Most organizations operating AI today already hold ISO 27001. The natural assumption is that certification covers their AI operations. It does not. And the gap is not a detail. It is the point.
## The common belief
The assumption that shapes most compliance roadmaps is substitution: if we have 27001, we have security; if we have security, we have AI security. The certificate travels by inertia to cover whatever the organization does next.
That logic breaks at the point where AI systems start behaving in ways that traditional information assets do not.
## Where 27001 stops covering what AI actually does
27001 protects information assets. Its control set, risk model, and audit methodology were built around a specific question: how does the organization keep confidentiality, integrity, and availability of the information it holds? The CIA triad is the lens.
AI operations introduce three categories of risk that the triad does not fully resolve.
### 1. Risk to the people affected by AI outputs
27001 protects the organization and, indirectly, the individuals whose data it holds. It does not frame risk in terms of what an AI system’s decisions do to the people those decisions affect. An HR screening model that systematically rejects qualified candidates from certain groups is not producing a confidentiality breach, an integrity failure, or an availability issue. It is producing harm. The ISMS has no native way to register that risk.
### 2. Risk from how the model behaves, not from who attacks it
27001 risk assessment is threat-based: identify threats, identify vulnerabilities, assess impact. AI systems fail through mechanisms that have no threat actor: drift, degraded training data, spurious correlations, distribution shift. A model can produce dangerous outputs without anyone attacking it. The 27001 risk model does not look for that mode of failure.
### 3. Risk across the lifecycle, not just the perimeter
The 27001 lifecycle of an information asset is classification, storage, transmission, and disposal. The AI lifecycle is design, training, validation, deployment, monitoring, retraining, and retirement. Each stage introduces different risks, and several (training data governance, monitoring for drift, post-deployment behavior) have no clear 27001 control assigned.
> 27001 was designed for a world where systems do what they are told. AI systems often do not, and the ISMS has no vocabulary for that difference.
>
## Reframing the question
The question most compliance teams ask is “Which 27001 controls cover our AI risks?” The better question is “What categories of AI risk does our ISMS have no control for, and where do we address them?”
Honest answers usually include impact on affected parties, model-level risk assessment, training data governance, human oversight design, and post-market monitoring. All of these are covered natively in ISO 42001 and addressed indirectly, if at all, in 27001.
## The structural shift
Regulators and procurement buyers are already signaling the shift. The EU AI Act distinguishes explicitly between information security obligations (which 27001 addresses) and AI management obligations (which 42001 addresses). The NIST AI Risk Management Framework separates AI-specific risks from general cybersecurity risks. Enterprise vendor questionnaires have started asking for AI-specific attestations separate from the security attestation.
The direction is clear: 27001 remains necessary, but it is no longer sufficient for organizations whose operations materially involve AI.
## What this means for your organization
Inventory your AI systems inside the 27001 scope document. The first step is visibility. Many organizations discover that their certified 27001 scope statement does not mention AI at all, which creates an ambiguity about what the certificate actually covers in practice.
Map your AI-specific risks explicitly. Take your current risk register and add the categories 27001 does not natively cover: impact on affected individuals, model behavior over time, training data provenance, third-party AI components. The gap will be visible quickly.
Treat 42001 as the natural extension, not a competitor. The two standards share the Harmonized Structure. An organization with a mature 27001 ISMS can typically layer 42001 on top with significantly less effort than building 42001 from scratch. Brochure 15 in this series covers the migration path in detail.
> 27001 protects the information you hold. 42001 protects the people affected by the decisions you make with that information. Operating AI responsibly requires both, in that order.
>
—
Ready to extend your ISMS into AI governance?
📩 [[email protected]](mailto:[email protected]) · 🌐 [zertia.ai](http://zertia.ai)
–
