
ISO 42001 & the EU AI Act: the AI compliance time bomb

27 June 2026 · Rob Gielen · 6 min read

AI Governance & ISO 42001

It lands on my desk as if it were real work. A tidy document. The right logo, headings, words — “risk-based approach”, “AI system life cycle”, “impact assessment”. And underneath: “Could you review this for me?”

Within three paragraphs I know. This wasn’t thought through. This was generated. One prompt — maybe two. “Write me an AI policy compliant with ISO 42001.” Enter. Copy. Paste. Add logo. Forward. No prompt history. No model named. No adaptation to the actual organization. No sources. No risk assessment. Nobody thought about it. This is not efficiency. This is a time bomb with a logo on it, ticking louder than you think.

This isn’t only about companies. It’s about you and me.

For a long time I thought this was companies taking the shortcut. It is. But the real, quiet scandal sits closer to home: the analysts and consultants themselves. A growing part of our profession opens a tool, generates a deliverable — a policy, a risk assessment, a gap analysis, an audit report — and passes it on as their own work to a senior expert “for review”. The model does the analysis. The junior pastes. The senior signs. The client pays for expertise never delivered.

We have an industry that hires people for their judgment — and some have outsourced the judgment to a language model and pushed responsibility down to whoever signs. That isn’t consulting. That’s a pass-through with an invoice attached. And it’s nearly invisible: a generated gap analysis looks just as professional as one with three days of fieldwork. The difference is whether anyone can defend it when it matters.

The problem isn’t AI. The problem is AI without governance.

I’m no AI skeptic. I use these tools every day and they’re phenomenal. A model produces a first draft faster than any consultant. That’s a gain. But there’s a chasm between using AI as an accelerator within a controlled process and using AI as a replacement for the thinking itself. The first makes you better. The second makes you a pass-through that doesn’t realize it.

An AI management system is not a document. It’s a system. A system no one designed, understands, or can trace back to reality is not a management system. It’s scenery — and the moment the wall leans on it, it falls over.

What ISO 42001 actually asks (and what a prompt can’t deliver)

ISO/IEC 42001:2023 is the first certifiable international standard for AI management systems, published in December 2023. It contains 38 controls across nine control objectives: AI policy, internal organization, resources, impact assessment, the AI system life cycle, data, information for interested parties, responsible use, and third-party relationships. Almost none can be pulled from a chatbot without real work.

An AI impact assessment expects you to know which systems you use, which data flows in, who is affected and what harm could occur. A model knows nothing about your systems; it invents a plausible-sounding assessment from the average of the internet — fiction in the tone of fact. The life cycle of your AI systems requires management from design to decommissioning; a generated document describes one that doesn’t exist. Data governance asks which data feeds your systems, and whether you’re allowed to use it. Accountability asks who owns this and who escalates. The generated document describes all of this as if it exists — the illusion of compliance, more dangerous than none, because no one looks anymore for what’s missing.

The eight risks no one says out loud

⚠ 8 risks to manage now

  1. Hallucinations with a signature. Models invent clauses, standards and obligations that appear nowhere. In a document you commit to, that’s a liability.
  2. No traceability, no defense. Without prompt history, model or sources you can never show how a document came to be — the core of every auditable standard. “An AI wrote this and I don’t remember which” is a confession, not an answer.
  3. Generic policy that fits nothing. A generated document is the average of its training data; it fits no real organization and breaks at the first incident.
  4. A data breach in the name of compliance. Pasting contracts, client data or source code into a consumer tool to personalize the document is itself a data breach.
  5. Responsibility no one carries. Everyone points at the other; when it goes wrong, there’s no owner — just a chain of assumptions.
  6. The expert abused as an alibi. A generated document “for review” uses the expert to stamp a seal on something flawed from the ground up. Reviewers are not a washing machine for laundering generated text.
  7. The expertise that quietly rots away. If the junior never does the analysis, they never learn it. We outsource not just the work but the learning.
  8. A false sense of safety. The box is ticked, “AI compliance: done” — and everyone stops thinking about the real risks.

And the clock is ticking

The EU AI Act entered into force on 1 August 2024 and applies in phases. Don’t read the latest deferral as breathing room; read it as the last warning before the storm. AI Governance is not finished in one afternoon. It’s a capability you build — starting today.

Feb 2025: Prohibited AI practices and AI literacy obligations apply.
Aug 2025: General-purpose AI (GPAI) model obligations apply.
Aug 2026: Transparency obligations apply.
Dec 2027: High-risk Annex III systems — deferred from Aug 2026 via the Digital Omnibus (provisional agreement 7 May 2026).

How to do it right: AI as accelerator, not replacement

Let AI deliver the first stone, not the finished statue. Document how you use AI: model, version, prompt, sources — exactly the traceability the standard expects. Practice what you certify. Start with reality, not the document: inventory your AI systems first. Put the expert at the front to build with you, not at the back to tick a box.
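One way to make the traceability this paragraph asks for concrete, as an added example that is not from the post: a provenance manifest travels with every AI-assisted deliverable, and a review gate sends back anything that cannot show its model, version, prompt, sources and a human owner. The field names, the sample documents and the inventory reference are assumptions constructed for this example, not a schema prescribed by ISO 42001.

```python
import hashlib

# Assumed manifest schema for this example (not prescribed by ISO 42001 itself):
# every AI-assisted deliverable travels with a record of how it was produced.
REQUIRED = ("model", "model_version", "prompt", "sources", "author", "system_inventory_ref")


def check_provenance(manifest: dict, deliverable: str) -> list[str]:
    """Return reviewer findings; an empty list means the document may enter review."""
    findings = []
    for field in REQUIRED:
        if manifest.get(field) in (None, "", [], {}):
            findings.append(f"missing provenance field: {field}")
    # The manifest must describe exactly the text that was submitted.
    digest = hashlib.sha256(deliverable.encode("utf-8")).hexdigest()
    if manifest.get("sha256") != digest:
        findings.append("sha256 in manifest does not match the submitted document")
    # A model cannot own a deliverable; a named person must.
    author = str(manifest.get("author") or "").strip().lower()
    if author and author == str(manifest.get("model") or "").strip().lower():
        findings.append("author must be a named person, not the model")
    # Listed sources must actually be cited in the text, otherwise they are decoration.
    for src in manifest.get("sources") or []:
        if src not in deliverable:
            findings.append(f"source listed but never cited: {src}")
    return findings


def review_gate(manifest: dict, deliverable: str) -> tuple[str, list[str]]:
    # The "send it back" rule: no provenance, no review.
    findings = check_provenance(manifest, deliverable)
    return ("accept-for-review" if not findings else "send-back"), findings


# Constructed sample deliverables and manifests (not real documents).
GOOD_DOC = "AI policy for Example BV. Scope follows ISO/IEC 42001:2023 clause 4; systems from inventory AI-INV-2025-03."
GOOD_MANIFEST = {
    "model": "example-model", "model_version": "2025-01", "author": "A. Analyst",
    "prompt": "Draft a scope statement for our three inventoried AI systems ...",
    "sources": ["ISO/IEC 42001:2023", "AI-INV-2025-03"],
    "system_inventory_ref": "AI-INV-2025-03",
    "sha256": hashlib.sha256(GOOD_DOC.encode("utf-8")).hexdigest(),
}
GENERATED_DOC = "AI policy. This organization follows a risk-based approach across the AI system life cycle."
GENERATED_MANIFEST = {
    "model": "example-model", "author": "example-model",  # no prompt, version or inventory
    "sources": ["EU AI Act"], "sha256": "0" * 64,  # hash of an earlier draft, text edited since
}

if __name__ == "__main__":
    print(review_gate(GOOD_MANIFEST, GOOD_DOC))
    print(review_gate(GENERATED_MANIFEST, GENERATED_DOC))
```

The gate only checks that the trail exists and is consistent; whether the content is right is still the author's and reviewer's judgment.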

And to my fellow analysts and consultants: your value isn’t in producing text — the model does that faster — but in the judgment behind it, in explaining why and daring to carry responsibility. That’s the part you must not prompt away.

My new rule: I don’t review the slop anymore

From now on, one simple rule: I don’t review AI-generated slop anymore. I just send it back. AI-generated? Yes, use the tools, they’re fantastic. But responsibility for the content lies with the author. Not the model. Not the reviewer. With whoever puts their name on it. A review is not a car wash for laundering generated text. That’s not harshness, it’s respect — for the craft, the client, and you. Because the day an auditor, regulator or judge opens that document, you stand there alone.

Finally

AI makes it harder than ever to see the difference between real work and the appearance of it. Don’t take the shortcut. AI Governance is not a formality you can prompt away — it’s the discipline with which you protect your organization and your profession. Not with one prompt. With a plan.

Unsure whether your AI compliance holds up? Book a call — let’s review it together before an auditor does.

Sources: European Commission; artificialintelligenceact.eu; SureCloud; ISO.org 42001; Hicomply.
