
What ISO/IEC 42001 asks of you
In my last article I wrote about Agent-to-Agent communication in Copilot Studio, and how multi-agent systems make it harder to explain who decided what when something goes wrong. A few people asked the obvious follow-up question. If the risk is real, what is the actual framework for managing it?
The honest answer for most organisations is ISO/IEC 42001. It comes up constantly in AI governance conversations, usually as a piece of jargon rather than something people have read. So here is what it actually asks of you, without the consultant-speak.
What it is
ISO/IEC 42001 was published in December 2023. It is the first international management system standard for AI, and it is certifiable, which means an organisation can be independently audited against it in the same way it can against ISO 27001.
The thing it asks you to build is called an AI Management System, or AIMS. If that sounds abstract, it is the same idea as a quality management system under ISO 9001, or an information security management system under ISO 27001. It is a set of policies, processes, roles and records that together show your organisation runs AI deliberately rather than by accident.
If your organisation already holds ISO 27001 or ISO 9001, the shape of 42001 will feel familiar. It uses the same structure. You define your context, get leadership commitment, plan for risk, provide the right support and resources, operate, measure how you are doing, and improve. That is the whole cycle.

What it actually asks of you
Strip away the clauses and annexes, and the standard is asking you to be able to answer a handful of practical questions with evidence, not opinion.
Do you know what AI you are running? You need an inventory. Not a vague sense that "we use Copilot somewhere." A documented list of the AI systems in use, what each one is for, and who owns it. Most organisations I talk to cannot produce this on request, and that is the first gap a certification audit would find.
Has someone senior actually taken responsibility? The standard expects leadership commitment. That means an AI policy that real executives have signed off on, and named people with defined authority over AI decisions. Governance cannot sit informally with whoever happens to be enthusiastic about the technology.
Have you assessed the risk of each system? ISO/IEC 42001 takes a risk-based approach. For each AI system you need to identify what could go wrong, how likely it is, how serious it would be, and what you are doing about it. For systems that could significantly affect people, the standard calls for a deeper AI system impact assessment.
Can you explain a decision after the fact? The standard pushes hard on traceability. AI outputs, especially in high-impact decisions, need to be explainable and auditable, which in practice means keeping records of the inputs, the model or agent version, and the configuration in force at the time. If a customer challenges an outcome, you should be able to reconstruct how the system reached it rather than re-run it and hope for the same answer.
Are you actually checking, or just hoping? An AIMS is not a document you write once. The standard expects monitoring, internal audits, management reviews, and a process for handling things when they go wrong. It is a cycle, not a certificate you frame and forget.

Why this matters for Australian organisations right now
ISO/IEC 42001 is a voluntary standard. No Australian law currently forces you to hold it. But the questions it asks are about to stop being optional.
From 10 December 2026, amendments to the Privacy Act 1988 (passed in the Privacy and Other Legislation Amendment Act 2024) introduce transparency requirements for automated decision-making. Organisations that use computer programs, including AI, to make or substantially assist decisions that could reasonably be expected to significantly affect an individual's rights or interests will need to disclose that in their privacy policy, including the kinds of personal information used and the kinds of decisions involved. That is only workable if you already know which systems make such decisions and what data they consume. If you look back at the five questions above, an organisation that has genuinely worked through ISO/IEC 42001 is already most of the way to meeting that obligation. An organisation that has not is starting from zero, with a deadline.
It is also worth knowing that Microsoft 365 Copilot itself is certified to ISO/IEC 42001. That covers Microsoft's management of the underlying platform. It does not cover how your organisation chooses to deploy and govern agents on top of it: which data the agents can reach, who can publish them, and what decisions they are allowed to influence. That part is yours, and an auditor will ask for your evidence, not Microsoft's certificate.

A realistic way to start
You do not need to commit to full certification to get value from the standard. Most organisations are not ready for an audit, and that is fine.
A sensible first step is to treat the five questions above as a self-assessment. Pull together your AI inventory. Check whether anyone has actually signed an AI policy. Look at whether your higher-risk systems have a documented risk assessment. The gaps will be obvious quickly, and they tend to be the same gaps that the December 2026 Privacy Act changes will expose.
This is the work Aureus Govern was built to support. It assesses Copilot Studio agents against ISO/IEC 42001, Australia's 8 AI Ethics Principles, the Microsoft Responsible AI Standard, and the UK AI Regulation White Paper, so you get a clear picture of where you stand before the deadline rather than after it.
ISO/IEC 42001 is not really about the certificate. It is about being able to answer, honestly, whether your organisation runs AI on purpose. That is a good question to be able to answer regardless of what any regulator asks.
References
International Organization for Standardization, ISO/IEC 42001:2023 Information technology, Artificial intelligence, Management system. https://www.iso.org/standard/42001
Microsoft Learn, ISO/IEC 42001:2023 Artificial Intelligence Management System Standards, Microsoft Compliance. https://learn.microsoft.com/en-us/compliance/regulatory/offering-iso-42001
Australian Government Department of Industry, Science and Resources, Australia's AI Ethics Principles. https://www.industry.gov.au/publications/australias-ai-ethics-principles
Office of the Australian Information Commissioner, Privacy Act review and reform, automated decision-making transparency requirements. https://www.oaic.gov.au/privacy/privacy-legislation/privacy-act-review-and-reform
Microsoft, Responsible AI Standard, v2. https://www.microsoft.com/en-us/ai/principles-and-approach
Jan Davids is the Principal Consultant at Aureus Solutions, a Microsoft consulting firm based in Adelaide, South Australia. Aureus Solutions specialises in AI readiness, governance, and Microsoft platform adoption.