Technology 2026-04-22 By Yogesh Verma

The Audit-Ready AI Function: Governing AI Under ISO 42001 and the EU AI Act

Regulation Has Arrived — With Audit Expectations Attached

The EU AI Act's obligations are now phasing in: prohibitions and AI literacy duties took effect in February 2025, general-purpose AI obligations in August 2025, and the high-risk system requirements land through 2026-2027. ISO/IEC 42001 has rapidly become the reference management-system standard, with certification increasingly requested in enterprise procurement. The NIST AI Risk Management Framework anchors US expectations, and sectoral regulators — from financial supervisors to privacy authorities — are asking the same underlying question: can you evidence how your AI systems are governed? Policies alone no longer satisfy anyone.

Start With the Inventory You Probably Don't Have

Most organisations cannot produce a complete list of the AI systems they operate — including models embedded in procured software, shadow deployments by business teams, and generative AI used informally. An AI inventory is the foundational control: every system recorded with its purpose, owner, data inputs, model provenance, and a risk classification mapped to the EU AI Act's tiers. In our experience the first inventory exercise typically surfaces two to three times more AI use than leadership expected, and the unmanaged majority sits in third-party tools — which is precisely where regulators and auditors look first.

Controls That Generate Evidence

An audit-ready AI function designs controls so that evidence accumulates as a by-product of operation, not as a year-end scramble. That means: documented pre-deployment risk assessments with sign-off; bias and performance testing with retained results and thresholds; human-oversight mechanisms that log interventions; data governance covering training and input data lineage; incident registers for model failures and drift events; and supplier assessments for procured AI with contractual rights to model documentation. Each control should name an owner, a frequency, and the artefact it produces — the same discipline applied to financial controls for two decades.

The Assurance Trajectory

AI assurance is following the path ESG assurance took: voluntary attestations first, procurement-driven certification second, regulatory mandates third. Boards should get ahead of the curve by commissioning a readiness assessment against ISO 42001 and the AI Act now, remediating the inventory and control gaps it finds, and deciding deliberately which systems justify certification. Organisations that build the evidence trail early will treat the first mandatory audit as a formality; those that wait will discover that retrofitting governance onto deployed AI is far harder than designing it in.

Want to learn more?

Contact our practice team for a deeper discussion on this topic.