Roles, Responsibilities and Authorities Explained for ISO 42001

ISO 42001 Clause 5.3

Roles for AI cut across the organisation - technical, operational, legal and ethical. Clause 5.3 requires those roles to be deliberately assigned, not assumed.

ISO 42001 Clause 5.3 - Roles, Responsibilities and Authorities Explained

Clause 5.3 sets the expectation that AI accountability is explicit. It complements Annex A.3.2 (AI roles and responsibilities), the control that requires roles and responsibilities for AI to be defined and allocated according to the needs of the organisation, under the Annex A.3 objective of establishing accountability for the responsible implementation, operation and management of AI systems.

What ISO 42001 Clause 5.3 requires

Top management must make sure the responsibilities and authorities for relevant roles in the AI management system are assigned and communicated. Top management must assign responsibility and authority for two specific things - making sure the AI management system conforms to the requirements of the standard, and reporting on the performance of the AI management system to top management.

The roles that need to be assigned

The standard does not list every role that must be filled, but the implementation guidance under Annex B.3.2 sets out the areas where defined roles and responsibilities are typically needed. These include AI risk management, AI system impact assessments, asset and resource management, security, safety, privacy, AI development, AI performance monitoring, human oversight, AI supplier relationships, the demonstration of legal compliance, and data quality management across the AI system life cycle.

For most organisations, these areas are not new and the roles already exist. The work at Clause 5.3 is to make sure the AI dimension of each role is explicit. The data protection officer will already have responsibility for personal data, but the AI management system needs that responsibility to extend to AI systems that process personal data, including the training and evaluation data behind them. The information security officer will already cover security threats, but AI-specific threats such as training data and model poisoning, adversarial inputs and prompt injection against deployed models need to be in their remit. The procurement function will already manage suppliers, but AI suppliers introduce additional considerations around the provenance of training data, model performance and the downstream uses the supplier's model or service will be put to.

The two assigned responsibilities

Top management must specifically assign two responsibilities. The first is making sure the AI management system conforms to the requirements of ISO 42001. This is typically the role of the AI management system lead or the integrated management system lead where the management system is integrated. The second is reporting on the performance of the AI management system to top management. This is often the same person, and the reporting is normally delivered through the management review under Clause 9.3.

Communication of roles

Roles and responsibilities must be communicated. In practice this means making sure the people in each role understand what is expected of them, and that the wider organisation knows who to go to with AI-related concerns. This is supported by the responsibilities section of the IMS1 Manual and the IMS1 sub-procedure, role descriptions, induction materials and the visible publication of the management organisation chart.

When auditing Clause 5.3, I look for documented evidence that responsibilities and authorities have been assigned and communicated. This is usually evidenced through the IMS1 Manual section on responsibilities, role descriptions, organisational charts and the names recorded against AI-specific activities in the management system documentation.

I also expect the assigned reporter on AI management system performance to be identifiable and to have actually reported. The management review minutes are the most common place this evidence appears.

The integration question matters here. An organisation with an existing IMS lead under ISO 9001 or ISO 27001 can extend that role to cover the AI management system rather than creating a separate AI lead. Many organisations do exactly this. The key is to make the AI dimension explicit in the role description and to give the person the authority and resources to discharge it.

Where the organisation is large or AI is central to its activities, a dedicated AI governance role can be more appropriate. The standard does not require either approach, but the choice should reflect the scale and risk of AI use.

Our IMS lead role expanded to cover the AI management system. We did not need a new role and we did not need to hire. We did add a section on AI to the role description so the responsibilities were explicit, and we made sure the IMS lead has access to the technical leads who run the AI systems day to day.

Practical Compliance Guidance

Section 2.2 Responsibilities of the IMS1 Manual, together with sub-procedure IMS1-2-2-1 Responsibilities, sets out the responsibilities of the IMS lead, top management and other key roles in the management system, including the AI-specific responsibilities for monitoring effectiveness and reporting performance. The same section can be extended to cover the additional AI roles needed, depending on the organisation's scope.

The following alphaZ documents support compliance with ISO 42001 Clause 5.3.

alphaZ document - How to use it

ISO 42001 AI Management System Toolkit - The full toolkit containing the AI management system documentation, including the P-120 AI Policy and the AI-specific registers, assessments and forms.
F-IMS40 AI Process Register - Records the AI systems within scope and the responsibilities allocated for each, providing evidence that roles have been assigned.
F-Q3 Management Review - Provides the format for the AI management system performance reporting that must be assigned under Clause 5.3.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Does the organisation need a dedicated AI governance role?
Not necessarily. The standard requires the responsibilities to be assigned, not that a dedicated role exist. Many organisations extend the existing IMS lead role to cover the AI management system. A dedicated AI governance role is more appropriate in larger organisations or where AI is central to the business model.

Can AI management system responsibilities be split across several people?
Yes. AI responsibilities often involve technical, operational, legal and ethical considerations, and it is rare for one person to have all the necessary expertise. Splitting responsibilities is fine provided the boundaries are clear, the people involved understand their roles, and the overall accountability for AI management system conformity rests with one named person.

How should AI roles and responsibilities be communicated?
Through the management system documentation - typically the IMS1 Manual responsibilities section, role descriptions, the organisational chart, and induction or awareness training. The aim is for staff to know who is responsible for AI in the organisation and how to escalate concerns.
