Clause 5: Leadership
Top management commitment, AI policy establishment, and defining roles, responsibilities, and authorities for AI governance.
Chapter Overview
Clause 5 establishes leadership requirements for the AIMS. Top management must demonstrate commitment, establish an AI policy, and ensure roles and responsibilities are defined. This clause is critical because without leadership support, AIMS implementation will fail.
Clause Structure
| Sub-clause | Title | Focus |
|---|---|---|
| 5.1 | Leadership and commitment | Top management accountability |
| 5.2 | AI policy | Policy establishment and communication |
| 5.3 | Organizational roles, responsibilities and authorities | Accountability structure |
5.1 Leadership and Commitment
Requirement
Top management shall demonstrate leadership and commitment with respect to the AI management system by:
- Ensuring AI policy and objectives are established and compatible with strategic direction
- Ensuring integration of AIMS requirements into business processes
- Ensuring resources needed for AIMS are available
- Communicating the importance of effective AI management
- Ensuring AIMS achieves its intended outcomes
- Directing and supporting persons to contribute to AIMS effectiveness
- Promoting continual improvement
- Supporting other relevant management roles to demonstrate leadership
Top management refers to the person or group of people who direct and control an organization at the highest level. This typically includes the CEO, the Board, the Executive Committee, or an equivalent leadership body.
Evidence of Leadership Commitment
| Requirement | Evidence Examples |
|---|---|
| Policy and objectives established | Signed AI policy, documented objectives |
| Integration into business | AI governance in business processes, job descriptions |
| Resources available | Budget allocation, staffing, tools procurement |
| Communication | Town halls, emails, training, internal comms |
| Achieving outcomes | KPIs, dashboards, performance reports |
| Supporting persons | Training, recognition, empowerment |
| Continual improvement | Improvement initiatives, feedback mechanisms |
Implementation Steps
- Brief top management on ISO 42001 requirements
- Obtain formal commitment (board resolution, executive sign-off)
- Allocate budget and resources
- Integrate AI governance into business planning
- Establish communication channels
- Include AI governance in management reviews
5.2 AI Policy
Requirement
Top management shall establish an AI policy that:
- Is appropriate to the purpose of the organization
- Provides a framework for setting AI objectives
- Includes a commitment to satisfy applicable requirements
- Includes a commitment to continual improvement of the AIMS
The AI policy shall:
- Be available as documented information
- Be communicated within the organization
- Be available to interested parties, as appropriate
- Policy: High-level statement of intent and direction (WHAT and WHY)
- Procedure: Detailed steps for implementation (HOW)
The AI policy should be strategic, not operational. It sets direction without prescribing detailed processes.
AI Policy Content
| Element | Description | Example Statement |
|---|---|---|
| Purpose alignment | Links to organization mission | "AI supports our mission to deliver innovative financial services" |
| Scope reference | What the policy covers | "This policy applies to all AI systems within our AIMS scope" |
| Principles | Core AI governance principles | "We commit to responsible, ethical, and transparent AI" |
| Compliance commitment | Meeting requirements | "We comply with all applicable AI regulations and standards" |
| Risk management | Approach to AI risks | "AI risks are systematically identified, assessed, and treated" |
| Continual improvement | Enhancement commitment | "We continually improve our AI governance practices" |
| Accountability | Responsibility statement | "All personnel are responsible for AI governance within their roles" |
Template: AI Policy
[ORGANIZATION NAME] AI POLICY
Purpose: This policy establishes [Organization]'s commitment to the responsible development, deployment, and use of artificial intelligence systems.
Scope: This policy applies to all AI systems within the scope of our AI Management System, including [specify scope].
