ISO gave AI a management system. It did not define your training data.
A management system can preserve discipline. It cannot supply the missing vocabulary.
ISO/IEC 42001 is a useful artifact for organizations trying to govern AI as an operating discipline. It is not a magic certificate that turns unowned data into governed data.
ISO describes ISO/IEC 42001:2023 as an international standard for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System. It frames AI governance as policies, objectives, processes, risk management, traceability, transparency, and reliability. In other words: a system, not a slogan.
That matters because AI programs keep pretending governance begins at the model boundary. It does not. The inputs have names, sources, purposes, retention rules, owners, exceptions, and dispute paths before the model ever sees them. A management system can require those things to be documented and reviewed. It cannot make the organization agree that 'customer', 'case', 'account', or 'ground truth' means the same thing across the teams feeding the system.
This is where certification theater tries to enter. A certificate can prove that a process exists. It cannot prove that the definition it carries is the right one, the current one, or an owned one. That is not a criticism of the standard. It is a reminder that a standard is strongest when the boring local nouns have already been written down.
Watch the implementation documents, not the badge. The valuable evidence is the register of AI systems, data assets, purposes, controls, exceptions, and accountable owners. If the implementation cannot point to the person who owns the training-data definition, the management system is holding a blank space very neatly.
ISO/IEC 42001 can structure AI governance, but the controlled vocabulary underneath still has to be authored, approved, and owned.
ISO/IEC 42001:2023 specifies requirements and guidance for an Artificial Intelligence Management System within an organization. (supports, 01)
ISO presents the standard as a framework for managing AI risks and opportunities, including traceability, transparency, and reliability. (supports, 01)
NIST treats ISO/IEC 42001 as part of a broader AI governance control landscape that must be mapped to risk-management practices, not just purchased as a badge. (context, 02)