Artificial intelligence (AI) has moved beyond being a future promise, it has become an operational reality within IT Managed Support services. We now classify incidents using machine learning (ML), resolve queries with chatbots, and use algorithms to predict capacity. However, do we have a formal framework for managing these systems with the same rigor that we apply to our services? ISO/IEC 42001 directly addresses this question by outlining how to manage AI systems with responsibility, traceability, and control.


What is ISO/IEC 42001?

ISO/IEC 42001 is the first international standard to specify requirements for an Artificial Intelligence Management System (AIMS). Its purpose is not to define how AI is built, but rather how an organization governs it—through clear policies, risk assessment, operational controls, and continuous improvement.

Published in December 2023, this standard adopts a high-level structure like other widely recognized standards—such as ISO 9001, ISO 27001, and ISO 20000-1—making it easier to integrate into existing management systems for organizations providing IT services.


Structure of the Standard

ISO 42001 comprises ten clauses and four annexes, including two normative and two informative. The first three clauses serve as an introduction, offering general information, glossaries, and guidance to facilitate a thorough understanding of the standard. Clauses 4 through 10 detail the auditable requirements for AI Management Systems (AIMS) and are structured according to the Plan-Do-Check-Act (PDCA) continuous improvement cycle.

Image
clasue-1-scope-who-it-applies-to-how-it-applies-and-how-it-can-be-used.png

Applicability in Managed Support and ITSM

AI has now become an integral component of the Managed Support value chain. The key question is not whether these systems should be managed, but how to effectively manage them with traceability and appropriate controls.  ISO 42001 provides the necessary framework for this purpose. Its applicability within IT Service Management (ITSM) can be assessed through four complementary dimensions: the types of AI being used, the roles being performed, the processes in which they are integrated, and the associated risks that must be adequately controlled.

 

1. Types of AI Applied to Managed Support Services

Not all AI used in ITSM is created equal. Before governing it, it is advisable to identify the specific type of system being operated, as each presents distinct risks and requirements under ISO 42001

Image
ISO Alignment Media 5

Each type of AI requires a specific impact assessment (refer to Annex A.4) and a distinct set of controls. For instance, a large language model (LLM) that generates responses for end users needs controls for transparency (A.7) and data quality (A.6) that differ significantly from those required for a machine learning model (ML) that predicts internal change risks.

 

2. The Three Roles of Managed Support in the Face of AI

ISO 42001 recognizes that an organization may engage with AI in three distinct ways, and compliance requirements are tailored according to these roles:

  • Provider: Develops and markets AI systems.
  • Operator: Deploys third-party AI systems within its services.
  • User: Uses AI tools internally for its operations.

An IT service provider, such as Managed Support, simultaneously fulfills three critical roles: it leverages artificial intelligence to automate internal processes, implements AI solutions within client environments, and develops tailored AI capabilities. This multi-faceted approach enhances operational efficiency and supports client success.

A key component of Annex A is the AI system impact assessment (Control A.4 / Clause 8.4), which must be performed prior to deploying any AI system and reviewed periodically to identify potential effects on individuals, groups, and society.

Image
ISO Alignment Media 5


3. AI in ITSM Processes: Where and How the Standard Applies

Below is a detailed table illustrating how AI is deployed within key Managed Support processes, along with the ISO 42001 controls applicable in each case

Image
ISO Alignment Media 3

 

4. Shadow AI: The Invisible Risk in Managed Support

One of the most critical—and often overlooked—risks for Managed Support teams is Shadow AI: the use of AI tools by technicians, support agents, and service managers without the knowledge or formal authorization of the IT department or the client.
Common examples include: a support agent copying an incident log into ChatGPT to obtain a quick resolution suggestion; a service manager pasting the contents of a monthly report into an LLM to generate an executive summary; or a technician using an AI-powered coding assistant to automate a routine task. Each action appears harmless—yet, collectively, they represent an uncontrolled data leak and the use of AI outside the scope of the AIMS.

WHY IS IT ESPECIALLY SERIOUS IN MANAGED SUPPORT?

