Governance, Ethics and ISO/IEC 42001: How Dawgen’s AI Audit Methodologies Keep You Compliant

Artificial Intelligence is no longer confined to experimental projects or innovation labs. It now influences who gets credit, how patients are prioritised, which transactions are flagged as fraud, and how citizens access public services. As AI moves into these high-impact domains, regulators, customers, and boards are demanding something very clear:

“Show us that your AI is governed responsibly, ethically, and in line with recognised standards.”

In response, a new class of AI governance frameworks and regulations has emerged. Among the most important are:

• ISO/IEC 42001:2023 – the world’s first Artificial Intelligence Management System (AIMS) standard, specifying requirements for establishing, implementing, maintaining, and continually improving an AI management system.

• The NIST AI Risk Management Framework (AI RMF) – built around the functions Govern, Map, Measure, Manage, designed to help organisations manage AI risks throughout the lifecycle.

• The EU Artificial Intelligence Act – the first comprehensive AI law, using a risk-based classification (unacceptable, high, limited, minimal risk) and imposing stringent obligations on high-risk AI systems.

For organisations operating in or interacting with global markets, including those in the Caribbean, these frameworks are rapidly becoming the reference points for AI governance and ethics.

Dawgen Global has responded by designing proprietary methodologies—Dawgen AI Lifecycle Assurance (DALA)™, Dawgen Generative AI Controls Framework (DGACF)™, Dawgen AI Governance & Ethics Index (DAGEI)™, and Dawgen Continuous AI Monitoring & Assurance (DCAMA)™—that help clients not only meet these expectations, but use them to create strategic advantage.

This article explains:

• What ISO/IEC 42001 is and why it matters

• How Dawgen’s methodologies align with ISO/IEC 42001, the NIST AI RMF, and the EU AI Act

• How boards and executives can practically move towards standards-aligned, ethics-centred AI governance

ISO/IEC 42001: The AI Management System Standard Explained

ISO/IEC 42001:2023 is the first international standard dedicated to AI management systems. It sets out requirements and guidance for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within an organisation.

In simple terms, an AIMS is:

A structured set of policies, processes, and controls that govern how AI is developed, deployed, and used—so that it is effective, ethical, and trustworthy.

ISO/IEC 42001 follows the familiar management system structure used in other ISO standards (such as ISO 9001 and ISO 27001), with core clauses covering:

• Context of the organisation (Clause 4) – understanding internal and external issues, stakeholders, and the scope of AI use.

• Leadership (Clause 5) – top management commitment, roles, responsibilities, and AI policy.

• Planning (Clause 6) – risk and opportunity assessment, AI objectives, and planning actions.

• Support (Clause 7) – resources, competence, awareness, communication, and documented information.

• Operation (Clause 8) – operational planning and control for AI systems across their lifecycle.

• Performance evaluation (Clause 9) – monitoring, measurement, analysis, evaluation, internal audit, and management review.

• Improvement (Clause 10) – nonconformity handling, corrective actions, and continual improvement.

The goal is not merely “tick-box compliance”, but to embed responsible AI practices into the fabric of the organisation—covering ethical considerations, transparency, bias, security, and ongoing risk management.

For boards and executives, ISO/IEC 42001 offers three critical benefits:

1. A credible, recognised benchmark to show regulators, partners, and customers that AI is managed responsibly.

2. A structured way to integrate AI governance with existing risk, compliance, and quality systems.

3. A platform for continuous improvement, rather than one-off projects or fragmented controls.

The Governance and Ethics Landscape: NIST AI RMF and the EU AI Act

While ISO/IEC 42001 focuses on management systems, two other pillars shape the AI governance conversation:

NIST AI Risk Management Framework

The NIST AI RMF provides voluntary guidance for managing AI risks through four interlocking functions: Govern, Map, Measure, Manage.

• Govern – establish an AI risk-aware culture, roles, policies, and oversight.

