What Is ISO 42001 Clause 10.1 and Why Does It Matter?
If you are building or maintaining an AI Management System under ISO IEC 42001, Clause 10 is where your system proves it can actually improve itself. Clause 10.1, titled simply “General,” sets the foundation for the entire improvement section of the standard. It tells organisations that they must determine and select opportunities for improvement and implement the actions necessary to meet customer requirements and enhance customer satisfaction.
On this page
That sounds straightforward, but in the context of AI systems, it carries significant weight. AI tools, models, and processes change rapidly. The risks they introduce evolve just as fast. Clause 10.1 is the mechanism that ensures your management system does not become a static document gathering dust on a shared drive. It is what makes your AIMS a living system rather than a one-time compliance exercise.
This article walks through exactly what Clause 10.1 requires, what it means in practice for organisations managing AI, and how to demonstrate conformance during an audit. Real-world examples are included throughout so you can see how these concepts apply to actual business situations.
The Structure of ISO 42001 Clause 10
Before diving into Clause 10.1 specifically, it helps to understand how it fits within the broader Clause 10 structure. ISO 42001 follows the same High Level Structure used by other ISO management system standards like ISO 9001, ISO 27001, and ISO 14001. Clause 10 covers improvement and contains three sub-clauses.
- Clause 10.1 General establishes the overarching requirement to identify and act on improvement opportunities.
- Clause 10.2 Nonconformity and Corrective Action deals with what happens when something goes wrong and how you fix it.
- Clause 10.3 Continual Improvement addresses the ongoing obligation to improve the suitability, adequacy, and effectiveness of the AIMS over time.
Clause 10.1 is essentially the parent requirement. It creates the expectation that improvement is not accidental or reactive, but a deliberate and systematic activity embedded in how your organisation manages AI.
What Does Clause 10.1 Actually Require?
The text of Clause 10.1 in ISO 42001 requires organisations to determine and select opportunities for improvement and implement necessary actions to meet AI-related objectives and enhance the performance of the AI management system. This includes improvements to AI systems, processes, products, and services where relevant.
In plain language, this means three things.
- You need a process for identifying where your AI management system could be better.
- You need to make decisions about which improvement opportunities are worth pursuing.
- You need to actually act on those decisions and track whether the actions worked.
The clause does not prescribe how you must do this. ISO standards are intentionally non-prescriptive about method. What matters is that you have a systematic approach and that you can demonstrate it is working. That is what an auditor will be looking for.
How Clause 10.1 Connects to Other Parts of ISO 42001
One of the most common mistakes organisations make is treating Clause 10.1 in isolation. In reality, it draws on outputs from almost every other part of the standard. Understanding those connections makes it much easier to implement in a meaningful way.
Connection to Clause 9 Performance Evaluation
Clause 9 requires you to monitor, measure, analyse, and evaluate your AIMS. The data you collect through internal audits, management reviews, and performance monitoring feeds directly into Clause 10.1. If your monitoring reveals that an AI model is producing biased outputs more frequently than your defined threshold, that is an improvement opportunity that Clause 10.1 requires you to address.
Connection to Clause 6 Planning
Clause 6 covers risk and opportunity identification. When you identify an opportunity during your risk assessment process, for example a chance to improve the transparency of an AI decision-making process, that opportunity should flow through to Clause 10.1 for action. The two clauses work together to create a planning and action loop.
Connection to Clause 8 Operations
Operational controls established under Clause 8 generate real-world performance data. If your AI procurement process, impact assessments, or operational monitoring reveal gaps or inefficiencies, those become inputs to your improvement process under Clause 10.1.
This interconnectedness is intentional. ISO 42001 is designed so that improvement is not an afterthought but a natural output of running your management system properly. If you are doing the other clauses well, you will naturally have a steady stream of improvement inputs feeding into Clause 10.1.
Types of Improvement Covered by Clause 10.1
Clause 10.1 does not limit improvement to any single category. Improvement under an AI management system can take several forms, and understanding these helps you build a more complete and credible improvement programme.
Improvements to AI System Performance
This is often the most visible type of improvement. If an AI model used for credit risk assessment is generating a higher-than-acceptable rate of false positives, improving the model's accuracy is an improvement to the AI system itself. Clause 10.1 supports this by requiring you to identify and act on such opportunities in a structured way.
