ISO 42001 vs Shadow AI

In this decade, AI will be to businesses what Excel was: indispensable. But, like Excel, you have to know how to use it.

Currently, the use of Artificial Intelligence (AI) in companies has grown exponentially. Predictive models, machine learning algorithms, generative AI, virtual assistants, and autonomous agents are transforming processes, products, and services. However, this growth has also given rise to a worrying phenomenon: Shadow AI.

Shadow AI refers to the uncontrolled or unauthorised use of AI solutions within an organisation, outside the supervision of IT or risk management. These practices can lead to biased decisions, loss of control over data, regulatory non-compliance, and cybersecurity vulnerabilities.

What is ISO/IEC 42001?

The ISO/IEC 42001:2023 standard establishes the requirements for implementing an Artificial Intelligence Management System (AIMS). It is designed to help organisations manage the specific risks of using AI, ensuring that its applications are safe, reliable, transparent, explainable and accountable.

Like other ISO management standards (such as ISO 27001 for information security), ISO 42001 proposes a structure based on continuous improvement (PDCA cycle: Plan, Do, Check, Act) that enables organisations to:

  • Assess and mitigate ethical and technical risks associated with the use of AI.
  • Define clear roles and responsibilities.
  • Establish governance policies on data, models, and automated decisions.
  • Document and monitor the life cycle of AI systems.

The value of an AI services catalogue

One of the most powerful tools for combating Shadow AI under ISO 42001 is the official AI services catalogue. This catalogue should include:

  • Approved models (e.g., language models or computer vision models).
  • Validated algorithms and their areas of application.
  • Authorised generative AI (such as text, image or code generators).
  • Autonomous agents or virtual assistants, along with their operational limitations.
  • The quality, privacy, explainability and security controls associated with each system.

This catalogue not only allows for the standardisation of AI use within the organisation, but also ensures that all solutions comply with the ethical, regulatory and quality principles defined by the company.

Benefits of ISO 42001 against Shadow AI

Adopting ISO 42001 enables companies to:

  • Eliminate silos and avoid AI developments that are not aligned with corporate objectives.
  • Centralise AI oversight, increasing traceability and transparency.
  • Reduce legal and reputational risks by demonstrating regulatory compliance.
  • Promote responsible innovation, building trust among customers, partners, and employees.

Conclusion

Shadow AI poses a real threat to organisations seeking to leverage artificial intelligence ethically and securely. The implementation of ISO/IEC 42001 not only provides a solid framework for managing AI in a comprehensive manner, but also facilitates the creation of a controlled, transparent AI ecosystem that is aligned with the organisation's values.

In the age of artificial intelligence, having a management system such as that proposed by ISO 42001 is not just a competitive advantage: it is a strategic necessity.
