TL;DR: Enterprises are spending 37% more time on AI risk management than last year as ownership gaps, manual evidence gathering, and rising audit expectations slow governance at the pace AI now demands, according to OneTrust. ISO 42001 is becoming the practical test of whether AI programmes can produce trustworthy, traceable, and accountable controls without stalling delivery.
NHIMG editorial — based on content published by OneTrust: Scale AI Responsibly Through ISO 42001 Readiness With OneTrust + AWS
By the numbers:
- Recent research shows a 37% increase in time spent managing AI risk compared to last year, driven by unclear ownership, inconsistent processes, and mounting audit expectations.
- Across 1,250 IT leader responses, one theme stands out: legacy governance cannot keep up with AI, according to OneTrust's 2025 AI-Ready Governance Report.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: How should organisations prepare AI programmes for ISO 42001 readiness?
A: Start by defining ownership, evidence, and review workflows before chasing certification.
Q: Why do AI governance programmes fail when they rely on manual evidence collection?
A: Manual evidence collection breaks at scale because it fragments the record across tools and teams, which slows audits and weakens accountability.
Q: How do security teams know if AI governance is working?
A: Look for evidence that access decisions are reviewable, permissions are revocable, and exceptions are not becoming permanent.
Practitioner guidance
- Build AI governance workflows that emit evidence automatically Replace manual screenshots and ad hoc documentation with workflows that capture approvals, lineage, monitoring outputs, and policy decisions as part of normal operation.
- Assign explicit ownership for AI policy decisions Define who approves model use, who reviews exceptions, who signs off on evidence, and who owns remediation when controls fail across business, security, and risk teams.
- Link technical AI controls to governance records Connect model evaluation, guardrails, observability, and secure agent development to policy artefacts so every operational control can be traced to an accountability record.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- AWS and OneTrust control mappings for ISO 42001 readiness across technical and governance workflows
- Examples of model cards, AI Bills of Materials, and audit evidence automation in the source article
- The specific readiness challenges the vendor says arise at ad hoc, defined, integrated, and scaled maturity stages
- How the OneTrust and AWS integration is positioned to reduce manual documentation and approval bottlenecks
👉 Read OneTrust's analysis of ISO 42001 readiness for AI governance →
ISO 42001 readiness and AI governance gaps: what teams are missing?
Explore further
ISO 42001 readiness is really a governance consistency problem, not a certification problem. The article shows that organisations are not struggling because the standard is vague, but because ownership, evidence, and review are fragmented across teams. That fragmentation is what turns AI governance into manual overhead instead of a control system. Practitioners should treat ISO 42001 as a test of operating discipline, not a badge to chase.
A question worth separating out:
Q: Who is accountable when an AI system moves data outside policy?
A: Accountability should sit with the team that owns the AI workflow, the data it touches, and the credentials that enable it. If governance stops at authentication, ownership becomes blurred. Clear accountability means mapping the data path, the action scope, and the approving function before deployment.
👉 Read our full editorial: ISO 42001 readiness exposes the gap between AI speed and governance