Articles: algorithm integrity in FS | Risk Insights Blog

Thinking about Certification? Ask Why First

Written by Yusuf Moolla | 12 Nov 2025
TL;DR
• Ask why you’re seeking certification; don’t just default to it because others do.
• Certification alone doesn’t guarantee safety or fairness.
• If you don’t need certification, invest in real checks for model risk instead.


This article is aimed at insurers and banks. It is not for those developing or hosting algorithmic systems for others.

If you’re thinking about ISO certification, it helps to ask yourself why. Are you after better governance? Is it for a regulator? Or maybe you're hoping for a bit of a guarantee?

Perhaps your board or your auditors are pushing for certification. It is sometimes seen as a kind of shortcut to show that good practice is in place, even if only on paper.


ISO 42001

ISO/IEC 42001 is a new standard for managing AI systems. It sets out what an AI management system should include (the requirements), with pointers on how to set it up, keep it running, and make it better over time.

For banks and insurers, using the standard has its benefits. But having the certificate doesn’t guarantee safer models or fair outcomes. This previous article explains why that is in a bit more detail.


The Limits of Certification

A certified organisation has shown that it has processes in place, at a point in time. But how well those processes work is about what people do, day to day. Certification alone doesn't guarantee that you will avoid problems.

We've seen this before with ISO 27001 (the standard for Information Security Management Systems). Many certified companies have still found themselves dealing with serious security breaches. The controls were (presumably) in place at the time of the certification. But then things changed, leading to insider threats, expired credentials, cloud misconfigurations, and poorly enforced access controls.

Take Okta, the identity management provider. They had a security breach in 2023. Customer names, emails, and contact details were exposed. They held ISO 27001 certification at the time.


Using ISO 42001 to Improve

That same logic applies to ISO 42001. It’s not about holding the piece of paper; it’s about using the good practices in the standard, like regular reviews, clear accountability, and critical thinking about where your AI could go wrong.

It can help build discipline: things like knowing who owns AI governance, keeping track of model assumptions, and tracing how data moves around and is used. It can also make it easier to report what you're doing, increasing transparency and aligning with what regulators expect.


If you don't need certification

You could choose to put your energy (and resources) elsewhere:

  • more frequent, targeted impact assessments to check for fairness issues or model drift.
  • reviews that skip certification altogether, such as focused reviews of your riskiest models or AI tools.

These kinds of checks can give you clearer, more direct, real-world assurance than a certificate.

So, for banks and insurers, maybe the real question isn't whether ISO 42001 is useful. It's whether getting certified actually gives you more than simply following the standard's guidance, in your own context.


Disclaimer: The info in this article is not legal advice. It may not be relevant to your circumstances. It was written for specific contexts within banks and insurers, may not apply to other contexts, and may not be relevant to other types of organisations.