
Roles and responsibilities under ISO 42001

ISO 42001 requires documented roles and responsibilities for AI management. This piece defines the roles the standard expects, how they map to typical organisational structures, and what each role must be able to demonstrate.

Drel Research, 10 min read

ISO 42001 requires documented roles and responsibilities for AI management. This is not a soft requirement. The standard explicitly states that top management must assign responsibility and authority for the AI management system, and the assignment must be documented. At audit, the question is not whether roles are named in a job description — it is whether the roles are exercising the authorities the standard requires, and whether the records prove it.

Most organisations that struggle with ISO 42001 role requirements have named the roles without assigning the authorities. The role exists on paper; the person in the role has not been told what decisions they can make, what they are accountable for, or what the evidence of that accountability looks like. This piece defines what the standard requires and how to close the gap.

Why roles matter in a management system

Management system standards are built around accountability. A policy without an owner is a statement of intent. A risk register without a named acceptor is a list. A management review without a named decision maker is a meeting. ISO 42001 requires the role structure that converts each of these documents into accountable actions.

What ISO 42001 explicitly requires

ISO 42001 Clause 5.3 states that top management shall ensure that responsibilities and authorities for relevant roles are assigned, communicated, and understood. The clause identifies two specific requirements:

  • Responsibility must be assigned for ensuring that the AIMS conforms to the requirements of the standard.
  • Responsibility must be assigned for reporting on the performance of the AIMS to top management.

These two requirements define the minimum role structure: a person or function that owns the AIMS (responsible for conformance) and a reporting line to the executive level (responsible for performance reporting). Everything else — system owners, risk acceptors, auditors — flows from these two anchors.

Top management obligations

ISO 42001 Clause 5 places several obligations directly on top management — obligations that cannot be delegated. Top management must:

  • Establish, implement, maintain, and continually improve the AIMS.
  • Communicate the importance of effective AI governance and conformance with AIMS requirements.
  • Ensure that AIMS objectives are compatible with the organisation's strategic direction.
  • Ensure that the resources required for the AIMS are available.
  • Demonstrate leadership and commitment with respect to the AIMS.

The “demonstration” requirement is what creates the evidence obligation. Top management demonstrating commitment means making AI governance a visible agenda item at executive level — in board minutes, in management review records, in resource allocation decisions. A CEO statement on a website does not satisfy this clause; an executive committee meeting that reviewed AIMS performance and made resource decisions does.

The most common gap in the leadership clause is organisations that have named an AI governance lead but have not created the executive reporting line. The AI governance lead produces excellent documentation that nobody at executive level has reviewed. That is a Clause 5 gap, and it is a major nonconformity at audit.

The AI governance function

The AI governance function is the role or team that operates the AIMS on a day-to-day basis. Organisations variously call this role AI Ethics Officer, AI Governance Lead, Head of Responsible AI, or AI Risk Manager. The title is not specified by the standard; the authorities and accountabilities are.

The AI governance function must have defined authority to:

  • Require AI system owners to produce and maintain risk register entries, treatment plans, and operational procedure records.
  • Require AI system owners to complete re-assessments when trigger criteria are met.
  • Escalate AIMS non-conformances to the executive level with a recommendation for resolution.
  • Convene and manage the management review cycle, including producing the agenda and recording decisions.

The evidence that this authority is real — not just documented — includes instances where the AI governance function exercised it: a risk re-assessment initiated because the governance lead triggered it, an escalation record, a management review minute showing that the governance function's report was presented and discussed.

Operational roles

Below the AI governance function, ISO 42001 requires operational role assignments for each AI system in scope:

ISO 42001 required roles — authority, accountability, and evidence

| Role | Authority | Accountable for | Evidence |
| --- | --- | --- | --- |
| Executive sponsor / top management | Approve AI policy, assign AIMS ownership, provide resources | AIMS overall — that it exists and is resourced | Board minutes, policy sign-off record, appointment documentation |
| AI governance lead | Maintain AIMS, oversee risk management process, manage audit cycle | AIMS operation — that processes run and records are maintained | Role charter, risk register ownership, management review records |
| AI system owner | Approve risk assessment for assigned system, accept residual risk within threshold | System-level risk register entry, treatment plan, operational procedure compliance | Named in risk register, signed treatment plan, change notification records |
| Risk acceptor | Accept residual risk above threshold on behalf of the organisation | Named acceptance decisions in risk register | Signed risk acceptance records with date, conditions, and re-review trigger |
| Internal auditor | Audit AIMS clauses against the standard | Audit programme completion, finding reporting | Audit reports, independence confirmation, competency record |

AI system owners are the most operationally critical role. They are the people who know the systems, who commission the risk assessments, and who accept the residual risks. An auditor will ask them, directly, to describe the risks associated with their system and to produce the treatment plan. A system owner who cannot do this is evidence of a role in name only — which is a nonconformity.

Relationship to the DPO

Organisations subject to GDPR will already have a Data Protection Officer. The DPO role and the ISO 42001 AI governance roles overlap in scope but are not identical. Key distinctions:

The DPO is responsible for data protection compliance — ensuring that personal data is processed lawfully. The AI governance lead is responsible for AI management system conformance — ensuring that the AIMS operates and produces defensible records. For AI systems that process personal data (most enterprise AI), the two roles must coordinate on DPIAs, data subject rights, and incident notification.

ISO 42001 Annex A.6.2 (AI impact assessment) and GDPR Article 35 (DPIA) overlap for AI systems that make or influence decisions about individuals. The most efficient approach is a combined AI impact assessment and DPIA process, with the DPO and AI governance lead jointly responsible for the output.

The DPO cannot be directed to perform tasks that conflict with the independence requirement under GDPR Article 38. Assigning the DPO as the AI governance lead is permissible if there is no conflict of interest — but requires careful scoping to avoid creating a situation where the DPO is reviewing decisions they made in their operational capacity.

Documentation requirements

ISO 42001 Clause 5.3 requires that responsibilities and authorities are communicated. Communication means the people in the roles know they are in them — and know what the roles require. Evidence of communication includes:

  • A role charter or terms of reference for the AI governance function, signed by the executive sponsor.
  • Named AI system owner assignments in the AIMS scope document or risk register, with acknowledgement records.
  • Risk acceptor authority levels documented in the risk management process, with delegation records where authority has been delegated below the executive level.
  • Internal auditor competency records and independence declarations.

Job descriptions alone are not sufficient. An auditor may ask to see the job description — but they will also ask to see evidence that the role was actually exercised. A risk register entry signed by the named system owner is evidence of exercise. A job description that mentions AI governance is evidence of intent.

The ISO 42001 AI governance toolkit includes a role charter template, an AI system owner assignment record, and a risk acceptor authority matrix that cover the documentation requirements for each role.


Structure your AI governance roles around auditable evidence

Drel produces the system-level risk and control evidence that AI system owners need to fulfil their ISO 42001 accountabilities for assessed systems.

A note on scope: Drel reviews assessed systems against documented architecture, configuration and intent. It does not ingest live telemetry from production environments. Dispositions reflect the assessed system at the time of review and the re-assessment triggers that govern when the disposition must be revisited.