ISO 42001 in practice: how we govern AI in Inagent

Date of publication: 17/6/2026

There is already a lot of content about ISO 42001, but most of it sounds the same. Many articles explain what the standard is, list clauses, summarize annexes, or translate its requirements into a blog format. That can be useful, but it does not always answer a more important question for companies evaluating artificial intelligence solutions: what does it actually mean to apply ISO 42001 to a real product, in production, operated by customers?

At Inconcert, we became certified in ISO/IEC 42001 from a very specific position: we are an AI provider. We develop, implement, and operate Inagent, our AI agent solution for customer service, sales, collections, and CX operations. Then, our customers deploy those virtual agents in their own environments to interact with end users.

That position completely changes the way we approach the standard, because it requires us to demonstrate that we govern a technology other companies incorporate into sensitive processes, with a direct impact on customers, teams, data, costs, efficiency, and reputation.

What is ISO 42001 and why does it matter for AI solutions?

ISO/IEC 42001 is the international standard that defines the requirements for establishing, implementing, maintaining, and continuously improving an Artificial Intelligence Management System, also known as an AIMS. It is designed for organizations that develop, provide, or use AI-based products and services.

In practice, ISO 42001 certification helps demonstrate that an organization does more than talk about responsible AI. It shows that the organization has processes, controls, responsibilities, documentation, and continuous improvement mechanisms in place to govern it.

This is especially important when evaluating the implementation of an enterprise AI agent solution. For a CEO, CFO, CIO, or legal team, the question goes beyond whether the AI agent works. What matters is whether the solution is controlled, whether human oversight exists, how data is managed, what risks have been assessed, what usage limits have been defined, and what evidence the provider can offer.

Inconcert is certified in ISO/IEC 42001 as an AI provider, applying this management system to Inagent, its enterprise AI agent platform. That is why we want to share what we have learned by applying ISO 42001 in a production environment, with an evolving AI agent platform, real customers, and decisions that cannot remain just a statement of good intentions.

Governing AI is much more than keeping paperwork in order

ISO/IEC 42001 was published in December 2023 and shares a structure with well-known management standards such as ISO 27001 and ISO 9001. That makes part of the work easier, because there is a common logic. In our case, we were already working with frameworks such as ISO 27001 and PCI DSS, so part of the path was already mapped out.

In this sense, the ISO 42001 standard requires organizations to explain, with clear criteria and in operational terms, how they govern their AI systems throughout their entire life cycle, assessing AI-specific risks such as:

  • The opacity of AI models, including LLMs.  
  • Shared responsibility with third parties.  
  • The scope of human oversight.  
  • The impact on people.  
  • Unintended uses.  
  • Data quality and processing.  
  • AI bias management.  
  • Transparency toward stakeholders.  

This governance is also structured through a very specific framework:

  • ISO/IEC 42001 follows the continuous improvement cycle with 10 main clauses, from organizational context and leadership to planning, support, operation, performance evaluation, and continual improvement. In addition, there are two especially relevant normative annexes: Annex A, with control domains, and Annex B, with implementation guidance for those controls.  
  • Another key ISO 42001 document is the Statement of Applicability, or SoA. It explains which controls apply, which do not, why, and how each decision connects to the risks identified. It shows whether the company has truly understood the standard or has simply tried to check the box.  

How ISO 42001 translates into Inagent, our AI agent platform

ISO 42001 certification is directly connected to how we design, operate, and improve Inagent:

AI governance

  • What ISO 42001 requires: Define responsibilities, policies, and controls.
  • How we apply it in Inagent: Documented management model for the design, operation, and improvement of Inagent.

Data management

  • What ISO 42001 requires: Manage quality, origin, preparation, and intended use.
  • How we apply it in Inagent: Separation between vector database, configuration, conversational events, and analytical data.

Impact on people

  • What ISO 42001 requires: Analyze effects on individuals, groups, and stakeholders.
  • How we apply it in Inagent: AIIA reviewed periodically as a living document.

Intended use cases and transparency

  • What ISO 42001 requires: Communicate limits, capabilities, and reporting channels.
  • How we apply it in Inagent: Documentation on intended uses, unintended uses, and potential impacts.

Human oversight

  • What ISO 42001 requires: Define when and how a person should intervene.
  • How we apply it in Inagent: Escalation rules, monitoring, and Agent Quality Management.

Providers

  • What ISO 42001 requires: Control responsibilities across the third-party chain.
  • How we apply it in Inagent: Evaluation of models, infrastructure, and shared responsibilities.

1. AI governance: the example of Inagent’s multilingual system

One of our clearest learnings came from analyzing multilingual operations. Inagent handles more than 200 languages and regional variations, which creates a real governance requirement. A response that feels natural in one culture may be inappropriate in another. Tone, expressions, user expectations, and interpretation risks all change.

That is why we look at the complete process:

  1. How the agent is configured.
  2. What rules are assigned to it.
  3. What tools it can activate.
  4. What logic it follows to resolve an interaction.

