The ISO 42001 AI risk management playbook

An opinionated playbook for operationalising AI risk under ISO 42001 — the AI-specific threat taxonomy your register is missing, a scoring approach that works when likelihood is unknowable, and how the standard fits with ISO 27001 and the EU AI Act.

Michael McCarroll 18 min read Updated June 2026

Why AI broke the existing risk taxonomy

Information-security risk registers were built around a threat model where the attacker is external, the asset is data, and the control is a technical safeguard. AI changes all three. The "attacker" is sometimes the model itself producing a confidently wrong answer. The "asset" includes training data, model weights, prompts and outputs. The "control" is increasingly a human-in-the-loop check or a guardrail policy, not a firewall rule.

Bolting AI onto the existing cyber risk taxonomy hides the new risks. A risk titled "AI hallucination" that lands alongside "Phishing of finance team" loses both the specificity and the scoring discipline that 42001 demands. AI needs its own family in your taxonomy, with its own sub-categories and its own scoring sub-criteria.

An AI-specific threat taxonomy

The seven families we use with clients running ISO 42001 alongside ISO 27001:

Family | Example risks | Primary treatment lens
Model behaviour | Hallucination, bias, unsafe content, refusal failure | Evaluation, guardrails, human review
Model lifecycle | Drift, performance decay, undocumented fine-tunes | Monitoring, retraining cadence, change control
Data | Training-data leakage, PII in prompts, copyright | Data governance, DLP, contractual
Adversarial | Prompt injection, jailbreaks, data poisoning | Input/output filtering, red-teaming
Governance | Shadow AI, unsanctioned use, decision accountability | Acceptable-use policy, sanctioned-tools list
Vendor & supply chain | Foundation-model dependency, sub-processor opacity, model deprecation | Multi-vendor design, contractual SLAs, exit plans
Regulatory & reputational | EU AI Act non-conformity, discriminatory outcomes, transparency failures | Conformity assessment, DPIA/FRIA, disclosure

Adopt all seven families even if you only use AI in two places today. The taxonomy is what makes future risks land cleanly in the register instead of being misfiled under "IT".

Scoring AI risks on a 5×5 when likelihood is unknowable

The conventional 5×5 asks: how likely is this to happen in the next 12 months? For model hallucination that question is meaningless — it happens on every other request at some baseline rate. The trick is to replace likelihood with a rate-per-opportunity proxy that maps cleanly to the 1–5 scale.

Step 1: Pick the right denominator

For each AI risk family, choose the natural opportunity count: requests served, decisions made, training cycles run, vendor releases shipped. The denominator is what makes the rate comparable across risks.

Step 2: Define the 1–5 likelihood bands as rates

Example for model hallucination on customer-facing output: 1 = <0.1% of responses flagged, 2 = 0.1–0.5%, 3 = 0.5–2%, 4 = 2–10%, 5 = >10%. The numbers come from your evaluation harness, not from a workshop.

Step 3: Score impact in business terms, not technical terms

Impact still uses the standard register criteria (financial, regulatory, reputational, operational, safety). What changes is that "safety" and "regulatory" carry more weight for AI risks than for typical cyber risks, because the EU AI Act and equivalent regimes attach personal-rights consequences.

Step 4: Re-score on every meaningful change

A new model version, a new fine-tune, a new use case, a vendor policy change — each is a trigger to recalculate residual risk. AI risks are not stable; the register cannot pretend they are.
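The four steps above, carried through in code as an added example (this is not the playbook's own tooling). It maps an evaluation-harness count onto the hallucination bands from step 2 using exact fractions so boundary rates such as exactly 0.1% or exactly 10% land in the intended band, refuses to score when no opportunities have been observed, and keeps a re-scoring trail per trigger. The band boundary convention (lower-inclusive, with exactly 10% still band 4), the impact rule (highest criterion after a +1 uplift for safety and regulatory), the 5×5 rating thresholds and the harness figures are all assumptions constructed for the illustration.

```python
"""Rate-per-opportunity likelihood scoring for an AI risk register (added example)."""
from dataclasses import dataclass, field
from fractions import Fraction

# Step 2: hallucination bands for customer-facing output, as (upper bound, band).
# Bands are lower-inclusive (assumption); everything above 10% is band 5.
HALLUCINATION_BANDS = (
    (Fraction(1, 1000), 1),   # < 0.1% of responses flagged
    (Fraction(5, 1000), 2),   # 0.1% - 0.5%
    (Fraction(2, 100), 3),    # 0.5% - 2%
    (Fraction(10, 100), 4),   # 2% - 10% (10% exactly stays here)
)

IMPACT_CRITERIA = ("financial", "regulatory", "reputational", "operational", "safety")
# Step 3: safety and regulatory carry more weight for AI risks. A flat +1 uplift
# (capped at 5) is an assumption; a real register would set its own weighting.
AI_IMPACT_UPLIFT = {"safety": 1, "regulatory": 1}


def likelihood_band(flagged: int, opportunities: int, bands=HALLUCINATION_BANDS) -> int:
    """Map an observed rate (flagged / opportunities) onto the 1-5 likelihood scale."""
    if opportunities <= 0:
        # No opportunities means the harness has not run: refuse to guess a score.
        raise ValueError("no opportunities observed: likelihood cannot be scored")
    if not 0 <= flagged <= opportunities:
        raise ValueError("flagged count must lie between 0 and opportunities")
    rate = Fraction(flagged, opportunities)  # exact, so 5/5000 == 0.1% precisely
    for upper, band in bands:
        if rate < upper:
            return band
    # The top listed band keeps its upper bound; only rates strictly above it are 5.
    return bands[-1][1] if rate == bands[-1][0] else 5


def impact_score(criteria: dict, uplift=AI_IMPACT_UPLIFT) -> int:
    """Impact = highest criterion score (1-5) after the AI uplift, capped at 5."""
    unknown = set(criteria) - set(IMPACT_CRITERIA)
    if unknown or not criteria:
        raise ValueError(f"impact criteria must be a non-empty subset of {IMPACT_CRITERIA}")
    if any(not 1 <= s <= 5 for s in criteria.values()):
        raise ValueError("each impact criterion is scored 1-5")
    return max(min(5, score + uplift.get(name, 0)) for name, score in criteria.items())


def rating(score: int) -> str:
    """Illustrative 5x5 thresholds (assumption): 1-4 low, 5-9 medium, 10-15 high, 16-25 critical."""
    if score >= 16:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


@dataclass
class Snapshot:
    trigger: str
    likelihood: int
    impact: int
    score: int
    rating: str


@dataclass
class AIRisk:
    title: str
    family: str          # one of the seven taxonomy families
    denominator: str     # step 1: the opportunity count the rate is measured against
    history: list = field(default_factory=list)

    def rescore(self, trigger: str, flagged: int, opportunities: int, criteria: dict) -> Snapshot:
        """Step 4: every meaningful change recalculates the score and keeps the trail."""
        lk = likelihood_band(flagged, opportunities)
        im = impact_score(criteria)
        snap = Snapshot(trigger, lk, im, lk * im, rating(lk * im))
        self.history.append(snap)
        return snap

    @property
    def current(self):
        return self.history[-1] if self.history else None


def demo() -> AIRisk:
    """Constructed harness figures for one customer-facing assistant (not real data)."""
    risk = AIRisk("Hallucination in customer-facing answers", "Model behaviour", "responses served")
    impact = {"financial": 2, "regulatory": 3, "reputational": 3, "operational": 2, "safety": 1}
    # Monthly readout on model v1: 38 of 5,000 sampled responses flagged (0.76%, band 3).
    risk.rescore("monthly evaluation readout, model v1", 38, 5000, impact)
    # Vendor ships v2; the same harness now flags 530 of 5,000 (10.6%, band 5): re-score.
    risk.rescore("vendor shipped model v2", 530, 5000, impact)
    return risk


if __name__ == "__main__":
    for snap in demo().history:
        print(f"{snap.trigger}: L{snap.likelihood} x I{snap.impact} = {snap.score} ({snap.rating})")
```

The same `likelihood_band` works for any family once the denominator changes: drift alerts per month of monitoring, or human overrides per decision, each with its own band table passed in as `bands`.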

Mapping ISO 42001 to ISO 27001

The standards are designed to coexist. Annex A of ISO 42001 contains 38 controls; many overlap meaningfully with ISO 27001 Annex A, and the rest sit in the gap that 27001 was never designed to cover. A pragmatic mapping:

ISO 42001 area | Reuse from ISO 27001 | New 42001-specific work
Leadership & policy | Top-level policy framework, roles | AI policy, AI ethics statement, AI roles & RACI
Risk management | 5×5 method, register, treatment workflow | AI-specific taxonomy, rate-based likelihood, fundamental-rights impact
Operational controls | Access, change, supplier, incident | Data governance for AI, model lifecycle, human oversight, transparency
Performance evaluation | Internal audit, management review | Model evaluation reports, bias and fairness testing
Improvement | Nonconformity & CAPA | AI-incident reporting, post-deployment monitoring

Where the EU AI Act lands on top

The EU AI Act categorises systems as unacceptable, high-risk, limited-risk or minimal-risk. For any high-risk system, the Act expects a documented risk-management process, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy/robustness/cybersecurity controls, and post-market monitoring. ISO 42001 gives you the management-system scaffold for almost all of it.

The practical 2026 pattern we recommend:

  • One AIMS built to ISO 42001 covers the whole organisation.
  • Per-system records sit inside the AIMS: classification under the Act, FRIA where required, evaluation reports, change log.
  • Risks roll up from each system into the corporate register so leadership sees the AI risk picture in one place.

The five-meeting cadence we recommend

Step 1: Weekly — AI change review

15 minutes. New AI use cases, new prompts in production, vendor model updates. Decide what enters the register.

Step 2: Fortnightly — risk review

30 minutes. Walk the AI risk family. New risks, residual movements, overdue treatments. Same agenda as the wider risk review; AI gets its own slot.

Step 3: Monthly — evaluation readout

60 minutes. Eval harness results, drift metrics, human-override rates per system. Updates the rate-based likelihood scores in the register.

Step 4: Quarterly — vendor & dependency review

60 minutes. Foundation-model roadmap changes, deprecations, pricing, sub-processor changes. Re-test the exit plan for the top-three model dependencies.

Step 5: Annual — AIMS management review

Formal ISO 42001 management review. Programme effectiveness, audit findings, regulatory landscape, resourcing.

Run ISO 42001 risk management without inventing a new register

ISO-STANDARD.app supports the AI-specific taxonomy, rate-based likelihood scoring, asset-linked AI systems and the cross-mapping to ISO 27001 — so your AIMS and ISMS share one register instead of fighting over it.

ISO-STANDARD.app ships a ready-to-adopt ISO 42001 AI management workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.

Prefer a conversation? Email hello@iso-standard.app — a real human responds within one business day.

Frequently asked questions

Do I need ISO 42001 if I already have ISO 27001?
ISO 27001 covers information security for AI systems (the confidentiality, integrity and availability of data and models). ISO 42001 covers the management of AI itself — fairness, transparency, human oversight, lifecycle accountability. They are complementary, not duplicative. If you build, deploy or significantly customise AI systems, 42001 is the right standard to add on top of 27001.
How do I score 'likelihood' for an AI risk like model drift or hallucination?
You do not — at least not the way you score a phishing attack. Use frequency proxies instead: how often does the model produce a flagged output per 1,000 requests, how often does a drift alert fire per month, how often does a human reviewer override the model. Likelihood becomes 'rate per opportunity', and the 5×5 still works.
Where do shadow AI and unsanctioned AI use sit in the register?
They sit as their own risk family under AI governance, not as an IT or HR risk. The threat is staff feeding sensitive data into consumer LLMs, building unofficial agents on top of corporate data, or making material decisions using ungoverned models. Treat with an acceptable-use policy, a sanctioned tools list, network controls, and a regular discovery scan.
How does the EU AI Act interact with ISO 42001?
The EU AI Act is the law; ISO 42001 is one of the management-system standards that helps you demonstrate compliance with it. A documented 42001 AIMS, applied to a high-risk AI system, gives you most of the governance, risk-management, data-governance and human-oversight evidence the Act expects. It is not automatic conformity — it is well-aligned ground.
What is the single biggest AI risk gap you see in 2026 risk registers?
Vendor model dependency. Organisations are deeply embedded in third-party foundation models (OpenAI, Anthropic, Google, Meta) whose pricing, terms, availability and behaviour they cannot control. This is a strategic and operational risk that almost no register captures — until the vendor changes a policy and a critical workflow breaks overnight.
