ISO 42001 Is What Happens When AI Stops Being Informal
- Malcolm Maxwell
- Apr 19

There is a mistake I keep seeing in how organisations talk about AI.
They talk about capability as though it were the hard part, and governance as though it were the paperwork that follows once the serious people have finished choosing tools. The model is discussed seriously. The vendor is discussed seriously. The use case is discussed seriously. Governance arrives later, in softer language, with weaker ownership and lower urgency.
That distinction no longer holds.
The Problem Has Matured
ISO/IEC 42001:2023 was published on 18 December 2023 as the first international management system standard for AI. ISO is explicit about what it is for: organisations that develop, provide, or use AI systems. It covers leadership, policy, objectives, risk management, data governance, transparency, performance evaluation, and continual improvement. That is not a technical side note. It is a management response to the fact that AI now sits inside live operating environments rather than beside them.
A standard like that does not appear by accident. It appears when a control problem has become durable enough to deserve one.
That is the first thing many firms still miss. ISO 42001 is not evidence of fashion. It is evidence that AI governance has moved categories. The question is no longer whether a system is impressive. The question is whether its authority, boundaries, review burden, and accountability model have been specified at all.
Existing Control Language Is Not Enough
NIST made the underlying point clearly in AI RMF 1.0, released on 26 January 2023. Its guidance says AI risks can exceed the enterprise, span organisations, and produce impacts not comprehensively addressed by current risk frameworks. It points to context failure, uncertain ground truth, representativeness problems, and harmful bias as risks that do not behave like ordinary software defects.
That matters because many organisations are still trying to answer an AI governance problem with stretched versions of older language. They know how to ask who has access. They know how to ask whether a supplier has been reviewed. They know how to ask whether logs exist. Those remain necessary questions. They are not the whole question.
They do not tell you what the system should be allowed to decide. They do not tell you what level of variance is tolerable. They do not tell you when human review must remain. They do not tell you what forms of opacity are unacceptable, or who remains answerable when the model behaves exactly as deployed but the deployment logic itself was poor.
That gap is not administrative. It is structural.
The Regulatory Sequence Is Already Live
The comfortable fiction is that governance can wait until regulation settles.
That fiction is getting expensive.
The EU AI Act entered into force on 1 August 2024. Prohibited AI practices and AI literacy obligations began applying on 2 February 2025. Obligations for general-purpose AI models became applicable on 2 August 2025. Most of the remaining framework becomes fully applicable on 2 August 2026, with certain high-risk product-related provisions extending to 2 August 2027. These are implementation dates, not theoretical milestones.
The narrow response is to say that not every firm sits directly inside EU jurisdiction.
Legally, perhaps. Commercially, that answer is thin. Regulatory logic does not remain inside national containers once customers, partners, insurers, advisers, and procurement functions begin using it as shorthand for what serious governance looks like. Once one major market makes AI governance legible, other markets inherit the pressure long before they inherit identical law.
Privacy Has Already Entered The Room
The UK picture points in the same direction.
The ICO’s guidance on AI and data protection, updated on 15 March 2023, addresses accountability and governance, lawfulness, fairness, transparency, security, accuracy, data minimisation, and individual rights in the context of AI. The ICO also states that the guidance is under review because the Data (Use and Access) Act became law on 19 June 2025. That is not the profile of a topic drifting toward simplicity. It is the profile of a topic becoming more operational, more specific, and less tolerant of vague internal assurances.
This matters for a simple reason. Many firms still behave as though AI governance were mainly a matter of internal temperament. How cautious do we feel? How much review do we want? How much process can the business bear this quarter?
That framing collapses the moment AI touches personal data, inference, prioritisation, or decision support. At that point, internal preference is no longer the only thing in the room. Rights, fairness, transparency, and accountability are already there with you.
Boards Already Know This Pattern
Boards have seen this film before, just under a different title.
The UK government published the Cyber Governance Code of Practice on 8 April 2025 to support boards and directors in governing cyber security risks. The NCSC frames cyber governance explicitly as a board responsibility. That matters here not because AI is identical to cyber, but because it shows how technical exposure becomes a governance issue once the consequences of weak oversight become strategically obvious.
AI has now reached that threshold in many firms. Not because every use case is high-risk. Not because every model is catastrophic. But because the technology increasingly sits close to judgment, delegation, data movement, external communication, and operational authority. Once a system materially influences those things, governance stops being a technical courtesy and becomes a board-level concern whether the board has caught up or not.
The Assurance Layer Is Forming
The market infrastructure is catching up as well.
ISO states that certification to ISO/IEC 42001 is voluntary and carried out by independent certification bodies, not by ISO itself. In the UK, that assurance layer became more concrete on 15 January 2026, when UKAS announced the first accreditation for certification of AI management systems to ISO/IEC 42001:2023. The deeper point is not ceremonial. It is commercial. AI governance is becoming something that can be inspected, compared, and asked for.
That changes the conversation.
Once accreditors, certifiers, auditors, and procurement teams have a legible framework through which to evaluate AI governance, informal reassurance starts to lose market value. The organisation may still choose not to certify. It no longer has the luxury of pretending that no external assurance language exists.
The Cost Of Waiting Is Becoming Visible
Weak AI governance is not only a future compliance problem. It is already producing commercial friction.
Reuters reported on 8 October 2025 that an EY survey of 975 executives found nearly every large company deploying AI had experienced some initial financial loss tied to issues such as compliance failures, inaccurate outputs, or bias. The same reporting said companies with more developed responsible-AI policies reported stronger outcomes on sales, cost savings, and employee satisfaction. That does not prove ISO 42001 certification is the only answer. It does show that governance quality is no longer abstract. It is showing up in commercial performance.
This is where the discussion usually becomes evasive. Organisations start talking about maturity. About keeping an eye on things. About learning as they go.
Sometimes that is sensible. Often it is a polite way of saying that delegated machine influence has already entered the business before anyone has defined the operating terms under which it is allowed to remain there.
The Category Error
This is the real error.
Many firms still talk about AI as though the core issue were adoption: whether to move, how fast to move, which platform to buy, which model to choose, which workflow to pilot.
Those are downstream questions.
The upstream question is whether the organisation has specified enough of its own operating environment to govern delegated machine influence at all. What is the task? Where does judgment remain non-delegable? What constitutes harmful error? Which outputs must remain reviewable? What data boundaries are inviolable? What changes require reassessment? Who carries the authority to decide any of this?
Without answers to those questions, what looks like AI strategy is often just unmanaged delegation. The technology impresses. The governance vacillates. The risk accumulates.
The External Case Is Already Substantial
The external case is no longer speculative.
The standard exists. The regulatory timetable is live. The UK privacy regulator is actively engaged. The assurance market is accrediting. The surrounding ecosystem is expanding as well: ISO/IEC 42005:2025, published in May 2025, adds guidance for AI system impact assessment and focuses on how AI systems and their foreseeable applications may affect individuals, groups, or society. That is what a maturing control domain looks like. Management system first. Then surrounding methods. Then assurance infrastructure.
So the question is not whether AI is strategically interesting. Of course it is.
The question is whether your organisation has already given AI enough operational influence that governing it informally is no longer credible.
For a growing number of firms, the answer is already yes. They simply have not updated their governance architecture to match their operational reality.
ISO 42001 matters because it provides a management-system architecture for doing exactly that. Not as theatre. Not as a badge first. As a way of making AI governable before the organisation confuses visible movement with actual readiness.
What is your systematic response?