ISO 42001: Governance of AI Management and Third-Party Risk
August 29, 2025

Mitratech’s Sarah Hemmersbach reports that artificial intelligence is transforming industries at an unprecedented rate. However, without effective governance, the risks can outweigh the benefits. For legal operations and compliance professionals, ISO 42001 is emerging as a standard for responsible AI management and third-party risk governance.
The ISO/IEC 42001 standard was published in 2023 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It establishes requirements for creating, implementing, and continually improving AI management systems.
The ISO standard adheres to the well-established Plan-Do-Check-Act framework and aligns with existing ISO standards for information security, privacy, and AI risk management. While voluntary, ISO 42001 supports compliance with regulatory mandates, such as the European Union’s AI Act, and frameworks like the National Institute of Standards and Technology’s AI Risk Management Framework.
It integrates ethical and risk-based principles into core business processes, helping organizations meet regulatory requirements and demonstrate accountability. It is especially relevant to third-party risk management, where vendors, suppliers, and partners increasingly deploy AI systems, raising concerns about fairness, transparency, and data handling.
The ISO standard enhances third-party oversight by requiring organizations to evaluate supplier governance practices, monitor continuous changes to AI models, and ensure transparency around explainability and ethical safeguards. It also recommends stronger contractual provisions related to incident response and data use, as well as assessments of subcontractors’ reliance on AI.
Best practices for aligning AI governance and third-party risk with ISO 42001 include defining the scope of internal and external AI use, documenting controls through statements of applicability, and applying consistent risk assessment criteria across vendors. Continuous monitoring of vendor AI systems, supported by updated intake forms with AI-specific questions and the development of an AI supplier code of conduct, helps maintain oversight.