Understanding ISO/IEC 42001: How the Plan-Do-Check-Act (PDCA) Cycle Powers AI Governance

Written By Zoe Lowes

“AI is moving faster than your policies, and regulators are watching. The companies that master governance now will set the rules for everyone else.”

Meet ISO 42001, Your AI Governance Operating System

AI is moving fast and so are the risks. ISO/IEC 42001 is the world’s first international standard designed specifically to help organizations get ahead of AI’s challenges. Think of it as your blueprint for trustworthy AI, one that balances innovation with risk management, ethics, and compliance so you can move fast without breaking things that matter.

At its heart is the powerful Plan–Do–Check–Act (PDCA) cycle, a proven engine for continuous improvement. But here’s the twist, ISO 42001 applies PDCA directly to AI. That means you don’t just launch AI systems and hope for the best, you plan them, evaluate them, monitor them, and adapt them as risks evolve. Best of all, it integrates seamlessly with familiar frameworks like ISO 27001, so it scales with you instead of creating more complexity.

How ISO 42001 Works with ISO 27001

If your organization already follows ISO 27001 for information security, you’re halfway to ISO 42001 compliance. The two standards are built on the same Plan–Do–Check–Act cycle and share a common management system structure. This means:

  • Shared foundation: Your existing ISMS policies, risk assessment process, and governance committees can support AI risks with minimal extra effort.

  • Aligned controls: Many ISO 27001 controls (like access management, incident response, and data protection) are directly relevant to AI systems. ISO 42001 simply adds AI-specific considerations such as model governance, bias monitoring, and transparency requirements.

  • One integrated system: Rather than managing AI risk separately, you can expand your ISMS to cover AI governance, streamlining evidence collection, audits, and management reviews.

The result? AI risk management becomes part of your organization’s overall governance strategy, strengthening both security and compliance in a single, unified framework.

The Plan-Do-Check-Act (PDCA) Cycle: The Engine Behind ISO 42001

The Plan–Do–Check–Act cycle isn’t new, it’s a decades-old method originally developed for quality management. It’s been used in ISO standards like ISO 27001 (information security) for years because it works. It creates a loop of planning, executing, measuring, and improving.

ISO 42001 takes this proven approach and applies it to AI governance, turning AI oversight into a continuous improvement cycle rather than a one-time compliance task.

  • Plan: Define the scope of your AI systems, identify risks (ethical, security, compliance), and set measurable objectives.

  • Do: Implement the policies, controls, and training needed to govern AI safely and effectively.

  • Check: Monitor model performance, review risks, and run audits to see what’s working and what isn’t.

  • Act: Adjust controls, update documentation, and improve processes so your governance keeps pace with changing risks.

This cycle ensures AI governance stays relevant as your models, data, and regulations evolve, keeping your organization ahead of both risks and compliance demands. Let’s break it down. 

Plan: Laying the Groundwork for AI Governance

The “Plan” phase is where your AI governance program takes shape. You start by looking at the big picture:

  • Business context & use cases: What AI systems do you have? What problems are they solving?

  • Stakeholder expectations: What will regulators, customers, and internal teams need to see to trust your AI?

Next, you run a risk and opportunity assessment  not just for technical glitches but also:

  • Ethical risks like bias and discrimination

  • Operational risks like system failures or model drift

  • Security risks such as data breaches or adversarial attacks

  • Compliance risks tied to emerging regulations

The outcome is a clear AI governance policy that sets out your ethical principles: fairness, transparency, and accountability and defines measurable goals like bias-reduction targets or explainability benchmarks.

You also lock in KPIs, budget, and clear accountability assigning named roles like AI ethics officer or compliance lead so governance doesn’t stay on paper but becomes operational reality.

Finally, you map your risks to the 39 control objectives in Annex A of ISO 42001, covering data management, model governance, and monitoring. This becomes the blueprint you execute in the next phase.

