ISO 42001 and your AI project's unacknowledged obligations

ISO 42001:2023 is the international standard for AI management systems. If your organisation is deploying AI, you are already creating obligations under it — whether or not you have mapped them. Most organisations have not.

This is not unusual. New standards typically lag adoption by years, and organisational compliance functions tend to be reactive rather than anticipatory. ISO 42001 was published in December 2023. Many compliance teams are still working through its implications. Many development teams have never heard of it.

But the gap is worth closing proactively. Not because an auditor is likely to ask next quarter, but because mapping your AI obligations is also a design discipline — and it produces better AI systems as well as more defensible compliance postures.

What ISO 42001 actually is

ISO 42001 is a management system standard. It specifies requirements for establishing, implementing, maintaining and continually improving an Artificial Intelligence Management System — an AIMS. The structure will be familiar to anyone who has worked with ISO 27001 (information security) or ISO 9001 (quality management): it uses the same high-level structure, the same emphasis on documented objectives, risk assessment, evidence of conformance, and management review.

The content is what changes. Where ISO 27001 asks about information security controls, ISO 42001 asks about AI governance: how AI systems are designed and deployed, what risks they create, how those risks are managed, who is responsible for oversight, and how the organisation ensures that its AI systems behave consistently with its stated objectives and values.

What it actually requires

At its core, ISO 42001 requires five things that many AI-adopting organisations currently lack in documented form:

An AI policy — a statement of your organisation's approach to AI, covering objectives, commitments, and the boundaries within which AI systems are permitted to operate.

An AI risk assessment — a documented analysis of the AI systems you operate, what they can affect, what could go wrong, the severity of potential harms, and the likelihood of each.

Documented AI objectives — measurable goals for your AI use that connect to organisational strategy and are monitored over time.

Evidence of conformance — records demonstrating that your controls are operating as described. Not just that controls exist on paper, but that they are functioning.

A management review cycle — a formal process by which leadership periodically assesses whether the AI management system is adequate, effective, and aligned with the organisation's current context.

Why most AI projects are structurally non-compliant

Consider a typical AI deployment: a team integrates a language model into a product feature, ships it to users, and monitors for regressions. The technical work may be sound. But ask the harder questions: Is there a documented AI policy this deployment can be checked against? Is there a risk assessment identifying what the model could get wrong and who would be affected? Are the controls — on model selection, output handling, human review thresholds — documented and demonstrably operating? Is there a review cycle that would surface the failure if those controls stopped working?

In most organisations, the answer to at least some of these questions is no. Not because of negligence, but because the standard is new, AI adoption is fast, and the compliance function has not caught up with the development function.

That gap is the obligation that has not yet been mapped.

The connection to ISO 27001

For organisations that already hold ISO 27001 certification, this is less of a leap than it appears. The structural requirements are the same. The evidence you need is largely parallel: where 27001 asks for evidence that your information security controls are operating, 42001 asks for evidence that your AI governance controls are operating. Many of the underlying documents — risk assessments, policy records, review minutes, control logs — serve both.

ISO 42001 is not a replacement for 27001. It is the next layer. If you have information security governance in place, AI governance is an extension of the same discipline applied to a new domain.

The case for mapping it now

There are two reasons to close this gap proactively rather than waiting for an audit request.

The first is regulatory trajectory. ISO 42001 is becoming a reference point for regulators assessing AI governance. The EU AI Act, which came into force in 2024, creates obligations that align substantially with ISO 42001 controls. Being able to demonstrate conformance ahead of enforcement is meaningfully easier than reconstructing evidence under pressure.

The second is operational. Mapping your AI obligations is a design constraint that improves how you build. Teams that document what an AI system is for, what it should not do, and how failures will be detected, build more reliable systems. The discipline of accountability is also a discipline of clarity — and clarity about what a system is supposed to do is the prerequisite for building it well.

The work is more tractable than it looks. Your organisation already holds most of the evidence: development documentation, model selection records, review notes, risk assessments, policies. What is missing is not usually the evidence — it is the connection between the evidence and the obligation it covers, and the visibility into what is genuinely absent.

Connecting that evidence, surfacing the gaps, and making the coverage picture continuously visible — that is what Phase 1 of Sovaign does, today.