• Map – understand AI systems, their context, and potential impacts.

• Measure – analyse and monitor AI risks and performance.

• Manage – act on insights, implement controls, and continuously improve.

The RMF emphasises that trustworthiness characteristics—such as validity, reliability, safety, fairness, privacy, security, and transparency—must be managed across the AI lifecycle, not treated as afterthoughts.

EU AI Act

The EU AI Act, in force since 2024 with phased implementation, introduces a risk-based regulatory regime:

• Unacceptable risk AI practices are prohibited (e.g., certain manipulative or exploitative systems).

• High-risk systems (e.g., credit scoring, employment, critical infrastructure, healthcare, law enforcement, some public services) face stringent obligations around data governance, technical documentation, transparency, human oversight, robustness, cybersecurity, and post-market monitoring.

• Limited and minimal-risk systems have lighter requirements, often focused on transparency.

Even organisations outside the EU can be captured if their AI systems affect individuals within the EU—especially relevant for financial services, digital services, and cross-border platforms.

Together, ISO/IEC 42001, NIST AI RMF, and the EU AI Act define a converging global expectation: AI must be subject to formal governance, risk management, and ethical controls at the same level of rigour as financial reporting or cybersecurity.

Dawgen’s Methodologies: The Bridge Between Standards and Reality

Standards and regulations can feel abstract. Dawgen Global’s proprietary AI audit methodologies are designed to turn them into concrete, auditable practices.

1. DALA™ – Dawgen AI Lifecycle Assurance Framework

DALA™ provides a seven-phase lifecycle audit framework covering:

1. Strategy & Use Case Qualification

2. Governance & Risk Context

3. Data & Model Due Diligence

4. Pre-Deployment Testing & Scenario Validation

5. Deployment, Controls Integration & Change Management

6. Real-World Monitoring & Incident Management

7. Governance, Compliance & Continuous Improvement

These phases align naturally with ISO/IEC 42001’s management system requirements (context, leadership, planning, operation, performance evaluation, improvement) and with NIST’s Govern–Map–Measure–Manage functions:

• Govern & Context (ISO 42001; NIST Govern/Map) → DALA™ Phases 0–2

• Operation (ISO 42001; NIST Map/Measure/Manage) → DALA™ Phases 3–5

• Performance Evaluation & Improvement (ISO 42001; NIST Measure/Manage) → DALA™ Phase 6

DALA™ also embeds key EU AI Act themes—such as data governance, technical documentation, robustness, post-market monitoring, and incident management—into practical audit steps for high-risk systems.

2. DGACF™ – Dawgen Generative AI Controls Framework

As generative AI proliferates, the NIST AI RMF now includes a Generative AI Profile to address risks unique to LLMs and similar systems.

Dawgen’s DGACF™ focuses on:

• Model provenance and documentation

• Use case scoping and guardrails

• Prompt, context, and output controls

• Data protection and IP/copyright management

• Human oversight and explainability

• Monitoring, metrics, and feedback loops

This framework helps organisations align their generative AI deployments with ISO/IEC 42001’s requirements for responsible AI use and with EU AI Act concerns about transparency, safety, and misuse.

3. DAGEI™ – Dawgen AI Governance & Ethics Index

DAGEI™ is Dawgen’s scoring and benchmarking tool to rate an organisation’s AI governance and ethics posture across dimensions such as:

• Governance & accountability

• Policy & standards alignment

• Data, privacy & security

• Fairness & human rights

• Operational resilience & monitoring

• Transparency & stakeholder communication

Scores can be mapped to ISO/IEC 42001 maturity, NIST AI RMF implementation progress, and EU AI Act readiness—providing a single, board-friendly view of where the organisation stands and where it needs to improve.