Improvements to Processes and Controls
Sometimes the AI system is performing adequately but the processes around it are inefficient or risky. For example, if your process for reviewing AI-generated outputs before they influence a decision is inconsistently applied across departments, improving that process is a Clause 10.1 activity. You are not changing the AI, you are improving how the organisation manages its use.
Improvements to Documentation and Training
If an internal audit reveals that staff responsible for overseeing an AI tool do not fully understand how to identify when the tool is producing unreliable outputs, that is a training gap. Addressing it through updated training materials or competency assessments is a valid improvement under Clause 10.1.
Improvements to Stakeholder Communication
ISO 42001 places significant emphasis on transparency and accountability in AI use. If feedback from customers or regulators suggests that your communication about how AI is used in your services is unclear, improving that communication is an improvement to your AIMS that Clause 10.1 supports.
Practical Examples of Clause 10.1 in Action
Abstract requirements become much clearer when you see them applied to real situations. Here are several examples across different industries and AI use cases.
Example 1: Recruitment AI Tool in a Large Employer
A professional services firm uses an AI tool to screen job applications. During a management review, the HR director notes that the tool has been flagging candidates with non-English surnames at a higher rejection rate than others with equivalent qualifications. This is identified as an improvement opportunity under Clause 10.1.
The organisation selects the improvement action of engaging the AI vendor to review and retrain the model, and in the interim, introduces a mandatory human review step for all rejections. The action is documented, assigned an owner, given a target completion date, and reviewed at the next management review to confirm effectiveness. This is exactly what Clause 10.1 looks like in practice.
Example 2: AI-Assisted Customer Service in a Telecommunications Company
A telco uses an AI chatbot to handle customer complaints. An internal audit reveals that the chatbot is escalating only 12 percent of complaints to human agents, but post-resolution surveys show that 34 percent of customers felt their issue was not properly resolved. The gap between those two numbers is an improvement signal.
Under Clause 10.1, the organisation identifies this as an opportunity to improve the escalation logic within the chatbot. They also identify a need to improve the monitoring process so that customer satisfaction data is reviewed monthly rather than quarterly. Both actions are logged, tracked, and reviewed for effectiveness.
Example 3: Predictive Maintenance AI in a Manufacturing Business
A manufacturing company uses an AI system to predict equipment failures. After six months of operation, the maintenance team reports that the system is generating too many false alarms, leading to unnecessary downtime. This is raised as an improvement opportunity through the internal audit process.
The organisation works with its AI system supplier to adjust the sensitivity thresholds and implements a parallel monitoring period to validate the changes. The improvement is documented as a formal action under Clause 10.1, with effectiveness criteria defined as a 40 percent reduction in false alarms within 90 days. The outcome is reviewed and recorded.
What Auditors Look for Under Clause 10.1
When an auditor reviews your conformance with Clause 10.1, they are not looking for perfection. They are looking for evidence that your organisation has a genuine, functioning process for identifying and acting on improvement opportunities. Here is what typically comes up in an audit conversation.
Evidence of Identified Improvement Opportunities
The auditor will want to see records showing that improvement opportunities have been identified through your monitoring, audit, and review processes. This could be a register of opportunities, action logs from management reviews, or documented outputs from internal audits. If you cannot show that opportunities are being identified, that is a gap.
Evidence of Selection and Prioritisation
Not every improvement opportunity can or should be acted on immediately. Auditors understand this. What they want to see is that you have a rational basis for deciding which opportunities to pursue and when. This does not need to be a complex scoring system. A simple risk-based prioritisation approach is sufficient as long as it is applied consistently.
Evidence of Implementation
Actions need to be implemented, not just planned. Auditors will look for evidence that improvement actions were actually carried out. This might include updated procedures, training records, system change logs, or vendor correspondence. Planned actions with no evidence of implementation are a common nonconformity finding.
Evidence of Effectiveness Review
This is where many organisations fall short. You need to demonstrate that you reviewed whether your improvement actions actually worked. If you changed a process, did the change produce the intended result? If you retrained a model, did the performance improve? Effectiveness reviews close the improvement loop and demonstrate that your system is genuinely improving rather than just generating paperwork.
For a broader understanding of how to approach internal audits that surface real improvement opportunities, it is worth reviewing how audit programmes connect to your overall management system performance.
Common Mistakes Organisations Make With Clause 10.1
Having reviewed AI management systems across a range of industries, certain patterns of weakness come up repeatedly when it comes to Clause 10.1.
