Acuity AI Advisory

ISO/IEC 42001: The AI Management Standard the EU AI Act Doesn't Replace

Ger Perdisatt

Founder, Acuity AI Advisory

The EU AI Act tells you what you must do. ISO/IEC 42001 tells you how to run the system that does it. Here is the difference, why both matter, and where Irish organisations are getting it wrong.

Most Irish organisations preparing for the EU AI Act treat it as a single compliance problem: read the regulation, classify the systems, document the controls, file the paperwork. That mindset works for one-off compliance exercises. It does not work for AI.

The reason is structural. The EU AI Act tells an organisation what it must achieve — risk classification, oversight, transparency, accountability. It does not tell the organisation how to operate the management system that delivers those outcomes year after year. That gap is exactly what ISO/IEC 42001 fills. And it is the gap most organisations have not yet noticed.

What ISO/IEC 42001 actually is

ISO/IEC 42001:2023 is the international management system standard for artificial intelligence. It was published in December 2023 and is the first ISO standard specifically for AI management systems. Conceptually, it sits in the same family as ISO 27001 (information security), ISO 9001 (quality), and ISO 14001 (environment): an evidential framework for running a managed system, with documented policies, defined accountabilities, internal audit, management review, and continuous improvement.

The standard is not a regulation. There is no statutory requirement to be certified. But it is rapidly becoming the operational answer to a question regulators, boards, and clients are all asking simultaneously: how do you actually run AI responsibly, and can you prove it?

The structure follows the standard ISO management-system pattern. A defined scope. Documented policies. Risk and impact assessment. Roles, responsibilities, and decision rights. Operational controls covering the lifecycle of AI systems — from selection and design to deployment, monitoring, and retirement. Internal audit. Management review. Records of corrective action when something goes wrong.

Where it differs from earlier ISO standards is in the AI-specific control set. Annex A of 42001 lists 38 controls covering issues that have no analogue in the older standards: bias and fairness, robustness and reliability, transparency and explainability, human oversight, AI system impact assessment. These are not bolted on. They are the substance of the standard.

What the EU AI Act actually requires

The EU AI Act is European law. It applies directly across all member states from August 2026 onwards, with Ireland's AI Office responsible for enforcement. It is not a management standard. It is a market regulation with prohibitions, classifications, obligations, and fines up to €35 million or 7% of global turnover.

The Act classifies AI systems into four risk tiers — unacceptable, high, limited, minimal — and attaches obligations proportionate to each. High-risk systems carry the heaviest obligations: conformity assessment, technical documentation, post-market monitoring, human oversight, data governance, transparency, accuracy, robustness, cybersecurity.

What the Act does not specify is the management system that produces and sustains compliance. It tells you that you must conduct a fundamental rights impact assessment. It does not tell you how to operate the team, the process, and the evidence trail that ensures the assessment is done consistently, kept current, and demonstrably linked to operational decisions. That is a management-system problem, and management-system problems are solved by management-system standards.

Where they overlap, and where they do not

The overlap is significant. Both frameworks demand AI risk and impact assessment. Both require documented roles and accountabilities. Both expect operational controls across the AI lifecycle. Both insist on human oversight and transparency. An organisation that has implemented ISO/IEC 42001 properly will have approximately 70–80% of what the EU AI Act demands as a by-product.

The gap is in the details. ISO 42001 does not classify AI systems against the EU's specific four-tier model. It does not embed the prohibitions on biometric categorisation, social scoring, and predictive policing. It does not specify the technical documentation pack the EU requires for conformity assessment. It does not address the Act's distinctive obligations on general-purpose AI models.

The reverse is also true. The EU AI Act does not require an internal audit programme. It does not require management review. It does not require corrective and preventive action procedures. It tells you what the controls must do. It does not tell you how to operate, evidence, audit, and improve them.

For an Irish organisation deploying high-risk AI, this means the two frameworks are complementary rather than substitutable. ISO 42001 gives the management system. The EU AI Act gives the regulatory specification it must satisfy. An organisation can comply with the EU AI Act on paper without a management system — but the moment something changes, the moment a new AI system is deployed, the moment a regulator asks for evidence of continuous oversight, the absence of a management system becomes visible.

Where Irish organisations are getting it wrong

Three patterns recur in the conversations we have had with Irish boards and executives over the past twelve months.

The first is treating EU AI Act compliance as a documentation exercise. A consultancy produces a policy pack, the policy pack is filed, the documentation is held in case of a regulator visit. Twelve months later, the AI estate has changed — new tools are in use, old ones have been retired, the inventory is out of date, the impact assessments are stale, and the policy pack is a museum piece. This is the predictable failure mode when there is no management system underneath.

The second is treating ISO/IEC 42001 as optional. Because there is no legal requirement to be certified, organisations defer the conversation. They assume EU AI Act compliance can be achieved without the standard. Technically, they are correct. Practically, they then spend two or three times longer building the same management infrastructure ad hoc — and without the external assurance an ISO-aligned framework provides to clients, partners, and regulators.

The third is treating the two frameworks as adversarial. Boards sometimes ask whether they should prioritise ISO certification or EU AI Act compliance. The framing is wrong. The Act is non-negotiable for any organisation in scope. The standard is the practical operating model that keeps the organisation compliant with the Act year on year, as the AI estate evolves.

Why this matters now

Three forces are converging. The first is regulatory: Ireland's AI Office becomes operational on 1 August 2026, and the Act's high-risk provisions follow on a staggered timetable thereafter. The second is commercial: large enterprises and public-sector buyers are starting to ask suppliers for ISO 42001 alignment or certification as a procurement gate. The third is operational: AI estates are growing fast and informally, and the organisations without a management system are losing visibility of their own exposure.

The window for getting ahead of all three is narrow. Building a managed system around an AI estate is significantly easier when the estate is small. Six months from now, the same exercise is harder. Eighteen months from now, organisations that did not act will be retrofitting a management system to a tangle of AI use that no one fully owns.

What we do with this

The Acuity governance work has always been built around an operational management-system logic. That is the work — not policy documents, but the structures, accountabilities, audit cadence, and review processes that make AI governance actually function inside an organisation. Aligning that work explicitly to ISO/IEC 42001 has been the natural next step.

In May 2026 the firm completed ISO/IEC 42001:2023 Lead Auditor certification with Mastermind Assurance — the senior auditing credential for the standard. The credential matters less than what it represents: a verified, independent benchmark against which AI governance frameworks can be assessed. For Irish clients, this means three concrete things.

First, governance frameworks Acuity designs are now explicitly ISO/IEC 42001-aligned out of the box. Second, organisations seeking a path toward eventual certification have an aligned starting point rather than a retrofit. Third, internal audits and readiness reviews are conducted to the same standard that an external certification body would apply, so when the time comes, there are no surprises.

The EU AI Act sets the obligation. ISO/IEC 42001 builds the operating system that delivers on it. Most Irish organisations are still focused exclusively on the first. The ones that recognise the second are the ones that will still be compliant in 2028, 2030, and beyond — without rebuilding from scratch every time the AI estate changes.

Tags: ISO 42001, AI governance, EU AI Act, compliance, governance