In 2024 and 2025 the question we heard from boards and executive teams was “should we use AI?” In 2026 it is increasingly “how do we govern the AI we are already using?” ISO/IEC 42001 — the AI Management System standard — is the framework that will dominate that conversation, and Australian organisations that already operate ISO 27001 will find the path to it short.

What ISO 42001 is

ISO/IEC 42001:2023 is the first international management system standard for artificial intelligence. It is structured the same way as ISO 27001 (information security) and ISO 9001 (quality) — a Plan–Do–Check–Act management system that defines how an organisation governs its AI activities, with a set of controls in an annex covering specific areas of risk.

Crucially, ISO 42001 is not a technical specification for AI models. It does not tell you which architecture to use, which test set to apply, or what accuracy threshold to require. It defines the management system around AI: roles, accountability, risk assessment, supplier management, monitoring, and continuous improvement.

What it covers

The standard organises AI governance around several themes:

  • AI policy — an explicit, board-endorsed position on how the organisation will and will not use AI.
  • AI risk assessment — for each AI system, an assessment of intended use, potential harms, and impact on individuals.
  • AI system lifecycle — controls across design, development, validation, deployment, and decommissioning.
  • Data for AI — provenance, quality, and bias considerations for training and operational data.
  • Information for interested parties — transparency to users, regulators, and the public about how AI is used.
  • Use of AI systems — procurement, integration, and monitoring of third-party AI services.

Why this matters in Australia specifically

Australia does not yet have AI-specific legislation comparable to the EU AI Act, but the trajectory is clear:

  • The Australian Government’s Voluntary AI Safety Standard (released in 2024) maps closely to ISO 42001 themes.
  • The Privacy Act reform programme introduces transparency obligations for substantially automated decisions affecting individuals.
  • Procurement frameworks — particularly Commonwealth and state government procurement — are beginning to ask suppliers about their AI governance posture.
  • Major customer organisations are starting to require AI governance evidence as part of vendor due diligence.

For organisations selling into government, financial services, or large enterprise, ISO 42001 alignment is moving from differentiator toward expectation.

Where to start

If your organisation already operates an ISO 27001 ISMS, the gap to ISO 42001 is much narrower than starting from zero. The management-system mechanics are familiar; what is new is the AI-specific risk lens.

  1. Build an AI inventory. List every AI system the organisation uses or builds, including embedded features in software you already buy. Most organisations are surprised at the size of this list.
  2. Adopt an AI Acceptable Use policy that is clear, practical, and board-endorsed.
  3. Run impact assessments on the highest-risk AI systems first — particularly those making or supporting decisions about people.
  4. Bring AI into vendor due diligence. Ask suppliers what AI is involved in their service, what data feeds it, and how it is governed.
  5. Decide whether certification is the goal, or whether internal alignment is sufficient. The cost-benefit varies by sector.

If you would like help establishing an AI governance baseline that is proportionate to your risk and integrates cleanly with your existing ISMS, we can help.