ISO/IEC 42001 Clause 10: Improvement (Continual Improvement & Corrective Action)

ISO/IEC 42001 Clause 10 – Improvement focuses on continuously enhancing an organization’s AI Management System (AIMS) through proactive changes and effective handling of issues.

Navigate
ISO/IEC 42001

Templates & Tools

Clause 10: Improvement (Continual Improvement & Corrective Action)

ISO 42001 Clause 10 , the final element of the ISO 42001 framework, goes over two key areas: continual improvement of the AIMS (Clause 10.1) and nonconformity and corrective action (Clause 10.2).

In practice, Clause 10 drives organizations to identify opportunities for improvement, correct problems, learn from mistakes, and adapt the AI governance framework as technologies and regulations evolve. With doing so, the AIMS remains suitable, adequate, and effective over time, aligning with the “Act” phase of the Plan-Do-Check-Act (PDCA) cycle for ongoing improvement.

This guide provides detailed guidance on Clause 10 requirements and best practices for implementation.

Continual Improvement (Clause 10.1)

Clause 10.1 – Continual Improvement requires the organization to “continually improve the suitability, adequacy, and effectiveness” of its AI management system.

You should not only react to problems but also proactively seek ways to make the AIMS better over time. Continual improvement in ISO 42001 mirrors the ethos of other ISO management standards (like quality or information security), pushing for ongoing enhancements rather than one-time fixes. Key aspects of continual improvement include analyzing performance data, audit findings, risk assessments, and stakeholder feedback to identify areas where the AIMS can be strengthened.

Why Continual Improvement

AI systems don’t stay still, and neither do the conditions around them. New risks can surface, tools improve, and regulatory expectations can shift. Clause 10.1 is there to make sure your AI governance keeps up.

Regular checks on the AIMS help you understand what’s working and what needs attention. Insights from Clause 9 performance evaluations and management reviews, for instance, can highlight gaps, trends, or unintended outcomes. Those findings can then feed into updates to policies, controls, and day-to-day processes so the organization stays aligned with its objectives.

This approach reduces the chance of the AIMS drifting into a “good enough” mindset where progress slows. Instead, it supports steady learning, responsible innovation, and ethical maturity in how AI is deployed. In practice, continual improvement means making refinement routine so the management system remains strong, adaptable, and ready for future change.

Best Practices for Continual Improvement

Leverage Performance Data: Use outputs from Clause 9 (monitoring, audits, management reviews) to drive improvements. Analyze trends in AI system performance, compliance findings, incident reports, and user feedback to pinpoint improvement opportunities. For example, if audits show recurring minor issues, update processes or training to address the root causes.
Set Improvement Objectives: Establish measurable goals for enhancing the AIMS (e.g. reducing AI model bias by a certain percentage, speeding up incident response times, improving transparency of AI decisions). Setting targets helps maintain focus on improvement and provides a way to measure progress.
Encourage Innovation and Updates: Don’t limit improvements to correcting failures. Also seek opportunities for positive change – for instance, adopting new best practices in AI ethics, incorporating advanced monitoring tools, or streamlining governance workflows. Clause 10.1 isn’t just about fixing problems; it’s about making the AIMS more effective and aligned with current best practices and business needs.
Integrate with Strategy: Align continual improvement initiatives with the organization’s strategic objectives and AI policy. For example, if your company prioritizes AI fairness or energy efficiency, use those themes to guide improvements in model development or deployment processes. This ensures enhancements in the AIMS also advance broader business goals like innovation, customer trust, and ethical AI use.
Regular Reviews and Adaptation: Make continual improvement a standing agenda item in management reviews (Clause 9.3). Top management should regularly review whether the AIMS remains suitable and adequate given any changes in technology, regulations (like updates in the EU AI Act), or organizational priorities. This might lead to adjusting resources, updating risk assessments, or revising AI objectives to drive further improvement.

Clause 10.1 ensures that AIMS improvements are not ad hoc, but part of an ongoing cycle of planning, action, review, and refinement.

Nonconformity and Corrective Action (Clause 10.2)

Clause 10.2 – Nonconformity and Corrective Action outlines how organizations must respond when the AIMS or an AI system outcome does not meet a requirement or deviates from expected practice. A nonconformity could be discovered through various means – an internal audit finding, an incident or error in an AI system, a compliance check, a customer complaint, or even during day-to-day operations. Whenever such a nonconformity occurs, ISO 42001 requires a structured approach to address it and prevent it from happening again.

