Since it was published in December 2023, many people are still wrapping their heads around the ISO 42001 standard. It is designed to help any organization that provides, develops, or uses artificial intelligence (AI) products and services do so in a trustworthy and responsible manner through the requirements and safeguards the standard defines, and one of those requirements is defining your AI role.
Yes, this new framework for an AI management system (AIMS) does bear some resemblance to other management system standards (MSS) in that it is structured around clauses 4-10 with an annex of controls designed to mitigate identified risks, but it does feature one unique component: to achieve compliance with ISO 42001, you must determine your role with respect to the AI systems within scope.
Such a distinctive requirement deserves some closer attention, and as an experienced ISO Certification Body, we’re going to help break it down for you.
In this blog post, we’ll delve into the different AI roles and how you can determine yours so that when you move forward with ISO 42001 certification, you’ll be able to navigate this requirement more easily.
The Importance of Your AI Role in ISO 42001
If you’re currently or have been ISO 27701 certified, this concept may seem a little familiar—that standard also has a requirement asking organizations to determine their role. (Being a standard focused on privacy, ISO 27701 asks organizations to define that based on how they interact with personally identifiable information (PII)—whether that be in a Processor and/or Controller role.)
In both cases, correctly defining this role is crucial, as properly establishing this organizational context and scope will be key in setting your organization up for success during initial certification—from determining the applicability (and the extent of the applicability) of the requirements and controls within ISO 42001 to performing the risk assessment through the correct lens / point of view to establishing appropriate organizational objectives as it relates to the AIMS.
What are the Different ISO 42001 AI Roles?
So then, where to start?
In ISO 42001, the mandate for determining your AI role is contained within one of the foundational clauses (4.1), which is more generally focused on the identification and establishment of the influencing factors—e.g., internal and external issues—that affect your ISO 42001 scope and, therefore, its ability to achieve the intended results / objectives of the AIMS.
(In our experience, organizations generally scope their ISO certifications around customer-facing systems / services since it’s usually their customers who request the organization’s becoming certified. That being said, you are free to scope your management system more broadly as well.)
Now then, to determine your role, you should first familiarize yourself with the different options, and you can do that by referencing the detailed description of AI roles within ISO 22989—a standard that establishes terminology and describes concepts in the field of AI. Here’s a high-level figure of all of the different AI roles defined within that document:
AI Producer vs. AI Provider in ISO 42001
At Schellman, we believe the majority of our clients—being service providers (e.g., Software-as-a-Service (SaaS) providers, managed service providers (MSPs), data center and cloud hosting providers, etc.)—will sit in the AI Provider role, but there could also be circumstances where those organizations could be AI Producers as well.
So, here are more details on those two categories, and their differences—AI Producer and AI Provider—including important nuance regarding the latter:
| Role | Details |
| --- | --- |
| AI Producer | ISO 22989 Definition: AI Producers are broadly defined as “an organization or entity that designs, develops, tests, and deploys products or services that use one or more AI system.” Translation: AI Producers are AI developers, or those organizations that are developing AI services and products (e.g., creators / designers of AI models, model implementers, model verifiers, etc.). Example: Organizations like OpenAI, Anthropic, Google DeepMind, AI21 Labs, and Mistral AI would all fall into this category. |
| AI Provider | ISO 22989 Definition: AI Providers are broadly defined as “an organization or entity that provides products or services that uses one or more AI systems.” So, the role of AI Provider encompasses both AI Platform Providers and AI Product or Service Providers. |
| AI Provider – AI Platform Provider | Translation: AI Platform Providers provide services that enable users to produce AI services and products. Example(s): Google Cloud’s AI Platform, Amazon SageMaker, among others—i.e., providers of platforms that organizations can utilize to build, train, and deploy machine learning (ML) models—would be considered AI Platform Providers. |
| AI Provider – AI Product / Service Provider | Translation: The role of AI Product / Service Provider would apply to: Example: Organizations that provide SaaS offerings that utilize AI to execute certain tasks, whether such AI is developed internally or leveraged from third-party sources. |
So then, organizations that are both developing AI models and providing such technologies as a component of their service offerings to end-users would be considered both AI Producers and AI Providers (AI Product / Service Providers), so it is possible that your organization could qualify for more than one of these roles.
The AI Customer Role in ISO 42001
Compare to ISO 27017: ISO 27017 similarly distinguishes between cloud service providers (CSPs) and cloud service customers (CSCs), with separate extended controls and implementation guidance for each. As defined by ISO 27017, CSPs (e.g., AWS) are suppliers of services to their customers (CSCs, or acquirers). However, a CSC can also act as a CSP if it is, in turn, building a SaaS application on top of AWS cloud infrastructure for an end-user (i.e., the CSC’s customers). In our experience seeing organizations align their ISO 27001 certifications with ISO 27017, they do so in the CSP role, since that is the downstream role where their services directly interact with their customers (the end user), as opposed to the upstream relationship with their own CSP.
Given that nuance within the AI Provider role, you may be wondering how the AI Customer role potentially fits in—here's the difference.
If an organization is leveraging AI from third-party sources—e.g., OpenAI—they are technically an AI Customer of OpenAI, and if they are using OpenAI’s GPT technology to integrate into the services they provide to their clients, they would now fall into the AI Provider category (as a Product / Service Provider).
But if—as in this scenario—you’re both, what does that mean for your ISO 42001 certification? You’ll likely want to focus on your AI Provider role, given that it is the downstream role that directly interacts with your customers. Here’s why: if you are both an AI Customer and an AI Provider and focus your ISO 42001 scope on the latter role, there is an Annex A control objective (A.10) that addresses how organizations ensure that their usage of services / products provided by suppliers aligns with their approach to the responsible use and development of AI systems, so it would cover your AI Customer relationship.
(Similar scenarios might exist where your organization is also an AI Partner, Subject, and Relevant Authority, though we believe those use cases will be rarer in applicability—still, more information on those specific roles can be found in ISO 22989.)
Next Steps for Your ISO 42001 Certification
Now that the standard has been published, many organizations are beginning preparation for ISO 42001 certification in the interest of proving their artificial intelligence can be trusted. One crucial aspect of that prep—and overall compliance—will be to establish your role concerning the AI systems in scope, and now that you know a bit more about it, that should be easier to accomplish.
As you get started building your AIMS, keep in mind that ISO 42001 was designed with a harmonized structure that allows for integration with other MSS such as ISO 27001, ISO 27701, and/or ISO 9001. These three in particular are referenced several times within the ISO 42001 standard, as there are unique tie-ins to AI risk management from a security, privacy, and quality perspective. So if you’re already certified against one of those standards, it may be worth investigating the benefits of integration and the enhanced alignment that comes with it.
To learn more about those nuances—or to explore a potential ISO 42001 gap assessment to gain more confidence ahead of certification—contact us today.
About DANNY MANIMBO
Danny Manimbo is a Principal with Schellman based in Denver, Colorado. As a member of Schellman’s West Coast / Mountain region management team, Danny is primarily responsible for leading Schellman's AI and ISO practices as well as the development and oversight of Schellman's attestation services. Danny has been with Schellman for 10 years and has over 13 years of experience in providing data security audit and compliance services.