Artificial Intelligence is accelerating innovation, but it also introduces regulatory, ethical, and operational risks. Organisations deploying or developing AI must now demonstrate that their systems are lawful, transparent, secure, and trustworthy by design.
AI Compliance & Governance Operating Model

Three frameworks define the new AI governance landscape:
- EU AI Act - a risk-based legal framework governing the use and deployment of AI systems
- ISO 42001 - the international standard for Artificial Intelligence Management Systems (AIMS)
- GDPR - the foundation for lawful and ethical use of personal data in AI
Together, they form a Unified AI Compliance & Governance Operating Model, covering the full AI lifecycle - from design and data to deployment, monitoring, and accountability.
The New AI Regulatory Reality
The EU AI Act classifies AI systems by risk and imposes strict obligations on high-risk use cases, including risk management, human oversight, technical documentation, transparency, logging, and post-market monitoring.
ISO 42001 translates these legal obligations into a structured, auditable management system, defining how organisations govern AI in practice through policies, controls, impact assessments, and continuous improvement.
GDPR remains fully applicable wherever AI systems process personal data, requiring lawful basis, transparency, data minimisation, safeguards for automated decision-making, and documented accountability.
How These Frameworks Work Together
- EU AI Act defines what organisations must comply with
- ISO 42001 defines how to operationalise compliance
- GDPR ensures data within AI systems is processed lawfully and ethically
When combined, they enable compliance that is consistent, measurable, and defensible.
How Grant Thornton Can Help
A. EU AI Act Readiness & Implementation
- Identification and classification of all AI systems
- Internal Audit / Gap assessment against EU AI Act Articles 9–61
- Obligations roadmap for providers & deployers
- Preparation of technical documentation & conformity evidence
B. ISO 42001 Implementation & Maintenance
- Design and build of the AI Management System (AIMS)
- Development of all policies, procedures, registers and templates
- Integration with existing ISO 27001 and ISO 27701 frameworks
- Internal audits and certification preparation
- Virtual AI Officer - Strategy, Development, and Ethical implementation
C. GDPR and Data Protection for AI
- DPIAs specifically tailored for AI and automated decision-making
- Transparency & lawful basis assessments
- Personal data flows and minimisation techniques
- Privacy-by-design built across AI lifecycle
- Virtual DPO (vDPO) Services
D. Technical AI Assurance
- AI Model Audit & Testing
- Offensive Information Security - Penetration Testing
- Security and model governance checks
- AI Development Lifecycle testing
E. AI Governance Operating Model
- Establishment of AI steering committee
- AI Policies and Procedures
- Virtual AI Officer
- Definition of responsibilities (AI Owner, AI Risk Manager, Ethical AI Lead)
- Escalation, reporting, and monitoring structures
- Integration with corporate governance frameworks
F. AI Awareness, Literacy & Culture
- Executive briefings
- Training for auditors, risk teams and end users
- Awareness campaigns
- Practical workshops on ethical and trustworthy AI
