Glossary

AI governance & ISO/IEC 42001 glossary

Plain-language definitions of the terms behind ISO/IEC 42001, the EU AI Act and responsible AI — for teams building an AI management system. Each entry links to where the concept is put to work.

Definitions

Key terms, explained

The vocabulary of AI governance, defined clearly:

AI Management System (AIMS)

An AI Management System (AIMS) is the set of policies, roles, processes and controls an organisation uses to develop, deploy and use AI responsibly. ISO/IEC 42001 is the international standard that defines what an AIMS must contain. Learn more

ISO/IEC 42001

ISO/IEC 42001:2023 is the world's first international standard for an AI Management System. It gives organisations a certifiable framework to manage AI risk, impact, data, transparency and human oversight. Learn more

AI governance

AI governance is the practice of directing and controlling how an organisation develops and uses AI — assigning accountability, managing risk and impact, and ensuring AI is used lawfully, safely and transparently. Learn more

High-risk AI

High-risk AI refers to AI uses that can significantly affect people's rights, safety or access to services — such as hiring, credit scoring or medical devices. The EU AI Act designates specific high-risk categories with binding obligations. Learn more

EU AI Act

The EU AI Act is the European Union's comprehensive AI law, taking a risk-based approach from prohibited practices to high-risk obligations. High-risk duties apply from December 2027 after the 2026 Digital Omnibus. Learn more

AI impact assessment

An AI impact assessment evaluates how an AI system could affect individuals, groups and society — including indirect or disproportionate effects. It asks who could be harmed, and how, before deployment. Learn more

AI risk assessment

An AI risk assessment identifies and scores what could go wrong with an AI system — across governance, legal, privacy, data, technical, operational and societal risk — against defined criteria. Learn more

Statement of Applicability (SoA)

The Statement of Applicability is the central ISO/IEC 42001 document listing every Annex A control, whether it applies, the justification, the owner and the evidence. It's the most examined document in an audit. Learn more

Annex A controls

Annex A of ISO/IEC 42001 is a reference set of about 38 controls across nine areas — policy, organisation, resources, impact, lifecycle, data, information, use and third parties — that organisations select and implement. Learn more

Human oversight

Human oversight means keeping a person meaningfully able to review, intervene in or override an AI system's decisions — especially where those decisions affect people's rights, safety or finances. Learn more

AI system lifecycle

The AI system lifecycle is the full span of an AI system's life — concept, data, design, development, validation, deployment, monitoring, change and decommissioning — each stage with its own governance controls. Learn more

Data provenance

Data provenance is the documented origin and history of the data used to train or run an AI system — its sources, transformations and lineage — needed to demonstrate quality and lawful use. Learn more

Bias and fairness

Bias and fairness assessment evaluates whether an AI system's data or outputs systematically advantage or disadvantage identifiable groups, and documents the metrics, findings and mitigations. Learn more

Model card

A model card is a structured document describing an AI model — its purpose, data, performance, limitations and intended use — so that users and auditors can understand and govern it. Learn more

AI incident

An AI incident is an event where an AI system causes or risks harm, error, or a compliance breach. ISO/IEC 42001 requires a severity-classified response process with evidence preservation. Learn more

Third-party AI risk

Third-party AI risk is the governance obligation that remains when you use AI you didn't build — foundation models, APIs or datasets. Accountability for outcomes stays with the deploying organisation. Learn more

AI provider / developer / deployer

These are the roles ISO/IEC 42001 and the EU AI Act recognise: providers build and supply AI, developers engineer it, and deployers put it into use. Each role carries different obligations. Learn more

GPAI (general-purpose AI)

General-purpose AI (GPAI) refers to broadly capable models — like large language models — that can be adapted to many tasks. Under the EU AI Act, GPAI models carry their own transparency and documentation duties. Learn more

Internal audit (ISO/IEC 42001)

An internal audit is an independent check that the AI management system conforms to ISO/IEC 42001 and actually operates. Its findings drive corrective action and feed management review. Learn more

Management review

Management review is the top-management event where leadership reviews AIMS performance, risks, audit results and improvements — the moment accountability for AI governance is exercised. Learn more

Continual improvement

Continual improvement is the ongoing process of making the AI management system better over time, driven by audits, incidents, monitoring and lessons learned. Learn more

NIST AI RMF

The NIST AI Risk Management Framework is a voluntary US framework (Govern, Map, Measure, Manage) for trustworthy AI. It complements ISO/IEC 42001, which adds a certifiable management system. Learn more

From definitions to a working AI management system

The toolkit turns these concepts into ready-to-use policies, registers and assessments — the full ISO/IEC 42001 document set.