Glossary · ISO
Provider vs Deployer (AI)
The two principal AI roles in the EU AI Act and ISO-family terminology: a provider develops an AI system (or has it developed) and places it on the market under its own name — including companies that integrate a third-party foundation model into their product — while a deployer uses an AI system under its own authority. Your role determines your obligations, which is why "we just wrap an API" rarely means "out of scope."
This definition is part of TCSA’s plain-English compliance glossary, written and reviewed by the auditors who prepare organizations for these frameworks — 500+ audits delivered across India, USA, UK, Australia & UAE.
Go deeper: the full Provider vs Deployer (AI) guide
The complete plain-English explainer behind this definition.
Related ISO terms
Agentic AI
AI systems that plan and take multi-step actions toward a goal — calling tools, browsing, or executing tasks — with limited human intervention per step. Under ISO 42001, agentic systems raise the bar on lifecycle controls (A.6), event logging, and demonstrable human oversight, because autonomy widens the impact surface.
AI Impact Assessment
The outward-looking assessment ISO 42001 Annex A.5 requires: how an AI system could affect individuals, groups, and society — fairness, rights, safety — with documented mitigations. ISO/IEC 42005:2025 provides the methodology. It complements (and differs from) the inward-looking AI risk assessment and a privacy DPIA.
AI System
A machine-based system that infers from inputs how to generate outputs — predictions, content, recommendations, or decisions — that can influence real environments. The definition (shared in substance by ISO/IEC 22989 and the EU AI Act) is deliberately broad: a product feature wrapping a third-party foundation model is an AI system, not just the model itself.
AIMS
The governance system defined by ISO 42001 for managing the risks and obligations that come with building or deploying AI. It sets out policies, roles, and controls so an organisation can show its AI is developed and operated responsibly.
Annex A Controls
The catalogue of 93 information-security controls listed in Annex A of ISO/IEC 27001:2022, grouped into organisational, people, physical, and technological themes. An organisation selects the controls relevant to its risks and records that choice in the Statement of Applicability.
EU AI Act
The European Union's binding AI law, tiering systems by risk from prohibited practices to minimal risk. It phases in from 2025; after the May 2026 digital-omnibus agreement, high-risk obligations apply from December 2027 (Annex III) and August 2028 (Annex I), while transparency duties and GPAI enforcement arrive on 2 August 2026. ISO 42001 is the management system most organisations use to operationalise it.
Written By Expert Auditors
Get in touch
Book a free consultation or send us your requirements. We respond within 24 hours.
Quick Call
Pick a time slot
Send Requirements
Get a custom quote in 24 hours