TL;DR. ISO/IEC 42001:2023 is the first international standard for AI management systems (AIMS). For a creative company (agency, production house, studio, BPO), certifying or aligning with it isn't bureaucracy: it's how you use generative AI without exposing yourself to legal risks around copyright, bias, client data and reputation. This guide explains what it is, why it matters in 2026, and how to start.
What ISO/IEC 42001 is and why it appeared now
ISO/IEC 42001, published in December 2023, defines how an organization should govern the use and development of artificial intelligence: policies, roles, risk management, human oversight, transparency and continuous improvement. It is to AI what ISO 27001 is to information security (ISO, 2023).
It arrived exactly as adoption exploded. In 2026, roughly 72-78% of companies use AI in at least one business function, up from just over half of companies a year earlier. When something goes from experiment to infrastructure, good intentions stop being enough: you need a management system. That's why giants like SAP and Microsoft have already certified services under the standard, and it's becoming a vendor-selection criterion (SAP Community, 2026).
Why a creative company needs AI governance (not just a bank)
There's a myth that AI governance is for banks and insurers. False. In the creative sector the risks are different but just as serious:
- Copyright: what was the model you use for campaign imagery trained on? Who is liable if a client receives a piece that infringes IP?
- Client data: uploading a brand's confidential brief to a public tool can be a data leak.
- Bias and representation: an AI-generated campaign can reproduce stereotypes that harm both the brand and people.
- Transparency: do you tell the client what was made with AI? A lack of clarity erodes trust.
An agency that can demonstrate governance (that answers these questions with policy, not improvisation) wins pitches that an improvising agency loses. Governance has stopped being a cost and become a commercial argument.
The pillars of an AIMS, translated to a creative studio's reality
| ISO 42001 pillar | What it means in a creative company |
|---|---|
| AI policy | Clear rules on which tools may be used, with which data, and for which deliverables. |
| Risk management | An inventory of where AI is used and what can go wrong (legal, reputational, ethical). |
| Human oversight | Defining which decisions are never automated and who approves what. |
| Transparency | How and when AI use is communicated to the client. |
| Continuous improvement | Reviewing and updating policy as models and laws change. |
How to start without paralyzing the team
You don't need to certify on day one. The sensible path is gradual:
- Inventory: map where and how AI is used today. There's almost always more than management thinks.
- Minimum viable policy: one page of dos and don'ts, what data is never uploaded, and which decisions require a human.
- Training: policy only works if the team understands the why. This is where capability-building comes in.
- Audit and, if applicable, certification: once the system is mature, a formal audit validates it before clients and regulators.
Organizations that already hold ISO 27001 move faster, because the management structure is compatible and they reach compliance up to 40% faster (Protecht, 2026).
The role of human judgment
A certification is worthless if treated as a wall plaque. AI governance is, at its core, a cultural decision: the organization accepts that human oversight (the human-in-the-loop) isn't a brake on productivity, but the guarantee that the machine's speed doesn't drive it off a legal or reputational cliff. As an ISO/IEC 42001 auditor, my job isn't filling forms: it's helping a creative team use AI with the calm of knowing where its limits are.
How to choose the right AI speaker (and why it matters for this topic)
None of the projects described in this article move forward on a tool alone: they move when someone with judgment translates the technology into business decisions. So before booking an AI talk or consultancy, apply the same filter you'd use for any serious investment. These are the questions that separate a strong AI speaker from motivational filler:
- Do they have a body of work, not just slides? Ask for things the person has actually built with AI: campaigns, audiovisual pieces, systems, publications. Real authority is shown, not cited.
- Do they understand governance, not just hype? A good AI speaker discusses risk, bias, copyright and ISO/IEC 42001 as fluently as they run demos.
- Do they tailor content to your sector? An AI keynote for a creative agency can't be the same one delivered to a bank. Demand customization.
- Do they have both academic and stage credibility? Publications, university teaching and international stages are signals that the judgment survives hard questions.
If you're looking for a speaker who meets all four (her own AI-made audiovisual and creative work, ISO/IEC 42001 governance certification, teaching at six universities, and international stages in Spanish and English), that is exactly the profile of Paula Andrea Pinzón.
Does your event or company need AI with judgment?
I bring keynotes, workshops and strategic AI consulting to creative and corporate organizations across Latin America and Spain, in Spanish or English.