AI Governance | 28 April 2026 | 5 min read | ISO Xpert Team | Last updated 28 April 2026

5 Surprising Truths About AI Teams, According to the New ISO 42001 Standard

Most conversations about artificial intelligence focus on the technology—the models, the data, the algorithms. We debate model accuracy, data quality, and computational power. But as organizations race to implement AI, a groundbreaking new international standard reveals that the greatest risks may not be in the code, but in the competence of the people managing it.

The new standard, ISO 42001 for AI management systems, places an unprecedented emphasis on the skills and qualifications of the teams behind AI. It argues that without the right expertise, even the most sophisticated technology can lead to bias, harm, and regulatory failure. This article explores the most impactful and counter-intuitive truths from the standard's requirements on competence (Clause 7.2), revealing that your people are your most critical AI governance control.

1. AI Governance Isn't Just for Techies—It's a Team Sport

The standard makes it clear that managing AI risk is not solely the responsibility of the technical team. It requires organizations to ensure "multi-disciplinary competence," formally recognizing that a purely technical approach is insufficient for safe and ethical AI. Effective governance depends on a collaboration between different expert groups, including AI engineers, ethics reviewers, and auditors.

This is a crucial shift because it institutionalizes the idea that successful AI governance is a blend of technical, ethical, and oversight skills. It breaks down silos and ensures that everyone involved is properly qualified. For example, AI engineers are now expected to demonstrate competence not just in model building, but also in “data quality and bias awareness” and “secure and ethical AI design principles.” This ensures that the people building the AI, the people challenging its use, and the people verifying its controls are all qualified and working in concert.

🔍 Audit Principle: AI governance fails when decisions are made by people who do not understand the risks they control.

2. An Untrained Ethics Committee Is a "Red Flag," Not a Safeguard

Many organizations have established ethics committees to review AI projects. However, ISO 42001 raises the bar significantly. The role of an ethics reviewer is not passive; they are responsible for evaluating risks, reviewing impact assessments, and challenging AI use cases. To do this effectively, they need more than good intentions—they need specific, demonstrable skills.

The standard requires ethics reviewers to be competent in areas such as “Ethical AI principles,” “Human rights and fairness considerations,” “Bias and discrimination risks,” “Societal and stakeholder impact analysis,” and understanding the fundamental limitations of AI technology. Guidance for auditors of the standard is unequivocal on this point, identifying a critical "Audit Red Flag" as having "Ethics reviewers appointed without any training or understanding of AI impacts." This requirement transforms AI ethics from a philosophical debate into a professional discipline, preventing "ethics-washing" where an unqualified committee provides a veneer of oversight without the skills to meaningfully challenge a system's potential for harm.

3. Your AI Auditor Might Be a Bigger Risk Than Your AI

Under ISO 42001, auditors play a critical role in verifying that an organization's AI governance is effective and compliant. But what happens when the auditors themselves don't understand AI? A qualified AI auditor must demonstrate competence in “ISO/IEC 42001 requirements,” “AI governance and lifecycle concepts,” and nuanced “AI risk types (bias, hallucination, misuse, autonomy).” Without this specific expertise, the standard warns that audits are not just ineffective—they are dangerous.

According to guidance for the standard, audits conducted by unqualified personnel become:

An unqualified auditor can miss critical risks related to bias, data, or model behavior, giving leadership a false sense of security. This exposure is so severe that guidance for the standard cites audits by incompetent personnel as a “🔎 Major Nonconformity Example.” In essence, having the wrong auditor is not just a procedural flaw; it's a fundamental failure of governance that can expose the organization to significant legal and reputational damage.

4. You Can Get Help, But You Can't Outsource Accountability

Clause 7.2 recognizes that not every organization will have all the necessary AI expertise in-house. The standard explicitly allows organizations to address competence gaps by hiring external experts, such as AI ethics consultants or technical validation specialists.

However, this flexibility comes with a critical caveat. An "Audit Insight" from the standard's guidance makes a crucial distinction: "accountability cannot be outsourced."

The practical implication for leaders is clear: while you can and should bring in external expertise to fill gaps, your organization remains fully responsible for the decisions made and the outcomes produced by your AI systems. You cannot simply transfer the risk to a third-party consultant. Leadership must own the ultimate accountability for the safe and ethical performance of its AI.

5. AI Competence Has an Expiration Date

In the fast-moving world of AI, knowledge and skills quickly become obsolete. ISO 42001 addresses this by treating competence not as a one-time achievement, but as a continuous process. The standard requires organizations to treat competence as a dynamic capability, mandating that they regularly review needs as AI evolves, update skills when new risks emerge, and ensure ongoing learning for personnel in high-impact AI roles.

Auditors will expect to see evidence that competence is periodically reviewed, especially after an incident, an audit finding, or a major change to an AI system. This is a significant departure from traditional IT governance, where a certification might remain valid for years. The standard reframes AI competence as a dynamic capability that must adapt at the same speed as the technology itself.

Conclusion: Are Your People Ready for the AI Revolution?

The ISO 42001 standard delivers a clear and powerful message: technology alone cannot ensure responsible AI. The ultimate responsibility for designing, deploying, and overseeing AI safely and effectively rests on the shoulders of competent, well-trained, and multi-disciplinary teams.

As the standard's guidance concludes, "Responsible AI depends on competent engineers, informed ethics reviewers, and qualified auditors working together." It shifts the focus from what the AI can do to what the people governing it understand.

As your organization adopts more AI, is it spending as much time developing its people's competence as it is developing its technology?
