Deloitte highlights importance of AI governance as ISO 42001 gains relevance for businesses
As artificial intelligence continues to be adopted across business functions and customer-facing technologies, Deloitte notes that the need for stronger governance and risk management around AI is becoming more important than ever.
Against this backdrop, ISO/IEC 42001, released in December 2023 by the International Organization for Standardization, is emerging as a key framework to help organisations build trustworthy, transparent and accountable AI systems.
As businesses explore the potential of generative AI and other advanced AI applications, they are also facing growing concerns around accuracy, bias, data privacy, cybersecurity and regulatory compliance.
These concerns are no longer limited to technology teams alone, but are increasingly becoming boardroom matters, particularly as organisations seek to scale AI responsibly while maintaining stakeholder confidence.
ISO 42001 provides a structured management system standard for AI governance and risk management across the AI lifecycle.
It covers key areas such as governance structures, accountability, risk assessment, transparency, fairness, and mechanisms to support compliance with evolving legal and regulatory requirements.
For organisations looking to adopt AI more confidently, the standard offers a practical way to strengthen internal oversight while demonstrating readiness to customers, regulators and other stakeholders.
From a Deloitte perspective, the significance of ISO 42001 lies not only in certification, but in what it represents.
It signals that an organisation is taking a more disciplined and sustainable approach to managing AI-related risks while also building the foundations for long-term trust.
As AI becomes more embedded in business operations and decision-making, this kind of maturity will become increasingly important.
Commenting on the growing relevance of structured AI governance, Vengadasalam Balagobi, Cyber and Technology Risk Head and Information Security Leader at Deloitte Sri Lanka & Maldives, said, “AI adoption is accelerating across industries, but so are the associated risks.
Organisations need to move beyond experimentation and focus on building structured governance around how AI systems are developed and used.
Frameworks such as ISO 42001 provide a practical starting point to strengthen oversight, manage risks effectively, and build trust with stakeholders.”
The relevance of this standard is also tied to the broader global regulatory direction.
AI-related requirements are continuing to evolve across jurisdictions, and many of the areas covered by ISO 42001 align with wider regulatory and governance expectations.
For businesses, this means that early alignment with such a framework can support not only risk management, but also future readiness.
Another strength of ISO 42001 is that it can build on capabilities many organisations may already have in place.
Existing controls and processes around data governance, information security, privacy, enterprise risk management and internal audit can often serve as a starting point.
This gives organisations an opportunity to assess what already exists, identify any gaps, and strengthen coordination across teams involved in AI development, deployment and oversight.
Vengadasalam Balagobi, Cyber and Technology Risk Head and Information Security Leader at Deloitte Sri Lanka & Maldives, added:
“Organisations should take a structured approach when strengthening AI governance.
This includes assessing existing capabilities across governance, security and compliance, establishing clear ownership of AI risk management responsibilities, and ensuring there is sufficient evidence to demonstrate that AI systems are operating effectively and sustainably over time.”
As conversations around AI move from experimentation to enterprise adoption, governance will play a critical role in determining how confidently organisations can scale these technologies.
ISO 42001 offers a timely framework for businesses seeking to balance innovation with accountability, while building trust in how AI is designed, deployed and monitored.
Deloitte remains committed to supporting organisations as they navigate the evolving AI landscape, strengthen governance practices, and build systems that are trusted, resilient and fit for a rapidly changing business environment.
About Deloitte Sri Lanka and Maldives
Deloitte Sri Lanka and Maldives is a multi-disciplinary professional services firm that is part of the Deloitte network.
Deloitte offers a range of services, including Audit & Assurance, Tax, Strategy, Risk & Transactions, and Technology & Transformation.
Deloitte is among the largest professional services networks globally, with a presence in over 150 countries and more than 450,000 professionals.
Image caption: Vengadasalam Balagobi, Cyber and Technology Risk Head and Information Security Leader, Deloitte Sri Lanka & Maldives