Dec 1, 2025
John Flack, IBM i Engineer / GRC & Quantitative Risk Specialist, has written "(A)i on GRC", which explores ISO / IEC 27001 clause by clause, translating one of the world's most influential governance frameworks into the language of IBM i security, audit, and modernization.
There was an ISO / IEC 27001 posting on this blog on Oct 21st, 2025, which can be found here
John states "ISO 27001 gave us a blueprint for control: how to protect data, ensure confidentiality, and maintain integrity."
If ISO 27001 secures the system, ISO 42001 governs the intelligence that system produces.
ISO 42001 is defined as: "The first international management system standard for artificial intelligence (AI), providing a framework for organizations to develop, deploy, and manage AI systems responsibly and securely. It helps organizations establish a governance system for AI, ensuring ethical use, managing risks, and promoting transparency and accountability throughout the AI lifecycle. The standard is applicable to any organization involved with AI systems, whether they are providers or users."
Key aspects of ISO 42001 AI Governance:
It provides a structured approach to AI governance, helping organizations to comply with legal and regulatory requirements.
Risk Management: It helps organizations identify and assess risks associated with AI systems, such as bias and security vulnerabilities, and implement strategies to mitigate them.
Ethical and Responsible Use: The standard promotes the responsible and ethical use of AI by ensuring systems are explainable, auditable, and free from unfair bias.
Lifecycle Management: It provides guidance for managing AI systems across their entire lifecycle, from design and development to deployment and operation.
Continuous Improvement: It includes processes for monitoring, auditing, and continuously improving AI systems to maintain compliance and reliability.
Compatibility: ISO 42001 is built on the same high-level structure as other management system standards, such as ISO 27001 (information security) and ISO 9001 (quality management), allowing for seamless implementation alongside them.
In order, the clauses are: (Right click to open each clause in a new tab).