
In a previous blog post - What Is ISO/IEC 42001 and Why Should You Care About It? - I explained what the standard is and what it means for organisations. In this post I want to dig into something more practical: how artificial intelligence is actually used in organisations today, and how ISO 42001 applies in practice.
AI is now embedded in so many tools, platforms and services that it is often invisible. In fact, many people and businesses are using AI without even realising it. That makes governance even more important, because ISO 42001 doesn’t just apply to those building AI models from scratch. It also applies to the organisations that deploy, adapt, or rely on AI tools to get work done.
What Does ‘Using AI’ Mean Under ISO 42001?
When we talk about an organisation ‘using AI,’ it tends to fall into two categories.
The first is direct use, where an organisation develops or deploys an AI tool for its own operations or for external customers. Think of chatbots that handle customer queries, fraud detection systems used by banks, or recommendation engines on streaming platforms. These are obvious examples where an organisation is consciously building or embedding AI into its products or services.
The second is indirect use, which is often more subtle. This is where businesses rely on third-party AI embedded inside vendor platforms or cloud services. For example, a sales team might use a CRM platform that includes AI-driven lead scoring to predict which opportunities are most likely to convert. Or an HR team might use training software that recommends personalised learning modules for employees. These are AI-driven functions, but because they are part of off-the-shelf products, many organisations forget they are still ‘using AI’ and still carry responsibilities for how those systems are applied, even though the model itself is built and operated by someone else.
Both direct and indirect uses bring risks, and both fall under the scope of ISO 42001.
Real-World Examples: AI Risk in Recruitment and Chatbots
Take recruitment as an example. Many teams are already leaning on AI to sift through CVs and applications, narrowing down a long list of candidates to the ones who appear to be the best fit. The benefit is obvious: less time wasted on irrelevant applications. But there are also risks. What if the AI model reflects historical bias? What if candidates are unfairly excluded without explanation? ISO 42001 helps organisations address these issues by setting expectations around fairness, bias management and explainability, so that decisions can be trusted.
Or consider the chatbots that now appear on almost every website. At first glance these look like low-risk AI tools. They ask a customer what they need, guide them through a scripted set of options, and perhaps hand them off to a human agent if needed. But even here there are questions. How do customers know their data is being handled responsibly? How does the organisation ensure that the chatbot isn’t giving out misleading information or simply deflecting people away from real support? Once again ISO 42001 provides the framework to put accountability and safeguards in place.
It is worth remembering that the standard does not only apply to commercial AI developers. It applies to anyone using AI in their operations. And the line between using and developing is not always as clear as it sounds. For instance, if a business takes a large language model (the kind that powers ChatGPT) and fine-tunes it with company-specific data to answer staff queries, that is no longer ‘just using’ AI off the shelf. That is shaping how the system works, which moves you further into the territory of responsibility and governance.
How to Map Your AI Use
So how do you get started? The first step is to actually map out where AI is being used in your organisation. It is easy to focus on the obvious in-house models, but the bigger challenge is spotting embedded AI inside the SaaS tools and platforms you already pay for. A good starting point is to create an AI register, which is essentially a simple inventory of where AI shows up in your business.
For example, marketing teams often rely on email platforms that automatically optimise subject lines or send times using machine learning. Finance departments might use fraud detection features in payment platforms. That is AI at work, even if no one thinks of it that way. Once you start to look, you realise AI is woven into more processes than you might expect.
An AI register helps you see the whole picture. For each entry, record what the system does, who owns it internally, which vendor supplies it, what data it consumes, what decisions it influences and whether a human reviews the output before it takes effect. From there you can classify each use case by risk, decide which ones need more oversight, and make sure they align with your business objectives.
Building a Framework for Responsible AI Governance
Of course, the real challenge is not just identifying AI but using it responsibly. Responsible use means being transparent about when AI is involved, assessing the risks before deployment, and keeping clear lines of accountability. It also means setting limits on how much trust you place in automation. AI can assist decision-making, but humans need to remain in the loop, particularly where outcomes affect people’s rights, safety, or livelihoods.
The opposite of responsible use is all too common. Black-box systems that make decisions without explanation. Organisations that overpromise what AI can do and underdeliver when it fails. Or tools rolled out without any thought to bias, misinformation, or unintended consequences.
ISO 42001 is designed to close that gap. It encourages organisations to look at the bigger picture, not just whether the AI is accurate or efficient, but whether it is fair, transparent and accountable. It asks you to think about the impact on employees, customers, regulators, and society as a whole. In doing so, it helps you move from casual adoption to structured, auditable use.
Conclusion: Moving from AI Adoption to Governance
AI is part of everyday business operations, whether you are aware of it or not. That means governance is not optional. By helping organisations identify, assess and manage their AI use, ISO 42001 turns responsible AI from a vague aspiration into something practical and concrete.
Those who start now will not only be better prepared for regulations such as the EU AI Act, but they will also be in a stronger position to build trust with customers and stakeholders. Responsible AI is quickly becoming a differentiator. ISO 42001 is the foundation to make it happen.
If you’d like to explore how ISO 42001 could apply to your organisation, or need support mapping and governing your AI use, get in touch - we’d love to help.