ISO 42001: Determining your Role Relative to AI Systems

One of the most important steps in any management system implementation is determining the correct scope. ISO 42001, the international standard for artificial intelligence management systems (AIMS), is no different, and in fact the extent to which you should consider the ‘context of the organisation’ under clause 4.2 is arguably greater than in other standards.

In addition to identifying the internal and external issues relevant to its purpose and its ability to achieve the intended results of the AIMS, including technological trends, regulatory developments, and societal expectations regarding AI, organisations should also consider their “Role” relative to the AI systems in scope. This exercise alone can have a significant impact on the required ISO 42001 certification audit time and therefore cost.

Identifying Your AI Systems

An important step in ISO 42001 implementation is identifying the AI systems within scope. While some AI systems will immediately spring to mind, there are others that might not be as obvious.

Of course, any AI system you are developing in-house, whether using your own model or a third-party service, should be included, but you should also consider where AI is used by your staff or as a component of an existing software system. For example, Microsoft Copilot is now integrated into Microsoft 365 apps, as is Google’s Gemini in the equivalents. You will also often find AI features within other SaaS apps that you might not be aware of.

Therefore, it’s important to discover where AI is being used in these systems by engaging with relevant stakeholders throughout the business.

When you understand which systems are in scope, you can then determine your organisation’s role relative to those AI systems.

Thankfully, ISO 42001 provides some guidance notes to define “Roles”, which we will break down in the following sections.

Role: AI Providers

The role of an AI provider is probably the most obvious one. It includes developers, designers, operators, testers and evaluators of AI systems, as well as those providing AI-related services such as impact assessors, procurers and governance committees.

In short, any direct AI activity, for example building an AI platform or offering an AI-related service, would fall into the AI provider role.

Role: AI Customers

The AI customer role covers a secondary level of involvement, for example buying an AI system off-the-shelf or utilising AI features of existing SaaS products.

This may also be considered a user of an AI system.

Role: AI Partners

An increasingly common role is that of AI partners, which includes situations where AI technology is integrated into existing software products or systems.

It also includes data providers, for example providing a data feed for an AI model.

Role: AI Subjects

Drawing parallels with the principle of a ‘data subject’ in data protection legislation, AI subjects can include those individuals or organisations that are subject to a third party’s AI processing.

It’s important to assess this within the framework of your management system by reviewing both your own data that may be processed by AI systems and the data of individuals managed within your organisation.

Role: AI Authorities

As AI systems develop and become more prevalent, the regulatory burden increases, giving rise to additional authorities, policymakers and regulators that need to be considered.

Documenting your AI Roles in ISO 42001

It’s likely that as you investigate your exposure to AI systems you will find one or more of these roles becomes applicable to you.

Under clause 4.1 (understanding the context of your organisation), it can be useful to document your role(s) against each of the AI systems you’ve identified as being relevant. You may find the roles differ or that you have multiple roles against the same system.

In addition to this, clause 4.2 of ISO 42001, like all management systems standards, requires you to consider the needs and expectations of interested parties.

While this exercise will be far broader than just the roles identified above, you should ensure that any of the relevant roles you have identified are included in your assessment of interested parties.

Get Started with ISO 42001

Determining the scope of your artificial intelligence management system (AIMS) and the relevant roles related to AI systems is just the start of the process.

Assent Risk Management’s expert ISO 42001 consultants are experienced in implementing the standard and governing AI responsibly. We can guide you through the process of implementing a compliant management system and achieving ISO 42001 certification, often starting with a gap analysis exercise.

Note: A detailed description of each of the roles discussed above is provided by ISO/IEC 22989 Information technology — Artificial intelligence — Artificial intelligence concepts and terminology.

Hayden Clark