement AI governance, but rather how systematically and verifiably they do so – and what benefits this brings.

This is precisely where ISO 42001, as an AI Management System (AIMS), comes into play. As the world’s first standard for AI management systems, it defines a framework for systematically managing the use of AI, controlling risks, and clearly establishing responsibilities. It is thus far more than just another standard – it is a tool for operationalizing trust.

However, before organizations embark on this path, they need clarity regarding their goal. ISO 42001 certification is not an end in itself and should not be viewed merely as a compliance project. Rather, the aim is to build trust among customers, partners, and regulatory authorities; to specifically address risks such as bias, discrimination, data misuse, or erroneous decisions made by models; and to establish a robust governance framework for the use of AI.

At the same time, this presents a strategic advantage: in an environment where there are still few pioneers, early certification can serve as a clear point of differentiation.
 

What are the first steps needed for an AI management system?

The first step in implementing an AI management system is to conduct a comprehensive assessment of actual AI usage and clearly define what constitutes AI within the context of ISO 42001.

The real path to AI governance, then, does not begin with policies or documents, but with an honest assessment of the current situation. And this is precisely where many companies encounter their first surprise: they know far less about their own use of AI than they realize. Artificial intelligence is not only found in obvious applications like chatbots or machine learning models, but also in numerous tools, automations, software applications, and digital solutions used in everyday operations. Making this “hidden AI” visible is one of the most important – and at the same time most challenging – steps on the path to ISO 42001 certification.
 

How can we effectively assess AI systems?

Closely related to this is the question of what actually qualifies as artificial intelligence under the standard. Not every system automatically falls under the requirements of the management system standard. Key factors include whether a system makes decisions independently or merely supports them, whether models are trained or merely used, and what impact the application has on people, processes, data, or decisions. This distinction is essential, as it defines the scope of the future AI management system.

What roles and responsibilities are required for AI governance?

AI governance requires clearly defined roles throughout the AI lifecycle, as different responsibilities entail different obligations, risks, and control requirements.

An often underestimated but crucial aspect of implementing and certifying ISO 42001 is the clear definition of roles when dealing with AI. The ISO standard requires a nuanced approach throughout the lifecycle of AI systems. Typically, three roles can be distinguished: the AI developer, the AI producer, and the AI user.

The developer is responsible for developing models and systems—that is, for training, data preparation, model architecture, and technical implementation. The producer, on the other hand, deploys the AI system in a production environment, integrates it into business processes, and is responsible for its operation and compliance with defined requirements. Finally, the user applies the AI in day-to-day operations, makes responsible decisions based on the results, or has processes executed automatically.

This distinction is not only relevant from an organizational perspective but also has direct implications for risk assessment, responsibilities, and control mechanisms. This is because different roles entail different obligations, risks, and opportunities to influence the behavior of AI. 

How can AI governance be established within a company?

The development of AI governance draws on familiar management system frameworks, but due to the specific requirements of AI, it demands much more than a simple add-on.

This simple overview serves as the starting point for developing an AI management system. Formally, it is based on established ISO frameworks, such as those found in ISO 9001 or ISO 27001:

• Organizational Context
• Risk Management
• Clear roles and responsibilities
• Documented information
• Internal audits
• Continuous improvement (CIP)

This familiar structure makes it easier to get started, at least at first glance. In terms of content, however, ISO 42001 introduces a new dimension that goes far beyond traditional management systems.

The key difference lies in the nature of AI itself. While other standards often clearly define what the “product” or service is, artificial intelligence forces companies to rethink fundamental questions.

The focus is on:

• ethical assessments of applications
• algorithmic fairness and transparency
• the origin and quality of training data
• the traceability of decisions

The question of responsibility is particularly challenging: Who is ultimately responsible for decisions made by or with the help of artificial intelligence? These aspects cannot simply be integrated into existing systems – they require a shift in thinking.

Many organizations therefore start with the assumption that ISO 42001 can be implemented as an extension of existing management systems. In practice, however, it quickly becomes apparent that this works only to a limited extent. While existing structures can serve as a foundation, the AI-specific requirements demand a much deeper examination of an organization’s own processes, technologies, and decision-making mechanisms. ISO 42001 is thus not an add-on, but a shift in perspective.

How are ISO 42001 and the EU AI Act related?

