Perspectives

Enabling AI adoption with ISO 42001

A standard for AI governance and risk management

The rapid evolution of artificial intelligence (AI) technologies necessitates a structured approach to risk management. ISO 42001 provides guidelines for organizations to manage AI-related risks effectively. Discover how aligning with the ISO 42001 standard can help your organization navigate the complexities of AI governance and compliance.

As AI becomes integrated into more customer-facing technologies, organizations are recognizing that these tools can introduce risks like inaccuracy and bias, concerns around data privacy and cybersecurity, and challenges with responding to a fragmented US and global regulatory regime.

In Deloitte’s State of Generative AI in the Enterprise survey, respondents named the top two barriers to developing and deploying Generative AI (GenAI) as worries about complying with regulations (38% of respondents, up 10 percentage points from one year prior) and difficulty managing risks (32% of respondents, up 6 percentage points from one year prior).[1] These concerns will likely grow as GenAI and agentic AI use cases advance over the next few years.

In response to the need for guidance and leading practices around AI risk management, ISO and the International Electrotechnical Commission (IEC) published ISO/IEC 42001:2023, Information technology — Artificial intelligence — Management system (“ISO 42001”),[2] in December 2023. ISO 42001 specifies requirements for an AI management system and provides a framework for AI governance and risk management across the AI life cycle, including the following areas:

  • Governance structures to establish oversight and accountability
  • Risk management protocols to identify, assess, and mitigate potential risks and impacts
  • Guidelines to design AI systems that are transparent, fair, and unbiased
  • Compliance mechanisms to maintain adherence to evolving legal and regulatory standards

Organizations that achieve certification demonstrate that their AI management system not only identifies and mitigates risks but was also built for resilience, scalability, and ongoing oversight, which can lead to better outcomes and greater transparency for their customers. Note that certification attests to the management system within its defined scope, not to the safety or accuracy of any individual AI model.

Demonstrate market readiness of your AI systems with ISO 42001

Certification to build customer trust

AI can be transformative for organizations, but it does not come without risk. Aligning to a standard demonstrates not only strong risk management but also the maturity of an organization’s AI program.

In Deloitte’s State of Generative AI in the Enterprise survey, 35% of respondents indicated that the biggest obstacle to GenAI’s marketplace adoption is mistakes or errors with real-world consequences, followed by bias and hallucinations.[3] According to another study, while 87% of executives claim to have AI governance frameworks within their organizations, fewer than 25% have fully operationalized their enterprise governance.[4] Against that backdrop, certification becomes an indicator that these programs have actually been implemented and are operating effectively, rather than existing only on paper. Pursuing an ISO 42001 certification can provide differentiation in the near term and may become a common benchmark in the future.

Kick-start your ISO 42001 journey

An ISO 42001 certification can help organizations stay ahead of costly risks, build customer trust, and make progress toward compliance with other AI frameworks. However, understanding and implementing the standard requires an investment of time and effort across the enterprise. The three areas below are starting points for organizations beginning their ISO 42001 compliance journeys.

Many organizations already have a head start toward ISO 42001 compliance. The standard’s approach to AI management builds upon control frameworks that many organizations already have in place, including data governance, IT, security, privacy, enterprise risk management, and internal audit. An initial assessment can help organizations to understand where they can expand existing capabilities to meet ISO 42001 requirements and minimize the introduction of new processes.

AI risk management typically involves a variety of teams across an organization, including product management, data and model engineering, infrastructure, legal and compliance, trust and safety, and training teams. With this many stakeholders, ownership can fragment and responsibilities can become unclear. Organizations pursuing certification should identify leadership that can champion, resource, coordinate, and drive compliance and risk management efforts, and define an operating model for coordinating among the teams involved.

To obtain an ISO 42001 certification, organizations need to demonstrate that their AI management system operates effectively and sustainably. Certification audits, and the periodic surveillance audits that follow, sample evidence over a period of time, so point-in-time artifacts are not enough. Organizations should retain evidence, such as AI model design requirements, accuracy and performance monitoring logs, data audit trails, and product launch approvals, to demonstrate sustained compliance. Governance, risk, and compliance platforms built explicitly for AI risk management can support these processes.

How Deloitte can help

Leading organizations work with Deloitte to design sustainable risk and compliance programs and proactively unlock AI’s value. We have assisted organizations in managing AI-related risks for more than a decade, from early machine learning adoption to, more recently, risks from GenAI and agentic AI technologies. We combine practical experience with AI development and experience running large-scale risk and compliance programs across a variety of industries. Our services include the following:

  • Readiness evaluations
  • AI model testing
  • Governance, risk, and compliance program development
  • Tooling
  • Talent
  • Regulatory compliance
  • Security risk

Contacts

Rich Tumber
Principal
Deloitte & Touche LLP
ritumber@deloitte.com


Don Williams
Managing Director
Deloitte Transactions and
Business Analytics LLP
dowilliams@deloitte.com

Alison Hu
Managing Director
Deloitte & Touche LLP
aehu@deloitte.com


Brendan Maggiore
Senior Manager
Deloitte Transactions and
Business Analytics LLP
bmaggiore@deloitte.com
