Skip to content
All articles
ISO 42001 8 min read· by Lars Zimmermann

ISO 42001: Not Paperwork, If You Understand Responsibility

ISO 42001 sounds like a binder full of forms. It is not, once you treat the standard as lived responsibility rather than paper. From audit practice.

In short

ISO/IEC 42001 only turns into paperwork when you treat it as a box-ticking exercise instead of lived responsibility. At its core, the standard forces three questions: which AI do we use, what can go wrong, and who is accountable for it? The right sequence is process and responsibility first, then the evidence. Documentation is not bureaucracy when it guides a decision in day-to-day operations and protects you when things go wrong.

Auf Deutsch lesen: deutsche Fassung

"ISO 42001? Just another binder no one ends up reading." I hear this a lot when I talk to managing directors about the AI standard. And honestly, I understand it. Anyone who has ever lived through a standards rollout that ended with a shelf full of documents no one ever touches again has every reason to be sceptical. But that is not the standard. That is a poor translation of the standard into day-to-day operations.

ISO/IEC 42001 has been, since December 2023, the first international standard for AI management systems. On paper it looks unwieldy. At its core, though, it does something very down-to-earth: it forces you to answer three questions that any managing director ought to be able to answer anyway. Which AI do we use, what can go wrong in the process, and who is accountable for it?

Why ISO 42001 sounds like paperwork

The bad reputation rarely comes from the standard itself. It comes from the way it is often introduced. A consultant turns up, brings a collection of templates, fills in fields, prints a binder and is gone again. What remains is a document that formally ticks off every requirement and changes not a single decision in day-to-day operations.

That is the real paperwork: documentation built for the audit rather than for the business. It costs time, it costs money, and when it matters it protects no one, because it has nothing to do with reality. Approach a standard like that and you end up with exactly what you feared: bureaucracy with no benefit.

Governance is not paperwork. Governance is risk control. Whether it feels like one or the other is decided not by the documents, but by whether someone actually carries the responsibility.

What the standard really wants: to organise responsibility

If you strip ISO 42001 of its requirements and look at the core, it is not about paper. It is about responsibility. Who decides which AI is used in the organisation? Who checks whether an AI system disadvantages people? Who notices when a model starts producing nonsense, and who is then allowed to switch it off?

These are not documentation questions. They are leadership questions. The standard merely demands that you do not leave them to chance, but assign them to a role, a process, a traceable decision. An AI system with no clear owner is a gap in an audit. In day-to-day operations it is a risk no one notices until it is too late.

  • Who holds the mandate to decide on AI use, visibly, not just informally?
  • What risks does each system carry for customers, employees and the organisation?
  • Which controls from Annex A of the standard fit your operations, and do they actually work?
  • Do employees know what they are allowed to do with AI and what they are not?

Anyone who can answer these four questions honestly has already lived most of the standard, with no binder at all. Whatever documentation comes afterwards is merely recording what already applies. The sequence is decisive: clarify the responsibility first, then write it down. Do it the other way round and you produce paper no one lives by.

The difference: lived or filed away

In audits I see both. An AI policy can be a living document or a dead one. It is dead when it sits as a PDF on a server and no one in the business knows it. It is alive when I ask the production manager, "What do you do if the component camera wrongly clears a part?" and he gives the answer off the top of his head, because it is part of his working day.

A concrete example: a business uses an AI tool that pre-sorts job applications. Filed away means there is a line in the risk register, "HR AI, checked". Lived means there is a person who reads back over every pre-selection, a documented check for discrimination, and a clear route by which a rejected applicant can obtain an explanation. The first will not survive any serious audit. The second protects the organisation against a discrimination claim that is just waiting to become expensive.

The same difference applies to the AI in quality control, to the chat assistant in sales, to the AI-supported ERP. It is not the document that decides whether you have your AI under control. Lived responsibility decides it.

The nice thing about it: the difference is quick to spot. I do not need three days to sense whether AI governance is lived or merely filed away. I ask the people who work with the system a few simple questions. If the answer comes straight out of daily work, the system is embedded. If someone first has to go looking for a folder, it is theatre for the audit. At this point employees rarely dress things up; they simply show how it really works.

When documentation protects you and when it is merely ballast

Now you will say: but I do have to document something. True. ISO 42001 requires evidence. The only difference is what for. Documentation is not an end in itself. It is your insurance for the day something goes wrong.

Imagine one of your organisation's AI systems makes a wrong decision, a customer is misclassified, a component is wrongly cleared, an application is unfairly screened out. When someone then asks, "How could that happen?", your documentation decides whether you have an answer or just a shrug. Anyone who can show who checked what and when is on solid ground. Anyone with nothing is liable.

