Improvement — Where You Acknowledge, In Writing, That Nothing Is Ever Quite Done

Welcome back to the part of the series I have been quietly looking forward to, in the same resigned way one looks forward to the bit of a long flight where they finally turn the cabin lights back on. We have at last reached Clause 10 — Improvement, the closing clause of the main body of ISO/IEC 42001:2023. It is short. It is structurally familiar. And it is the clause where the standard, having spent ninety pages explaining how to set up an AI management system, takes a breath and says: and now you do this forever.

Clause 10 is where the AIMS officially becomes a treadmill. If Clause 9 was the part where you measured whether the system was doing anything, Clause 10 is the part where you are obliged, in writing, to act on whatever you found. Yes, even the awkward findings. Yes, even the ones that imply someone senior has been wrong about something for eighteen months.

What Clause 10 Actually Says

Clause 10 is, by ISO standards, almost rude in its brevity. It contains two subclauses: 10.1 Continual improvement and 10.2 Nonconformity and corrective action. There is no 10.3, no matter what your favourite blog post says. ISO 42001 follows the modern Annex SL high-level structure, which trimmed the older “General / Nonconformity / Continual” trinity down to a tidy two. If you find yourself searching for a third subclause, the issue is not your eyesight. The issue is that you are reading documentation written for ISO 9001:2015 and have wandered into the wrong room.

10.1 — Continual Improvement

Clause 10.1 reads, in essence: the organisation shall continually improve the suitability, adequacy and effectiveness of the AI management system. That is the whole substantive sentence. ISO has the rare gift of saying very little while implying very much, and 10.1 is a textbook example.

The three adjectives are not decorative. Suitability means the AIMS still fits the organisation it lives inside — the context, the AI uses, the risk landscape, the regulatory environment. Adequacy means it covers what it needs to cover at sufficient depth. Effectiveness means it actually achieves the AI objectives you set under Clause 6.2 and the impact-management aims you committed to under Clause 6.1.4. To improve the AIMS continually is to keep all three of those properties moving in the right direction, in light of what you learn from monitoring (9.1), audits (9.2), management reviews (9.3), and the world’s habit of changing without consulting you first.

The clause is deliberately silent on how. There is no mandated improvement methodology — no Plan-Do-Check-Act diagram in the body of the standard, no Six Sigma, no required cadence. You are simply expected to do it, demonstrably, and to retain the evidence. The standard is, in this respect, the management-system equivalent of a well-bred dinner-party host: it does not tell you which fork to use, but will absolutely notice if you fail to use one.

10.2 — Nonconformity and Corrective Action

Clause 10.2 is the substantive engine of Clause 10, and the place where the prose becomes uncharacteristically prescriptive. When a nonconformity occurs — meaning the AIMS, an AI system within scope, or a process has failed to meet a requirement — the organisation shall:

(a) react to the nonconformity, which means take action to control and correct it, and deal with the consequences.
(b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by reviewing and analysing the nonconformity; determining its causes; and determining whether similar nonconformities exist or could potentially occur.
(c) implement any action needed.
(d) review the effectiveness of any corrective action taken.
(e) make changes to the AIMS, if necessary.

The clause then closes with the requirement that corrective actions shall be appropriate to the effects of the nonconformities encountered, and that the organisation shall retain documented information as evidence of the nature of the nonconformities, any subsequent actions taken, and the results of any corrective action.

If you have read Clause 10.2 of any other Annex SL standard — ISO 9001, ISO 27001, ISO 14001, ISO 45001 — you have read this clause already. The word “AI” barely appears. What does change is the scope of what counts as a nonconformity, because the AIMS is monitoring not just a management system but the AI systems that sit inside it. A model whose accuracy drifts past a documented threshold is now a nonconformity. A bias metric that breaches its commitment is a nonconformity. A failed impact assessment under Annex A is a nonconformity. A vendor incident that affects a third-party AI system within your scope is, you guessed it, a nonconformity.

What It Means in Practice

Practically, an organisation living inside Clause 10 needs three connected pieces of machinery. First, a nonconformity register — a single, auditable record of every issue raised against the AIMS or against an in-scope AI system, with date, source (audit, monitoring, complaint, regulator, model evaluation, incident), description, severity, owner, and status. Second, a corrective action process with the five (a)–(e) steps wired in: containment, root-cause analysis, action, effectiveness check, and AIMS update. Third, a continual-improvement loop that takes everything Clause 9 produced — metrics, audit findings, management-review outputs, lessons from corrective actions — and feeds it into a roadmap of changes to the AIMS itself. Most organisations already have something resembling the first two, in service of ISO 27001 or an ISO 9001 quality system. Almost none of them have the third.

The 9 → 10 handshake is the part organisations underestimate. A management review under 9.3 is supposed to produce decisions and actions for continual improvement (9.3.3). Clause 10.1 is where those decisions become real. If your management-review minutes contain elegant phrasing about “opportunities to enhance maturity” but your nonconformity register, corrective-action backlog, and AIMS change log contain nothing traceable back to those minutes, you do not have a Clause 10 system. You have a quarterly book club for executives.
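The three pieces of machinery above, and the 9 → 10 handshake, can be made concrete in a few dozen lines. The following is an added example, not code from the article or from ISO/IEC 42001: a nonconformity register whose entries cannot be closed until each of the (a)–(e) steps has evidence and the effectiveness review has passed, a function that opens records from 9.1 monitoring samples that breach a documented threshold, and a traceability check that lists management-review actions with no register entry behind them. The field names, threshold values, identifiers such as NC-… and MR-…, and the sample measurements are all constructed for illustration.

```python
# Added example, not taken from the article or from ISO/IEC 42001 itself.
# It models the three pieces of machinery the article describes: a
# nonconformity register, the 10.2 (a)-(e) corrective-action steps as a
# closure rule, and the 9 -> 10 traceability check. Field names, thresholds,
# identifiers and sample data are all constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional

# The five 10.2 steps in order. A record may only be closed once every step
# carries evidence and the effectiveness review (step d) has passed.
STEPS = ("a_react", "b_cause", "c_implement", "d_review_effectiveness", "e_update_aims")


@dataclass
class Nonconformity:
    nc_id: str
    raised: str                 # ISO date, e.g. "2025-03-01"
    source: str                 # audit | monitoring | complaint | regulator | model_evaluation | incident
    description: str
    severity: str               # low | medium | high
    owner: str
    mgmt_review_ref: Optional[str] = None   # 9.3 action this record traces back to, if any (constructed ids)
    evidence: dict = field(default_factory=dict)   # step -> evidence note
    effective: Optional[bool] = None        # outcome of step (d)
    status: str = "open"

    def record(self, step: str, note: str) -> None:
        """Attach evidence for one of the (a)-(e) steps."""
        if step not in STEPS:
            raise ValueError(f"unknown corrective-action step: {step}")
        self.evidence[step] = note

    def close(self) -> "Nonconformity":
        """Enforce 10.2: no closure without evidence for every step and a passed effectiveness review."""
        missing = [s for s in STEPS if s not in self.evidence]
        if missing:
            raise ValueError(f"{self.nc_id}: no evidence for {missing}")
        if self.effective is not True:
            raise ValueError(f"{self.nc_id}: effectiveness review (d) has not passed")
        self.status = "closed"
        return self


# Constructed documented thresholds of the kind 9.1 monitoring is measured against.
DOCUMENTED_THRESHOLDS = {
    "accuracy": ("min", 0.90),
    "demographic_parity_gap": ("max", 0.05),
}

# Constructed monitoring samples: (in-scope system, metric, observed value).
SAMPLES = [
    ("credit-scoring-v3", "accuracy", 0.87),
    ("credit-scoring-v3", "demographic_parity_gap", 0.03),
    ("chat-assist-v1", "accuracy", 0.94),
]


def open_from_monitoring(samples, owner: str, today: str) -> list:
    """Turn 9.1 monitoring results that breach a documented threshold into 10.2 records."""
    opened = []
    for system, metric, value in samples:
        direction, limit = DOCUMENTED_THRESHOLDS[metric]
        breached = value < limit if direction == "min" else value > limit
        if breached:
            opened.append(Nonconformity(
                nc_id=f"NC-{today}-{len(opened) + 1:03d}",
                raised=today,
                source="monitoring",
                description=f"{system}: {metric}={value} breaches documented {direction} {limit}",
                severity="high",
                owner=owner,
            ))
    return opened


def untraced_review_actions(review_actions, register) -> list:
    """The 9 -> 10 handshake: 9.3 actions that no register entry traces back to."""
    referenced = {nc.mgmt_review_ref for nc in register if nc.mgmt_review_ref}
    return [a for a in review_actions if a not in referenced]


if __name__ == "__main__":
    register = open_from_monitoring(SAMPLES, "ml-platform-lead", "2025-03-01")
    for nc in register:
        print(nc.nc_id, nc.status, nc.description)
    print("untraced:", untraced_review_actions(["MR-2025Q1-A1"], register))
```

The design point is the closure rule: the register refuses to mark a record closed while any step lacks evidence or while `effective` is still unset, which is the programmatic form of "retain documented information as evidence of the nature of the nonconformities, any subsequent actions taken, and the results of any corrective action". Running `untraced_review_actions` over the minutes of a 9.3 review is the quickest way to tell whether the management review is feeding Clause 10 or merely producing minutes.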

What’s New, or At Least Mildly Surprising

Most of Clause 10 is, structurally, a polite copy-and-paste from the rest of the Annex SL family. The novelty is not in the clause; it is in what feeds it.

The first surprise: AI nonconformities have a much wider surface area than IT or quality nonconformities. A model can fail in production without failing any test. A system can become discriminatory through a perfectly intentional, well-documented training pipeline. A third-party AI tool can change behaviour because a vendor pushed an update on a Tuesday. Clause 10.2 expects all of these to be detectable, recordable, investigable, and correctable — and Clause 9.1 expects you to have the monitoring in place to find them in the first place. Many organisations will discover that their existing nonconformity processes were calibrated for “the build broke” and not for “the model is slowly becoming worse at a thing we never measured.”

The second surprise: continual improvement of an AIMS includes the AIMS itself, not merely the AI within it. If your impact assessment template missed a category of harm in 2024 and you only noticed in 2026, the corrective action is not just to revise the assessments — it is to revise the template, retrain the people who use it, and update the AIMS. Improvement, in 42001, is reflexive. The system is meant to learn about itself. You will be tempted to skip this. Auditors will not.

The third, quietest surprise: the standard does not let you outgrow it. There is no Clause 10 finish line. Continual improvement, by definition, has no terminal state. An AIMS that has been “optimised” and “finalised” is, by the standard’s own definition, no longer conforming. This is faintly comic, and entirely deliberate.

Closing

And so we reach the end of the main body of ISO/IEC 42001:2023. Ten clauses, three of them substantive, seven of them mandatory. You have established context, asserted leadership, planned, supported, operated, evaluated, and now — improved. Forever. Continually. With evidence retained.

Next in the series, we descend into Annex A, the standard’s reference list of control objectives and controls. Thirty-eight of them, across nine sections, each one a small piece of homework that someone in your organisation will, at some point, sigh and own. I will see you there. Try to be excited.
