Conducting a gap analysis

Conducting a gap analysis for ISO/IEC 42001 is a structured way of understanding how responsibly your organization designs, deploys, and governs AI today—and how far that reality is from what the standard expects. A strong gap analysis sets the tone for the entire AI management system. If done properly, it becomes the backbone of your implementation plan and your strongest defense during certification audits. 1. Define the scope of the gap analysis Start by clearly defining what the AI management system will cover. This includes identifying the legal entities, teams, and business functions involved in designing, developing, deploying, or using AI. It also requires identifying all AI systems in scope, including internally built models, third-party AI tools, and embedded AI features. 2. Establish the current state of AI governance and operations Assess how AI is currently governed and operated across the organization. This involves reviewing existing policies, procedures, risk management practices, development workflows, and operational controls that relate to AI, even if they were not explicitly designed for ISO 42001.
Interviews with engineering, product, legal, security, and business stakeholders are essential to understand how controls work in practice. The focus at this stage is on accuracy, not maturity. Informal or inconsistent practices should be captured as they are. 3. Map existing practices to ISO/IEC 42001 requirements Compare the current state against the requirements of ISO/IEC 42001, including both the management system clauses and the AI-specific control expectations. The objective is to determine whether existing practices achieve the intent of the standard, not whether they match its language. 4. Identify and classify gaps Identify gaps where requirements are not met, only partially met, or met inconsistently. Gaps should be classified based on their nature, such as the absence of controls, weak governance, inadequate documentation, or ineffective implementation. This classification helps distinguish between low-effort hygiene issues and structural gaps that require process or organizational change. 5. Assess the risk and impact of each gap Evaluate each identified gap in terms of potential harm, regulatory exposure, and business impact. Gaps affecting high-impact or externally facing AI systems typically carry a higher risk than gaps related to internal documentation or tooling. 6. Document evidence, assumptions, and rationale For each assessment area, record the evidence reviewed, the assumptions made, and any professional judgment applied. This is especially important where requirements are interpreted based on organizational context or AI use cases. 7. Consolidate findings into a usable gap analysis output Summarize findings in a clear, structured format that shows the current state, identified gaps, associated risks, and recommended next steps. The output should be easily consumable by both technical and non-technical stakeholders.