Clause 9 is where ISO/IEC 42001:2023 stops asking what you built and starts asking how you know it works. Monitoring, internal audit, and management review — three subclauses, all designed to surface the gap between ‘we have a policy’ and ‘we have evidence.’
Clause 8 is where the AI management system stops being a stack of documents and starts having to run. Art Meta walks you through operational planning and control, the recurring risk assessment, risk treatment, and the genuinely novel AI system impact assessment — the one subclause in ISO 42001 that asks you to think about the humans on the other end.
Clause 7 of ISO/IEC 42001:2023 governs the unglamorous machinery of an AI management system — resources, competence, awareness, communication, and documented information. Art Meta walks through what the standard actually asks for, and why this is the clause where most implementations quietly collapse.
Clause 6 of ISO/IEC 42001:2023 asks you to plan actions against risks and opportunities, then set measurable AI objectives and figure out how to achieve them. Art Meta walks you through what that actually means — and why AI risks are not quite like the ones you’ve been managing since ISO 27001.
Clause 5 of ISO 42001 asks top management to demonstrate leadership and commitment to the AI management system. Art Meta walks through what that actually requires — policy, roles, and the fine tradition of recycled Annex SL language.
Welcome back. You’ve made it to Clause 4, which means you have survived the Scope (Clause 1), the Normative References
Welcome back to our meticulous, clause-by-clause walkthrough of ISO/IEC 42001:2023 — the international standard for AI management systems that you’ve
Ah, Clause 2. The normative references section. In virtually every ISO management system standard ever published, this is the page
Welcome to the first installment of what I have grandly titled The ISO 42001 Annotated Companion for People Who Will