TL;DR
- ISO 42001 requires a documented AI policy that is approved by senior leadership, communicated across the organization, and reviewed regularly.
- The policy must address fairness, privacy, security, accountability, transparency, and human oversight as minimum content requirements.
- A policy that is aspirational but not operational will be flagged as a non-conformity in a certification audit.
- 6clicks provides pre-built AI policy templates aligned to ISO 42001 requirements, reducing drafting time and ensuring coverage.
- If your organization uses AI but has no formal AI policy, you are already non-compliant with ISO 42001.
Every ISO 42001 certification journey starts with a question: what exactly does our AI policy need to say? A documented AI policy is one of the first things an auditor will ask for, and one of the most common reasons organizations fail their Stage 1 review. Getting it right from the start saves significant remediation effort.
ISO 42001 Clause 5.2 requires top management to establish, implement, and maintain an AI policy. The policy is the foundation of your entire Artificial Intelligence Management System (AIMS). Without it, there is nothing to build governance controls against.
The policy also signals to the organization, its customers, and its regulators that AI is being governed intentionally. Under ISO 42001, an effective AI policy is the first visible output of leadership commitment to responsible AI.
ISO 42001 does not prescribe specific policy language, but it sets clear requirements for what the policy must achieve. A compliant AI policy must:
In practice, this means your policy must explicitly address the following domains:
Fairness and non-discrimination
The policy must commit to identifying and mitigating bias in AI systems, ensuring that AI outputs are fair and do not discriminate against individuals or groups based on protected characteristics.
Privacy and data governance
The policy must address how the organization handles personal data used in AI systems, covering collection, processing, retention, and the rights of data subjects. This should align with applicable privacy regulations, including the General Data Protection Regulation (GDPR) and domestic privacy laws.
Security and resilience
The policy must commit to protecting AI systems from misuse, manipulation, and unauthorized access, covering both the AI models themselves and the data they process.
Accountability and human oversight
The policy must define who is responsible for AI governance decisions, how AI-related incidents are escalated, and the conditions under which human oversight overrides AI outputs.
Transparency and explainability
The policy must commit to ensuring that AI system behavior can be explained to affected individuals and stakeholders to the extent technically and organizationally feasible.
6clicks provides pre-built AI policy templates aligned to ISO 42001 requirements, covering all mandatory content areas and structured for operational use, not just documentation compliance.
If you are building an AIMS, see our ISO 42001 solution overview and how Hailey AI accelerates mapping, gap analysis, and evidence workflows. The platform enables policy approval, distribution, and acknowledgment workflows, version control, and review scheduling. When your auditor asks for your AI policy, 6clicks gives you a complete, evidenced audit trail from draft through to leadership approval. For a detailed implementation guide, download the ISO 42001 checklist or read how to automate ISO 42001 compliance. Explore integrations to connect your evidence sources.
Start with a compliant AI policy. Explore how we build safe AI by exploring the 6clicks platform or book a demo to learn more.