
AI management systems: what they actually are, and what to buy

Tom Leyden · 16 June 2026

The phrase AI management system keeps turning up in board papers and vendor demos. The trouble is it can mean two completely different things, and people often don't realise they're not talking about the same one.

The formal sense is ISO/IEC 42001, published in late 2023 as the international standard for AI Management Systems. It's modelled on ISO 27001 and ISO 9001. It describes the organisational machinery you build to govern AI: policy, roles, risk register, training, review cadence. It's a management standard, not software.

The other sense is shorthand for the platforms, and that category has filled out fast. Credo AI, Holistic AI and CalypsoAI sit on the governance and risk side. LangSmith, Langfuse, Helicone and Arize cover LLM ops and observability. Microsoft Purview AI Hub and the DLP camp handle policy enforcement. These are software products. They support an AI management system. They don't substitute for one.

The slip happens at procurement. The board hears about AI governance, asks IT to "look at platforms," IT runs a demo cycle, and six months later there's a $40-80k licence in flight and no underlying policy. The tool ends up configured against nothing in particular.

For most firms we work with (100 to 1,000 staff, across professional services, AEC, financial services and healthcare), the right starting point isn't a platform at all. It's a one-page policy that says what's allowed and who approves edge cases. A spreadsheet inventory of every AI tool actually in use, who owns it, what data it touches, and what the vendor's terms say about retention and training on your inputs. A handful of obvious controls: DLP on the paste-into-public-LLM vector (endpoint and browser, since that is where the data leaves), conditional access so the approved tools are reached only from managed identities and devices, and a review step in procurement so AI-adjacent purchases don't slip through unflagged. And a quarterly cadence to keep the inventory honest, because the shadow tools appear between reviews, not during them.

That isn't glamorous. It's also what most mid-market firms need for the next twelve months. Spending on a platform before the policy exists usually produces compliance theatre: a dashboard pointing at risks no one has written down, with no obvious owner for any of them.

Platforms become genuinely useful when you cross one of three lines: APRA-regulated workloads where audit lineage stops fitting in a spreadsheet; production AI with three or more models in the loop and real customers downstream; or a procurement requirement from your own customers for ISO 42001 evidence. Until then, the policy and the inventory hold up fine.

The shortcut question ("can we just buy the tool?") comes up in nearly every board conversation we have on this. The honest answer is no, not really. Buying the platform without the policy is like installing a CRM before deciding who your customers are.

The standard describes the system. The platforms support it. The policy is what it actually says.

Map first. Buy second.
