Many organisations already have established risk management processes. They identify risks, assess likelihood and impact, implement actions and follow up through audits and management reviews.
But artificial intelligence challenges several of the assumptions that traditional risk management is built on.
It is precisely for this reason that ISO 42001 places such emphasis on AI risk management. The standard builds on familiar principles from management systems, but also acknowledges that AI introduces risk factors that many organisations have not previously had to manage.
Why is AI risk different?
Traditional IT systems generally do what they are programmed to do. If a rule or process is defined, the system will follow it.
AI systems work differently.
They are typically built on statistical models that learn patterns from large volumes of data. The result is that the outcome is not always as predictable as in traditional software. The system can produce different answers to the same question, change behaviour over time or draw conclusions that are difficult to explain fully.
This does not mean that AI is necessarily dangerous. But it does mean that the risk must be assessed differently.
Risk is not only about technology
When leaders think about technology risk, the focus tends to be on availability, security and data protection.
For AI, these remain important, but the risk landscape is broader.
Organisations must also consider questions such as:
- Can the AI model produce incorrect or misleading responses?
- Can it introduce bias or discrimination?
- Could employees become overly reliant on AI-generated recommendations?
- Is it clear who is accountable when AI is used in decision-making processes?
- Can the system be used in ways it was not originally intended for?
These are risks that often affect people, business processes, reputation and regulatory compliance at least as much as the technology itself.
AI risk is dynamic
Another important difference is that AI risk is rarely static.
A machine on the factory floor works much the same way tomorrow as it did yesterday. Many AI solutions, on the other hand, evolve continuously.
Underlying data changes. Suppliers update models. New use cases emerge. Employees begin using tools in ways that differ from what was originally planned.
ISO 42001 therefore emphasises continuous monitoring and evaluation, not just a one-off assessment before the system is deployed.
Risk management becomes an ongoing activity.
Focus on context and use
A central principle in ISO 42001 is that risk lies not only in the technology, but in how the technology is used.
The same AI model can represent very different levels of risk depending on its purpose.
A chatbot that helps employees draft emails presents an entirely different risk profile from a system used as decision support in recruitment, credit assessment or healthcare.
This means that effective AI risk management requires the organisation to understand:
- Where AI is used
- Who is affected by its use
- Which decisions AI influences
- What the consequences of errors could be
This perspective runs throughout the whole of ISO 42001.
Human oversight remains essential
A recurring theme in the standard is the importance of human oversight.
Many organisations introduce AI to streamline work processes, but streamlining must not lead to accountability becoming unclear.
Leaders must be able to answer questions such as:
- Who owns the process?
- Who approves the results?
- Who is accountable if something goes wrong?
ISO 42001 therefore requires the organisation to define roles, responsibilities and decision-making authority in connection with the use of AI.
Technology can support people. It does not relieve the organisation of responsibility.
From technology project to governance responsibility
One of the most common mistakes organisations make is treating AI as a purely IT project.
ISO 42001 takes a different view.
The standard places AI within the organisation’s existing governance model. AI should be assessed in the same way as other matters that affect the organisation’s objectives, risk exposure, compliance and reputation.
An AI management system therefore often involves functions beyond IT alone:
- Leadership
- Professional departments
- Compliance and quality
- Data protection and information security
- HR
- Risk management
The goal is not to control the technology itself, but to govern how the organisation uses it.
What does this mean for leaders?
For leaders already working with quality, internal control, information security or compliance, much of the thinking in ISO 42001 will feel familiar.
What is new is not necessarily the methodology.
What is new is that AI introduces risks that require different assessments from those applied to traditional systems and processes — and that systematic AI risk management therefore becomes a core competence for organisations in the years ahead.
Organisations that succeed with AI in the coming years will likely be those that manage to combine innovation with governance. Not because regulation demands it, but because trust, accountability and control become ever more important as artificial intelligence is adopted in business-critical processes.
Talk to us about AI management systems
We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!
