Is ISO 42001 Really about AI "Governance"?
“AI Governance” is now firmly in the buzzword hall of fame. And when people reach for a standard to anchor it, they almost always reach for ISO/IEC 42001.
Here’s the inconvenient detail: ISO 42001 is a management system standard. The clue is in the name — Artificial Intelligence Management System (AIMS). It sits in the same structural family as ISO 27001 and ISO 9001, built on the same Harmonized Structure. It is, quite literally and quite deliberately, about management.
So either the entire market is using the word wrong, or “AI Governance” and “AI Management” are not the same thing — and ISO 42001 only partly delivers the former.
It’s the second one. And the distinction isn’t pedantry. If you can’t tell which parts of your AIMS are governance and which are management, you will quietly let your management system make decisions that your board should be making. Let’s fix that.
What governance actually is (and isn’t)
The cleanest definition doesn’t come from ISO 42001 at all. It comes from ISO 37000:2021, Governance of organizations — Guidance — the standard written specifically to answer this question. So we’ll use it as our reference point throughout.
ISO 37000 defines the governance of organizations as the “human-based system by which an organization is directed, overseen and held accountable for achieving its defined purpose.” Direct. Oversee. Hold to account. Keep those three verbs in mind.
Then, in clause 4.2.3, ISO 37000 explicitly separates governance from management:
Governance involves setting and being accountable for the organization’s fulfilment of its purpose within the parameters set for the organization, whereas management is about fulfilling the associated objectives by making choices within those parameters.
Read that twice. Governance sets the parameters and owns the outcome. Management operates inside those parameters and makes the day-to-day choices. One draws the box; the other works within it.
ISO 37000 reinforces this with its definition of the governing body — the “person or group of people who have ultimate accountability for the whole organization.” Crucially, it notes that ISO management system standards refer to “top management” as a role that reports to, and is held accountable by, the governing body. In other words, ISO’s own architecture puts governance above the management system, not inside it.
A second non-negotiable from ISO 37000: the governing body can delegate, but it cannot delegate away accountability. It “remains accountable for what it has delegated and always remains responsible for the organization as a whole” (4.2.2). You can hand the AIMS to a management team. You cannot hand them the buck.
So the question to ask for any clause of ISO 42001 is simple:
Is this clause asking someone to set parameters and own the outcome (governance), or to operate within parameters and make choices (management)?
Analysing ISO 42001: governance or management?
ISO 42001 is built on clauses 4–10 (the management-system requirements) plus Annex A (a reference set of 38 AI-specific controls). Let’s walk the structure clause by clause and analyse each requirement against that question.
The governance parts
Clause 5.1 — Leadership and commitment. This is the most governance-like requirement in the whole standard, and it maps almost directly onto ISO 37000’s Leadership principle (6.7) and Purpose principle (6.1). It demands that the top of the organization establish an AI policy, ensure the AIMS is integrated into business processes, and own its strategic direction. ISO 37000 would call this setting the tone and direction — squarely governance.
Clause 5.2 — AI Policy (and Annex A.2, AI policy controls). A policy is, in ISO 37000’s language (3.2.9), the “intentions and direction of an organization, as formally expressed by its governing body.” Setting intentions and direction is the definition of a governance act. The catch — which we’ll come back to — is that ISO 42001 lets top management own the policy, when ISO 37000 would expect the governing body to set the parameters that policy must respect.
Clause 5.3 — Roles, responsibilities and authorities (and Annex A.3, internal organization). Defining who holds what authority is governance work. ISO 37000 treats delegation — “assignment of authority and responsibility from one that holds them to another” (3.2.4) — as a core governance mechanism. Deciding the limits of decision-making authority “in response to assessed risk” (4.2.2) is exactly what A.3 is reaching for.
The hybrids
This is the bucket most people get wrong, and Clause 6.2 (AI objectives and planning to achieve them) is the trap. “Setting objectives” sounds like pure governance — and the instinct to file it there is understandable. But it doesn’t survive the analysis.
