Understanding the Needs and Expectations of Interested Parties for ISO 42001 AI Management
The interested parties for AI extend beyond customers and regulators to include the individuals and groups affected by AI decisions, even when they are not direct users.
ISO 42001 Clause 4.2 - Understanding the Needs and Expectations of Interested Parties
Clause 4.2 follows directly from the context analysis at Clause 4.1 and feeds into the scope at Clause 4.3. It is the standard's mechanism for making sure the organisation has identified everyone who has a stake in the AI management system and has decided which of their needs and expectations the management system will address.
What ISO 42001 Clause 4.2 requires
The clause has three connected requirements. The organisation must determine the interested parties that are relevant to the AI management system, the relevant requirements of those interested parties, and which of those requirements will be addressed through the management system. The standard adds a note that interested parties can have requirements related to climate change.
Interested parties for an AI management system
Identifying interested parties is an exercise that ISO 42001 takes more seriously than most other management system standards, because AI systems often affect people who are neither customers nor employees nor regulators in any traditional sense. The standard recognises a category called AI subjects, which covers the data subjects whose data trains or feeds AI systems and the people whose lives are affected by AI decisions even when they have no direct relationship with the organisation.
For an AI deployer, the typical interested parties include the AI system provider, the customers and end users who interact with the AI system, the employees who operate or oversee it, the data subjects whose information is processed, regulators with jurisdiction over AI or the affected sector, and the wider public who may be affected by the AI system's outputs. For an AI developer, the list extends further to include downstream deployers, the suppliers of training data, and the technical communities that contribute to or rely on the AI system.
Determining their requirements
Once the interested parties have been identified, the organisation must determine their relevant requirements. These are not always written down. They can be drawn from contracts, regulatory instruments, customer expectations, industry codes of practice, ethical frameworks the organisation has signed up to, and the reasonable expectations of affected individuals about how AI will be used.
Relevant requirements for AI commonly include transparency about when AI is being used, the right to challenge automated decisions, fairness in outcomes, security of personal data, and accountability for adverse effects. These requirements often originate in legislation such as the UK GDPR, the Equality Act 2010, or sector-specific regulations, but can also come from industry standards, customer contracts, or the organisation's own commitments.
Deciding which requirements are addressed by the management system
Not every requirement of every interested party can be addressed through the AI management system, and the standard does not expect that. The organisation must decide which requirements will be addressed and document that decision. Requirements that are out of scope of the management system can be addressed through other mechanisms - legal compliance functions, contract management, customer service, or standalone regulatory programmes - but the choice should be deliberate and recorded.
The interested parties register often gets longer for ISO 42001 than people expect. AI subjects are the category that catches organisations out. If you are running a recruitment AI tool, the interested parties include not just your hiring managers and the candidates who apply, but the candidates whose CVs the model was trained on, even if they were never told. The standard expects you to think about this.
The decision about which requirements to address through the management system needs to be visible. An auditor wants to see the rationale, not just the conclusion. If an organisation has decided that a particular requirement is out of scope, the auditor will want to understand how that decision was made and where the requirement is being addressed instead.
When auditing Clause 4.2, I expect the interested parties register to be specific and current. A list that simply names categories - customers, employees, regulators - is not enough. The auditor wants to see named interested parties, their specific requirements, and the management system response.
For AI systems specifically, I look for evidence that the organisation has identified the AI subjects and considered their interests. This is the most common gap I see in practice. Organisations are good at identifying their commercial counterparties but slower to recognise the affected individuals who are not party to any contract.
We added two categories to our register when we extended it for ISO 42001. The first was the workforce, because the inspection AI affects how line operators do their job. The second was the customer, because the AI ultimately decides what gets shipped. Both were already on the register for other reasons, but the AI angle gave us new things to record about each.
Practical Compliance Guidance
The IMS1 Manual, Section 1.3 Context, Company Profile and Scope of Operations / IMS1-1-3-1 Context-Scope, will reference how interested parties for the AI management system are recorded. The dedicated F-IMS22 Interested Parties Register provides a structured place to list each party, the relationship, the requirements identified, and the management system response.
The following alphaZ documents support compliance with ISO 42001 Clause 4.2.
| alphaZ document | How to use it |
|---|---|
| ISO 42001 AI Management System Toolkit | The full toolkit containing the AI management system documentation including the AI Policy, procedure, related forms and registers and the AI risk assessment. |
| F-IMS22 Interested Parties Register | Records the interested parties relevant to the management system, their relevant requirements, and the management system response to those requirements. |
| F-IMS40 AI Process Register | Records the AI systems within scope, which helps identify the interested parties affected by each AI system. |
| F-Q110 AI System Impact Assessment | Identifies the individuals and groups affected by each AI system, which feeds the interested parties analysis. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation
The following UK legislation establishes requirements held by interested parties of an AI management system. Organisations outside the UK should identify the equivalent legislation applicable in their jurisdiction.
- Data Protection Act 2018
- UK GDPR (retained EU law)
- Equality Act 2010
- Digital Markets, Competition and Consumers Act 2024