The EU AI Act sets out the regulatory requirements for AI, and ISO 42001 shows how organizations can systematically integrate these requirements into their governance and management systems.

A key aspect that is becoming increasingly important in conjunction with ISO 42001 is the classification of AI systems according to their risk potential, as provided for in the regulation. It essentially distinguishes between four risk classes:

• Prohibited AI systems
• High-risk systems
• AI systems with limited risk
• Systems with minimal risk

This classification has a direct impact on the requirements for development, deployment, and monitoring.

While systems with minimal risk are subject to few regulatory requirements, high-risk applications – such as those involving critical infrastructure, personnel decisions, or medical applications – are subject to strict requirements regarding documentation, transparency, human oversight, security, and AI risk management.

For companies, this means that ISO 42001 and the AI Regulation are interlinked. While the Regulation specifies what is required by law, the ISO standard provides the structural framework for systematically translating these requirements into concrete measures. Especially in the case of high-risk systems, it becomes clear how important a functioning AI management system is for ensuring compliance not just on an ad hoc basis, but in a sustainable manner.

How can ISO 42001 be implemented in practice?

The successful implementation of ISO 42001 depends on organizations managing AI deployment, AI risk management, and responsibilities in an iterative, cross-functional, and transparent manner.

Ein unverzichtbarer Bestandteil des bereits skizzierten Perspektivwechsels ist die bewusste Auseinandersetzung mit der Frage, wo und warum KI eingesetzt wird. Unternehmen nutzen KI heute in unterschiedlichsten Bereichen – von der Automatisierung interner Prozesse über datenbasierte Entscheidungsunterstützung bis hin zur Kundeninteraktion oder Mustererkennung in großen Datenmengen.  

However, the real challenge lies not in identifying these areas of application, but in weighing their benefits against their risks. This is precisely where ISO 42001 comes in: it compels organizations to actively strike this balance rather than leaving it to chance.

The path to certification is rarely straightforward. On the contrary, it is marked by iterations, new insights, and, at times, uncertainties. Typical challenges include unclear responsibilities, a lack of transparency regarding existing AI systems, the complexity of risk assessment, and the necessary cultural shift within the organization.  

One thing becomes particularly clear as the process unfolds: AI governance and the responsible use of artificial intelligence cannot be delegated. It concerns management as much as it does IT and the business units, and requires a shared understanding and close collaboration.

What are the reasons for implementing AI governance?

The challenges involved in implementing an AI management system must not be overlooked – yet there are many good reasons to adopt AI governance and to pursue ISO 42001 certification in a structured manner. Companies that take this step not only position themselves as pioneers but also establish a robust legal foundation for addressing future regulatory requirements and ensuring sustainable compliance.

They build trust with their customers and partners while gaining a much deeper understanding of their own use of AI. Ultimately, it’s also a matter of credibility: anyone who explains to others how to use AI responsibly should be able to demonstrate that commitment themselves.

Conclusion: Is AI governance more than just a certificate?

Ultimately, ISO 42001 certification is far more than just another item on your to-do list. It is a tool for maturing our approach to one of the key technologies of our time. In an environment where there is still little empirical data, few best practices, and only limited guidance, getting started inevitably involves a certain amount of risk. But that is precisely where the opportunity lies. Because those who start today are actively shaping the standards of tomorrow.

The key question, therefore, is not whether the path is easy. It is not. Rather, the key question is whether, in the context of digitalization and technology governance, we are prepared to face these current challenges and take our responsible use of AI to a new level.

DQS – because not all audits are created equal

Just as every company and organization uses artificial intelligence in its own way, the goals they pursue with it vary widely. To ensure the safe use of AI systems, a new international management system standard specifically for AI—ISO/IEC 42001—has been in effect since the end of 2023. DQS is one of the first certification bodies worldwide to offer accredited ISO 42001 certification. 

Take advantage of our experts’ expertise. Learn about the most important standard requirements and what they mean for your organization. For 40 years, we have been committed to impartial audits and certifications. Our commitment always begins where audit checklists end. Take our word for it. We look forward to hearing from you.

Trust and Expertise

Our documents and brochures are written exclusively by our standards experts or experienced auditors. If you have any questions for our author regarding the content of our documents or our services, please feel free to send us an email: [email protected]

Note: For the sake of readability, we use the generic masculine form. However, this directive generally includes people of all gender identities, to the extent necessary for the statement.