In recent months, with the arrival of ISO/IEC 42001, hundreds of articles, posts and opinions have proliferated on "AI governance", "AI management systems" and "how to implement responsible AI". The problem: on reading many of them, most confuse governance with management, or even use the two terms as synonyms, which they are not. This confuses the reader and creates noise in the industry.
Understanding the difference between AI governance and AI management is critical for any organisation that wants to comply with standards, prepare for audits, or align with the European AI Act.
For this reason, we want to offer a rigorous, technical overview based on international standards, so that you are clear about:
- what AI governance is,
- what AI management is,
- which standard relates to each thing,
- and how they all fit together within a coherent organisational system.
Common mistake: talking about governance and management as if they were the same thing
In the business context, governance and management are complementary but radically different functions. Governance is the responsibility of senior management (the board and executive leadership) and consists of:
- setting principles and values,
- defining expectations, boundaries, and vision,
- assessing strategic, ethical and social impacts,
- assuming ultimate responsibility for decisions,
- and ensuring that the organisation behaves consistently.
Management, on the other hand, is the responsibility of managerial and operational teams and is in charge of:
- converting governance into policies, processes and controls,
- documenting roles, responsibilities, and procedures,
- monitoring the execution of activities,
- keeping records and evidence,
- assessing risks on an ongoing basis,
- auditing, reviewing and improving processes.
In other words, a management system is what operationalises governance.
What standard covers AI governance? — ISO/IEC 38507
ISO/IEC 38507 belongs to the ISO/IEC 38500 family (governance of IT) and its purpose is to guide the governing body in the governance of AI within the organisation.
ISO 38507 takes the six ISO/IEC 38500 governance principles:
- responsibility,
- strategy,
- acquisition,
- performance,
- conformance (the standard's term for compliance with laws, regulations and internal policy),
- human behaviour
and applies them to AI, so that corporate decisions on the technology are safe, ethical and aligned with the organisation's purpose. ISO 38507 therefore defines what senior management should decide regarding AI, but does not go into detail on how AI should be managed internally.
Which standard covers the organisational management of AI? — ISO/IEC 42001
This is where ISO/IEC 42001, “AI Management System — Requirements”, comes in: it is the organisational, certifiable counterpart to the governance principles defined by ISO 38507.
ISO 42001 requires:
- responsible AI policies,
- procedures for the use, development and implementation of AI,
- AI risk assessment,
- documented human supervision,
- criteria for accepting tools and suppliers,
- ethical, legal and operational controls,
- records and traceability,
- training,
- performance indicators,
- mandatory internal audit,
- management review,
- continuous improvement.
This is organisational management in its purest form, not strategic governance. But be careful, because ISO 42001:
- is NOT a standard for training models;
- does NOT regulate AI engineering or MLOps;
- does NOT cover the AI development life cycle, AI software quality or data quality for AI, which are addressed by ISO/IEC 5338, ISO/IEC 25059 and the ISO/IEC 5259 series respectively.
A simple way to look at it: ISO/IEC 42001 is a management-system standard in the same mould as ISO 9001 or ISO/IEC 27001, applied to the use, development and/or deployment of AI. Anyone who has run an ISO 27001 ISMS will recognise the same skeleton (scope, policy, risk assessment, controls, records, internal audit, management review, continual improvement).
How do ISO 38507 and ISO 42001 fit together?
ISO 38507 establishes governance (what senior management must decide), while ISO 42001 operationalises that governance (through policies, processes, controls and records). This is the same pattern as other governance/management pairs in the ISO catalogue, for example ISO/IEC 27014 (governance of information security) alongside ISO/IEC 27001 (information security management system).
And what about the more technical aspects of AI?
ISO 42001 serves to manage the use, development and/or deployment of AI, but it does not address the technical aspects of AI systems. For those there are other ISO standards, including:
- ISO/IEC 5338 – defines the life cycle processes for AI systems.
- ISO/IEC 25059 – defines a quality model for AI systems (an extension of the SQuaRE family).
- ISO/IEC 5259 (series) – defines a quality model and metrics for assessing the quality of data used in analytics and machine learning.
- ISO/IEC 29119-11 – provides guidelines for testing AI-based systems.
To clear up the confusion between AI management and AI governance, the position grounded in the international standards is this:
- ISO 38507 governs AI from senior management.
- ISO 42001 manages AI within the organisation.
- Technical standards (ISO/IEC 5338, 25059, 5259 and 29119-11) address the quality of the life cycle processes, software, data and testing used to build AI systems.
Three layers, three functions, three sets of different but related standards.
At I2SC, we work with AI governance and management standards, as well as the other technical standards presented in this post. If you are interested in learning more about any of them within your organisation, contact us.

