Ask any Dutch executive whether their company “uses AI” and the answer is usually a careful “yes, a little, in marketing.” Then walk through the toolset that operations, finance, HR and customer service rely on, and the picture changes.
Lead-scoring inside the CRM. Anomaly detection in the accounting platform. CV screening in the recruitment tool. Generative writing assistants embedded in Microsoft 365 and Google Workspace. Forecasting modules in the ERP. Browser extensions summarising contracts. IDE assistants writing production code. Tier-one chatbots responding to customers in the brand’s voice.
This invisible AI estate is the operating reality of nearly every mid-market organisation in the Netherlands. And under the EU AI Act, almost all of those use cases place the company in the role of deployer — with obligations that exist whether or not the deployment was ever formally approved.
The question that boards underestimate is not “are we ready for the AI Act?” It is “do we know what we are actually deploying?” That is a governance question, not a technology question. And governance questions are best answered with a management system.
What ISO/IEC 42001 actually is
ISO/IEC 42001:2023 is the international standard for an AI Management System (AIMS). It follows the familiar high-level structure used by ISO 9001, 14001 and 27001, so any organisation already operating a certified management system will recognise its architecture: leadership commitment, context analysis, risk and opportunity assessment, operational controls, performance evaluation and continual improvement.
What is different is the subject matter. ISO 42001 focuses specifically on the controls, processes and responsibilities required to develop, provide or use AI systems responsibly. It introduces requirements around AI risk assessment, AI impact assessment, lifecycle management, data quality, transparency, human oversight and supplier governance.
It is important to be clear about what ISO 42001 is not. It is not a certificate that proves AI Act compliance. It is not a technical specification. It is not a list of forbidden technologies. It is a management system — a structured way of organising the decisions, evidence and responsibilities that surround AI in your organisation, so that those decisions stand up to scrutiny from regulators, auditors, clients and your own board.
How ISO 42001 lines up with the EU AI Act
The AI Act and ISO 42001 were not designed in lockstep, but they overlap in highly useful ways. For a deployer, four areas show particularly strong alignment.
First, the obligation to maintain awareness of AI use. The AI Act expects deployers to know which AI systems they operate and for what purpose. ISO 42001 demands an AI inventory and impact assessments — the operational mechanism that produces and maintains that knowledge.
Second, risk classification. The AI Act distinguishes between unacceptable, high-risk, limited-risk and minimal-risk systems, each with different obligations. ISO 42001’s risk and impact assessment process provides the methodology to make those classifications repeatable and defensible.
Third, human oversight and accountability. The AI Act requires named oversight for high-risk systems. ISO 42001 builds the ownership structure — who reviews, who approves, who escalates — into the management system itself.
Fourth, supplier governance. Most organisations deploy AI that someone else developed. The AI Act allocates responsibilities between providers and deployers. ISO 42001 introduces controls for supplier evaluation, contract requirements and ongoing monitoring that make those responsibilities operational rather than theoretical.
In short: the AI Act tells you what to do. ISO 42001 helps you build the system that does it consistently.
Five practical steps to lay the foundation
A full ISO 42001 implementation in a mid-sized organisation typically takes nine to fifteen months. But the foundation can be laid in the first ninety days, and that foundation is what protects you in the meantime. Five steps tend to do most of the work.
1. Build the AI inventory
List every AI-enabled tool, feature and workflow currently in use across the organisation — including the ones nobody officially approved. The first version is always incomplete. That is fine. It becomes the baseline.
2. Classify each use case
For each entry, identify the business purpose, the data involved, the human oversight in place, and an initial AI Act risk category. This conversation almost always surfaces tools nobody realised were AI-driven, and a handful of use cases that quietly need to be reconsidered.
3. Assign named ownership
Every AI use case needs a named accountable owner — not a department, an individual. Without this, every later control becomes optional.
4. Run lightweight impact assessments
For the highest-risk use cases, document what could go wrong, what mitigations are in place and what residual risk the organisation is accepting. This is what an auditor or regulator will eventually ask for.
5. Publish a policy — and actually train people on it
Write a simple AI acceptable-use policy and run a short training cycle that explains it to the people who actually use these tools every day. Policy without training tends to age into wallpaper.
These five steps do not deliver an ISO 42001 certificate. They do, however, deliver the evidence base that every certification project, every AI Act inquiry and every client due-diligence questionnaire from 2026 onward is going to depend on.
The business case is not “compliance”
Framing ISO 42001 as a compliance project tends to slow it down. Boards approve compliance budgets reluctantly. They approve risk-and-opportunity decisions far more readily.
The actual business case for an AI management system rests on four concrete benefits. Internal control: you cannot improve what you cannot see, and most organisations cannot see their AI estate. Procurement and customer trust: enterprise buyers and Dutch public-sector tenders are starting to ask AI governance questions in their RFPs, and “we are working on it” is not a winning answer. Insurability: cyber and professional indemnity insurers are beginning to underwrite AI exposure, and a recognised management system is the cleanest evidence available. Speed: a documented governance structure makes it faster, not slower, to adopt new AI tools, because the route from idea to approved deployment is mapped.
Where to start
If you already operate ISO 9001, 14001 or 27001, ISO 42001 will feel familiar — the integration points are deliberate. If you do not, ISO 42001 can be implemented standalone, and many SMEs are choosing this route as their first formal management system precisely because AI is where the boardroom attention sits.
Either way, the work begins with the same question: where, exactly, do you use AI today, and who is accountable for each use? If your organisation cannot answer that question on a single page, that page is your first deliverable.
At Royaal Project we help Dutch SMEs and corporates design and implement AI governance that satisfies ISO 42001 and EU AI Act expectations — anchored in your existing management systems where possible, and built to be lived rather than filed.
Curious how your current AI footprint maps against ISO 42001 and the AI Act? Book a no-obligation introductory call via royaalproject.com and we will walk you through it.
This article is provided as general advisory guidance and reflects common best practice. It does not constitute legal advice. Specific obligations under the EU AI Act, ISO/IEC 42001 and other Dutch and EU regulations should be assessed in light of your organisation’s circumstances.