Learn · ISO 42001 Concepts
Which AI Role
Are You?
Provider, deployer, producer, user — the role you hold decides your obligations under the EU AI Act and what belongs in your ISO 42001 scope. The short answer to the most-asked version of this question: wrapping someone else's model into your product almost always makes it YOUR AI system.
Why it matters: role determination is the first scoping decision of any AIMS (clause 4.3) — get it wrong and you either audit things that aren't yours or, worse, exclude the things that are.
Plain-English explainer · EU AI Act + ISO/IEC 22989 terminology · Last reviewed July 2026
Under the EU AI Act (Article 3), a provider develops an AI system — or has one developed — and places it on the market under its own name; a deployer uses an AI system under its own authority. Integrating a third-party model into your product under your brand makes you the provider of that system. That single sentence resolves most of the “we just wrap an API” confusion. The ISO vocabulary (ISO/IEC 22989) slices the ecosystem more finely — AI providers, AI producers (developers/designers), AI customers and users, AI partners such as data suppliers and integrators, AI subjects (the people affected), and relevant authorities — and ISO 42001 expects your AIMS scope (clause 4.3) to reflect the roles you actually hold, per AI system. Most product companies hold more than one: provider of the features they ship, deployer of the AI tools their staff use internally. The roles carry different obligations, different Annex A control emphases, and different evidence you can — and cannot — inherit from your model vendor.
The Decision Tree
Four Scenarios That Decide Most Cases
Work top to bottom; the first scenario that matches is usually your primary role. Hold multiple? Scope each AI system separately — the standard expects it.
“We wrap the OpenAI / Anthropic API in our product”
You are a provider of your AI system.
Integrating a third-party foundation model into a product you offer under your own name makes the resulting AI system yours — the model vendor is your supplier, not your shield. Your AIMS scopes the wrapper system: prompts, guardrails, data flows, monitoring, and supplier controls (A.10.3) over the model vendor. You inherit some evidence from the vendor (their certifications cover their controls, not your use of them).
“We fine-tune open or hosted models and ship the result”
Provider — with data obligations front and center.
Fine-tuning and placing the result in your product keeps you a provider, and pulls the data-for-AI controls (A.7: acquisition rights, quality, provenance, preparation) into the audit spotlight, along with verification and validation (A.6.2.4) of the tuned behavior. Under the EU AI Act, substantially modifying a system or rebranding it can likewise shift provider duties to you.
“We self-host open-weight models inside our platform”
Provider of the system; operator of the stack.
Self-hosting adds the resource controls (A.4: compute, tooling, data, human competence) and operational monitoring (A.6.2.6) squarely to your side — there is no vendor SOC 2 to point at for the serving infrastructure. Scope the AIMS to the systems built on the models, not the weights themselves.
“We only use ChatGPT / Copilot internally”
Deployer — a lighter, but real, governance surface.
Using AI under your own authority in professional activity makes you a deployer. Full ISO 42001 certification is rarely the first move here; an AI use policy, an approved-tools register, and data-handling rules usually are. Certification becomes worth it when customers start asking how you govern AI use — or when internal AI starts touching customer deliverables.
Control Inheritance
What Your Model Vendor's Certificate Does and Doesn't Cover
You can lean on the vendor for
- — Their model development, training-data governance, and infrastructure controls — evidenced by their ISO 42001 / SOC 2 reports.
- — Their model documentation and usage policies (inputs to your A.10.3 supplier assessment).
- — Their uptime, security, and incident commitments — verified, not assumed.
You must evidence yourself
- — Your use case: the impact assessment for your deployment context (A.5) — the vendor cannot know who your system affects.
- — Your prompts, guardrails, retrieval data, and output handling (A.6 lifecycle, A.7 data).
- — Your transparency to users and your human oversight (A.8, A.9).
- — Your monitoring of the vendor itself — model changes, deprecations, incidents (A.10.3).
This split is the practical payoff of getting roles right: it converts “is the vendor certified?” into a concrete inheritance table your auditor — and your enterprise customers' AI questionnaires — can actually verify.
AI Roles — Common Questions
Provider, deployer, and the scope decisions that follow.
Does using the OpenAI or Anthropic API put us in scope of ISO 42001?
If the model powers a feature in your product, yes — you are the provider of that AI system, and an AIMS scoped to it is exactly what ISO 42001 certification covers. The API vendor is a supplier: their certifications evidence their controls (model development, infrastructure), while your impact assessment, guardrails, transparency, oversight, and supplier monitoring remain yours to evidence. If staff merely use AI tools internally, you are a deployer, and a full AIMS is optional rather than expected.
What is the difference between an AI provider and an AI deployer?
Under EU AI Act Article 3: a provider develops an AI system (or has one developed) and places it on the market or puts it into service under its own name or trademark; a deployer uses an AI system under its own authority in a professional context. The provider carries the heavier design-side obligations; the deployer carries use-side duties such as using systems as intended and (for high-risk systems) oversight and monitoring obligations.
Can we be both provider and deployer at once?
Most product companies are. You are the provider of the AI features you ship, and the deployer of the AI tools your teams use internally (coding assistants, chatbots, analytics copilots). A well-scoped AIMS says this explicitly: the provider-role systems get the full lifecycle treatment; the deployer-role usage gets an AI use policy, an approved-tools register, and data-handling rules.
Does fine-tuning a model change our role?
It reinforces provider status and shifts the evidence burden toward data. Fine-tuning and shipping the result keeps the system yours, and auditors will focus on A.7 (acquisition rights, quality, provenance, preparation of the tuning data) and A.6.2.4 (verification and validation of the tuned behavior). Under the EU AI Act, rebranding or substantially modifying a system can likewise transfer provider obligations to you.
What are the ISO/IEC 22989 stakeholder roles?
ISO/IEC 22989 — the AI concepts and terminology standard the 42001 family builds on — describes the ecosystem in finer grain: AI providers (platform and product/service providers), AI producers (developers, designers), AI customers and AI users, AI partners (such as data providers and system integrators), AI subjects (the individuals affected by AI decisions), and relevant authorities (regulators, policy makers). For scoping purposes, most organizations map cleanly onto provider, producer, and user/deployer, with subjects appearing in the impact assessment.
If we are only a deployer, do we need ISO 42001 at all?
Rarely as the first step — and it is worth being honest about that. Deployer-only organizations usually start with an AI use policy, an approved-tools register, and staff guidance; that is proportionate governance. Certification enters the picture when customers ask how you govern AI in delivering services to them, when AI-assisted output ships to clients, or when procurement questionnaires make an auditable AIMS commercially valuable.
Related reading: the Learn hub, AI risk vs impact assessment, ISO 42001 vs the EU AI Act, the Annex A controls, and the ISO 42001 hub. Terms in the compliance glossary.
Written By Expert Auditors
Get in touch
Book a free consultation or send us your requirements. We respond within 24 hours.
Quick Call
Pick a time slot
Send Requirements
Get a custom quote in 24 hours