Across that process, we analyze how to:

  • Anticipate real-world scenarios.
  • Review configurations.
  • Adjust prompts.
  • Detect failures.
  • Understand how the impact of an interaction may vary depending on context.

As a provider of an AI agent platform, our obligation is to manage the entire process of creating and managing each virtual agent with rigor.

2. Data management in Inagent: not all information carries the same weight

When documenting Inagent within the Artificial Intelligence Management System, we realized it did not make sense to talk about “data” as a generic concept. In reality, we work with different data sets, each with its own owner, function, risk, and quality logic. These include:

  • A vector database: owned by the customer and used to feed the agent’s knowledge.
  • Virtual agent configuration data: where prompts, proprietary templates, and customer-specific settings coexist.
  • Real-time conversation events: Inagent stores conversation history for monitoring.
  • Historical data: used to feed analysis, metrics, and KPIs in the Data Lake.

ISO 42001 requires method. That means that, in our auditable data model, each type of data must be managed according to its origin, preparation, consistency, potential biases, purpose, and suitability for its intended use.

3. The impact of AI agents on people

One of the most valuable aspects of ISO 42001 is that it distinguishes between risk to the organization and impact on people. A company may have its internal risks under control and still fail to properly assess the effect its AI system can have on end users.

The AI system impact assessment, known as AIIA, looks outward. Its goal is to anticipate what may happen to an individual, a group, or society when the system is deployed and starts operating.

In a conversational AI model like Inagent, this requires asking very specific questions:

  • What happens if the agent provides incorrect information about a service?
  • What happens if a customer needs human assistance and the system does not detect it in time?
  • Could a configuration create unequal treatment depending on context?
  • What impact would a misinterpretation have in a sensitive process?

That is why our team reviews Inagent’s AIIA on a recurring basis, assessing benefits and potential harm for the parties involved. We do not treat it as a document stored away for an annual audit, but as a living document that must evolve at the same pace as the product.

4. Intended use cases in Inagent and defining limits for AI agents

ISO 42001 requires organizations to document intended uses as well as unintended uses. In our case, that means making it clear that the solution is not designed to replace critical human decisions, perform automated medical diagnoses, or operate autonomously in sensitive environments without proper oversight.

Defining these limits affects how we explain the product, how we configure it with customers, and how we understand responsibilities, because not everything that is technically possible is necessarily acceptable within a responsible AI model.

5. Collaboration between AI agents and people: human oversight

Human oversight is one of the most important concepts in AI governance. ISO 42001 requires organizations to define oversight mechanisms, document them, and demonstrate that they are effective.

In Inagent, this oversight is supported by real-time monitoring and control tools. It is also reflected in capabilities such as Agent Quality Management, which makes it possible to review conversations, detect complex situations, and enable human intervention when the context requires it.

The key is to integrate the AI agent into a defined, measurable, and reviewable process. Teams need to know:

  • When a conversation is transferred.
  • Who can intervene.
  • How the intervention is recorded.
  • How the system is improved based on that information.

6. Managing LLMs in Inagent’s AI Engine: third-party models, our own controls

Inagent relies on third-party language models. At Inconcert, we do not train those models from scratch. Instead, we integrate them into a specific architecture with clearly defined controls and responsibilities. This raises a critical question: how do we ensure that the providers in the chain manage their risks at the same level we commit to with our customers?

The answer lies in provider evaluation, contractual definition of responsibilities, control reviews, and documenting findings within the impact assessment. The AI chain is long:

  1. Model creator.
  2. Infrastructure provider.
  3. Solution provider.
  4. Customer deploying the system.
  5. End user interacting with it.

ISO 42001 helps organize that chain and turn it into a more transparent and auditable model.

Why ISO 42001 certification matters to our customers

For our customers, having ISO 42001 certification demonstrates that Inconcert applies a real governance model to Inagent. It means that:

  • We clearly understand our responsibilities as an AI provider.
  • We define red lines for use.
  • We assess risks and impact.
  • We document how data, providers, and controls are managed.
  • We activate human oversight when necessary.
  • This entire model is reviewed continuously.

In Inagent, this governance translates into enterprise AI agents capable of automating customer service and sales processes without giving up operational control. Teams can define rules, manage orchestration, supervise conversations, and maintain human intervention whenever the context requires it.

Request a demo and explore Inagent in depth.

Frequently asked questions about ISO 42001

ISO/IEC 42001 is the international standard for artificial intelligence management systems. It defines requirements for establishing, implementing, maintaining, and improving a secure AI governance model within an organization.
It helps demonstrate that an organization has policies, processes, controls, responsibilities, and continuous improvement mechanisms in place to manage AI in a responsible, secure, and auditable way.
It applies to companies that develop, provide, or use artificial intelligence-based products and services. This includes both AI providers and companies that deploy AI within their own operations.
Because it helps distinguish between providers that only offer AI capabilities and providers that can demonstrate how they govern, supervise, and control their systems. For business-critical processes, that difference is key.
In Inagent, ISO 42001 is applied through a governance model that includes risk and impact assessment, data management, definition of intended and unintended uses, human oversight, provider control, and continuous improvement of the system.