Lessons from businesses adopting the world’s first AI Management System standard: A blog series on ISO/IEC 42001
Blog post by: Julian Adams, British Standards Institution

Introduction to the blog series

As AI continues to evolve and become more integrated in our lives, it is increasingly important to ensure that organizations are using AI in a responsible manner and to establish public trust in AI systems. Against this context, the world’s first AI Management System standard – ISO/IEC 42001:2023—Information technology—Artificial intelligence—Management system, was launched in December 2023.

BSI recently conducted qualitative research with early adopters of the standard to ascertain how organizations are implementing ISO/IEC 42001. A total of 16 in-depth interviews were conducted amongst compliance officers, information security managers, engineers, technical leads and technical advisors.

The key findings are being shared in a series of four blogs, drawing on organizations’ experiences of working with the standard to date.

The first post in the series, found below, looks at the main benefits of implementing ISO/IEC 42001 reported by the organizations we engaged with. The following three blog posts will build on this by looking at:

    • Part II: Lessons from businesses on using ISO/IEC 42001 to identify and manage AI risk
    • Part III: Lessons from businesses on implementing ISO/IEC 42001 in practice
    • Part IV: Lessons from businesses on enabling responsible use of AI systems with ISO/IEC 42001

Part I: Five key benefits of implementing ISO/IEC 42001

Determining the value of the management system framework

Early adopters were asked what they saw as the key benefits of the standard. Overall, they noted that the standard provides organizations with a framework for AI governance and risk management. The framework was seen to provide a structured process for organizations to follow, along with reassurance that they are doing the right thing.

Specifically, five key benefits of adopting the framework surfaced:

  1. To foster customer trust

Organizations are aware that customers are increasingly enquiring about organizations’ processes and procedures to manage the risks from AI systems.

They argue that implementing the standard will help to reassure customers and foster trust. Moreover, many organizations argue that compliance with the standard would help to differentiate their business and provide them with a long-term competitive edge.

  2. To benchmark best practice

Organizations feel the standard helps to demonstrate what good looks like by setting out what is required to be compliant with it.

As a result, organizations are clear on what constitutes industry benchmarks of ethical and secure AI standards. They note that the standard ensures that businesses do not need to develop their own, potentially unproven, management system frameworks, but can instead use the standard’s framework as the basis of their approach.

  3. To inform gap analysis

Organizations emphasize that the standard helps inform the systematic review of AI systems and that it provides them with a checklist to assess their AI management status against the requirements of the standard.

Many organizations acknowledge the challenge of identifying the vast array of AI use cases and feel the standard helps to formally identify use cases that might otherwise be overlooked in terms of opportunity.

For organizations with relatively mature processes for managing cybersecurity and AI risk, the standard is valued as a mechanism to guide and validate existing systems and processes.

  4. To drive operational efficiencies

Organizations are concerned with the cost of developing, implementing and maintaining an AI Management System. As such, senior executives are keen to see a tangible business case which demonstrates return on investment.

To this end, organizations are looking at ways in which AI systems can be used to automate time-consuming and repetitive tasks to free up employees for more complex, strategic and human-centric tasks.

Organizations argue that operational efficiencies are only possible with good data governance. Many organizations have mature governance structures and, as such, AI governance is an extension of existing structures. Organizations can refer to Annex A in the standard and the clauses on ‘data for AI systems’ which detail controls for data deployment, acquisition, quality, provenance, and preparation of data. Additionally, ISO/IEC 5259-1:2024 provides guidance on data quality for analytics and machine learning.

  5. To facilitate regulatory compliance

Organizations anticipate that governments will increasingly introduce regulatory requirements for AI. Encouragingly, organizations also believe that the standard can act as a gateway to facilitate compliance with such regulations.

A case for certification

Inextricably linked to the above is the question of certification. Currently, ISO/IEC 42001 is the only certifiable AI standard in the world. Although the standard is relatively new to market, most organizations believe it is likely they will seek certification to it as the standard matures. Certification is seen to affirm an organization’s mandate to use AI responsibly by demonstrating to employees, customers and suppliers the organization’s commitment to responsible AI systems.

What’s next in the Lessons from Business blog series?

The next blog in the series looks at how organizations are using the standard to help identify and mitigate the risk of AI systems and technologies.
