ISO 42001 for HR Managers: What You Need to Know and Own

CertBetter

Team CertBetter


Why HR Managers Are Suddenly in the Middle of AI Certification

If your organisation is pursuing ISO 42001 certification, or has already started the process, you may have noticed that a lot of the requirements land squarely in HR territory: competence, awareness, training, roles and responsibilities, human oversight of AI systems, and workforce impact assessments. These are not IT problems. They are people problems, and that means they are yours to own.

ISO 42001 is the international standard for AI management systems. It gives organisations a structured framework for governing how they develop, deploy, or use artificial intelligence in a responsible and accountable way. To get a solid grounding in the standard itself, the ISO/IEC 42001 overview on CertBetter is worth reading before you go any further.

This article is specifically written for HR managers and people leaders who are being pulled into an ISO 42001 project and need to understand what the standard actually requires from them, what documentation they need to produce, and where the common mistakes happen.

What ISO 42001 Is Actually Asking HR to Do

The standard does not treat HR as a support function. It treats people management as a core control mechanism for responsible AI governance. That is a meaningful shift in how HR interacts with a management system standard.

Here is a plain English summary of the clauses that directly touch HR responsibilities.

Clause 7.2: Competence

This clause requires the organisation to determine what competence is needed for people whose work affects AI performance or AI-related risks. It then requires evidence that those people actually have that competence, or that action has been taken to help them get it. That action needs to be evaluated for effectiveness. It is not enough to send someone to a webinar and tick a box.

In practice, this means HR needs to build or update a competence framework that covers AI-related roles. That includes technical staff building or maintaining AI systems, but it also includes managers making decisions based on AI outputs, procurement staff evaluating AI vendors, and customer-facing staff interacting with AI-assisted tools.

Clause 7.3: Awareness

Every person doing work under the organisation's control needs to be aware of the AI policy, their contribution to the AI management system, the implications of not conforming to requirements, and the potential harms that could result from irresponsible AI use. This is a training and communications responsibility that HR typically owns or co-owns with compliance.

Clause 6.2 and Annex A Controls Related to Roles

ISO 42001 includes a set of Annex A controls that organisations can apply based on their AI risk profile. Several of these controls relate directly to workforce governance. Control A.6.2 covers roles, responsibilities, and authorities for AI. Control A.6.5 covers AI system impact assessments, which often require HR input when the AI system affects workers, hiring, performance management, or workforce planning.

The standard also references the need to consider impacts on individuals and communities, which in a workforce context means HR needs to be at the table when AI tools that affect employees are being assessed for risk.

The HR Documents You Will Need to Produce or Maintain

One of the most common frustrations HR managers experience when joining an ISO project is being handed a list of required documents without any explanation of what those documents actually need to contain. Here is a practical breakdown.

Competence Records

You need documented evidence that each person in an AI-related role has the required competence. This can take many forms: training completion records, qualifications, internal assessments, or performance reviews that reference AI-related capabilities. The key requirement is that the records are retrievable and linked to specific roles or individuals. A spreadsheet that maps roles to required competencies and then links to evidence of those competencies being met is a perfectly acceptable approach for most organisations.

If you are building this from scratch, start with a simple training matrix. This guide to building an ISO training matrix walks through the structure in detail and applies directly to what ISO 42001 needs from HR.

Awareness Training Records

Every staff member covered by the AI management system scope needs documented evidence of awareness training. This does not mean a full AI ethics course for everyone. It means people understand the AI policy, know what is expected of them, and understand what could go wrong if the system is misused or ignored. A short induction module, a team briefing with sign-off, or an online quiz with completion records all work. The auditor wants to see that awareness has been communicated and that there is evidence it reached the right people.

Role Descriptions and Accountability Documentation

The standard requires that roles, responsibilities, and authorities related to AI governance are clearly defined and communicated. HR typically owns or contributes to position descriptions, and this is where AI-related responsibilities need to be embedded. If your organisation has an AI Ethics Officer, an AI Risk Owner, or even just a team leader responsible for reviewing AI outputs, those responsibilities need to appear somewhere in documented role descriptions or governance documentation.

