Here is a problem that does not get enough attention in AI governance discussions. When a legal team, a data science team, an information security team, and a compliance team all sit down to discuss AI governance, they are often using the same words to mean different things — and different words to mean the same things.

What exactly is an “AI system” as opposed to a conventional software application? What is the difference between an AI model and an AI system? What does “explainability” mean technically, and how does it differ from “transparency”? When ISO 42001 refers to “AI risk,” which risks does it mean?

These are not pedantic questions. They determine what is in scope for your AIMS, what controls apply, and whether your governance documentation will hold up under audit. ISO/IEC 22989:2022 — the international standard for AI concepts and terminology — is the document that answers them. If your governance team is not familiar with it, your ISO 42001 implementation is likely being built on inconsistent foundations.

What ISO 22989 Is

ISO/IEC 22989:2022, published in July 2022, establishes a common vocabulary for artificial intelligence. It defines the fundamental concepts, terms, and relationships that underpin the entire ISO AI standards family — including ISO 42001 and the emerging suite of AI-specific standards being developed by ISO/IEC JTC 1/SC 42.

The standard is not a compliance requirement in itself — organisations are not certified against ISO 22989. Its function is foundational: it provides the shared language that makes other AI standards coherent and consistently interpretable. When ISO 42001 uses the term “AI system,” it means what ISO 22989 says it means. When regulators drafting the EU AI Act needed to define their scope, ISO 22989’s definitions informed that work.

The Definitions That Matter Most for ISO 42001 Compliance

AI system. ISO 22989 defines an AI system as a machine-based system that, for a given set of objectives, is capable of making predictions, recommendations, decisions, or other outputs that influence real or virtual environments. This is deliberately broader than “machine learning model.” It encompasses the full sociotechnical system — the model, its inputs, its outputs, the context in which it operates, and the decisions it informs.

Why this matters: many organisations narrowly scope their AI inventory to the ML models their data science team built. But an AI system under ISO 22989’s definition includes third-party AI tools embedded in business processes — a vendor’s AI-powered fraud detection, an AI email screening tool, an AI scheduling system. All of these fall within scope of your AIMS.

AI lifecycle. The standard defines the AI lifecycle as spanning data collection, model design, training, verification, deployment, monitoring, and decommissioning. ISO 42001’s controls apply across this lifecycle — not just at deployment. If your governance programme only covers deployed AI systems and not the development and training phases, it is addressing a fraction of the lifecycle the standard contemplates.

Explainability vs. transparency vs. interpretability. These three terms are frequently conflated in AI governance discussions, and the conflation causes problems when designing controls.

ISO 42001’s controls address all three, but differently. Your human oversight controls, your data subject rights procedures (where GDPR applies), and your audit documentation requirements each depend on the right concept being applied to the right control.

Robustness and reliability. ISO 22989 defines robustness as the ability of an AI system to maintain its performance level under various conditions — including adversarial inputs, distribution shift, and incomplete data. Reliability refers to the consistency of expected performance over time. These concepts underpin the monitoring and incident detection controls in ISO 42001 Annex A.

Bias and fairness. The standard provides definitions of bias in the context of AI — systematic errors in AI outputs that result in unfair treatment of individuals or groups. ISO 42001’s responsible AI controls, and the EU AI Act’s requirements for high-risk AI systems, both reference bias mitigation as a core obligation. Having a shared definition of bias across your organisation is prerequisite to implementing those controls consistently.

Why Governance Teams Often Miss This Standard

ISO 22989 is a technical vocabulary standard — it does not contain requirements or controls, so it does not appear in implementation checklists. Compliance teams focused on “what do we need to do” often skip straight to ISO 42001 and miss the foundation that makes the requirements interpretable.

The consequence is predictable: different teams within the same organisation implement ISO 42001 controls based on different understandings of what the controls mean. The AIMS that results is inconsistent across functions, and those inconsistencies surface at internal audit and certification audit.

The fix is straightforward: treat ISO 22989 as pre-reading for any team involved in ISO 42001 implementation. It does not require technical expertise to understand — it is a vocabulary document, not a technical specification. A one-hour workshop walking through the key definitions in ISO 22989 before AIMS scoping and design begins will save significantly more than one hour in rework.

ISO 22989 and the Broader AI Regulatory Landscape

ISO 22989’s definitions have been adopted or referenced by multiple major AI governance frameworks. The EU AI Act’s definition of “AI system” is directly influenced by ISO 22989’s framework. NIST’s AI Risk Management Framework references ISO 22989 as a source for AI concepts and terminology. As AI regulation proliferates, ISO 22989 is functioning as the Rosetta Stone of AI governance language — the document that allows different frameworks to refer to the same concepts consistently.

For organisations managing compliance across multiple frameworks — ISO 42001, EU AI Act, NIST AI RMF — a working familiarity with ISO 22989 makes the cross-mapping significantly more tractable.

At Bitsecura, our ISO 42001 implementations begin with ensuring that everyone involved in the programme — from the data science team to the legal function — is working from the same vocabulary. ISO 22989 is part of that foundation. It is not an overhead. It is the reason implementations stay coherent under audit.

If you want to discuss how to build a coherent AI governance foundation for your organisation, reach out here. No obligation.


Bitsecura provides ISO 42001 AIMS implementation, internal audit, and maintenance services. Learn more about our ISO 42001 services.