ISO 42001: What Indian Enterprises Are Missing Beyond the Badge
KPMG just got ISO 42001 certified. India's IT heads are fast-tracking their own governance programmes. Most of them could not answer basic questions about what the standard actually requires.
KPMG in India just received ISO 42001 certification. India's IT leaders are fast-tracking their own governance programmes. Most of them could not answer basic questions about what the standard actually requires — and I say that having sat across from enough of them to see the pattern.
I am a certified ISO/IEC 42001 Lead Implementer. The moment I ask what an organisation's AI risk register covers, or how they have defined the boundary of their AI management system, the room tends to go quiet. The acronym is known. The substance is not.
What ISO 42001 actually is
ISO/IEC 42001 is the international standard for AI Management Systems, published in 2023. Think of it as ISO 27001 — but for AI rather than information security. It provides a structured framework for organisations to responsibly develop, deploy, and govern artificial intelligence.
It is a management system standard. That means documented processes, assigned ownership, internal audits, and continual improvement cycles. It is not a one-day workshop, a vendor assessment, or a consultant's deliverable pack. The scope, the risk classification methodology, the human oversight procedures — these have to exist inside the organisation.
The shortcut most organisations are taking
Hire a consultant. Generate the documentation. Pass the audit. Frame the certificate. Six months later, nobody inside the organisation can explain what changed or what the AI management system actually covers.
I have watched this pattern play out with data protection compliance after PDPB conversations started. Same approach, same result. The documentation exists. The internal capability does not. When the auditor or regulator asks a follow-up question that was not on the standard questionnaire, there is no one in the room who can answer it.
What the certificate does not tell you
It does not tell your employees what to do when an AI tool produces a biased output affecting a customer. It does not define who owns the decision when an AI recommendation conflicts with human judgement. It does not tell your procurement team what questions to ask a vendor about their model training data.
These are governance problems, not documentation problems. No amount of ISO 42001 paperwork solves them unless the internal capability to think about AI risk has been built.
What actually works
Build the governance capability internally first. Your AI project leads need to understand what constitutes an AI system under the standard. Your risk team needs to know how to score AI-specific risks differently from conventional IT risks. Your leadership needs to be able to explain the scope of the AI management system in plain language — not just point at the certificate.
Enterprise AI is moving from pilot to production. Production AI without governance is how you end up in a regulatory conversation you were not prepared for. The EU AI Act is in force. India's own digital governance frameworks are evolving. Organisations treating ISO 42001 as a badge rather than a management commitment will find themselves explaining that to regulators and enterprise clients sooner than they expect.
If you are serious about ISO 42001 and not just the certificate, start with internal capability — not external paperwork. Our ISO 42001 readiness programme is built around this principle. Or book a call and we can talk through where your organisation currently sits.
Ashutosh Sharma
Founder & CEO, Optivantage Technologies. 25 years in enterprise IT. AI Trainer (1000+ professionals trained). ISO/IEC 42001 Lead Implementer. Microsoft & Google certified.