Glossary
AI governance & ISO/IEC 42001 glossary
Plain-language definitions of the terms behind ISO/IEC 42001, the EU AI Act and responsible AI — for teams building an AI management system. Each entry links to where the concept is put to work.
- AI Management System (AIMS)
- ISO/IEC 42001
- AI governance
- High-risk AI
- EU AI Act
- AI impact assessment
- AI risk assessment
- Statement of Applicability (SoA)
- Annex A controls
- Human oversight
- AI system lifecycle
- Data provenance
- Bias and fairness
- Model card
- AI incident
- Third-party AI risk
- AI provider / developer / deployer
- GPAI (general-purpose AI)
- Internal audit (ISO/IEC 42001)
- Management review
- Continual improvement
- NIST AI RMF
Definitions
Key terms, explained
The vocabulary of AI governance, defined clearly:
AI Management System (AIMS)
- An AI Management System (AIMS) is the set of policies, roles, processes and controls an organisation uses to develop, deploy and use AI responsibly. ISO/IEC 42001 is the international standard that defines what an AIMS must contain. Learn more
ISO/IEC 42001
- ISO/IEC 42001:2023 is the world's first international standard for an AI Management System. It gives organisations a certifiable framework to manage AI risk, impact, data, transparency and human oversight. Learn more
AI governance
- AI governance is the practice of directing and controlling how an organisation develops and uses AI — assigning accountability, managing risk and impact, and ensuring AI is used lawfully, safely and transparently. Learn more
High-risk AI
- High-risk AI refers to AI uses that can significantly affect people's rights, safety or access to services — such as hiring, credit scoring or medical devices. The EU AI Act designates specific high-risk categories with binding obligations. Learn more
EU AI Act
- The EU AI Act is the European Union's comprehensive AI law, taking a risk-based approach from prohibited practices to high-risk obligations. High-risk duties apply from December 2027 after the 2026 Digital Omnibus. Learn more
AI impact assessment
- An AI impact assessment evaluates how an AI system could affect individuals, groups and society — including indirect or disproportionate effects. It asks who could be harmed, and how, before deployment. Learn more
AI risk assessment
- An AI risk assessment identifies and scores what could go wrong with an AI system — across governance, legal, privacy, data, technical, operational and societal risk — against defined criteria. Learn more
Statement of Applicability (SoA)
- The Statement of Applicability is the central ISO/IEC 42001 document listing every Annex A control, whether it applies, the justification, the owner and the evidence. It's the most examined document in an audit. Learn more
Annex A controls
- Annex A of ISO/IEC 42001 is a reference set of about 38 controls across nine areas — policy, organisation, resources, impact, lifecycle, data, information, use and third parties — that organisations select and implement. Learn more
Human oversight
- Human oversight means keeping a person meaningfully able to review, intervene in or override an AI system's decisions — especially where those decisions affect people's rights, safety or finances. Learn more
AI system lifecycle
- The AI system lifecycle is the full span of an AI system's life — concept, data, design, development, validation, deployment, monitoring, change and decommissioning — each stage with its own governance controls. Learn more
Data provenance
- Data provenance is the documented origin and history of the data used to train or run an AI system — its sources, transformations and lineage — needed to demonstrate quality and lawful use. Learn more
Bias and fairness
- Bias and fairness assessment evaluates whether an AI system's data or outputs systematically advantage or disadvantage identifiable groups, and documents the metrics, findings and mitigations. Learn more
Model card
- A model card is a structured document describing an AI model — its purpose, data, performance, limitations and intended use — so that users and auditors can understand and govern it. Learn more
AI incident
- An AI incident is an event where an AI system causes or risks harm, error, or a compliance breach. ISO/IEC 42001 requires a severity-classified response process with evidence preservation. Learn more
Third-party AI risk
- Third-party AI risk is the governance obligation that remains when you use AI you didn't build — foundation models, APIs or datasets. Accountability for outcomes stays with the deploying organisation. Learn more
AI provider / developer / deployer
- These are the roles ISO/IEC 42001 and the EU AI Act recognise: providers build and supply AI, developers engineer it, and deployers put it into use. Each role carries different obligations. Learn more
GPAI (general-purpose AI)
- General-purpose AI (GPAI) refers to broadly capable models — like large language models — that can be adapted to many tasks. Under the EU AI Act, GPAI models carry their own transparency and documentation duties. Learn more
Internal audit (ISO/IEC 42001)
- An internal audit is an independent check that the AI management system conforms to ISO/IEC 42001 and actually operates. Its findings drive corrective action and feed management review. Learn more
Management review
- Management review is the top-management event where leadership reviews AIMS performance, risks, audit results and improvements — the moment accountability for AI governance is exercised. Learn more
Continual improvement
- Continual improvement is the ongoing process of making the AI management system better over time, driven by audits, incidents, monitoring and lessons learned. Learn more
NIST AI RMF
- The NIST AI Risk Management Framework is a voluntary US framework (Govern, Map, Measure, Manage) for trustworthy AI. It complements ISO/IEC 42001, which adds a certifiable management system. Learn more
From definitions to a working AI management system
The toolkit turns these concepts into ready-to-use policies, registers and assessments — the full ISO/IEC 42001 document set.