4. DCAMA™ – Dawgen Continuous AI Monitoring & Assurance

Finally, DCAMA™ converts one-off assessments into a managed assurance service:

• Ongoing monitoring of performance, drift, and incidents

• Periodic mini-audits of controls and governance

• Annual full DALA™ reviews and refreshed DAGEI™ scores

• Board-level reporting packs and recommendations

This is how organisations move from “we did an AI review once” to “we have an ISO/IEC 42001-style AI management system that is continuously evaluated and improved”.

Mapping ISO/IEC 42001 to Dawgen’s AI Audit Approach

To make this tangible, consider how ISO/IEC 42001’s core clauses map to Dawgen’s methodologies:

Context and Leadership (Clauses 4 & 5)

ISO/IEC 42001 requires organisations to define the context of AI use and ensure leadership commitment, roles, and policies.

Dawgen supports this through:

• DALA™ Phase 0 – Strategy & Use Case Qualification:

  • Building a Use Case Register with risk classification and regulatory heat maps.

• DALA™ Phase 1 – Governance & Risk Context:

  • Assessing AI governance structures, committees, and RACI matrices.

• DAGEI™:

  • Scoring governance and accountability maturity and highlighting leadership gaps.

This gives boards and executives a clear, structured view of where AI is used, who is accountable, and how it aligns with organisational strategy.

Planning and AI Risk Management (Clause 6)

ISO/IEC 42001 emphasises risk and opportunity assessment, and planning actions to address them.

Dawgen addresses this by:

• Creating and maintaining an AI Risk Register under DALA™.

• Aligning AI risks with enterprise risk management and model risk frameworks.

• Using DAGEI™ scores to prioritise improvement actions and roadmap initiatives.

This planning work is informed by the NIST AI RMF and EU AI Act risk-based approach, ensuring that high-risk AI systems are treated with the appropriate level of scrutiny.

Support (Clause 7): Resources, Competence, Documentation

ISO/IEC 42001 requires appropriate resources, competence, awareness, and documentation for AI.

Dawgen’s engagements typically include:

• Reviewing AI competence and training across business, risk, compliance, and technology teams.

• Evaluating documentation quality for models, data pipelines, monitoring processes, and incident handling.

• Recommending training programmes and documentation upgrades to support certification aspirations.

This ensures that AI governance is not only well-designed on paper, but also understood and executed by the people who operate it.

Operation (Clause 8): Lifecycle Control of AI Systems

Clause 8 focuses on operational planning and control—exactly where DALA™ is strongest.

• Phases 2–3: Data & Model Due Diligence, Pre-Deployment Testing & Scenario Validation

• Phase 4: Deployment, Controls Integration & Change Management

• Phase 5: Real-World Monitoring & Incident Management

Dawgen’s procedures ensure that ISO/IEC 42001 requirements for data governance, technical robustness, security, human oversight, and post-market monitoring are operationalised, particularly for high-risk use cases aligned with EU AI Act categories.

Performance Evaluation and Improvement (Clauses 9 & 10)

ISO/IEC 42001 requires monitoring, internal audits, management reviews, and continual improvement of the AIMS.

Dawgen delivers this through:

• DALA™ Phase 6 – Governance, Compliance & Continuous Improvement

• DCAMA™ – recurring monitoring, periodic reviews, and board-level reporting

• Regular updates to DAGEI™ scores and improvement roadmaps

This is where the ISO mantra of “Plan–Do–Check–Act (PDCA)” becomes real for AI: issues identified in monitoring and audits lead to corrective actions, model enhancements, and governance upgrades.

Ethics at the Core: Fairness, Transparency, and Accountability

ISO/IEC 42001 explicitly addresses AI’s unique challenges—ethical considerations, transparency, and continuous learning.

Dawgen’s methodologies embed ethics as a cross-cutting theme:

• Fairness & Bias:

  • DALA™ includes structured fairness and bias testing in pre-deployment and ongoing monitoring.

  • DAGEI™ rates organisations on fairness, human rights, and bias remediation practices.

