May 2026. Generative AI and decision-support systems sit in HR, customer service, development and finance. The EU AI Act makes risk classification and governance mandatory for many use cases; ISO 42001 offers a management system for AI.
What leadership wants to know
- Which AI systems run (internal and via SaaS)?
- Which risk class applies per system (minimal, limited, high)?
- Who approves new use cases before production?
- How do we cover privacy, bias and incident response?
ISO 42001 without a parallel universe
Connect AI governance to ISMS and GDPR alignment. One risk register, one action list, one management review — with AI as an explicit category. See ISO 42001 certification.
First 30 days
- Register of AI systems + owner per system.
- Acceptable use policy (including copilots and external APIs).
- Impact assessment for high-risk use cases.
- Training for key users — not only IT.
In 2026 enterprise customers explicitly ask for an AI register with data flows, model owner and human oversight. Link SaaS AI (Microsoft Copilot, CRM AI, HR tools) in the same register as internal models — auditors and privacy officers hunt inconsistencies.
AI Act risk classification is not one-off. Reassess when datasets, models or countries change. Record decisions in management review so ISO 42001 and ISMS show the same governance line.
For high-risk AI: document technical and organisational measures, logging and incident procedures. That overlaps ISO 27001 logging and GDPR DPIAs — use one evidence map tagged per framework.
AI register that matches reality
Shadow AI — staff using tools without approval — belongs in the register via periodic inventory, not only formal projects. Ask line managers which copilots, APIs and SaaS AI they use.
For high-risk use cases: record human oversight, logging and fallback before production. Auditors and enterprise customers compare AI register with DPIAs and ISO 27001 logging — inconsistencies are a red flag.
Training need not be one-off e-learning; short quarterly updates on acceptable use and incident reporting work better for adoption.
Link AI decisions to management review: new systems, risk class changes and incidents belong on the agenda, like vendors and security.
Record which datasets must not feed training for customer or personal data — technically and contractually. Many enterprise customers ask explicitly alongside AI Act classification. One data governance policy with AI tags avoids duplicate documents.
AI inventory and governance aligned
Start with an inventory: which systems use AI (generative or classical), which datasets, which decisions affect customers or staff? Classify under the EU AI Act and link high-risk systems to extra governance — DPIA, human oversight, logging.
ISO 42001 provides structure for AI management systems alongside your ISMS. Use shared risk registers and management review; do not split documentation into an “AI folder” auditors cannot follow.
Enterprise customers in 2026 explicitly ask which datasets must not train on customer or personal data. Record that technically and contractually in one data governance policy with AI tags.
Next steps in your ISMS
Turn this article into one concrete action in your risk register or improvement plan: owner, deadline, expected evidence. Discuss progress in the next management review — auditors and chain partners want decisions, not policy intent alone. Link where possible to existing ISO 27001, NIS2 or GDPR documentation so you do not maintain parallel folders.
Questions on scope, certification or chain requirements? Use our readiness overview and knowledge base for deeper guidance. This article does not replace legal or audit advice for your situation.
Share relevant findings briefly with line management and procurement — compliance becomes workable when the whole organisation recognises the same priorities. Repeat the chosen action quarterly in team meetings and update evidence locations in your SoA or control plan so surveillance samples are easy to answer.
What to do this week
Pick one concrete action from this article, assign an owner and add it to your risk or improvement register with a deadline. Share briefly in team meetings so compliance is something the line recognises. Repeat quarterly in management review so leadership sees progress, not only intent.
Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.
Evidence and governance
Record who owns the measures in this article and how you prove operation in the sample period — logs, tickets, approved changes or exercise reports. Certification bodies and chain partners do not accept intent without samples. Link evidence locations to your SoA or control plan so internal and external audit use the same sources.
