If you’re just getting started with AI governance or trying to make sense of the EU AI Act, you’re not alone. Many organisations are still working out how to manage AI risks, meet legal requirements and support innovation at the same time.
In a recent webinar, ISO 42001 and the EU AI Act: building a foundation for compliance, experts from IT Governance Ltd, a GRC Solutions company, explained how ISO 42001 can help businesses build a structured, future-proof approach to AI compliance.
Here’s what was covered – and what you should do next.
1. ISO 42001 gives you a structure – not just a certificate
Most attendees said their top challenge was getting a handle on AI risk in a structured way. That’s where ISO 42001 comes in.
It’s not a checklist or a set of rigid rules. It’s a management system – similar to ISO 27001, but designed specifically for AI. It helps organisations:
- Define legal, contractual and regulatory obligations (including the AI Act)
- Understand how AI systems fit into operations and where the risks lie
- Apply controls that are proportionate to their specific risk profile
It’s flexible by design. You don’t have to apply every control – only those that are relevant to your risk exposure. Even if you’re not working towards certification, using ISO 42001 as a framework can make AI governance easier to scale and more consistent across teams.
2. The EU AI Act applies to more businesses than you might expect
The Act doesn’t just apply to companies developing AI systems – it applies to those using them too. If an AI system is placed on the EU market or used within the EU, it’s in scope, regardless of where the organisation is based.
The Act uses a risk-based approach:
- Minimal risk: e.g. spam filters, with no significant obligations
- Limited risk: requires transparency (e.g. labelling AI-generated content)
- High risk: requires documentation, risk management, human oversight and more
- Prohibited uses: e.g. social scoring, manipulative profiling
Most obligations fall within the high-risk category. But even limited-risk systems carry requirements – especially around transparency. Many businesses are unaware they’re using AI at all, as it’s often embedded in platforms like CRM systems, productivity tools or cloud software. Visibility is the first step.
3. AI tools should be treated like any other part of the tech stack
A key takeaway was that AI should no longer be treated as something experimental or separate. It should be logged, assessed and monitored in the same way as any other system in your environment.
That means:
- Maintaining an asset inventory of AI tools
- Including them in risk, security and privacy assessments
- Applying access control, data classification and output validation
- Monitoring their outputs over time to catch drift, bias or other issues
Many of these steps can be built into existing governance processes. The goal is to avoid duplicating effort and ensure that AI is subject to the same scrutiny as other business-critical technologies.
Listen to the free webinar
Want to know more about the EU AI Act and how ISO 42001 can help you implement a structured AI management system that helps you manage AI risks effectively and meet your regulatory requirements?
4. Documentation doesn’t need to be perfect – but it does need to hold up
Effective AI documentation doesn’t need to be lengthy or complex. It needs to be accurate, used in practice, and able to stand up to scrutiny.
Organisations should be able to clearly show:
- What the AI system does
- Where the risks lie
- Who is accountable
- How outputs are validated and monitored
ISO 42001 outlines where documentation is mandatory and where it should be added based on risk. Good documentation should reflect how the organisation actually operates – not how it would like to operate in theory. The aim is accountability, not bureaucracy.
5. Innovation and compliance aren’t in conflict
One of the most useful discussions was around how to balance AI adoption with responsible governance. Organisations that are moving quickly with AI tend to be the ones that have built sensible safeguards early on.
Some effective practices include:
- Running pilots in sandboxes, away from live data and systems
- Holding short AI reviews before launch to flag risks
- Involving legal or risk teams early – not just at the end
- Assigning clear responsibility for AI coordination across the business
It’s also important to embed AI into existing governance structures rather than setting up separate ones. Many existing policies and processes (such as DPIAs or change management) can be adapted to cover AI. And getting the culture right is just as important as the controls. If policies exist but people don’t feel comfortable raising concerns, the governance will fall flat.
How we can help with ISO 42001 compliance
If you’re working towards ISO 42001 – or thinking about it – we can support you at every stage.
Our consultancy services are designed to help organisations achieve certification and build a robust, practical AI management framework.
We can help you:
- Run a gap analysis to identify where you meet the standard and where you don’t
- Develop policies and processes to manage AI risk in line with ISO 42001 requirements
- Get audit-ready, with support tailored to your certification timeline
If you’d like to talk to one of our consultants about your organisation’s needs, get in touch and we’ll help you plan the next step.
Get started today
Contact us for a free consultation on how ISO 42001 can support your AI strategy.
The post How ISO 42001 supports EU AI Act compliance appeared first on IT Governance Blog.