• Transparency & Explainability:

  • DGACF™ focuses on documentation, explainability tools, and user-facing transparency (disclosures, disclaimers, model limitations).

  • DALA™ checks whether stakeholders—from front-line staff to board members—receive explanations they can actually use.

• Accountability & Human Oversight:

  • Human-in-the-loop designs are reviewed to ensure meaningful oversight, escalation paths, and contestability.

  • Governance structures ensure that someone is responsible for AI decisions, incident responses, and improvements.

This ethical foundation aligns both with ISO/IEC 42001 expectations and with EU AI Act obligations, particularly for high-risk AI systems where human oversight, documentation, and post-market monitoring are mandatory.

Practical Steps for Organisations: From Today to ISO/IEC 42001 Readiness

For many organisations—especially in emerging markets and the Caribbean—the question is:

“Where do we start, and how do we move realistically toward ISO/IEC 42001-style governance?”

A pragmatic roadmap with Dawgen Global typically looks like this:

1. AI Landscape & Gap Assessment

   • Inventory AI use cases, classify risk levels, and identify high-risk systems.

   • Perform an initial DAGEI™ assessment and DALA™ gap analysis against ISO/IEC 42001 and NIST AI RMF.

2. Governance & Policy Foundation

   • Define or refine AI policies, roles, and committees.

   • Embed AI into enterprise risk management and existing governance forums.

3. Pilot AI Audit on a High-Risk System

   • Apply DALA™ and (where relevant) DGACF™ to a priority system (e.g., credit, AML, underwriting, triage).

   • Use lessons learned to shape broader organisational practices.

4. Monitoring & Assurance Set-Up

   • Implement monitoring dashboards, drift indicators, and incident management processes.

   • Launch DCAMA™ as an ongoing assurance overlay where appropriate.

5. Scale Across Portfolio & Build Towards Certification

   • Extend governance, audit, and monitoring practices to additional AI systems.

   • Close gaps highlighted by DAGEI™ to move towards ISO/IEC 42001 readiness or formal certification where desired.

This approach balances ambition with practicality—allowing organisations to align with global best practice step by step, rather than attempting a big-bang transformation.

Why Dawgen Global is a Strategic Partner for AI Governance

For organisations in the Caribbean and globally, Dawgen Global brings a combination of strengths:

• Deep experience in audit, risk, and regulatory advisory, now extended into AI.

• Proprietary frameworks (DALA™, DGACF™, DAGEI™, DCAMA™) built to align with ISO/IEC 42001, NIST AI RMF, and EU AI Act expectations.

• A multi-disciplinary team spanning auditors, data and technology specialists, risk professionals, and legal/compliance advisors.

• A pragmatic understanding of local and regional realities—resource constraints, regulatory diversity, and the need to remain competitive against larger players.

In a world where AI is reshaping industries, Dawgen Global helps clients ensure that their AI is not just powerful, but also governed, ethical, and ready for scrutiny.

Next Step: Build ISO/IEC 42001-Ready AI Governance with Dawgen Global

If your organisation is developing or using AI systems—and especially if they touch credit, healthcare, public services, employment, or other high-impact areas—now is the time to ask:

• Do we have a structured AI management system, or just isolated controls?

• Can we show regulators, customers, and partners that our AI is ethical, transparent, and accountable?

• How close are we to the expectations embodied in ISO/IEC 42001, NIST AI RMF, and the EU AI Act?

Dawgen Global’s proprietary AI audit methodologies—DALA™, DGACF™, DAGEI™, and DCAMA™—are designed to help you answer those questions with confidence.

📧 To assess your AI governance maturity and explore a roadmap towards ISO/IEC 42001-aligned AI management, email [email protected] to request a tailored AI governance and compliance proposal.

Our team will work with you to understand your AI landscape, identify gaps, and design an assurance programme that keeps your AI trusted, compliant, and strategically aligned in a rapidly evolving regulatory environment.

About Dawgen Global