The AI governance stack, quickly
There are three things buyers and regulators are asking about right now: an AI management system (ISO/IEC 42001), an AI risk management approach (NIST AI RMF and its ISO/IEC 23894 sibling) and legal obligations (the EU AI Act, sector regulators and emerging UK guidance). They overlap, but they are not interchangeable.
ISO/IEC 42001 — the management system
42001 is structured like ISO 9001 or 27001. It expects you to scope your AI activities, understand context and interested parties, run risk assessments, define controls, evidence competence and continually improve. It is a good backbone if you already run integrated management systems.
EU AI Act — the legal obligation
The Act classifies AI systems by risk. Most B2B and internal systems land in the limited or minimal risk categories, but any use in HR, credit, education, essential services or safety-critical contexts is likely high-risk. High-risk systems require documented risk management, data governance, human oversight, transparency and post-market monitoring.
Where they overlap
- Risk management — 42001's Annex A controls map cleanly to EU AI Act Article 9.
- Data governance — 42001's data quality controls support Article 10.
- Human oversight — both frameworks require documented oversight roles and thresholds.
- Post-market monitoring — 42001's monitoring, measurement and analysis clause supports Article 72.
What to do now
Inventory your AI systems, classify them against the EU AI Act risk categories, and pick a governance framework that scales. For most organisations, an ISO/IEC 42001-shaped management system with the EU AI Act as its compliance obligation register is a defensible starting point.
Have a question on AI Governance & Risk?
Post it publicly in the Ask Gareth community. Vetted contributors and peers answer — moderated for quality.

