Artificial intelligence has been adopted by – and is revolutionizing – many industries, but its quick growth has also brought privacy and security concerns. ISO 42001 is a certification standard that helps organizations establish responsible AI governance by implementing processes and controls for trustworthy AI systems. It addresses concerns about AI security, safety, accuracy, and accountability, especially for enterprises deploying or developing AI solutions. Below, we answer some of the most frequently asked questions about ISO 42001 and what this new standard means for organizations using AI.
Frequently Asked Questions (FAQ)
Enterprises that adopt or deploy third-party AI applications often have concerns about the security and safety of these applications: where the models come from, how the models and their outputs were validated, and what types of data were used to train the models and, specifically, whether customer data was among them. Further, depending on the specific use case, there are questions about the accuracy or accountability of these applications.
Global tech companies, and even small and medium organizations across different verticals, that are increasing their use of AI capabilities or integrating AI-based features into existing products or services face questions about AI security, safety, and trust. In addition to adopting security measures such as red teaming and other guidance from the Open Web Application Security Project (OWASP), companies must implement applicable AI governance controls at every phase of the AI system lifecycle to address the unique risks of AI.
The ISO 42001 standard, introduced in December 2023, is the leading standard for companies that want to pursue certification and demonstrate a strong AI governance posture and a commitment to Responsible AI. ISO 42001 requires organizations to adopt processes and implement controls that promote the responsible use of AI. It establishes requirements for creating, implementing, sustaining, and continually improving a trustworthy artificial intelligence management system (AIMS) within the parameters of each organization’s specific needs. The standard also establishes requirements for assessing the unique risks related to AI systems and for treating the risks they pose to the organization by implementing applicable controls.
Organizations that meet the requirements may be certified by an accredited certification body after the completion of a successful audit.
ISO 42001 certification is most applicable to an organization that develops and provides AI-based services to a broad base of enterprise customers or individual consumers. This may take the form of discrete AI services or AI-based functionality within other applications and services, whether built internally or integrating third-party AI services.
The ISO 42001 standard is also a helpful tool for establishing governance over AI services that are used internally, whether built in-house or built on third-party AI services. Formal certification is currently less common in these internal-only scenarios.
The ISO 42001 standard, applicable to companies of all sizes across industries, helps organizations establish an AI governance framework, ensuring AI systems follow defined policies, ethical guidelines, and industry standards. The ISO 42001 requirements help ensure an AI system is fair, transparent, secure, and accountable throughout its lifecycle and can be applied to any organization. Having an AIMS in place that addresses the requirements of ISO 42001 establishes an important foundation and positions a company to more effectively maintain governance over increasing deployment of agentic AI and new applications of AI and to consider the incremental requirements of new laws, regulations, and frameworks that become applicable to the company.
Given the increasing number of AI-related laws, regulations, and directives being formalized in different geographies, companies may be legally or contractually required to comply with the requirements in their respective jurisdictions. Vendor security risk questionnaires seek information about the guardrails that enterprise AI solution providers have implemented around the security and trustworthiness of their offerings. ISO 42001 is an effective mechanism to help meet growing customer and regulatory expectations. GRC teams should build an inventory of the AI system components that are built or used, including products and features, third-party tools, foundation and proprietary models, and underlying infrastructure. They then need to assess the governance processes in place, identify any critical gaps, and mitigate them. As technology evolves and new services and integrations are built, regulatory and compliance expectations will also continue to rise, and GRC functions should keep pace.
Successful ISO 42001 implementation requires strong support from leadership and a commitment to the ethical, responsible use of AI. A holistic AI risk assessment and system impact analysis program must be implemented. There is a heightened focus on secure and trustworthy development: data governance and quality, verification and validation, AI observability and monitoring, and the handling of errors and incidents. Continuous improvement, a fundamental component of the AI management system, is driven through periodic internal audits and management reviews.
The management clauses of the two standards are similar, and companies already certified to ISO 27001 may implement an integrated management system. The technical control requirements of ISO 27001 and ISO 42001, however, are different, with minimal overlap.
Some companies choose to establish and maintain a separate AI management system and AI governance organizational structure, given the high-profile nature of AI services and their unique requirements. Other companies have chosen to implement integrated management systems covering AI, security, and other domains, while maintaining strong AI subject matter involvement and common processes for areas such as planning, risk assessment, internal audit, management review, and continuous improvement.
From a scoping perspective, companies include the AI governance functions and AI services that are most relevant to their stakeholders. One organization may cover all of its AI services from the start, whereas another might begin with a core set of AI services and add products, services, or business units over time based on business need or compliance posture. A subset of organizations also includes internal corporate usage of AI services within their certification scope where their stakeholders require it.
Companies are using ISO 42001 as the foundation of their customer-facing AI governance and external compliance programs. For many organizations that build or deploy AI services, irrespective of their size or scale, ISO 42001 is not only an essential governance and external compliance foundation but also an effective mechanism for providing assurance over core AI capabilities and addressing growing customer and regulatory expectations.
How BDO Can Help
To explore how ISO 42001 can help your organization, consider BDO’s Third Party Attestation Team. Our experience in the certification process can help your organization simplify compliance requirements, improve processes, and build trust.