AI governance
What is ISO 42001, and how do you get ready for it?
ISO 42001 is the international management-system standard for artificial intelligence. Getting ready means putting in place the policies, roles, risk processes and evidence an independent auditor would expect to see. In practice you start with three things: an honest inventory of where AI is used, clear accountability for it, and a repeatable way to assess and treat AI risk. You do not need a finished AI strategy to begin. You need ownership and records. This guide explains what the standard covers, who needs it, and the first practical steps to take.
Murikah
Independent assurance and AI governance
If your organisation already uses AI in ways that affect customers, money or compliance, readiness is not a research project. It is a short list of decisions, written down and acted on. Here is what the standard asks for, who it is really aimed at, and where to begin.
What ISO 42001 is, and is not
ISO 42001 is a management-system standard, not a technical test of any single model. It does not certify that an algorithm is accurate. It certifies that your organisation has a sound, repeatable way to govern AI: clear ownership, risk assessment, controls over how AI is built or bought, monitoring, and human oversight.
That distinction matters. You do not pass by buying a tool. You pass by running a system, and being able to show it.
Who needs it
The organisations that benefit most are the ones where AI carries real consequences: lenders using models in credit decisions, insurers and fintechs scoring risk, and any organisation making automated decisions about people. If a regulator, a partner or your own board is starting to ask how you govern AI, that is the signal to get ready.
The readiness steps
Readiness is mostly turning informal practice into a system. A sensible order:
1. Build an AI inventory. List where AI is used, by whom, and for what decisions. You cannot govern what you cannot see, and most organisations are surprised by how much is already in use.
2. Run risk and impact assessments. For each meaningful use, assess what could go wrong, for the organisation and for the people affected, and decide how you will treat that risk.
3. Set model and vendor governance. Decide how AI is approved before it goes live, how third-party AI is vetted, and who signs off. Much of your AI now comes from vendors, so vendor governance is central.
4. Stand up the management system. Assign accountability, write the few policies you actually need, and define how decisions are escalated and reviewed.
5. Keep the evidence. Record the judgements as you make them. The evidence is what turns good intentions into something an auditor, or a board, can rely on.
This is the same discipline behind ISO 42001 and AI-governance readiness in our assurance work.
How long it takes, and what it costs
Honestly, it depends on the size of your AI footprint and how mature your existing governance is. An organisation with ISO 27001 habits and a small number of AI uses can be ready in a few focused months. The cost is mostly time and attention, not licences. Beware anyone who quotes a fixed price before seeing your AI inventory.
How Murikah helps
We run ISO 42001 readiness reviews and AI-governance assessments, and we can build the management system with you through Advisory, then track the work in Assurance OS. If data protection is part of the picture, read our guide to the Kenya Data Protection Act.
This is general information, not legal advice. For obligations specific to your organisation, take advice tailored to your situation.
Frequently asked questions
What is ISO 42001?
ISO/IEC 42001 is the international standard for an AI management system. It sets out how an organisation should govern the way it develops, buys and uses AI: the policies, the roles, the risk processes, and the evidence that it all works. Like other ISO management standards, it is built around leadership, risk-based thinking and continual improvement, and it can be independently certified.
Is ISO 42001 mandatory?
No. ISO 42001 is voluntary. Organisations pursue it because customers, boards or regulators want assurance that AI is being governed properly, not because a law requires the certificate. In Kenya, the Data Protection Act and the AI Bill now advancing create related obligations, and ISO 42001 is a practical way to show you are meeting the spirit of them.
How do we get ready for ISO 42001?
Start by listing where AI is actually used in your organisation, then name who is accountable for it, then agree how you assess and treat AI risk. From there you map your current practice to the standard, close the gaps, and keep the evidence an auditor will ask for. It is mostly about turning informal habits into a system you can show.
How is ISO 42001 different from ISO 27001?
ISO 27001 governs information security: keeping data confidential, available and intact. ISO 42001 governs artificial intelligence: how AI systems are chosen, built, monitored and kept fair and accountable. They overlap and share habits, so an organisation with ISO 27001 has a head start, but ISO 42001 adds AI-specific concerns such as model risk, bias and human oversight.