Back to blog
AI Governance & Risk

AI governance readiness: ISO/IEC 42001 and the EU AI Act in practice

AI systems are moving from experiment to operation. We compare ISO/IEC 42001, AI risk management frameworks and the EU AI Act obligations that organisations are already being asked about.

Ask Gareth Editorial Published 22 April 2026 Updated 9 July 2026 8 min read
ISO/IEC 42001 EU AI Act AI risk
AI governance readiness: ISO/IEC 42001 and the EU AI Act in practice

The AI governance stack, quickly

There are three things buyers and regulators are asking about right now: an AI management system (ISO/IEC 42001), an AI risk management approach (NIST AI RMF and its ISO/IEC 23894 sibling) and legal obligations (the EU AI Act, sector regulators and emerging UK guidance). They overlap, but they are not interchangeable.

ISO/IEC 42001 — the management system

42001 is structured like ISO 9001 or 27001. It expects you to scope your AI activities, understand context and interested parties, run risk assessments, define controls, evidence competence and continually improve. It is a good backbone if you already run integrated management systems.

EU AI Act — the legal obligation

The Act classifies AI systems by risk. Most B2B and internal systems land in the limited or minimal risk categories, but any use in HR, credit, education, essential services or safety-critical contexts is likely high-risk. High-risk systems require documented risk management, data governance, human oversight, transparency and post-market monitoring.

Where they overlap

  • Risk management — 42001's Annex A controls map cleanly to EU AI Act Article 9.
  • Data governance — 42001's data quality controls support Article 10.
  • Human oversight — both frameworks require documented oversight roles and thresholds.
  • Post-market monitoring — 42001's monitoring, measurement and analysis clause supports Article 72.

What to do now

Inventory your AI systems, classify them against the EU AI Act risk categories, and pick a governance framework that scales. For most organisations, an ISO/IEC 42001-shaped management system with the EU AI Act as its compliance obligation register is a defensible starting point.

Take it to the community

Have a question on AI Governance & Risk?

Post it publicly in the Ask Gareth community. Vetted contributors and peers answer — moderated for quality.

General information only. Ask Gareth is a knowledge and community platform. Content is not client-specific legal, regulatory, accreditation, certification or professional advice. Ask Gareth is not a certification body, accreditation body or regulator. See our full disclaimer.
Talk to us

Not sure where to start?

Ask a question

Ask Gareth

Post a public question inspired by this article. Category is captured for routing.