AI Impact Assessment Inputs Related to Workforce

When an AI system affects workers directly, whether it is an AI-assisted recruitment tool, a performance monitoring system, or a scheduling algorithm, HR needs to provide input into the impact assessment for that system. This does not mean HR runs the assessment alone. It means HR contributes the people-related risk considerations: fairness, bias, transparency to affected employees, and compliance with employment law obligations.

The Practical Challenges HR Managers Face in ISO 42001 Projects

Let me be honest about where things go wrong, because the same issues come up repeatedly in AI management system implementations.

HR Is Brought In Too Late

In most organisations, ISO 42001 projects start in IT or compliance. HR gets invited to a meeting six months in and is handed a list of things to produce with a deadline attached. By that point, the scope has already been defined, the risk register is half-built, and nobody thought to check whether HR had a view on which AI systems affect workers. If you are in this situation, push back early. Ask to review the scope statement and the AI system inventory. If any of those systems touch hiring, performance, rostering, or workforce planning, HR needs to be involved in the risk assessment, not just the training records.

Competence Requirements Are Too Vague

A common mistake is defining AI competence requirements at such a high level that they are meaningless. Saying that all staff need to “understand AI” is not a competence requirement. A proper competence requirement for, say, a hiring manager who uses an AI-assisted shortlisting tool would specify that they can identify potential bias in AI-generated rankings, know when to override the system, and understand the organisation's escalation process when the AI output seems incorrect. That level of specificity is what makes the competence framework auditable.

Training Is Treated as a One-Off Event

ISO 42001, like all ISO management system standards, expects continual improvement. That applies to training and competence too. If you run an AI awareness session in March and then never revisit it, an auditor will ask what you have done to keep awareness current as AI systems evolve, as new tools are introduced, or as risks change. Build a review cycle into your training calendar: annual refreshers at minimum, with triggered updates whenever a significant new AI system is deployed or a material change is made to an existing one.

The Connection Between HR Records and the AI Risk Register Is Missing

One of the most common audit findings in early ISO 42001 certifications is a disconnect between the AI risk register and the competence controls. The risk register might identify that an AI tool used in performance management could produce biased outcomes, but there is no corresponding control showing that managers using that tool have been trained to recognise and respond to bias. HR records and the AI risk register need to talk to each other. Make sure someone in your project team is responsible for mapping competence controls to identified AI risks.

Where HR Intersects With AI Ethics and Responsible Use

ISO 42001 is built on a foundation of responsible AI principles. The standard itself references human rights, fairness, transparency, and accountability as core values that the AI management system should uphold. For HR, this is not abstract. It has direct operational implications.

AI in Recruitment and Selection

If your organisation uses AI tools to screen CVs, rank candidates, or predict job fit, HR owns the governance of those tools. That means documenting how the tool works, what data it uses, what its known limitations are, and how human reviewers are expected to engage with its outputs. It also means having a clear process for candidates to query or appeal decisions that were influenced by AI. Under Australian employment law and the Privacy Act, there are obligations around automated decision-making that HR needs to understand and document as part of the AI management system.

AI in Performance Management

Performance monitoring tools that use AI to analyse productivity, flag anomalies, or generate performance scores require careful governance. Employees have a right to understand how these systems work and how the outputs are used. HR needs to ensure that the use of these tools is disclosed in employment contracts or policies, that managers are trained to use the outputs appropriately, and that the organisation has documented its position on how much weight AI outputs carry in formal performance reviews.

Workforce Impact of AI Deployment

When new AI systems are introduced that change how work is done, HR has a responsibility to assess the workforce impact. This is partly a change management function and partly a risk management function. ISO 42001 expects organisations to consider the broader societal and individual impacts of their AI systems. In a workforce context, that means asking whether the introduction of an AI tool changes job roles in ways that require retraining, whether it creates risks of unfair treatment, and whether affected workers have been consulted appropriately.

