1. What is an AIMS?
In recent years, the development and deployment of artificial intelligence (AI) systems have accelerated rapidly worldwide. AI is becoming integrated into our lives, both as organizations use it to improve and enhance their business and as AI systems are increasingly used in everyday situations. As the social impact of AI grows, ensuring its appropriate, responsible, and trustworthy use has become critical. In this context, there is a growing need for a management system that serves as a foundation for developing, providing, and using safe and secure AI systems appropriately.
Management systems are one of the proven ways to provide assurance to interested parties. For example, certification to Information Security Management Systems (ISMS) is widely used in B2B transactions and government procurement as evidence that an organization has established and operates a system to manage information security risks in line with an international standard.
Applying these same principles to AI, international standardization efforts have been undertaken by ISO (the International Organization for Standardization) to establish requirements for AI management systems, resulting in the publication of ISO/IEC 42001 “Information technology — Artificial intelligence — Management system” in December 2023.
What is ISO/IEC 42001?
ISO/IEC 42001 is an international standard that specifies requirements for organizations to establish, implement, maintain, and continually improve an Artificial Intelligence Management System (AIMS). It is intended for use by organizations that develop, provide, or use AI‑based products or services, with the objective of supporting the responsible development and use of AI systems throughout their operations.
The structure of ISO/IEC 42001 aligns with that of other management system standards, including ISO/IEC 27001 for Information Security Management Systems. In addition to common management system requirements, the standard provides requirements specific to organizations involved in the development, provision, and use of AI systems.
Key Features of an AI Management System
The AIMS defined in ISO/IEC 42001 does not impose limitations based on industry sector or organizational size. It is applicable across all sectors and organizational contexts by classifying stakeholders into six defined roles (see “Organizational Roles in AI Management”). A single organization may assume multiple roles depending on the nature of its activities. Key features distinguishing it from other management systems include:
Organizational Roles in AI Management
When developing an AIMS according to ISO/IEC 42001, it is essential to understand AI concepts and terminology as defined in ISO/IEC 22989 (JIS X 22989) “Information technology — Artificial intelligence — Artificial intelligence concepts and terminology”. Although ISO/IEC 42001 applies to any organization that provides or uses products or services utilizing AI systems regardless of its size, type, or nature, organizations need to identify their specific roles—as defined in ISO/IEC 22989—when developing their AIMS.
Controls for AI Management
Just as an ISMS requires risk assessment and appropriate measures for information security, an AI management system adopts a risk-based approach. Organizations are required to assess risks associated with the development, provision, and use of AI systems and to take appropriate measures (controls) to address those risks.
ISO/IEC 42001 provides a set of reference “controls” as indicators for risk measures. By comparing the risk measures derived from their own risk assessment results with the controls specified in ISO/IEC 42001, organizations can evaluate whether their risk measures are comprehensive and whether any necessary controls have been overlooked.
