ISO/IEC 42001 · AI Governance
AI Governance: Building an
AIMS under ISO 42001
AI governance is how an organization stays accountable for the AI it builds and uses. ISO 42001 turns that into a certifiable AI Management System. This guide covers the clause structure, the operating model, the principles behind it, and how to start.
ISO/IEC 42001:2023 · AI Management System · Last reviewed June 2026
Definition
From principle to management system
AI governance is the system of policies, roles, risk processes, and oversight that lets you develop and use AI responsibly — and prove it. Most organizations already have the values; what they lack is the machinery to make those values operational, auditable, and consistent across every team shipping AI.
That machinery is an AI Management System (AIMS). ISO/IEC 42001 defines it on the same Annex SL backbone as ISO 27001, so it integrates with an existing ISMS rather than competing with it. Below is the structure, the people, and the principles that make one work.
Fairness
Identify and mitigate unfair bias across protected groups and use cases.
Transparency
Make AI use disclosable and decisions explainable to the right audience.
Accountability
A named human owns each AI system and its outcomes — not "the model".
Safety & robustness
Systems perform reliably, degrade gracefully, and resist misuse and attack.
Human oversight
People can understand, intervene in, and override AI where it matters.
Privacy & security
Personal data and the AI system itself are protected end to end.
The Structure
The AIMS, clause by clause
ISO 42001 follows the Annex SL structure shared by all modern ISO management-system standards. If you have run ISO 27001, this shape will be familiar — only the subject matter changes from information security to AI.
Context of the organization
Identify internal and external issues, the interested parties affected by your AI, and the scope of the AIMS.
Leadership
Top-management commitment, the AI policy, and clearly allocated AI roles, responsibilities, and authorities.
Planning
Address AI risks and opportunities, run the AI risk and impact assessments, and set measurable AI objectives.
Support
Resources, competence, awareness, communication, and documented information that keep the AIMS running.
Operation
Operational planning and control — execute the risk treatment and impact-assessment processes day to day.
Performance evaluation
Monitor and measure, run internal audits, and hold management reviews of the AIMS.
Improvement
Handle nonconformities, take corrective action, and continually improve the system.
Clauses 4–10 are the auditable requirements; the Annex A controls plug into clauses 6 and 8. See the full Annex A controls catalog.
The Operating Model
Governance is a team sport
A policy nobody owns is not governance. These are the roles that make an AIMS function in practice.
Executive sponsor
Owns the AI policy and accountability; chairs or charters the governance forum.
AI / product owners
Accountable for individual AI systems, their intended purpose, and their risk.
Risk & compliance
Runs the AI risk and impact assessment process and the Statement of Applicability.
Security
Covers model, data, and infrastructure security — adversarial and supply-chain risk.
Privacy / DPO
Connects AI governance to data-protection law (DPDP Act, GDPR) and personal-data use.
Legal & ethics
Regulatory exposure (EU AI Act), contracts, and the harder responsible-AI judgment calls.
Getting Started
Five moves to stand up governance
You do not need the whole standard on day one. Get these five in place and the rest of the AIMS has something to attach to.
1 — Inventory your AI
List every AI system in use, including embedded foundation models and shadow AI. You cannot govern what you cannot see.
2 — Assign ownership
Give each system a named human owner accountable for its purpose, risk, and outcomes.
3 — Issue an AI policy
A short, leadership-signed policy (A.2) that states your principles and what is in and out of bounds.
4 — Stand up a forum
A small cross-functional committee that reviews high-risk use cases and impact assessments.
5 — Run the risk process
Adopt a repeatable AI risk and impact assessment, and let the results drive your controls.
Next steps: the AI risk & impact assessment guide details move five, the certification guide shows how it all gets audited, and our ISO 42001 services can run the build with you.
Keep Exploring
More in the ISO 42001 Hub
AI Risk & Impact Assessment
Annex A.5 methodology for AI risk and system impact assessments, with a register structure.
Annex A Controls Catalog
All 38 Annex A controls across the nine objectives (A.2–A.10), with what each one governs.
Certification Process
Stage 1, Stage 2, and surveillance — the two-stage audit path and how to prepare for it.
EU AI Act Mapping
How ISO 42001 controls map onto EU AI Act obligations — and what certification does and does not prove.
Templates & Downloads
The AIMS template pack — AI use-case register, AI policy, risk and impact assessment, and SoA.
Frequently Asked Questions
The governance questions that come up at the first AI risk review.
What is AI governance?
AI governance is the set of policies, roles, processes, and oversight mechanisms an organization uses to develop, deploy, and use AI responsibly and accountably. It covers who is accountable for each AI system, how AI risks and impacts are assessed and treated, how data and models are governed across their lifecycle, how humans stay in the loop, and how the organization stays aligned with law and its own ethical principles. ISO/IEC 42001 is the international standard that makes AI governance a certifiable management system.
What is an AI Management System (AIMS)?
An AIMS is the ISO 42001 term for a structured, organization-wide system for governing AI — analogous to an ISMS for information security under ISO 27001. It is built on the Annex SL clauses (context, leadership, planning, support, operation, performance evaluation, improvement) and tailored with the Annex A controls. Because it shares the Annex SL backbone, an AIMS integrates cleanly with an existing ISO 27001 or ISO 27701 management system.
How do we start building AI governance?
Start with visibility and ownership. Build an inventory of every AI system in use (including embedded foundation models and shadow AI), assign a named owner to each, and document its intended purpose and risk level. In parallel, issue a short AI policy signed by leadership and stand up a small cross-functional governance forum. From there, run AI risk and impact assessments and use the results to decide which ISO 42001 controls you need. Visibility first, controls second.
Who should sit on an AI governance committee?
Keep it cross-functional and small enough to decide. A typical forum includes an executive sponsor who owns the AI policy, the owners of significant AI systems or products, risk and compliance, security, privacy or the Data Protection Officer, and legal. Bringing ethics or domain experts in for specific high-impact systems is good practice. The committee sets policy, reviews high-risk use cases and impact assessments, and signs off on the Statement of Applicability.
How does AI governance relate to NIST AI RMF and the OECD AI Principles?
They are complementary. The OECD AI Principles and similar frameworks set the values — fairness, transparency, accountability, safety, human oversight. The NIST AI Risk Management Framework offers a voluntary, function-based approach (Govern, Map, Measure, Manage) for managing AI risk. ISO/IEC 42001 is the certifiable management-system standard that operationalizes those values and risk practices into auditable processes and controls. Many organizations reference NIST AI RMF and OECD for direction and certify to ISO 42001 for assurance.
Written By Expert Auditors
Keep Exploring
Related Reading
ISO 42001 Knowledge Hub
AIMS controls, EU AI Act mapping, risk assessment and guides.
Read moreISO 42001 Annex A Controls
The 39 AI-specific controls grouped by domain, mapped to clauses.
Read moreAI Risk Assessment
Risk identification, impact analysis and treatment for AI systems.
Read moreISO 42001 Certification Guide
From gap analysis to Stage 2 audit — the path to an AIMS certificate.
Read moreEU AI Act Mapping
How ISO 42001 controls map onto EU AI Act obligations.
Read moreISO 27001 Overview
The ISMS standard — the baseline certificate global buyers ask for.
Read moreGet in touch
Book a free consultation or send us your requirements. We respond within 24 hours.
Quick Call
Pick a time slot
Send Requirements
Get a custom quote in 24 hours