  • Customer Data: Tickets, logs, configurations, and reports contain confidential information about our clients' environment. Processing this data with external language models (LLMs) without a proper contract would violate confidentiality agreements and potentially breach the General Data Protection Regulation (GDPR).
  • Lack of Impact Assessment: "Shadow AI" systems have not undergone the mandated impact assessment process (A.4) as outlined in ISO 42001.  This means a lack of information about how the model processes the data, what other data it was trained on, or whether its outputs may contain biases.
  • Lack of Vendor Management: Using free or freemium AI tools involves working with unvetted vendors (A.9). The terms of service for many free services allow the use of user inputs to retrain their models.
  • Diffuse Accountability: If a root cause analysis generated by Shadow AI leads to an incorrect decision resulting in a major incident, who will be held accountable? ISO 42001 requires that the chain of accountability be clearly defined and documented.

ISO 42001 addresses this risk directly through Clause 5 (AI Policy), Clause 7 (Awareness and Competence), and Annex A.2 (AI Usage Policies). The standard requires the organization to establish explicit rules regarding which AI tools may be used, by whom, in which contexts, and with what data.

PRACTICAL ACTIONS TO CONTROL SHADOW AI IN MANAGED SUPPORT TEAMS

  1. Inventory of AI in use: Conduct an honest review of what tools the team is currently using, including unauthorized ones.
  2. Acceptable Use Policy for AI: define which tools are approved, what types of data can be processed in each one, and what is prohibited.
  3. Catalog of approved AI: provide secure corporate alternatives for the team’s legitimate needs.
  4. Training and awareness: explain to the team why Shadow AI is a real risk—not to ban AI, but to use it properly.
  5. Process for requesting new tools: create an agile channel so the team can propose and evaluate new AI tools. 

 

Integration with ITIL® and ISO 20000-1

ISO 42001 does not replace ITIL or ISO 20000; rather, it complements them by adding a layer of governance specifically for AI systems that are already—or will soon be—part of the managed services architecture.
For organizations already operating under the ISO 20000-1 standard, integration with ISO 42001 is a natural fit.  Annex D of the standard explicitly guides this coexistence. The most direct points of integration are:

  • AI risk management (Clause 6) integrates with the service risk management defined in ISO 20000.
  • The AI system lifecycle (A.5) aligns with the service lifecycle in ITIL.
  • AI performance metrics (Clause 9) are incorporated into the service KPI dashboard.
  • AI supplier management (A.9) integrates into the service supply chain management.
     

A Practical Case: The Service Desk Virtual Agent

To demonstrate how the requirements of ISO 42001 are implemented in practice, let’s consider the deployment of an AI-powered virtual assistant for handling a client's first-line support. In this scenario, we operate as operators under ISO 42001, and the deployment activates multiple clauses simultaneously:

ISO 42001 CHECKLIST FOR A VIRTUAL AGENT IN THE SERVICE DESK

  1. Clause 6: Assess risks — what happens if the virtual agent provides incorrect information to an end user?
  2. Annex A.4: Impact assessment — user data, potential biases, affected groups.
  3. Clause 7 / A.3: Train the support team in the supervision and escalation of AI interactions.
  4. Annex A.7: Inform end users that they are interacting with an AI system (mandatory transparency).
  5. Annex A.9: Manage the contractual and security relationship with the language model provider.
  6. Clause 9: Monitor metrics for accuracy, escalation rate, satisfaction, and bias detection.
  7. Clause 10: Establish a continuous improvement process for incidents or non-conformities involving the virtual agent.
     

Conclusion

The integration of AI in Managed Support services is not just a future trend; it is already a part of our current projects. ISO/IEC 42001 offers us the necessary vocabulary, framework, and controls to effectively manage this integration, just as we do with availability, security, and service continuity.

Adopting ISO 42001 does not mean stopping innovation. It means innovating with traceability, with accountability to the client, and with the confidence that our AI systems are being systematically monitored and improved.

As ITSM professionals, we already know that well-managed processes build trust. Now, it is time to apply that same logic to AI.

 

References 

Connect with
our experts.

Looking for your next opportunity? View our jobs!

Locations.

×