Moving Beyond AI Checklists: Implementing ISO 42001 Governance

TL;DR

ISO 42001 is the first international standard that treats AI governance as a management discipline rather than a compliance checkbox. It requires documented scope, named owners, risk registers, and an audit trail that survives regulatory scrutiny. That's the governance problem it solves well. It doesn't solve the operational problem: what happens when your model changes between audit points. Organisations running generative AI or any system that updates frequently will need additional controls beyond what the standard specifies.

Why this matters right now

A bank using machine learning for loan approvals completed its ISO 42001 documentation in Q1: risk register signed off, model scope defined, impact assessment approved. In Q3, the model was retrained on updated economic data. The new training set shifted the rejection threshold for applicants with irregular income histories by a meaningful margin. That change wasn't captured in the risk register until the Q4 review, three months after it had already affected real decisions.

That's the governance gap ISO 42001 closes — and the one it can't close on its own. The standard creates the accountability chain regulators need: documented controls, named owners, evidence of review. What it doesn't create is a live-system tripwire that catches drift between formal review cycles. For static or slowly-changing models, the PDCA cycle is sufficient. For generative AI or models that retrain more frequently than your audit schedule, it isn't.

How this technology has evolved

ISO 42001 defines six governance areas: AI policy, roles and responsibilities, risk and impact assessment, control implementation, monitoring, and management review. The practical work happens in the risk register and impact assessments — teams must document which AI systems exist, what data they use, who owns each decision type, and what evidence trail will exist if a decision is challenged. Most organisations believe they have this. Few do in a form that would survive external audit.

The assurance gap is worth being explicit about. The standard doesn't specify how to test a model for demographic parity, how to detect distribution shift in production, or how frequently a language model's outputs should be sampled against safety criteria. ISO 42001 creates the governance frame; technical validation sits outside it. Teams that need those controls will have to source or build them separately.

The most useful comparison is with NIST AI RMF, published around the same time. ISO 42001 fits inside existing ISO compliance programmes — if your organisation already runs ISO 27001 or ISO 9001, the structure is familiar and the audit process integrates naturally. NIST AI RMF is a risk-function framework designed for technical teams building or evaluating AI systems. They're not competing standards. Regulated organisations in financial services, healthcare, or critical infrastructure will often need to apply both.

Recommended course

Recommended starting point

This course suits compliance officers, risk leads, and technical managers who need to understand what ISO 42001 actually requires before deciding how to implement it — not teams who need to build the technical controls that sit outside the standard's scope. After completing it, you'll understand the six governance areas, how to structure a risk register, and what audit-ready documentation looks like in practice. It doesn't cover live monitoring, drift detection, or model fairness testing. Given that most teams start this process uncertain about what governance even requires, this is the right first step before the operational control layer becomes relevant.

Course: Managing AI Governance in Organizations With ISO 42001
Provider: Alison
Level: Intermediate
Cost: Free to learn, optional paid certificate

Affiliate link — if you enrol through this link, BytesAI Learning may earn a small commission at no extra cost to you.

What this means for your roadmap

Implementation follows five stages that most organisations should treat as sequential rather than parallel.

1. Inventory — list every AI system in production, including vendor-sourced tools and models embedded in existing software. The count is almost always higher than expected.

2. Classify by impact — identify which systems carry regulatory or reputational exposure. Credit decisions, hiring, medical triage, and customer service automation are the typical starting points. High-impact systems need full documentation; lower-stakes tools may not.

3. Assign ownership — each documented system needs a named owner, a defined scope, and a clear evidence structure. Shared ownership is no ownership in a regulatory context.

4. Define your review cadence — ISO 42001 requires active monitoring, not one-time documentation. The review frequency should match the actual rate of model updates, not the annual audit calendar.

5. Add live controls for evolving systems — this is the step most roadmaps skip. Static documentation needs a live counterpart for any system that updates more frequently than your review cycle. In practice, that means drift detection, output sampling, and an escalation path when behaviour changes outside approved thresholds.
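As an added illustration of step 5 (example code, not from the article or the course), a minimal drift check in Python: it compares a cohort's observed rejection rate since the last review against the rate signed off in the risk register and emits an escalation record when the drift exceeds the approved tolerance. The cohort names, baseline rates and logged decisions are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Decision:
    applicant_id: str
    cohort: str        # monitored cohort, e.g. "irregular_income" (constructed label)
    rejected: bool

@dataclass(frozen=True)
class Baseline:
    cohort: str
    approved_rate: float   # rejection rate signed off at the last review
    tolerance: float       # absolute drift the review approved as acceptable

def check_drift(decisions: Iterable[Decision], baseline: Baseline,
                min_sample: int = 20) -> dict:
    """Compare the observed rejection rate for one cohort against its baseline.
    Returns an escalation record when drift exceeds the approved tolerance and
    refuses to judge when the sample is too small to be meaningful."""
    sample = [d for d in decisions if d.cohort == baseline.cohort]
    if len(sample) < min_sample:
        return {"cohort": baseline.cohort, "status": "insufficient_sample",
                "n": len(sample)}
    observed = sum(d.rejected for d in sample) / len(sample)
    delta = observed - baseline.approved_rate
    status = "escalate" if abs(delta) > baseline.tolerance else "ok"
    return {"cohort": baseline.cohort, "status": status, "n": len(sample),
            "observed": round(observed, 3), "approved": baseline.approved_rate,
            "delta": round(delta, 3)}

# Constructed sample: decisions logged since the last review (not real data).
SAMPLE_DECISIONS = (
    [Decision(f"a{i}", "irregular_income", rejected=(i % 2 == 0)) for i in range(40)]
    + [Decision(f"b{i}", "regular_income", rejected=(i % 5 == 0)) for i in range(30)]
)
# Constructed baselines standing in for the values in the risk register.
BASELINES = [Baseline("irregular_income", approved_rate=0.35, tolerance=0.05),
             Baseline("regular_income", approved_rate=0.20, tolerance=0.05)]

def run_review(decisions=SAMPLE_DECISIONS, baselines=BASELINES) -> list:
    """One monitoring pass: a record per cohort, ready for the escalation path."""
    return [check_drift(decisions, b) for b in baselines]

if __name__ == "__main__":
    for record in run_review():
        print(record)
```

The irregular-income cohort rejects 50% of applicants against an approved 35%, so its record is marked for escalation while the regular-income cohort stays within tolerance.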

In the first 90 days, focus on steps one and two. Certification without a working evidence culture behind it produces paperwork, not governance.

AI-assisted content: This article was drafted using AI assistance (google/gemini-3.1-flash-lite-preview) on 13 April 2026 and reviewed by the BytesAI editorial team before publication. Source references are listed above. Learn about our editorial process.