Letter from guest editor

Antonina Burlachenko

Head of Quality and Regulatory Consulting, Star

AI governance: How can tech leaders scale safely at speed

AI governance is the framework that ensures AI systems are developed, deployed and monitored responsibly. It turns the values society expects from business – like fairness, transparency and accountability – into practical policies and measurable actions.

Done well, AI governance provides:

• Clarity on how AI is being developed and used across your organization
• Guardrails to ensure compliance with ethical and regulatory standards
• Trust from users, partners and regulators that your AI practices are transparent, robust and secure

What is AI Management System

ISO 42001:2023 is the world’s first international standard for AI Management Systems (AIMS). It provides a practical, structured approach for organizations to govern AI responsibly at scale. Built on the same continuous improvement model as ISO 9001 and ISO 27001, it helps companies define AI policies, assess risk, embed ethical principles into workflows and ensure transparency and accountability across the AI lifecycle. 

While not yet legally required, it’s quickly becoming a benchmark for trustworthy AI – especially in regulated and high-risk sectors that handle sensitive and confidential consumer data like healthcare. For CTOs, CIOs and product leaders, ISO 42001 offers a blueprint that translates AI related ambitions into a measurable, auditable capability.

What sets AIMS apart from traditional governance frameworks is its emphasis on controls specific to AI technology, and implementation for a specific product shall be embedded from the start, not layered on as an afterthought. It’s designed to integrate directly into your product development and engineering workflows, allowing AI governance to scale with innovation rather than slow it down.

A strong AIMS enables:

• Cross-functional accountability by clearly defining roles and responsibilities across product, engineering and compliance
• Risk-based decision-making through the identification and mitigation of AI-specific risks across the entire lifecycle
• Continuous improvement using real-world feedback, audits and monitoring to refine policies, models and controls over time

The good thing is that AIMS doesn’t require a full system overhaul. It can be layered into existing governance structures like your QMS (Quality Management System), ISMS (Information Security Management System) or DevSecOps pipelines. This makes it both practical and powerful – especially for tech leaders operating in complex or highly regulated environments.

How to implement AIMS: 6 recommended steps

There isn’t a one-size-fits-all approach to AI governance—but ISO 42001:2023 offers a clear starting point. We recommend the following six steps when building a structured and scalable AIMS:

1. Define the organizational context and scope: Start by identifying where governance is needed most. For complex portfolios, this might mean focusing on a single high-risk product or use case. Analyze internal and external factors to understand where AI creates the most impact and risk.
2. Define AI policy and objectives: Create a formal AI policy that aligns with your company’s values and existing policies. Set clear, measurable AI objectives, such as reducing bias or managing GenAI usage in professional settings. Make sure to take into account relevant local AI regulations (like EU AI Act).
3. Conduct an AI impact and risk assessment: Understand how your AI systems affect your organization, people, and society overall. Use standards like ISO/IEC 23894:2023 and ISO 42005 to assess impact, then evaluate risks based on severity and likelihood. Your assessment should include technical, ethical and operational risks.
4. Draw up a statement of applicability: This is your governance blueprint. It documents which controls you’ve implemented, which ones you’ve excluded (and why), and how each maps back to your objectives and risk areas.
5. Document and implement missing processes: For each control area, develop clear processes – with inputs, outputs, responsibilities and monitoring metrics. Train employees on these processes to ensure consistent execution.
6. Implement AIMS and monitor process and execution: AIMS is a continuous improvement system, based on the Plan-Do-Check-Act cycle. Regularly monitor effectiveness, gather internal and external feedback, and adjust your approach as needed.

Securing AI models across the entire lifecycle

Securing AI models requires a comprehensive, lifecycle-based approach that addresses risks from the earliest stages of development through deployment and monitoring. Vulnerabilities can emerge during feature engineering, where poor data quality can lead to issues like leakage, poisoning or bias. Validating inputs, detecting outliers and injecting noise into sensitive datasets help reduce these risks. The choice of algorithm also impacts security – more interpretable models like decision trees can be easier to exploit. Strengthening model robustness through adversarial testing and filtering noisy inputs can significantly improve resistance to attacks.

Beyond development, deployed AI systems face threats like model stealing, input manipulation and security misconfiguration. Attackers may query models to reverse-engineer them, making techniques like rate limiting, output obfuscation and watermarking critical. At runtime, systems must be monitored continuously using Security Information and Event Management (SIEM) platforms and anomaly detection to flag suspicious activity.

Security must also extend to the infrastructure layer. Tools like Terraform and Chef help to enforce configuration standards, manage credentials securely and maintain version-controlled backups.

Privacy by design

AI governance also requires a strong stance on data privacy. As models process more personal and behavioral data, businesses must take a proactive role in protecting user rights and managing consent. This is especially urgent for enterprises in healthcare, financial services, public sectors or other consumer-facing environments that handle vast amounts of sensitive data. 

Privacy by design means embedding privacy into every phase of development – from data collection to deployment. This includes:

• Collecting only necessary data and limiting retention
• Enabling default privacy settings and transparent consent mechanisms
• Encrypting data at rest and in transit
• Giving users control over how their data is used
• Conducting regular privacy impact assessments to identify risks early

Google is a good example – to train AI without pulling user data into a central server, it uses federated learning on-device. This reduces data privacy risk while still enabling learning at scale. It’s a clever example of embedding both innovation and compliance into the system design itself.

Strong governance also means practicing good machine learning. CIOs can no longer afford “black box” models. Implementing explainable AI (XAI), fairness metrics and bias audits not only reduces legal and reputational risk – it directly improves customer trust, engagement and brand loyalty.

The real risk isn’t moving too slowly, it’s about scaling AI with a governance system that can keep up. As generative AI goes mainstream, innovation will accelerate – but so will scrutiny. In a world where trust is currency, consumers will gravitate toward organizations that can demonstrate their AI practice as responsible and compliant.