In recent months, with the arrival of ISO\/IEC 42001, hundreds of articles, posts and opinions have proliferated on \"AI governance\", \"AI management systems\" and \"how to implement responsible AI\". Problem: analysing many of them, most confuse governance with management, or even use both terms as synonyms, which they are not. This confuses the reader and creates noise in the industry.<\/p>\n\n\n\n
Understanding the difference between AI governance and AI management is critical<\/strong> for any organisation that wants to comply with standards, prepare for audits, or align with the European AI Act.<\/p>\n\n\n\n For this reason, we want to provide you with a rigorous, technical overview based on international standards<\/strong>, so that you have a clear understanding of:<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n In the business context, governance<\/strong> and management<\/strong> are complementary but radically different functions. Governance is the responsibility of senior management<\/strong> and is responsible for:<\/p>\n\n\n\n <\/p>\n\n\n\n On the other hand, management is the responsibility of the management and operational teams<\/strong> and is responsible for:<\/p>\n\n\n\n <\/p>\n\n\n\n Therefore, management systems are responsible for operationalising governance.<\/p>\n\n\n\n <\/p>\n\n\n\n ISO\/IEC 38507 is part of the ISO 38500 family (IT governance) and its purpose is to guide senior management in the governance of AI within the organisation.<\/strong><\/p>\n\n\n\n ISO 38507 establishes principles for:<\/p>\n\n\n\n <\/p>\n\n\n\n and applies them to AI to ensure that corporate decisions on technology are safe, ethical and aligned with the corporate purpose. Therefore, ISO 38507 defines what<\/em> senior management should decide regarding AI, but does not<\/strong> go into detail on \"how\" it should be managed internally.<\/p>\n\n\n\n <\/p>\n\n\n\n This is where the ISO\/IEC 42001 standard \u201cAI Management System \u2014 Requirements\u201d<\/strong> comes in, representing the organisational and certifiable counterpart to the governance principles defined by ISO 38507.<\/p>\n\n\n\n ISO 42001 requires:<\/p>\n\n\n\n <\/p>\n\n\n\n This is organisational management<\/strong> in its purest form, not strategic governance. But be careful, because ISO 42001:<\/p>\n\n\n\n <\/p>\n\n\n\n A simple way to look at it is that ISO\/IEC 42001 is for a management system, like ISO 9001 or ISO 27001, but applied to the use, development, and\/or deployment of AI.<\/p>\n\n\n\n <\/p>\n\n\n\n It should be noted that ISO 38507 establishes governance <\/strong>(what senior management must decide), while ISO 42001 is responsible for operationalising that governance <\/strong>(through policies, processes, controls and records).<\/p>\n\n\n\n As is the case with other normative pairs.<\/p>\n\n\n\n <\/p>\n\n\n\n It is important to understand that ISO 42001 serves to manage the use, development, and\/or deployment of AI, but does not address technical aspects. For this purpose, there are many other ISO standards, including the following:<\/p>\n\n\n\n <\/p>\n\n\n\n Therefore, it is important to clear up the confusion that exists between AI management and governance, so that the truth, expressed with professional rigour and based on international standards, is that:<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n\n
Common mistake: Talking about government and management as if they were the same thing<\/strong><\/h4>\n\n\n\n
\n
\n
What standard covers AI governance<\/em>? \u2014 ISO\/IEC 38507<\/strong><\/h4>\n\n\n\n
\n
Which standard covers the organisational management<\/em> of AI? \u2014 ISO\/IEC 42001<\/strong><\/h4>\n\n\n\n
\n
\n
How do ISO 38507 and ISO 42001 fit together?<\/strong><\/h4>\n\n\n\n
And what about the more technical aspects of AI?<\/strong><\/h4>\n\n\n\n
\n
\n
Three layers, three functions, three levels of different but related standards<\/strong><\/h4>\n\n\n\n