
AI adoption has quietly crossed a threshold in most mid-market organisations, whether planned or not. It is no longer limited to experimentation or isolated tools. It is now embedded in processes that shape outputs, accelerate decisions, and in some cases replace parts of professional judgement. This becomes especially clear in high-impact domains such as healthcare, where AI is already being used in decisions around patient care. When those outcomes influence diagnosis, prioritisation, or treatment pathways, the question is no longer about efficiency, but about accountability.
That shift changes the conversation. The question is no longer whether AI is used. The question is whether its outcomes can be explained and defended afterwards.
That is where most organisations currently struggle. Not because the use is irresponsible, but because it is poorly structured. AI sits across departments, embedded in tools and routines, without a clear inventory, without explicit ownership, and without consistent documentation of how outputs are reviewed or challenged. In other words, it works operationally, but it would not hold up under scrutiny from internal audit, regulators, or clients.
This is not an AI issue. It is a governance issue.
ISO 42001: structure instead of ambition
ISO/IEC 42001 enters that gap at exactly the right level. It does not try to regulate technology. It does not prescribe how models should be built or which risks are more important than others. What it does is much simpler: it defines what it means to manage AI in a structured, repeatable, and auditable way.
That sounds familiar because it is. The logic is identical to what organisations already apply in other domains: establish scope, assign responsibility, assess risk, implement controls, monitor outcomes, and improve continuously.
What ISO 42001 effectively does is draw a line. Once AI influences outcomes, it becomes part of the management system. Not in principle, but in evidence.
This is also consistent with the direction set by the EU AI Act. The Act imposes specific obligations on high-risk systems (risk management, documentation, human oversight), but it does not prescribe how an organisation should organise its AI governance internally; what it clearly expects is that risks are understood, actively managed, and demonstrable when challenged. ISO 42001 provides a practical way to organise exactly that.
The gap becomes visible very quickly
In practice, the gap becomes clear when you try to answer three simple questions:
- Where exactly is AI used today, in concrete processes rather than tools?
- Who is accountable for each use case, beyond the technical owner?
- What was assessed before deployment, and what control remains in place today?
Most organisations can answer some of these questions, but rarely all of them, and almost never in a consistent way.
This is why internal audit often struggles with the topic. There is nothing stable or repeatable to test. Each use case is approached differently, documentation is incomplete, and controls are assumed rather than demonstrated.
What ISO 42001 brings is not a new theory, but a way to make those answers consistent and visible. It forces organisations to move from implicit understanding to explicit evidence.
One system, not two
The risk is how organisations respond. There is a strong tendency to treat AI governance as a separate initiative. A new policy, a new steering group, a new reporting layer.
That approach quickly creates fragmentation and loss of oversight. Different frameworks, different terminology, different audit trails. It becomes harder to see the full picture, not easier.
This is exactly what ISO 42001 tries to avoid. Structurally, it is not a separate system. It follows the same harmonised structure as other management system standards such as ISO 27001: the same clauses, the same plan-do-check-act cycle, the same expectations around scope, leadership, risk, operation, evaluation, and improvement.
That alignment is what makes it workable.
If you already have an ISMS in place, you do not need to build something new. You extend what already works. The same risk register can include AI-related risks. The same internal audit cycle can test AI-related controls. The same management review can incorporate AI-related observations. ISO 42001 does add requirements of its own, notably an AI system impact assessment and an Annex A control set specific to AI, but these slot into the existing cycle rather than requiring a parallel one.
The shift is subtle, but it changes the scope of governance. You move from protecting information to also governing how systems use that information and shape outcomes.
This is also where the discussion naturally moves from intention to evidence. Instead of asking whether AI is used responsibly, you start asking where that responsibility is reflected in processes, controls, and decisions. Not what is intended, but what can be shown.
When you look at it through that lens, the leap is not as large as it seems. Most organisations already have controls in place: reviews, approvals, validations, sanity checks. What is missing is the explicit link between those controls and AI usage, and the consistency in how they are applied and documented.
A manageable problem once structured
ISO 42001 does not add complexity. It reduces ambiguity.
It brings structure where there is currently variability, and creates a common language between operational teams, management, and audit. The real value is not in the standard itself, but in what it forces organisations to do: make visible how AI is used, who is responsible, and how outcomes are controlled.
Once that is in place, the discussion changes. It is no longer about “how to govern AI”, but about applying governance discipline to something that has outgrown informal handling. And that is a much more manageable problem.
If this feels familiar, it usually is. Most organisations do not need to start from scratch. They need to make what already exists visible, consistent, and testable. That is exactly where we typically support clients: mapping existing controls, identifying where AI usage sits today, and assessing whether this would stand up in an audit. From there, the effort is usually not transformation, but structuring and extending what is already in place.