How to Prepare HR for an ISO 42001 Audit

If your organisation is heading toward a Stage 2 certification audit, here is what an auditor will typically want to see from HR.

  • A documented competence framework covering all roles that interact with AI systems within scope
  • Evidence that competence requirements have been communicated to individuals in those roles
  • Training records showing that awareness requirements have been met across the relevant workforce
  • Position descriptions or governance documents that clearly assign AI-related responsibilities
  • Records showing that competence and training have been reviewed and updated as the AI environment changes
  • HR input into AI impact assessments for any systems that affect workers
  • A process for employees to raise concerns about AI systems that affect them

The auditor is not expecting perfection. They are looking for evidence that the organisation has thought carefully about the people dimension of AI governance, documented its approach, and is actively maintaining and improving it. Gaps in documentation are manageable if you can demonstrate that the underlying processes exist and are working. Gaps in the processes themselves are harder to defend.

For more context on what the audit process looks like from start to finish, the guide to preparing for an ISO 42001 Stage 1 audit covers the readiness steps in detail.

Getting the Right Support for Your ISO 42001 Project

ISO 42001 is a genuinely new standard and the number of consultants with real implementation experience is still limited. If your organisation is at the early stages of the project, getting the right consultant involved early makes a significant difference to how smoothly the HR components come together. A good consultant will help you map AI systems to HR risks, build a competence framework that is proportionate to your organisation's size and complexity, and make sure your documentation is audit-ready without creating unnecessary overhead.

If you are comparing options, CertBetter makes it straightforward. You submit one form and receive up to three quotes from vetted ISO 42001 consultants and certification bodies. The service is free for businesses, and it saves a significant amount of time compared to searching and vetting providers individually. Given how specialised ISO 42001 expertise still is, having a platform that pre-vets providers for you is genuinely useful.


Frequently Asked Questions

ISO 42001 does not require HR to be named as a specific function in the management system documentation. What it does require is that roles, responsibilities, and authorities for AI governance are clearly defined and communicated. In practice, many of those responsibilities will naturally sit with HR, particularly around competence, training, and workforce impact assessments. HR should be reflected in the governance structure, even if not called out by department name in every document.

Competence refers to the specific knowledge, skills, and abilities needed to perform a role that affects AI system performance or AI-related risks. Awareness is broader and applies to all workers covered by the management system scope. It means understanding the AI policy, knowing what is expected of them, and understanding the consequences of non-conformance. In HR terms, competence requirements apply to people in AI-related roles, while awareness requirements apply to the whole workforce within scope.

ISO 42001 does not prescribe specific disclosure requirements, but it does require organisations to consider transparency and fairness as part of responsible AI governance. In Australia, there are also obligations under the Privacy Act and general employment law that are relevant when AI systems are used in performance management or employment decisions. HR should document how employees are informed about AI tools that affect them and ensure that disclosure is consistent with both the management system requirements and applicable legal obligations.

ISO 42001 does not specify a fixed frequency for training reviews. It requires that competence and awareness are maintained and that the organisation evaluates the effectiveness of any actions taken to address competence gaps. In practical terms, this means training should be reviewed whenever a significant new AI system is introduced, when an existing system is materially changed, when a new AI-related risk is identified, or at minimum on an annual basis as part of the management system review cycle.

Yes, absolutely. ISO 42001 does not require organisations to build entirely new training systems. If you already have a learning management system, a training matrix, or an induction process, these can be adapted to include AI-related content and competence tracking. The key is ensuring that the records produced by your existing systems are sufficient to demonstrate to an auditor that competence requirements have been identified, communicated, and met. The format matters less than the evidence.

If HR is absent from the project, the organisation will almost certainly have gaps in its competence framework, its awareness training, and its workforce impact assessments. These are not minor gaps. Clauses 7.2 and 7.3 are core requirements, not optional controls, and an auditor will check them in detail. Beyond the certification risk, the practical consequence is that the organisation deploys AI systems that affect workers without adequate governance, which creates employment law exposure and reputational risk. HR engagement is not optional in a well-run ISO 42001 project.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
