The essential roles in comparison:
Key roles in ISO 42001:
→ Senior Management
→ Assigned responsible person(s) for the AI Management System
→ Person(s) working under the organisation's control
→ AI system owner
→ Internal Audit Function
→ External providers
Stakeholders under the AI Regulation:
→ Provider
→ Operator
→ Authorised representative
→ Importer
→ Dealer
→ Actor
→ Downstream provider
No overlap.
Why? Because both frameworks serve completely different purposes.
ISO 42001 asks: Who controls AI internally?
The AI Regulation asks: Who is legally liable in the supply chain?
The AI system owner has no equivalent in the AI Regulation.
The provider obligations have no equivalent in ISO 42001.
The inconvenient truth:
Mapping one framework to another is a waste of time.
ISO 42001 does not say whether a company is a provider or an operator.
The AI Regulation does not say who should be responsible for the AI management system.
Different questions, different answers, different consequences.
I've seen companies assume their ISO roles cover legal requirements.
They don't. I've discussed this more than a dozen times by now.
A customer thought their AI system vendor was fulfilling their supplier obligations.
It's not.
The gaps are real.
They cannot be mapped.
The ISO 42001 roles govern the management system.
The AI Regulation roles determine legal liability.
Businesses need both.
Separate.
Certified ≠ compliant.
The roles prove it.
Author: Achim Korten, February 2026