Do: Putting Your AI Controls and Processes Into Action

The “Do” phase is where strategy becomes execution. This is where AI governance moves from paper to practice. You start by deploying the controls defined in the Plan phase. This includes:

  • Data quality management: validating datasets, tracking lineage, and ensuring they meet integrity standards

  • Model validation and testing:  stress-testing for bias, drift, security vulnerabilities, and performance under edge cases

  • Explainability and traceability: implementing logging mechanisms so AI decisions can be reviewed and explained

  • Security and resilience: hardening models, APIs, and pipelines against attacks and unauthorized access

Role-based training ensures everyone involved knows their responsibilities, understands key risks, and can spot red flags early. At the same time, comprehensive documentation is created and maintained. Every model, dataset, risk assessment, and validation result is logged, building an evidence trail that supports transparency, audits, and regulatory reviews.

Finally, real-time monitoring and feedback loops are set up to detect model drift, anomalous behavior, or ethical concerns. When issues arise, clearly defined incident response workflows route them to the AI governance team for rapid resolution. The result: governance becomes operational and measurable, with risks actively managed, not just written down.

Check: Measuring and Auditing Your AI Governance in Action

The “Check” phase is where you turn monitoring data into insight. It’s about asking: Are our controls actually working? Here’s what happens in this phase:

  • Performance & risk reviews: Evaluate your AI systems against the KPIs set during the Plan phase e.g. bias reduction targets, explainability scores, incident rates.

  • Internal audits: Conduct structured reviews to confirm that controls from Annex A are implemented correctly and consistently.

  • Drift & anomaly analysis: Use monitoring logs to detect unexpected changes in model performance, data quality, or outcomes that could introduce risk.

  • Stakeholder feedback: Collect input from users, customers, and impacted teams to surface real-world issues automation might miss.

The goal of this phase is to catch problems early before they become incidents and to build a data-driven picture of how mature and trustworthy your AI program really is.

Act: Closing the Loop and Driving Continuous Improvement

The “Act” phase is where lessons turn into lasting improvements. After monitoring and auditing results in the Check phase, this is when you step back, evaluate what worked and what didn’t, and update your AI governance program accordingly. Common activities in this phase include:

  • Updating controls and policies based on audit findings, incidents, or regulatory changes.

  • Tuning models or retraining them when monitoring reveals drift, bias, or performance degradation.

  • Refreshing risk assessments to account for new AI use cases, emerging threats, or stakeholder concerns.

  • Driving management reviews so leadership stays informed and approves key changes to your governance strategy.

The goal is simple: keep your AI systems trustworthy over time. By treating governance as a continuous cycle rather than a one-time project, you make sure your organization is ready for evolving risks, regulations, and business needs.

From Compliance to Confidence: Why Plan-Do-Check-Act Matters

The Plan–Do–Check–Act cycle’s iterative nature is especially well-suited to AI governance, given the field’s rapid evolution and inherent uncertainties. It encourages a proactive stance helping organizations anticipate and prevent problems rather than simply reacting to them.

Embedding AIMS within PDCA aligns AI governance with broader risk management and quality frameworks, optimizing efficiency while building stakeholder trust.

By adopting ISO 42001 and its AIMS framework, your organization can build AI systems that are transparent, fair, and accountable. You’ll be better equipped to manage ethical, operational, and compliance risks proactively, demonstrating to stakeholders a strong commitment to responsible AI governance.

Moreover, ISO 42001 enables seamless integration of AI governance into existing management systems and fosters a culture of continuous improvement through the PDCA cycle.

Not Sure Where to Start?

If ISO 42001 sounds like a big lift, you’re not alone, most organizations are still figuring out how to approach AI governance. To make it easier, we’ve created an ISO/IEC 42001 Readiness Assessment Checklist. Use it as a practical first step to scope your effort, prioritize actions, and start conversations with your leadership team. [Download the ISO/IEC 42001 Readiness Checklist here]

Zoe Lowes
Next

MHM Celebrates 5 Years in Business and Over 300 Clients!