Documentation is not bureaucracy when it protects you in a crisis. It only becomes ballast when it is written for no one but the auditor.

The rule of thumb from my audit practice: every document that guides a decision in day-to-day operations is worth its weight in gold. Every document that exists only to place a tick is wasted time. The standard demands the first. Bad advice produces the second.

And it is not only about liability. Dead paperwork costs money every month, hours that employees spend maintaining documents no one uses. Lived governance turns that around: it saves time, because responsibilities are clear and no one trips over the same question twice. The most expensive option is not the clean standards rollout. The most expensive is the half-hearted one, plenty of paper, little effect, and still no answer when it matters.

Why this matters right now

There is a reason this distinction is becoming important right now: the EU AI Act turns "we handle AI responsibly" into something you have to prove. Anyone using AI in sensitive areas, personnel, quality assurance, creditworthiness assessment, increasingly faces an obligation to provide evidence. ISO 42001 is the most structured way to meet that obligation without getting lost in it. But only if you understand the standard as an operational matter. As a box-ticking exercise it serves no purpose whatsoever, other than to cost money.

This is exactly where many mid-sized companies stumble: they hear "obligation to provide evidence" and think of yet more bureaucracy. In fact it is the opposite. Anyone who builds their AI from the outset with clear roles and traceable decisions has the evidence almost as a by-product. Anyone who lets it slide and only reacts under pressure builds paper in a hurry that neither protects the business nor convinces in an audit. Prevention is simply cheaper here than aftercare.

How paperwork becomes operational reality

The way out of the paperwork is no trick. It is a sequence. Do not start with the document, start with the process. Process first. Then the role. Then the evidence. In that order, a dry requirement becomes something your business genuinely needs.

Take a single requirement of the standard, say "there must be a risk assessment for AI systems." Instead of filling in an empty template, sit down with the people who use the system every day and ask: what can concretely go wrong here? Who does it affect? How do we notice? What do we do then? The document that ultimately emerges is then not paper for the auditor. It is the answer to a question you had to ask yourself anyway.

Start small. You do not have to build the whole management system in a single day. Take the one AI system that has the greatest impact in your business or carries the greatest risk, and work it through cleanly: who is responsible, what risks exist, which control applies, where documentation lives. Once that one system is in place, you have understood the method. You then transfer the rest step by step. That way governance grows with the business instead of overwhelming it, and it is precisely this sequence that separates a standard that carries weight from one that merely fills shelves.

If you go about it this way, something surprising happens: the audit becomes easy. Because an auditor, and I sit on that side of the table, does not check whether your folders look nice. He checks whether you know what you are doing, why you are doing it, and who is accountable for it. Anyone who has lived that has nothing to memorise before the audit. They only have to show how they work anyway.

One last thought from practice: no one expects perfection. Audit-ready does not mean having every answer ready. It means being able to show honestly where you stand, where you do not yet, and what is planned next. An openly named gap with a plan is worth more in an audit than a perfect-looking folder with no substance. That is why lived governance is, in the end, also the more relaxed option: you have nothing to fake.

ISO 42001 is not paperwork. It only becomes so when you treat it as a box-ticking exercise instead of what it is: a framework that makes your responsibility visible and manageable. AI without governance is like a machine without a guard, it runs until it injures someone. The standard is the guard. Whether it feels like bureaucracy or like safety is up to you.

Share: LinkedIn E-Mail

Frequently asked questions

Is ISO 42001 only for large companies?+

No. The smaller the business, the less bureaucracy it needs; the system scales with your AI use. The core is responsibility, and a managing director carries that regardless of company size. A small mid-sized firm often gets by with a few, genuinely lived documents.

Do I really need a lot of documents for ISO 42001?+

Fewer than most people think. You need the documents that guide real decisions in day-to-day operations, not a shelf full of templates. Quality over quantity: a living inventory of your AI systems is worth more than twenty pages of formally correct but dead policies.

What is the most common mistake during implementation?+

Starting with the document instead of the process. When templates are filled in for the audit rather than for the business, you produce dead paper that protects no one when it matters. The right sequence is: clarify process and responsibility first, then document.

Does ISO 42001 slow my AI project down?+

Done properly, it makes it safer, not slower. The questions the standard forces are ones you would have to answer after the first incident at the latest, better before than after. What slows you down is not the standard, but poorly set-up bureaucracy around it.

Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & Senior Lead Implementer · ISO/IEC 27001 Lead Auditor & Lead Implementer (PECB)

Last updated: 16 July 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.

Sources & further reading

Questions about your own case?

In a free 15-minute intro call we assess where you stand on ISO 42001, ISO 27001 and the EU AI Act, honestly and without a sales pitch.

Continue reading