ModelCharter

ISO 42001 Explained: The AI Management System Standard

ISO certification standards representing the ISO 42001 AI management system

Photo: qmicertification design / Pexels

ISO/IEC 42001 is the first international standard specifically for AI management systems. Published in 2023, it gives organisations a structured way to govern AI: setting objectives, managing risk, and demonstrating responsible use. Unlike ISO 27001 (which covers information security broadly), 42001 is built around the particular characteristics of AI, things like data quality, model transparency, and the shifting regulatory landscape.

Deployer or provider: which duties apply to you?

ISO 42001 distinguishes between AI providers (organisations that develop or supply AI systems) and AI deployers (organisations that use AI systems built by others). Most small and mid-sized businesses are deployers. That's significant: deployer duties are less intensive than provider duties. You're not being asked to document how a model was trained; you're being asked to have a policy for how you use it safely.

The four things the standard requires from deployers

A documented AI policy aligned to your risk context; a register of AI systems in use (what they do, who uses them, what data they process); controls for the risks those systems create; and records that demonstrate your governance is active, not just on paper. These map directly to ModelCharter's three artefacts: a generated usage policy, an AI tool directory, and an attestation trail.

ISO 42001 versus the EU AI Act

The two are complementary, not competing. The EU AI Act is law: it sets mandatory obligations with enforcement teeth. ISO 42001 is a voluntary standard that provides a management system framework for meeting those obligations. Many organisations pursuing EU AI Act compliance find that implementing ISO 42001 structures their approach and produces the documented evidence regulators want to see. If you're working towards one, you're already partly working towards the other.

Where to start without a dedicated team

You don't need a compliance function to begin. Start with three core artefacts: an AI usage policy (which documents your stance and controls), a register of approved tools (which gives you visibility and risk ratings), and staff attestation records (which prove your governance is active). ModelCharter handles all three. Once those are in place, the gap to full ISO 42001 alignment is smaller than you'd think.

Put this into practice

Generate a free AI usage policy for your team, then see which of your tools are safe to use.

Open the generator