The AI Act: who faces new requirements, and who is largely unaffected?

The AI Act: who faces new requirements, and who is largely unaffected?

The AI Act and Norwegian organisations

When the General Data Protection Regulation (GDPR) was introduced, virtually every organisation was affected. Many leaders are therefore asking whether the AI Act will have similar consequences. The answer is more nuanced.

The AI Act is built around a risk-based approach, where the requirements depend on how artificial intelligence is used and what consequences it may have for individuals and society. Two organisations can therefore use AI every day whilst facing entirely different regulatory requirements.

For most organisations, it is not the industry alone that determines how significantly they are affected by the AI Act. What matters is which AI systems are in use, which data they process, and whether they feed into decisions that affect individuals.

The AI Act does not regulate all uses of artificial intelligence equally

The AI Act distinguishes between different risk levels. Whilst certain types of AI are prohibited, the most stringent requirements will apply to what are known as high-risk systems.

This means that many organisations will be able to use generative AI tools without extensive new obligations, whilst others must establish documented processes for risk assessment, control and follow-up.

It is therefore misleading to ask whether an organisation is “covered by the AI Act”. Every organisation that uses AI will be affected to a greater or lesser degree. The key question is how significant the regulation will be for each individual organisation.

Organisations with limited impact

For many organisations, AI is used primarily as a tool that supports employees in their day-to-day work.

Examples include:

  • Generating text drafts and content
  • Summarising meetings and documents
  • Coding assistance for developers
  • Language support and translation
  • Analysis of large volumes of information

In such cases, it is humans who make the decisions, whilst AI functions as a productivity tool.

Although these organisations should still maintain an overview of which AI solutions are in use, they will not normally face the most extensive requirements under the AI Act.

Organisations with moderate impact

A different picture emerges when AI becomes an integrated part of operational processes.

In industry, energy, transport and offshore, artificial intelligence is increasingly used for analysis, optimisation and predictive maintenance. AI can help identify anomalies, predict failures or recommend actions based on large volumes of data.

In such cases, the primary challenge is not necessarily human rights or discrimination. Rather, the need for control over data quality, traceability and an understanding of how AI models influence the basis for decisions becomes more pressing.

Many organisations in these sectors will therefore find that the AI Act creates a need for better documentation and governance, even if the solutions are not necessarily classified as high-risk systems.

Organisations that may be subject to stricter requirements

The most extensive requirements under the AI Act are linked to AI systems that can affect individuals’ rights, opportunities or access to essential services. This applies, amongst others, to solutions used in the following areas.

Recruitment and HR

AI used to rank candidates, filter applications or make recommendations in recruitment processes may fall within the high-risk categories of the regulation.

Education

AI solutions that affect the assessment of students or decisions about educational pathways may trigger stricter requirements.

Healthcare and social care

AI used for diagnostics or clinical decision support is among the areas subject to significant regulation.

Public sector

Municipalities, directorates and other public bodies must be particularly attentive if AI is involved in case processing or decisions that affect citizens.

In such cases, the AI Act sets requirements for, amongst other things, risk management, documentation, human oversight and ongoing follow-up.

AI Act readiness is about the organisation’s AI portfolio

For leaders, it is therefore more relevant to map the organisation’s AI portfolio than to attempt to determine whether the organisation “is covered by the AI Act”.

Two organisations in the same industry can have very different risk profiles.

A university using AI for administrative tasks faces different requirements from one using AI to assess students. In the same way, a municipality using generative AI for content production will have a different risk profile from one using AI in case processing or decision-making.

The first step towards AI Act readiness is therefore to establish an overview of which AI systems are in use within the organisation, which processes they form part of, and what the consequences could be if they produce incorrect results.

From AI use to AI governance

For many organisations, the AI Act will not entail extensive new requirements in the near term. Nevertheless, the regulation helps to make visible a need that already exists: the need for control over how artificial intelligence is used within the organisation.

Organisations that establish an early overview of their AI portfolio will be better placed to handle both regulatory requirements and the rapid development of artificial intelligence.

Talk to us about AI management systems

We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

Mirjam Meling

Mirjam Meling

Marketing & Communication Manager

Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.

AI risk management is not like other risk – this is how ISO 42001 approaches it

AI risk management is not like other risk – this is how ISO 42001 approaches it

AI risiko

Many organisations already have established risk management processes. They identify risks, assess likelihood and impact, implement actions and follow up through audits and management reviews.

But artificial intelligence challenges several of the assumptions that traditional risk management is built on.

It is precisely for this reason that ISO 42001 places such emphasis on AI risk management. The standard builds on familiar principles from management systems, but also acknowledges that AI introduces risk factors that many organisations have not previously had to manage.

Why is AI risk different?

