What is the difference between ISO/IEC 42001 and ISO/IEC 23894?
ISO/IEC 42001 is a standard for an AI Management System (AIMS), focusing on documented governance, roles, lifecycle data governance, monitoring, and continual improvement for AI systems. The provided sources do not contain information about ISO/IEC 23894, so a comparison to that standard cannot be made.
ISO/IEC 42001 follows the Plan-Do-Check-Act management-system structure, encompassing clauses 4-10 for management system requirements and Annex A for AI-specific controls. Key aspects of ISO/IEC 42001 include:
- Context of the Organization (Clause 4): Determining internal and external context, interested parties, and the scope of the AIMS.
- Leadership (Clause 5): Top management establishing an AI policy, a documented AIMS, and assigning roles, responsibilities, and authorities for AI governance. This cross-maps to NIST-GOVERN-1/2.
- Planning (Clause 6): Addressing risks and opportunities, establishing an AI risk assessment and AI impact assessment process, and setting AI objectives. This cross-maps to NIST MAP/MANAGE.
- Performance Evaluation (Clause 9): Monitoring, measuring, analysing, and evaluating the AIMS, including internal audits and management reviews. This cross-maps to NIST-MEASURE-3.1 and OWASP LLM10 (abuse/consumption monitoring).
- AI System Lifecycle (Annex A.6): Ensuring responsible design, development, deployment, operation, and retirement of AI systems with controls at each stage. This is central to data governance lifecycle coverage.
- Data for AI Systems (Annex A.7): Implementing data governance for the provenance, quality, preparation, and management of data used by AI systems across the AI system lifecycle. This cross-maps to OWASP LLM04 data poisoning and NIST GenAI "Data privacy".
- Third-party Relationships (Annex A.10): Establishing controls for suppliers and third parties in the AI value chain, such as model and data providers. This cross-maps to NIST-GOVERN-6.1 and OWASP LLM03 supply chain.
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.