{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreihplgm3kwszdv3ms6p6e4fhvghd52mteepp6jeaskt2iyduus57iq",
    "uri": "at://did:plc:j4nmy4ymoeorm3j6hzbijapg/app.bsky.feed.post/3mbol5kmcl6t2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreid72hocuy5zta5k6hqxzhk5jwejrezstddvlbvsxtho6zszthm5eu"
    },
    "mimeType": "image/jpeg",
    "size": 614641
  },
  "description": "As I dive deeper into EU AI regulation, ISO 42001 keeps surfacing. This piece explores what it is, how certification works, and why it matters for vendors.",
  "path": "/iso-42001-ai-governance/",
  "publishedAt": "2026-01-05T13:45:06.000Z",
  "site": "https://hoeijmakers.net",
  "tags": [
    "International Organization for Standardization",
    "my own work",
    "ISO/IEC 42001: a new standard for AI governance",
    "ISO/IEC 42001:2023 Artificial Intelligence Management System Standards - Microsoft Compliance",
    "ISO/IEC 42001 - Compliance"
  ],
  "textContent": "It is the start of a new year, and like many people working with AI, I have been spending time reading things that are not models, prompts, or product updates.\n\nInstead, I have been reading regulation.\n\nThe EU AI Act. Privacy law. Compliance language. Procurement questionnaires. The kinds of documents that do not describe how AI works, but how organisations are expected to _live with it_.\n\nWhen you follow those threads for a while, you start to notice a different layer of the AI conversation. Less about innovation, more about responsibility. Less about what AI can do, more about who is accountable when it does it.\n\nThat is how I recently ran into **ISO 42001**.\n\nI am not writing this to argue for or against it. At this stage, I am simply trying to understand what it is, why it exists, and why it is starting to appear in conversations around AI, compliance, and procurement.\n\n## What ISO standards are, briefly\n\nISO is the International Organization for Standardization. It does not regulate, and it does not certify organisations itself. What it does is define shared standards that describe how organisations can structure their work around specific themes.\n\nMany of the better-known ISO standards focus on _management systems_. **ISO 9001** for quality management. **ISO 27001** for information security. **ISO 27701** for privacy.\n\nThese standards do not say “your outcomes must be good”. They say: if you care about this topic, here is how responsibility, risk, documentation, and continuous improvement are typically organised.\n\nCertification is handled by accredited third parties, not by ISO itself. Organisations are audited against the standard by certification bodies, which are in turn overseen by national accreditation authorities.\n\nIt is a layered system. Procedural. Institutional. Familiar to anyone who has worked with large organisations or public-sector procurement.\n\n## What ISO 42001 adds to that landscape\n\nISO 42001 is the first ISO standard specifically focused on AI. More precisely, it defines the requirements for an **Artificial Intelligence Management System**.\n\nThat phrasing matters.\n\nThis is not a technical AI standard. It does not evaluate models, measure bias, or certify that an AI system is “ethical”. Instead, it asks whether an organisation has a structured way to govern AI across its lifecycle.\n\nThings like:\n\n  * defining which AI systems are in scope,\n  * assigning responsibility and oversight,\n  * assessing risks and potential impacts,\n  * managing data, suppliers, and third-party components,\n  * handling incidents and continuous improvement.\n\nIn other words, it standardises _how questions about AI are handled_, not the answers themselves.\n\nIf you are familiar with ISO 27001, the logic will feel recognisable. ISO 42001 follows the same management-system structure, just applied to AI.\n\n## Why this shows up in procurement, not product design\n\nFormally, ISO 42001 applies to “organisations”. In practice, it attaches itself most strongly to **vendors**.\n\nThat is not because vendors are morally more responsible, but because procurement needs certainty.\n\nLarge organisations, public bodies, and regulated sectors often prefer not to deeply inspect every supplier’s internal practices. Certification becomes a shortcut. A way to say: an independent party has checked that there is a governance system in place.\n\nIn that sense, ISO 42001 functions a bit like insurance.\n\nNot because it prevents problems, but because it redistributes risk and responsibility. It creates a shared baseline that allows organisations to move forward without fully understanding each other’s internal complexity.\n\nThis also explains why such standards are often more relevant for AI vendors than for advisory or exploratory work. The closer you are to operating AI systems in production, the more likely these questions become unavoidable.\n\n## How this relates to the EU AI Act\n\nISO 42001 is not law. It does not replace the EU AI Act, and it does not guarantee compliance.\n\nBut the two are clearly moving in the same direction.\n\nThe AI Act introduces a risk-based regulatory framework. ISO 42001 introduces a risk-based governance framework. One is legal, the other procedural.\n\nWhat ISO 42001 offers is not legal compliance, but _organisational readiness_. A way for companies to show that they have thought about responsibility, oversight, and control in a structured way.\n\nFor regulators, clients, and procurement teams, that distinction often matters less than one might expect.\n\n## Where this fits into my own exploration\n\nFor me, this sits alongside a broader research question: how responsibility for AI is being redistributed.\n\nOn the one hand, there is a strong emphasis on AI literacy. Organisations are encouraged to understand AI better, make informed decisions, and build internal competence.\n\nOn the other hand, there is a parallel move to push complexity upstream. To require vendors to demonstrate that they have governance systems in place, so that not every organisation has to reinvent that wheel.\n\nISO 42001 clearly belongs to the second category.\n\nIt does not replace understanding. But it does change where questions are asked, and who is expected to answer them.\n\nIn my own work, this is not a primary goal right now. It is something I am keeping in my peripheral vision. Something to be aware of as I look at my own organisation, the vendors we work with, and the institutional environment forming around AI.\n\nNot as a decision to make, but as a signal.\n\n## Why it is worth noticing, even if you do nothing with it\n\nYou do not need to pursue ISO 42001 to find it interesting.\n\nIts value, at least for me, lies in what it reveals about the direction things are moving. AI is no longer just a technical or creative concern. It is becoming part of the same governance machinery that already exists for quality, security, and privacy.\n\nWhether that is reassuring, constraining, or simply inevitable is not something I am trying to resolve here.\n\nFor now, it is enough to recognise that this layer exists, to understand roughly how it works, and to notice when it starts to appear in conversations.\n\nSometimes orientation is more useful than opinion.\n\n### Further reading\n\n  * ISO/IEC 42001: a new standard for AI governance\n  * ISO/IEC 42001:2023 Artificial Intelligence Management System Standards - Microsoft Compliance\n  * ISO/IEC 42001 - Compliance\n",
  "title": "Exploring ISO 42001 and AI governance",
  "updatedAt": "2026-05-10T08:53:40.504Z"
}