Traditional IT systems generally do what they are programmed to do. If a rule or process is defined, the system will follow it.

AI systems work differently.

They are typically built on statistical models that learn patterns from large volumes of data. The result is that the outcome is not always as predictable as in traditional software. The system can produce different answers to the same question, change behaviour over time or draw conclusions that are difficult to explain fully.

This does not mean that AI is necessarily dangerous. But it does mean that the risk must be assessed differently.

Risk is not only about technology

When leaders think about technology risk, it tends to focus on availability, security and data protection.

For AI, these remain important, but the risk landscape is broader.

Organisations must also consider questions such as:

  • Can the AI model produce incorrect or misleading responses?
  • Can it introduce bias or discrimination?
  • Could employees become overly reliant on AI-generated recommendations?
  • Is it clear who is accountable when AI is used in decision-making processes?
  • Can the system be used in ways it was not originally intended for?

These are risks that often affect people, business processes, reputation and regulatory compliance at least as much as the technology itself.

AI risikostyring

AI risk is dynamic

Another important difference is that AI risk is rarely static.

A machine on the factory floor works much the same way tomorrow as it did yesterday. Many AI solutions, on the other hand, evolve continuously.

Underlying data changes. Suppliers update models. New use cases emerge. Employees begin using tools in ways that differ from what was originally planned.

ISO 42001 therefore emphasises continuous monitoring and evaluation, not just a one-off assessment before the system is deployed.

Risk management becomes an ongoing activity.

Focus on context and use

A central principle in ISO 42001 is that risk lies not only in the technology, but in how the technology is used.

The same AI model can represent very different levels of risk depending on its purpose.

A chatbot that helps employees draft emails presents an entirely different risk profile from a system used as decision support in recruitment, credit assessment or healthcare.

This means that effective AI risk management requires the organisation to understand:

  • Where AI is used
  • Who is affected by its use
  • Which decisions AI influences
  • What the consequences of errors could be

This perspective runs throughout the whole of ISO 42001.

Human oversight remains essential

A recurring theme in the standard is the importance of human oversight.

Many organisations introduce AI to streamline work processes, but streamlining must not lead to accountability becoming unclear.

Leaders must be able to answer questions such as:

  • Who owns the process?
  • Who approves the results?
  • Who is accountable if something goes wrong?

ISO 42001 therefore requires the organisation to define roles, responsibilities and decision-making authority in connection with the use of AI.

Technology can support people. It does not relieve the organisation of responsibility.

From technology project to governance responsibility

One of the most common mistakes organisations make is treating AI as a purely IT project.

ISO 42001 takes a different view.

The standard places AI within the organisation’s existing governance model. AI should be assessed in the same way as other matters that affect the organisation’s objectives, risk exposure, compliance and reputation.

An AI management system therefore often involves functions beyond IT alone:

  • Leadership
  • Professional departments
  • Compliance and quality
  • Data protection and information security
  • HR
  • Risk management

The goal is not to control the technology itself, but to govern how the organisation uses it.

Risiko med AI

What does this mean for leaders?

For leaders already working with quality, internal control, information security or compliance, much of the thinking in ISO 42001 will feel familiar.

What is new is not necessarily the methodology.

What is new is that AI introduces risks that require different assessments from those applied to traditional systems and processes — and that systematic AI risk management therefore becomes a core competence for organisations in the years ahead.

Organisations that succeed with AI in the coming years will likely be those that manage to combine innovation with governance. Not because regulation demands it, but because trust, accountability and control become ever more important as artificial intelligence is adopted in business-critical processes.

Talk to us about AI management systems

We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

Mirjam Meling

Mirjam Meling

Marketing & Communication Manager

Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.

Organisations have an AI strategy – but do they have AI governance?

Organisations have an AI strategy – but do they have AI governance?

Norwegian organisations AI strategy

Many organisations have developed AI strategies in recent years. They have identified opportunities, defined ambitions and pointed to areas where artificial intelligence can create value. But a strategy alone does not govern the use of AI.

The question leaders should be asking is therefore not whether the organisation has an AI strategy. The question is whether the organisation has control over how AI is actually being used.

From ambition to governance

An AI strategy tends to be about where the organisation wants to go. AI governance is about how the organisation gets there in a safe, responsible and controlled manner.

In many organisations, AI adoption is happening far faster than the governance surrounding it. Employees are picking up new tools, departments are experimenting with their own solutions, and AI is gradually becoming part of work processes and the basis for decisions.

Often without leadership having full visibility.

Do you know where AI is used?

If you are a leader, can you answer these questions:

  • Which AI tools are being used in the organisation today?
  • Which data is being shared with these solutions?
  • Who is responsible for approving new AI tools?
  • How is AI-generated content quality-assured?
  • Which decisions are influenced by AI?
  • How do you document your use of AI to customers, owners and authorities?

