ISO 42001 helps organisations prepare for the realities of AI governance

ISO 42001 provides a structured framework for AI governance, helping companies assess risk, define responsibility and manage AI use in a controlled way, says Ryan Boyes, Senior Security Administrator at Galix.

By Ryan Boyes, Senior Security Administrator at Galix.

Artificial intelligence (AI) is already embedded in many business environments, both through public tools such as ChatGPT and through AI functionality built into existing software platforms. While adoption is accelerating, governance and regulation are still catching up. This is putting growing pressure on organisations to understand how AI is being used, what risks it introduces and how those risks should be managed.

ISO 42001 addresses this gap by providing a structured framework for AI governance, helping organisations assess risk, define responsibility and manage AI use in a controlled and accountable way. As international regulation evolves and clients place more scrutiny on AI usage, a proactive approach puts businesses in a stronger position than waiting for legislation to force change.

Although South Africa does not yet have standalone AI legislation, regulation is already developing internationally. The European Union's (EU) AI Act is one example, and similar frameworks are expected to emerge in other regions over time. The EU Act's reach is not limited to companies based in the EU: it also applies to providers and deployers outside the EU where the output of an AI system is used within the EU. In practice, this means a South African firm that offers a logistics platform, a financial services portal or a cloud-based HR system to EU clients, with AI-driven decisions or recommendations consumed there, could already fall within the scope of the Act's requirements.

For South African organisations, this matters regardless of whether local legislation arrives. AI systems and data flows are not limited by geography, and businesses may already be using international AI platforms, working with overseas clients or processing information across jurisdictions. As regulatory requirements develop, organisations will increasingly be expected to demonstrate how AI is governed and how the associated risks are being managed.

ISO 42001 provides a way to address this before legislation makes it mandatory. Like ISO 27001 and ISO 27701, it is a recognised framework that organisations can align to and eventually certify against. This allows businesses to establish governance structures early, rather than retrofitting controls later under commercial or regulatory pressure.

One of the central requirements of ISO 42001 is the AI system impact assessment. This involves understanding how AI systems could affect the organisation, its employees, its customers and the wider operating environment before implementation takes place. In some cases, the impact relates to data privacy or security. In others, it relates to operational risk, job displacement, skills shortages or reliance on external AI providers. The objective is not to block AI, but to ensure organisations understand what they are introducing before they introduce it.

A manufacturing company deploying an AI quality-control system, for instance, should consider not only whether the technology works, but whether it introduces bias into decisions, what happens when it fails and which employees need retraining as a result. This is particularly relevant in South Africa, where organisations may face skills shortages while simultaneously adopting increasingly complex AI technologies.

Businesses also need to understand where AI systems are hosted, what information is being shared with them and whether employees are using approved tools or public platforms that the business does not manage. Most organisations already have employees using AI tools in some form, whether for document generation, analysis, customer interaction or administrative tasks, and this often happens without formal governance or visibility.

One common risk this introduces is employees using public AI platforms without understanding how organisational information is handled. Consider a consultant who pastes a confidential client proposal into ChatGPT to improve the wording, or a finance team member who uploads a budget spreadsheet to get an AI-generated summary. Confidential reports, client information or internal assessments end up in external AI systems with no clear control over where that information is stored or how it is used, including whether it is used to train the provider's models. Without visibility into this usage, organisations may only identify the problem after a data breach, governance issue or operational failure has already occurred.

This is why AI governance cannot be treated separately from information security and privacy management. If organisations do not know what information is being processed through AI systems and how that information is protected, they cannot effectively manage the associated risks.

ISO 42001 addresses this by requiring organisations to identify which AI systems are in use, define how they are approved and managed, and assess the risks linked to their use. This aligns closely with the security, privacy and information management controls already covered by ISO 27001 and ISO 27701. For organisations that already hold ISO 27001 and ISO 27701, ISO 42001 is therefore significantly easier to implement, because many of the foundational governance structures already exist. Security management, information classification and privacy controls can then be extended to cover AI-specific governance and impact assessments.

Regulatory requirements around AI are likely to increase over the next few years, particularly as governments and international regulators place more emphasis on accountability, transparency and data governance. At the same time, clients and partners are beginning to ask more questions about how organisations use AI and what controls are in place.

ISO 42001 gives organisations a structured way to manage AI use. It helps businesses understand how AI is being used, identify risks early and put governance structures in place before regulation or commercial pressure forces a reactive scramble.

Like ISO 27001 and ISO 27701, ISO 42001 is not just about certification. It is about creating governance processes that can be applied consistently and maintained over time. Working with cyber security and compliance specialists can help organisations interpret the framework in the context of their business, identify gaps and implement controls that support both operational and compliance requirements.