Time to skewer the ISO 42001 vs. EU AI Act straw man.

The two standards don't conflict, but rather:

ISO 42001 is the operating system that helps make EU AI Act compliance feasible.

The mistake I keep seeing is this:

People talk about ISO 42001 like it exists in a vacuum.

It doesn't.

ISO 42001 forces you to pull in real-world obligations.

(Including laws like the EU AI Act, but also every other applicable one.)

And here's why ISO 42001 helps with EU AI Act work:

Clause 4.1 is the first operational requirement.

It requires you to understand the organization’s context.

That includes:

-> Contractual obligations

-> Applicable legal requirements

-> Policies, guidelines, & decisions from regulators

So if the EU AI Act applies to you, it becomes part of the system design.

Not a separate spreadsheet.

Critically, ISO 42001 forces another key step:

Clause 6.1.1 requires taking what you learned in 4.1…

…and feeding it into your risk assessment process.

Meaning:

-> Legal obligations become risk inputs

-> Risk inputs become control decisions

-> Control decisions become evidence

What regulators, customers, and auditors care about.

Most "AI compliance" efforts fail for a simple reason:

They produce documents.

Not decisions.

ISO 42001 pushes you toward a repeatable system:

-> Clear ownership

-> Consistent risk logic

-> Defensible exceptions

-> Evidence you can produce on demand

-> Change control when AI systems (& laws) evolve

The last point is especially important because the EU AI Act's "harmonised standard" has not been approved yet and is YEARS behind schedule.

As of today, the AI Act's requirements for high-risk systems are scheduled to come online in 6 months WITHOUT an approved harmonised standard.

And let me get real with you: regulators don't really care whether the laws they write make sense or not.

𝗕𝗼𝘁𝘁𝗼𝗺 𝗹𝗶𝗻𝗲

ISO 42001 doesn't compete with (or replace) regulation.

It's how you turn regulation into working governance.

Without chaos, rework, and internal contradictions.