Many leaders find they do not have good answers to all of these questions.

That does not necessarily mean the organisation has a problem. But it may mean the organisation lacks governance.

AI tools on PC

AI governance is about control

AI governance is the framework that ensures AI is used in line with the organisation’s objectives, values, risk appetite and regulatory requirements.

It covers, amongst other things:

  • roles and responsibilities
  • guidelines for AI use
  • risk assessments
  • control over data and models
  • documentation and traceability
  • compliance with legislation and standards

In short: AI governance turns AI into a governed organisational capability, rather than simply a set of tools employees use on their own initiative.

The AI Act raises expectations

With the EU AI Act, it is becoming increasingly difficult to treat AI as a purely technology initiative.

Organisations must be able to document how AI is used, which risks have been assessed and which control mechanisms are in place. For many, this will require far more than a strategy or a general AI policy. It requires governance.

AI documentation

The most important question leaders should be asking now

Many organisations spend considerable time discussing what AI can do for them. Perhaps it is time to spend just as much time discussing how AI should be governed.

Because when AI becomes part of the organisation’s work processes and decisions, having a strategy is no longer enough. What you need is AI governance.

Talk to us about AI management systems

We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

Mirjam Meling

Mirjam Meling

Marketing & Communication Manager

Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.

Who is responsible for AI in the organisation?

Who is responsible for AI in the organisation?

Responsible AI leaders

As AI is adopted in an ever-growing number of work processes, the same question arises in many organisations: Who is actually responsible for AI?

Is it the IT department? HR? The quality manager? Senior leadership?

The challenge is that AI rarely fits neatly within a single department.

An AI tool can simultaneously affect data protection, information security, quality, work processes, customer handling and decision-making. This quickly makes it unclear who should own the risk, the guidelines and the follow-up.

AI cannot be owned by IT alone

Many organisations start by placing responsibility with IT. This is understandable, but often insufficient.

IT can take responsibility for the technology and security, but rarely has the position to assess how AI affects the professional areas that use it.

If HR uses AI in recruitment, HR must understand the risks and own the process. If the marketing team uses generative AI for content production, the marketing team must take responsibility for how the tool is used. If the finance department uses AI for analysis or decision support, they must own their part of the usage.

Just as departments own their own systems and work processes, they must also own the AI solutions they use.

Why we are seeing new roles and steering groups

Large organisations are now beginning to establish AI steering groups, AI governance functions and dedicated leads for coordinating AI work.

The goal is not necessarily to control all use of AI, but to create visibility and ensure the organisation has shared guidelines and risk assessments.

For smaller organisations, dedicated AI roles are rarely necessary. There it is often more realistic to distribute responsibility between leadership, IT, quality functions and the departments that actually use the technology.

Working with AI

The EU AI Act makes the question even more important

One of the challenges many organisations are now discovering is that they do not have a full overview of how AI is being used internally.

EU AI Act sets out different requirements depending on how AI is used. Before an organisation can assess which requirements apply, it must first map which AI systems are actually in use.

This is difficult for one person to do alone.

To gain an overview, the organisation must involve multiple professional areas. Each department must contribute information about which tools are in use, what they are used for and which processes they form part of.

The most important thing is not a single AI lead

Many organisations are looking for one person who can own AI.

In practice, good AI governance is often less about finding a single accountable individual and more about establishing clear roles and responsibilities across the organisation.

Someone must coordinate the work. Leadership must own the governance. But those who use AI day to day must also own the risk and the responsibility for how the technology is used in their own processes.

It is only when these roles are clearly defined that the organisation gains the visibility and control that both leadership, ISO 42001 and the EU AI Act call for.

Talk to us about AI management systems

We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

Mirjam Meling

Mirjam Meling

Marketing & Communication Manager

Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.

What is document management?

What is document management?

Document control Certain QMS

The terms document collection, document storage and document management are often used interchangeably. In practice, they describe very different ways of managing an organisation’s documentation. The difference is not primarily about technology, but about governance, responsibility and trust.

Document collection and document storage

A document collection is exactly what it sounds like: documents gathered in one or more locations, organised in folders or libraries. The purpose is storage and sharing.

Document storage provides a common place to find files, easy access and flexibility in how content is organised. However, few requirements are placed on who owns the content, how changes should be handled, when documents should be reviewed, or which document actually applies.

This works well as an archive and a sharing platform — but provides limited support for managing the organisation’s practices over time.

What document management is really about

Document management is the systematic management of governing documentation throughout its entire lifecycle — from creation through use, review and eventual withdrawal.