The distinction forces a split. ISO 37000 separates setting the parameters and owning the outcome from making choices within those parameters (4.2.3). Apply that to objectives and the single word “objectives” cracks into two acts at two levels. Deciding what the AI effort exists to serve — the strategic direction it must align to, and the risk appetite it sits within — is governance. ISO 37000 makes this explicit: the governing body defines the value the organization intends to generate (6.2) and “sets the tone” for risk, including risk appetite and risk criteria (6.9.3). But the act Clause 6.2 actually requires — establishing measurable AI objectives, deciding what will be done, what resources are needed, who is responsible, and when it’s complete — is management. That’s “fulfilling the associated objectives by making choices within those parameters” almost verbatim. So 6.2 is a hybrid: governance hands down the strategic objective and the appetite; management writes the SMART objectives and the plan to hit them. Call the whole clause “governance” and you’ve quietly let the management system set its own direction — the exact failure this article is about.
Clause 6.1.x — Risk and the AI impact assessment direction (with Annex A.5). Same shape. ISO 37000 dedicates an entire principle to Risk governance (6.9): the governing body should “set the tone for the organization with respect to how the management of risk is to be approached” and establish the organizational risk framework, including risk appetite and risk criteria. When ISO 42001 requires you to define how AI risks and impacts on individuals and society are assessed, the framing and appetite-setting part is governance. The running of those assessments (Clause 8) is not.
Clause 4 — Context of the organization. Determining purpose, interested parties and scope sounds governance-y, and ISO 37000 does treat Purpose (6.1) and Stakeholder engagement (6.6) as governance principles. But in 42001, Clause 4 is framed as input to building the management system, not as the governing body defining the organization’s reason to exist. The governance act (defining purpose) is assumed to have already happened elsewhere; Clause 4 just documents it for the AIMS. Governance in spirit, management in placement.
Clause 9.3 — Management review. A review of the AIMS by top management is an oversight activity, and ISO 37000 makes Oversight a foundational principle (6.4). But note the ceiling: a management review is top management checking its own system. ISO 37000’s oversight sits with the governing body assuring itself — often through independent assurance and internal audit (6.4.3.3) — that the whole system works. Clause 9.3 is the management-level shadow of a governance activity.
Clause 9.2 — Internal audit. Genuinely an assurance mechanism, and ISO 37000 explicitly values internal audit for governance assurance (4.3.2, 6.4.3.3). But in 42001 it serves the management system’s conformity, not the governing body’s independent line of sight. Useful to governance; not itself governance.
The management parts
Everything below is essential — and none of it is governance. It’s the engine, not the steering wheel.
Clause 7 — Support (resources, competence, awareness, communication, documented information). Operating the system.
Clause 8 — Operation (operational planning and control, running the AI risk assessment, running the AI system impact assessment). This is where the parameters set above get executed. ISO 37000’s line is exact: management is “fulfilling the associated objectives by making choices within those parameters.”
Clause 10 — Improvement (nonconformity, corrective action, continual improvement). The PDCA “Act.” Operational.
Most of Annex A — A.4 (resources for AI systems), A.6 (data for AI systems), A.7 (information for interested parties), A.8 (responsible use), A.9/A.10 (third-party and supplier relationships). These are controls operated within the policy and risk parameters. Implementation, not direction.
The conclusion
Once you sort it, the pattern is obvious: ISO 42001’s genuine governance content is concentrated almost entirely in Clause 5 and the framing parts of Clause 6. Everything else is management — excellent, necessary management, but management.
And even the governance-flavoured clauses have a structural ceiling. ISO 42001, like every management system standard, assigns its top-of-house duties to “top management.” But ISO 37000 is unambiguous that top management reports to and is held accountable by the governing body. The standard assumes a governance layer above the AIMS — and then doesn’t provide it.
That’s the gap. ISO 42001 will tell you to have an AI policy. It will not tell your board to own AI risk appetite, to demand independent assurance over the AIMS, or to account to stakeholders for the organization’s AI impacts. Those are governing-body duties, and they live in ISO 37000, not ISO 42001.
So when someone says ISO 42001 is your AI governance, gently correct them:
ISO 42001 gives you an AI management system with a few governance hooks at the top. Real AI governance is the layer your governing body operates above it — setting the parameters the AIMS runs inside, and owning the outcomes it produces.
Call the management system a management system. Then make sure someone is actually doing the governing.