
Building an AI management system (AIMS) from scratch

An AI management system is the governance infrastructure for AI: the policies, procedures, roles, and records that allow an organisation to make defensible AI decisions at scale. This piece defines what it takes to build one.

Drel Research, 12 min read

An AI management system is the governance infrastructure for AI. It is the set of policies, procedures, roles, and records that allows an organisation to make defensible decisions about AI at scale — to deploy, monitor, and decommission AI systems in a way that is consistent, auditable, and improvable over time.

Building one from scratch is a programme, not a project. Most organisations already have fragments of an AIMS — a procurement questionnaire here, an acceptable use policy there, a security review for one or two systems. The work of building an AIMS is joining those fragments into a coherent system, filling the gaps, and making the whole thing auditable. This piece defines the eight components that system must contain.

What an AIMS requires

ISO 42001 structures the AIMS around seven clauses (Clauses 4 to 10), each corresponding to a management system function. For practical implementation purposes these map to eight components. Clause 5 (Leadership) is split into three, leadership commitment, the AI policy, and roles and responsibilities, because the standard treats them as sub-clauses of one clause but they are distinct workstreams in practice. Clause 7 (Support) gets no component of its own: its requirements for competence, communication and documented information surface inside the other components, as training records, policy communication records and maintained procedures.

The eight components of an ISO 42001-aligned AIMS

  1. Leadership commitment (Clause 5.1). Board-approved AI governance mandate with a named executive sponsor.
  2. Scope definition (Clause 4.3). AIMS scope document listing the AI systems in scope, with justification for exclusions.
  3. Risk management process (Clause 6.1). Documented methodology, AI risk register, treatment plans.
  4. Roles and responsibilities (Clause 5.3). Role definitions with authority, accountability, and review triggers.
  5. AI policy framework (Clause 5.2). AI use policy, ethics statement, accountability policy.
  6. Operational procedures (Clause 8). Lifecycle procedures: design review, deployment gate, incident response.
  7. Performance measurement (Clause 9). Monitoring plan, audit programme, management review agenda.
  8. Improvement processes (Clause 10). Non-conformance procedure, corrective action records, improvement log.

Component 1 — leadership commitment

ISO 42001 Clause 5.1 requires top management to demonstrate leadership and commitment to the AI management system. This is not a ceremonial requirement. The standard defines specific actions that demonstrate commitment: ensuring an AI policy and AI objectives are established, assigning responsibility for the AIMS (with the authority to require compliance), and ensuring that the AIMS has the resources it needs to operate.

In practice, leadership commitment requires naming an executive sponsor — typically a CISO, Chief AI Officer, Chief Risk Officer, or a board-level AI governance committee — who owns the AI governance mandate. The scope of that mandate (which AI systems, which parts of the business) must be recorded. Without an authoritative scope decision, subsequent components are contested.

Evidence of leadership commitment at audit includes the board or executive committee meeting minutes where AI governance was placed on the agenda, the appointment record for the responsible role, and the approved AI policy signed by the executive sponsor.

Component 2 — scope definition

ISO 42001 Clause 4.3 requires the organisation to define the scope of the AIMS. The scope document names which AI systems are governed by the management system, which are excluded, and why. It also defines the boundaries of the organisation (legal entities, business units, geographies) that are in scope.

Scope definition is where most AIMS implementations encounter their first practical difficulty. The number of AI systems in operation is usually higher than the organisation expects — embedded AI in SaaS tools, AI features in productivity software, and AI-powered analytics platforms are all AI systems within the standard's definition. The scope decision requires a prior inventory.

An AI system inventory that was produced for the purpose of scope definition is not a one-time document. Every new AI system deployed is a scope decision — is it in or out? The AIMS needs a process for making that decision consistently, not just a list produced at programme start.

The scope document must be reviewed at least annually and whenever a significant new AI system is deployed or an in-scope system is decommissioned.

Component 3 — risk management process

ISO 42001 Clause 6.1 requires a documented AI risk assessment process — a methodology that the organisation applies consistently to each AI system in scope. The process produces an AI risk register with entries covering AI-specific risk categories: data quality, bias and fairness, safety, security, explainability, and societal impact.

For each risk in the register, the process must produce a treatment record: the option selected (accept, avoid, transfer, or mitigate), the controls applied, the named risk acceptor, and the residual risk rating. The treatment record must include a re-review trigger — the events that would require the risk to be re-assessed.

Organisations with an existing ISO 27001 ISMS should extend the existing risk methodology rather than build a new one. The ISO 27001 risk methodology is compatible with ISO 42001; it needs to be extended to cover AI-specific categories and lifecycle phases.

Component 4 — roles and responsibilities

ISO 42001 Clause 5.3 requires documented roles and responsibilities for the AIMS. The standard explicitly requires top management to ensure that roles are assigned, communicated, and understood. It does not prescribe role titles; in practice, the following roles are the minimum that must be defined:

  • AI governance lead. The person or function responsible for the AIMS overall — maintaining the policy framework, overseeing the risk management process, and managing the management review cycle.
  • AI system owners. The named individuals responsible for each AI system in scope — accountable for the risk register entry, the treatment plan, and the operational procedures for that system.
  • Risk acceptors. The people authorised to accept residual risk for AI systems. This is often the system owner for routine risks and the AI governance lead or executive sponsor for significant risks.
  • Internal auditors. People with the competence to audit the AIMS who are independent from the functions they audit.

Component 5 — AI policy framework

ISO 42001 Clause 5.2 and Annex A.2 require an AI policy — the high-level statement of intent that governs the organisation's use and governance of AI. In practice, the policy framework comprises several documents:

  • An AI acceptable use policy (what AI may and may not be used for).
  • An AI ethics or values statement (the principles applied in AI decisions).
  • An AI accountability policy (who is responsible for what, and how accountability is discharged).
  • A data governance policy for AI (how data used in AI systems is sourced, classified, and managed).

Policies must be approved by top management and communicated to the people responsible for implementing them. Communication records — email distribution logs, intranet acknowledgement records, training attendance records — are the evidence the auditor expects.

Component 6 — operational procedures

ISO 42001 Clause 8 covers the operational layer of the AIMS: the procedures that govern how policies are implemented across the AI system lifecycle. The standard does not enumerate these procedures by name, but in practice the minimum set is:

  • An AI system requirements and design review procedure — defining how AI systems are assessed before build.
  • A deployment gate procedure — defining the checks that must pass before an AI system enters production, including the security review requirement.
  • An AI monitoring procedure — defining what is monitored, how, and with what frequency, for each system in scope.
  • An AI incident response procedure — defining how AI-specific incidents are classified, escalated, and communicated.
  • An AI change management procedure — defining what changes trigger a re-assessment and what the re-assessment process is.

Procedures must be maintained as documented information. They must be reviewed when the systems they govern change and must be tested at least once per audit cycle to produce the records the internal auditor will inspect.
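The treatment record described under Component 3 (option, controls, named acceptor, residual rating, re-review trigger) and the change management procedure above (which changes trigger a re-assessment) are the two places where an AIMS can be enforced mechanically rather than by reading documents. The following Python is an added example, not Drel's code and not anything ISO 42001 specifies: it checks a risk register for treatment records that are missing required fields, applies the acceptor rule from Component 4 (significant residual risk accepted only at governance-lead or sponsor level), and resolves which risks a change event reopens. The field names, the change-type vocabulary, the "high residual needs a senior acceptor" rule, and the sample register are all assumptions made for the example.

```python
"""Policy-as-code checks over an AI risk register (added example).

The schema, change-type vocabulary, acceptor rule and sample entries below are
assumptions for illustration; ISO 42001 prescribes none of them.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed vocabulary.
TREATMENT_OPTIONS = {"accept", "avoid", "transfer", "mitigate"}
RESIDUAL_RATINGS = {"low", "medium", "high"}
SENIOR_ACCEPTORS = {"ai-governance-lead", "executive-sponsor"}  # may accept "high" residual
CHANGE_TYPES = {"model_version", "training_data", "new_integration", "scope_change", "incident"}


@dataclass
class Treatment:
    option: str
    controls: list[str]
    acceptor: str               # named role authorised to accept the residual risk
    residual: str               # residual rating after controls are applied
    review_triggers: set[str]   # change types that require the risk to be re-assessed


@dataclass
class Risk:
    risk_id: str
    system: str
    category: str               # e.g. bias, security, explainability, data quality
    treatment: Treatment | None = None


def treatment_defects(risk: Risk) -> list[str]:
    """Ways a risk's treatment record fails the shape the AIMS requires."""
    t = risk.treatment
    if t is None:
        return ["no treatment record"]
    defects: list[str] = []
    if t.option not in TREATMENT_OPTIONS:
        defects.append(f"unknown treatment option {t.option!r}")
    if t.option == "mitigate" and not t.controls:
        defects.append("mitigate selected but no controls recorded")
    if not t.acceptor:
        defects.append("no named risk acceptor")
    if t.residual not in RESIDUAL_RATINGS:
        defects.append(f"unknown residual rating {t.residual!r}")
    elif t.residual == "high" and t.acceptor not in SENIOR_ACCEPTORS:
        defects.append("high residual risk accepted below governance-lead level")
    unknown = t.review_triggers - CHANGE_TYPES
    if not t.review_triggers:
        defects.append("no re-review trigger recorded")
    elif unknown:
        defects.append(f"unknown re-review triggers {sorted(unknown)}")
    return defects


def register_defects(register: list[Risk]) -> dict[str, list[str]]:
    """risk_id -> defects, for every risk that has at least one."""
    return {r.risk_id: d for r in register if (d := treatment_defects(r))}


def risks_to_reassess(register: list[Risk], system: str, change_type: str) -> list[str]:
    """Risk ids reopened by a change event on one system.

    A scope_change is organisation-wide and reopens every risk that lists it;
    any other change type only affects risks recorded against that system.
    """
    if change_type not in CHANGE_TYPES:
        raise ValueError(f"unknown change type {change_type!r}")
    hits = []
    for r in register:
        if r.treatment is None or change_type not in r.treatment.review_triggers:
            continue
        if change_type == "scope_change" or r.system == system:
            hits.append(r.risk_id)
    return hits


# Constructed sample register (illustrative values only).
REGISTER = [
    Risk("R-001", "claims-triage", "bias",
         Treatment("mitigate", ["fairness eval per release", "human review of declines"],
                   "claims-triage-owner", "medium", {"model_version", "training_data"})),
    Risk("R-002", "claims-triage", "security",
         Treatment("mitigate", ["prompt-injection test suite"], "executive-sponsor",
                   "high", {"model_version", "new_integration", "incident"})),
    Risk("R-003", "hr-screening", "explainability",   # defect: high residual accepted by the owner
         Treatment("accept", [], "hr-screening-owner", "high", {"scope_change"})),
    Risk("R-004", "hr-screening", "data quality",     # defects: no controls, no re-review trigger
         Treatment("mitigate", [], "hr-screening-owner", "low", set())),
]

if __name__ == "__main__":
    for rid, defects in register_defects(REGISTER).items():
        print(rid, "->", "; ".join(defects))
    print("model_version on claims-triage reopens:",
          risks_to_reassess(REGISTER, "claims-triage", "model_version"))
```

Run against the sample register, `register_defects` flags R-003 and R-004 and nothing else, and a new model version on claims-triage reopens R-001 and R-002 while leaving the hr-screening risks untouched. The same two functions are what a deployment gate or change-management procedure would call: a system does not pass the gate while its risks carry defects, and a change event produces the list of risks whose treatment must be revisited before the change ships.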

Component 7 — performance measurement

ISO 42001 Clause 9 requires the organisation to monitor, measure, analyse, and evaluate the AIMS. This has three sub-requirements: ongoing monitoring (9.1), periodic internal audit (9.2), and management review at planned intervals (9.3), which in most implementations means annually.

The monitoring plan defines what is measured (risk register coverage, treatment plan completion, incident response timeliness, training completion) and at what frequency. The internal audit programme defines the scope, criteria, and cadence for internal audits — typically covering all clauses over a rolling 12-month cycle. The management review agenda defines what top management reviews annually: AIMS performance against objectives, outstanding non-conformances, risk register status, and proposed improvements.

Component 8 — improvement processes

ISO 42001 Clause 10 requires the organisation to address non-conformities and continually improve the AIMS. The non-conformance procedure defines how gaps identified in internal audit, management review, or operational monitoring are recorded, root-caused, and corrected. Corrective action records must be retained.

Continual improvement is evidenced by the management review records showing improvement decisions, the corrective action log showing closed items, and year-over-year changes in the AIMS performance metrics. An auditor reviewing a mature AIMS expects to see evidence that the system is getting better — not just evidence that it exists.

The ISO 42001 AI governance toolkit provides templates for each of these eight components, including the scope document, risk register, treatment plan, management review agenda, and non-conformance record.


Build the risk and evidence layer your AIMS requires

Drel produces the AI security review evidence — threat model, control gaps, and risk treatment record — that populates the technical components of your AIMS for assessed systems.

A note on scope: Drel reviews assessed systems against documented architecture, configuration and intent. It does not ingest live telemetry from production environments. Dispositions reflect the assessed system at the time of review and the re-assessment triggers that govern when the disposition must be revisited.