Policy Statements:
1. We develop and use AI systems that are safe, reliable, and aligned with our organizational values
2. We identify, assess, and manage AI-related risks throughout the AI system lifecycle
3. We ensure transparency and explainability appropriate to the context of AI system use
4. We maintain human oversight of AI systems commensurate with their risk level
5. We protect the rights and interests of individuals affected by AI decisions
6. We comply with all applicable laws, regulations, and standards
7. We continually improve our AI governance practices
Responsibilities: All personnel involved in AI activities are responsible for adhering to this policy. Specific responsibilities are defined in supporting procedures and role descriptions.
Review: This policy is reviewed annually or when significant changes occur.
Approval: [Signature, Name, Title, Date]
5.3 Organizational Roles, Responsibilities and Authorities
Requirement
Top management shall ensure that responsibilities and authorities for relevant roles are assigned, communicated, and understood within the organization. Top management shall assign responsibility and authority for:
- Ensuring AIMS conforms to ISO 42001 requirements
- Reporting on AIMS performance to top management
- AIMS Owner/Manager: Overall AIMS responsibility
- AI Risk Owner: AI risk management oversight
- AI System Owners: Accountability for specific AI systems
- AI Ethics Lead: Responsible AI principles
- Data Governance Lead: AI data quality and management
- Internal Audit: AIMS audit function
RACI Matrix for AIMS
| Activity | Top Mgmt | AIMS Owner | AI System Owner | AI Developer |
|---|---|---|---|---|
| AI Policy approval | A | R | C | I |
| Risk assessment | I | A | R | C |
| Control implementation | I | A | R | R |
| Impact assessment | I | A | R | C |
| Internal audit | I | C | C | I |
| Management review | A | R | C | I |
| Incident response | I | A | R | R |
Legend: R = Responsible, A = Accountable, C = Consulted, I = Informed
Implementation Steps
- Define AIMS roles and responsibilities
- Create or update job descriptions
- Assign specific individuals to roles
- Communicate assignments
- Document in AIMS documentation
- Review periodically
Documented Information Requirements
Required:
- AI Policy (5.2)
Recommended:
- Roles and Responsibilities Document
- RACI Matrix
- Management Commitment Evidence (meeting minutes, budget approvals)
- Organization Chart showing AIMS roles
Sample Audit Questions
5.1 Leadership and Commitment:
- How does top management demonstrate commitment to AIMS?
- What resources have been allocated for AI governance?
- How is AI governance integrated into business processes?
- How does top management communicate the importance of AI governance?
- Show me evidence of management involvement in AIMS
5.2 AI Policy:
- May I see your AI policy?
- How was the policy approved and by whom?
- How is the policy communicated to employees?
- How do you make the policy available to interested parties?
- When was the policy last reviewed?
5.3 Roles and Responsibilities:
- Who is responsible for AIMS conformance?
- How are AIMS responsibilities communicated?
- Show me how roles are documented
- Who reports AIMS performance to top management?
- How do AI system owners know their responsibilities?
Common Nonconformities
| Type | Nonconformity | How to Avoid |
|---|---|---|
| Major | No documented AI policy | Create and approve AI policy |
| Major | Policy not approved by top management | Obtain formal approval signature |
| Major | No evidence of management commitment | Document meetings, decisions, resources |
| Minor | Policy not communicated to all relevant staff | Implement communication plan |
| Minor | Roles not clearly defined | Document in RACI or responsibility matrix |
| Minor | Policy not available to interested parties | Publish on website or share on request |
| Minor | No evidence of policy review | Document annual review |
1. Top management must actively demonstrate commitment, not just approve documents
2. AI policy is mandatory documented information
3. Policy must be communicated internally and available externally
4. Roles and responsibilities must be assigned, communicated, and understood
5. Someone must be responsible for AIMS conformance and reporting to management
6. Leadership sets the tone for AI governance culture
- Know what "top management" means in ISO context
- Remember AI policy must be "available as documented information"
- Understand the difference between policy (strategic) and procedure (operational)
- Know the specific requirements for policy content
- Be able to explain how leadership commitment is evidenced
- Remember that someone must report AIMS performance to top management