The core is not where documents are stored, but how they are governed. This requires clear frameworks for ownership and responsibility, review and approval, versioning and change history, access and availability, and compliance in practice.

Where document storage answers the question of where documents can be found, document management answers the question of how the organisation ensures that documentation is correct, up to date and actually used.

Document management requirements in ISO standards

Document management is not merely good practice — it is an explicit requirement in the most widely adopted management system standards. ISO 9001, ISO 14001, ISO 45001 and ISO 27001 all place requirements on document management — that is, control of documented information: ensuring that documents are available where needed, that they are fit for purpose, and that they are adequately protected against unintended alteration or loss.

For organisations that are certified — or working towards certification — document management is therefore not optional. It is a prerequisite for meeting the requirements of the standards and for being able to demonstrate this to an external auditor.

When does the difference become visible?

The gap between storage and control typically becomes apparent when someone questions the documentation. Employees are uncertain about which version applies. Multiple versions are circulating simultaneously. Practice varies between departments. An audit demands traceability.

In these situations, it is rarely a lack of documents that is the problem. It is a lack of governance around them.

The consequences can be more serious than they first appear. Employees following outdated procedures increase the risk of errors and non-conformities. Internal audits uncover gaps that require resource-intensive remediation. External inspections can, in the worst case, result in non-conformities against the standard — with loss of certification as a possible outcome. And in organisations experiencing high turnover or growth, inadequate document management is often what causes knowledge to disappear when experienced employees leave.

Trust in a document does not build itself

What actually makes us trust a document? The question is rarely asked explicitly, but the answer is crucial.

Trust is not about the title or the location. It is built on certainty that this is the last approved version, that someone has held clear responsibility for the content, that changes have been made in a controlled and deliberate manner — and that what you are reading is what currently applies.

When this confidence is absent, informal workarounds emerge: local copies, personal notes, ‘the way we usually do it’. Over time, this undermines shared practice and genuine governance.

Change control: the underestimated element

One dimension of document management that is often underestimated is the role it plays when people leave or new employees join. In organisations without effective document management, much of the practice is bound up in individuals — in experience, memory and informal routines that have never been written down, or that have been written down but never maintained.

When an experienced employee leaves, this knowledge often goes with them. Good document management is what prevents the organisation from starting from scratch each time — enabling a new employee to find out how things are actually done, and ensuring that training is built on something more solid than colleagues’ personal notes.

Document management and knowledge transfer

A central but often overlooked aspect of document management is visibility of changes. It is not enough to know that a document has been updated. Equally important is knowing who made the changes, when they were made, and what specifically has changed since the previous version.

When changes are clear and traceable, trust in the documentation increases. Employees no longer need to re-read entire documents to find out what is new. Management gains better oversight of how practice is actually developing over time.

This is one of the clearest distinctions between document management and simple document storage — and a core principle of document management as understood in the ISO standards.

From archive to management tool

Document management only becomes valuable when documentation is used actively in day-to-day work — not merely as a reference, but as a governing framework for how work is carried out.

Organisations that succeed in this are typically characterised by employees having a single, clear source of current practice, roles and responsibilities being clearly defined, documentation being perceived as relevant and trustworthy, and review and follow-up being a natural part of operations — not a last-minute effort.

Document control Certain QMS

Document management in Certain QMS

In Certain QMS, document management is built around the same principles: clear responsibility, controlled publishing and full traceability of changes. The solution makes a clear distinction between the work of drafting and revising documents, and what is at any given time the organisation’s official, approved practice.

Drafting, revision and quality assurance take place in controlled workspaces. Employees who use the documentation in their day-to-day work only ever encounter what has been approved and published. This reduces uncertainty and creates a documentation foundation that can genuinely be used for governance.

For employees, this means that the latest approved version is always the one available, that it is clear who owns the content and when it was last reviewed, and that documentation feels safe to rely on in practice. When employees no longer need to check version numbers or compare alternative documents, the threshold for actual use is lowered — and compliance improves across roles and departments.

For the organisation as a whole, the approach delivers better oversight and governance: clearly defined ownership per document, full traceability of who has revised and changed what and when, a clear change history where previous and new versions can be compared directly, and a stronger basis for audits, document management and systematic improvement work — including documentation that stands up to external audit scrutiny.

Document management, properly implemented, transforms documentation from an archive into something more. It becomes an active management tool that supports shared practice, reduces the risk of errors and provides a solid foundation for quality work in the organisation’s day-to-day operations.

Marte Sunde

Marte Sunde

Business Consultant

Marte Sunde is a Business Consultant for Certain QMS, specialising in quality management and HSE systems. She works at the intersection of operational practice and digital solutions, helping organisations implement and improve management systems that ensure compliance, structure, and continuous improvement.