ISO 42001 · February 2026

ISO 42001 and Governance Maturity: Where to Start

Practical starting points for building an AI management system. What ISO 42001 is, what it is not, and how it intersects with the EU AI Act.

ISO/IEC 42001 is the international standard for AI management systems. Published in 2023, it provides a framework for organisations to develop, use, and govern AI systems responsibly.

But let's establish one thing clearly first: ISO 42001 is not a compliance certificate — it is a management system standard.

What ISO 42001 Is — and Isn't

ISO 42001 systematises how your organisation identifies, manages, and monitors AI-related risks. What ISO 9001 does for quality management, ISO 42001 does for AI governance.

What ISO 42001 Is: A management system standard that systematises the processes for identifying, managing, and monitoring AI risks. It structures the existence and consistency of those processes.

What ISO 42001 Is Not: Not a checklist. Achieving certification does not guarantee that your AI systems are safe or ethical. The standard verifies the existence of processes — not outcomes.

ISO 42001 also does not replace the EU AI Act. The two address different questions: the EU AI Act asks "is this system lawful?" — ISO 42001 asks "how are we governing this system?"

Where It Intersects with the EU AI Act

These two frameworks complement each other. The EU AI Act mandates technical documentation, risk management, and human oversight for high-risk systems. ISO 42001 provides a roadmap for building precisely the management infrastructure needed to meet those requirements.

In practice, this means: for an organisation working toward EU AI Act compliance, ISO 42001 is the most efficient way to build systematic governance — rather than assembling ad hoc measures. The standard shows which processes need to be built, and in which order.

How Is Governance Maturity Measured?

ISO 42001 evaluates governance maturity across four core dimensions: leadership and commitment, risk management processes, operational controls, and continual improvement.

These dimensions map directly onto the phases of the Hexis Model:

Hexis Model phase: ISO 42001 equivalent

Diagnose: Risk assessment requirements — defining the scope and impact domain of the system
Structure: Responsibility and accountability structures — who is authorised for what, and who is accountable to whom
Govern: Operational controls — oversight mechanisms across the full AI system lifecycle
Sustain: Continual improvement cycle — adapting to changing context and evolving regulation

Maturity is not binary. "Compliant" or "non-compliant" is the wrong framing. The right question is: where on this spectrum does your organisation sit today?

Practical First Steps for Organisations Starting from Scratch

Most organisations approach ISO 42001 with the question: "where do we begin?" The answer is always the same: start with inventory.

Hexis Perspective

Hexis · Governance Perspectives

When ISO 42001 certification is treated as the destination, the process tends to collapse into document production. Policies are written, procedures are drafted, audits are passed. What typically follows: documents sit in drawers, and actual governance practice remains unchanged.

Hexis approaches the standard differently — as an orientation tool. ISO 42001's real value does not lie in the certificate. It emerges during the process of systematising your organisation's relationship with its AI systems: determining which questions need to be asked, who is accountable for what, and when reviews are triggered.

Governance maturity is not about having the right documents. It is about making the right questions a habit.

Conclusion

ISO 42001 is a powerful framework for AI governance. But a framework is only as valuable as the intent of the organisation using it.

The starting point is simple: build your AI system inventory. You cannot govern what you haven't mapped.

Use the Hexis Governance Matrix to assess your AI system's maturity level and build your compliance roadmap.

Note: This article is based on information available as of February 2026. ISO/IEC 42001 references are to the 2023 edition. EU AI Act references are to Regulation (EU) 2024/1689. This article does not constitute legal advice.