Treating Improvement as a Corrective Action Process Only
Many organisations confuse Clause 10.1 with Clause 10.2. Corrective action is reactive. It deals with nonconformities after they occur. Clause 10.1 is broader. It includes proactive identification of opportunities to improve before something goes wrong. If your improvement register only contains items triggered by nonconformities, you are likely missing the proactive dimension that Clause 10.1 requires.
No Defined Ownership for Improvement Actions
Improvement actions without a named owner rarely get completed. This is one of the most common practical failures. Every improvement action should have a person responsible for it, a target date, and a defined measure of success. Without these three elements, the action is just a wish.
Improvement Activities Disconnected From AI-Specific Risks
ISO 42001 is specifically focused on AI risks and impacts. Generic improvement activities that could apply to any management system are not sufficient on their own. Your improvement programme needs to reflect the specific characteristics of AI, including bias, transparency, explainability, data quality, and the evolving regulatory environment. Auditors who specialise in ISO 42001 will notice if your improvement activities look like they were copied from an ISO 9001 system without any AI-specific thinking.
Effectiveness Reviews That Are Superficial
Writing “action completed” in an action log is not an effectiveness review. You need to demonstrate that the action achieved its intended outcome. This requires defining what success looks like before you implement the action, then measuring against that definition after implementation. If you cannot show this, an auditor may raise an observation or nonconformity.
Building a Practical Improvement Process for Your AIMS
If you are setting up or strengthening your improvement process under Clause 10.1, the following practical steps will help you build something that works in the real world, not just on paper.
First, establish a central improvement register. This does not need to be sophisticated. A well-maintained spreadsheet or a field within your existing management system software is sufficient. The register should capture the source of the opportunity, a description of the opportunity, the selected action, the owner, the target date, and the effectiveness review outcome.
Second, build improvement identification into your existing processes. Every internal audit, management review, customer feedback review, and AI incident review should have a formal step where participants ask “what improvement opportunities does this reveal?” Making this a standing agenda item ensures it happens consistently.
Third, align your improvement activities with your AI-specific risks. Review your AI risk register regularly and ask whether your improvement programme is addressing the risks that matter most. If your highest-rated AI risk is data quality, your improvement programme should reflect that with targeted actions.
Fourth, define effectiveness criteria before you implement an action. This forces you to think clearly about what success looks like and makes the effectiveness review meaningful rather than a box-ticking exercise.
For organisations just beginning their ISO 42001 journey, understanding what ISO 42001 certification actually costs and what the implementation process involves is a useful starting point before diving into individual clause requirements.
You can also find authoritative guidance on the overall structure and intent of ISO 42001 through the ISO 42001 standard page on ISO.org, which provides the official scope and background for the standard.
Clause 10.1 in the Context of AI Regulation
The timing of ISO 42001 is not accidental. Governments around the world are introducing AI-specific regulations, and ISO 42001 is increasingly being referenced as a framework for demonstrating compliance. In Australia, the government's voluntary AI Ethics Framework and the emerging regulatory discussions around high-risk AI applications make a structured improvement process under Clause 10.1 increasingly relevant.
Organisations that can demonstrate a functioning, documented improvement process for their AI systems are in a much stronger position when engaging with regulators, responding to tenders, or reassuring customers about how they manage AI responsibly. Clause 10.1 is not just a compliance requirement. It is a competitive and reputational asset when implemented well.
If you are preparing for an ISO 42001 audit, understanding how improvement requirements connect to the audit process is important. Our article on how to prepare for an ISO 42001 Stage 1 audit covers what auditors review in the early stages of the certification process.
Getting Help With ISO 42001 Implementation
ISO 42001 is a relatively new standard and genuine expertise in AI management systems is still developing across the consulting industry. Finding a consultant who understands both the technical dimensions of AI and the management system requirements of the standard is not straightforward. Many consultants are adapting their ISO 27001 or ISO 9001 experience to ISO 42001, which is not always sufficient for organisations dealing with complex AI applications.
If you are looking for qualified help with ISO 42001 implementation, including building out your Clause 10.1 improvement process, CertBetter can connect you with verified consultants and accredited certification bodies who have demonstrated experience with the standard. You submit one form, receive up to three competing quotes, and compare your options before committing to anything. The service is completely free for businesses seeking certification help.
