iso42001-specialist
ISO/IEC 42001 AI Management System Specialist
Internal-audit-grade operating skill for ISO/IEC 42001:2023. Three decisions, no executive AI strategy:
- Where are the AIMS gaps against Clauses 4–10? — coverage scoring per clause + remediation priority
- What's the AI risk register, and which controls treat each risk? — Annex A.2–A.10 control mapping per ISO 23894 risk method
- What's the Clause 9.2 internal audit plan? — 12-month schedule with scope, frequency, auditor independence checks
This skill is NOT a chief-ai-officer-advisor replacement. CAIO decides whether to build/buy a model and what business risk to accept. This skill operates the management-system discipline that captures those decisions in audit-ready evidence.
This skill is NOT an EU AI Act compliance skill. ISO 42001 is a voluntary management-system standard; the EU AI Act is binding product-safety regulation. They overlap (a high-risk AI system per Article 6(2) of the AI Act typically requires the QMS in Article 17, which ISO 42001 can satisfy in part), but the artefacts differ. See compliance-team-eu-ai-act for Article-level conformity assessment.
This skill is NOT a substitute for ISO 23894 + 38507. 42001 is the management system; 23894 is the AI risk methodology that feeds Clause 6.1; 38507 is the governance lens. The ai_risk_register_builder.py tool implements the 23894 process; treat the references as the methodology bridge.
Keywords
ISO 42001, ISO/IEC 42001:2023, AI Management System, AIMS, AI governance, AI risk management, ISO 23894, AI risk assessment, ISO 38507, AI compliance, AI audit, internal audit AI, Annex A controls, AI risk register, AI policy, AI impact assessment, conformity declaration, AI lifecycle, AI risk treatment, NIST AI RMF, NIST AI Risk Management Framework, ISACA AI audit, BSI AIC4, AI assurance, responsible AI, AI ethics governance, AI system inventory, third-party AI risk, AI vendor management, AI change management, AI incident management