The ISO 42001 Episode

Introduction to the Guest and Topic:
The podcast host, Allie Krings, introduces Walter Haydock, the founder of StackAware. StackAware is a company that assists AI-powered businesses, particularly in the healthcare industry, with managing their cybersecurity, compliance, and privacy risks. The main topic of discussion is the new international standard, ISO 42001.

What is ISO 42001?:

ISO 42001 is an international standard for governing the use of artificial intelligence. It acts as a framework and playbook for organizations to build and implement an AI management system, which includes a set of rules, policies, and controls for the development, deployment, and operation of AI systems.

Who is the Standard For?:

• ISO 42001 is highly flexible and can be applied to any organization that uses AI.

• This includes companies that develop their own AI models, those that heavily use third-party AI systems, and even major cloud providers. For example, StackAware uses third-party AI and is certified, while AI developer Anthropic is also certified.

Do You Have to be Certified?:

Certification is not mandatory to benefit from the standard. Organizations can use ISO 42001 as a framework to guide their AI governance and achieve a state of “readiness” without undergoing a formal external audit. Notably, a new law in Colorado recognizes compliance with ISO 42001 as a “safe harbor” in certain situations.

Will ISO 42001 Become the Global Baseline?:

It is likely to become the global baseline for AI governance. While the European Union is developing its own AI Act, its harmonized standards are not expected to be finalized until the end of 2025, giving ISO 42001 a significant head start.

Common Struggles in Implementation:

One of the most critical and challenging aspects of implementing a management system like ISO 42001 is securing buy-in from top management. Executive leadership must be involved in approving objectives, signing off on policies, and dedicating the necessary resources for the compliance project to succeed.

How to Get Started with AI Governance:

• Develop a Policy: The first step is to create a clear policy that outlines the acceptable and unacceptable uses of AI for all employees.
  

• Create an Inventory: Compile a comprehensive list of all AI systems and models used within the organization, including any unapproved “shadow AI” tools that employees might be using.
  

• Conduct a Risk Assessment: Perform a thorough risk assessment on all inventoried AI systems to identify potential challenges and ensure they align with the organization’s AI policy.