Corporate Governance
ISO/IEC 42001: The AI Management System Standard Every Board Should Know

Jeremiah Ssekabira
May 4, 2025 · 9 min read
Executive Summary
ISO/IEC 42001 is the first international management-system standard for artificial intelligence. For boards, it offers something rare: an auditable, certifiable structure for AI governance that maps cleanly onto existing management-system disciplines (ISO 9001, 27001, 31000). This article explains what 42001 is, why boards should care, and how to use it without turning AI governance into a paperwork exercise.
Context
Until recently, boards seeking a defensible AI control framework had to assemble one from principles documents, sector guidance and bespoke risk frameworks. The publication of ISO/IEC 42001 changes that. It defines an AI Management System (AIMS): the policies, processes, roles and controls an organization puts in place to develop, provide and use AI responsibly. Crucially, it is designed to be audited and certified by accredited bodies — the same pattern that turned ISO 27001 into the de facto language of information security.
Key Issues
Auditable structure
42001 is structured around the familiar Plan-Do-Check-Act cycle and a set of Annex A controls covering AI policy, roles, risk assessment, impact assessment, data, lifecycle, third parties and incident handling.
Complementary, not duplicative
Organizations already certified to ISO 27001 or 9001 will recognize the integrated management-system structure. 42001 is intended to be implemented alongside, not in place of, those systems.
Regulator and procurement signal
Procurement teams in regulated industries and government are beginning to ask for AIMS evidence. Even where certification is not required, demonstrable alignment to 42001 is a credible answer to supplier due-diligence questionnaires.
Strategic Implications
Adopting 42001 is a strategic, not a documentary, decision. Done well, it forces clarity about who owns AI, how risks are assessed, and how the organization responds when something goes wrong. Done as box-ticking, it produces a binder no one reads. Boards should approve the intent and expect management to implement it as a working system, not a manual.
Governance Considerations
- Treat the AIMS as enterprise-wide; AI is not an IT subsystem.
- Integrate AI impact assessments with existing data-protection impact assessments where possible.
- Use Annex A as a checklist for board-reporting structure; if management cannot speak to a control, that is the signal.
Practical Recommendations
- Commission a 42001 gap assessment against current practice.
- Decide on certification or alignment as a sequenced two-stage objective.
- Use third-party assurance to challenge internal optimism.
Conclusion
ISO/IEC 42001 will not, on its own, make an organization a responsible AI user. But it gives boards and management a shared, auditable language for governing AI — and that is exactly the missing piece many AI governance programs have been waiting for.
Share this article
Bring AI Governance to Your Boardroom
Book an executive masterclass or advisory session with Jeremiah Ssekabira.
Previous
Africa's AI Regulatory Landscape: A Strategic Outlook
Next
Re-engineering the Three Lines of Defense for the AI Era
The AI Governance Brief
Weekly insights on AI governance, board leadership, responsible AI and emerging technologies — delivered to executives across Africa and beyond.