At a high level, the required steps for handling nonconformities and implementing corrective action are:

React and Control: React to the nonconformity immediately to control and correct it. This may involve containing the issue and mitigating any adverse consequences.
Example: if an AI model is producing incorrect or biased outputs (a nonconformity with expected performance or ethical standards), the immediate action might be to pull that model from production or activate a human review fallback to contain the impact.
Deal with Consequences: Address any consequences caused by the nonconformity. Ensure any harm or compliance breaches are managed. Continuing the example, this could mean informing affected users or correcting any decisions that were made based on faulty AI output.
Root Cause Analysis: Investigate the cause of the nonconformity to understand why it happened and how to prevent it. ISO 42001 expects organizations to evaluate the need for action to eliminate the cause(s) of the nonconformity so it does not recur or occur elsewhere. This often involves performing a root cause analysis – using methods like the “Five Whys” or Ishikawa (fishbone) diagrams to dig deeper than the immediate symptom. Additionally, check if similar issues exist in other areas or could potentially occur under similar conditions.
Example: if an AI system failed due to a data quality issue, assess whether other AI projects might have similar vulnerabilities.
Implement Corrective Actions: Once the root cause is identified, take corrective action to eliminate that root cause and prevent recurrence. Corrective actions should be appropriate to the effects and severity of the problem. In some cases, this could mean updating a procedure or providing additional training; in others, it could require a redesign of an AI model, a new control, or changes to supplier arrangements. The key is addressing the underlying issue, not just the surface problem.
Example: fixing a flawed algorithm rather than merely correcting one erroneous output.
Review Effectiveness: After implementing the fix, review and verify the effectiveness of the corrective action. This might involve testing the AI system under the same conditions that caused the issue, auditing the changed process, or monitoring outputs over time to ensure the problem has truly been resolved and hasn’t recurred. A corrective action is not “closed” until there is objective evidence (e.g. data or audit results) showing the issue is resolved and will not resurface.
Make System Changes if Necessary: If the nonconformity revealed weaknesses in the AI management system, update the AIMS documentation or processes accordingly. This could mean revising risk assessment criteria, improving supplier evaluation processes, tightening change management for AI models, or other systemic changes to plug any gaps. Clause 10.2 explicitly expects organizations to “make changes to the AI management system, if necessary” following a corrective action, to further ensure the issue doesn’t happen elsewhere.
Document the Incident and Action: Maintain documented information as evidence of the nature of the nonconformity, the actions taken, and the results of the corrective action. This means keeping a record in a nonconformity log or incident register that details what went wrong, when it was detected, who was responsible, what root cause was found, what correction and corrective steps were taken, and the outcome. This documentation is crucial for transparency and is often reviewed during audits or certification assessments to confirm that issues are handled properly and improvements are recorded. It also helps your own team learn from past mistakes.

Following these steps ensures a thorough approach to problems: you correct the immediate issue and also address the underlying causes to prevent future recurrence.
Example: if a bias in an AI model’s decisions is identified (nonconformity with your fairness criteria), the organization might (1) correct or remove biased outputs immediately, (2) analyze and find that the training data lacked diversity (root cause), (3) retrain or adjust the model with better data and bias mitigation techniques (corrective action), and (4) later verify that the model’s decisions improved in fairness metrics (effectiveness review). Additionally, the organization would document this incident and perhaps update its data procurement or model validation procedures (system change) to avoid similar bias issues elsewhere.

Best Practices for Nonconformity & Corrective Action

Establish a Clear Process: Develop a formal procedure for handling nonconformities – from detection to closure. Ensure all staff know how to report issues when they see them. Having a standard workflow (often called a Corrective Action Preventive Action – CAPA process) helps maintain consistency. It should include prompt recording of the issue, notification of responsible personnel, root cause analysis, action tracking, and verification steps.
Maintain a Nonconformity Log: Use a centralized log or tracking system to record all nonconformities and corrective actions. This log should capture details and status (open, in-progress, closed). Reviewing this log periodically can reveal patterns (e.g., multiple incidents in a particular process or AI model) and help prioritize systemic improvements. Many organizations integrate this with their incident management or GRC (Governance, Risk, Compliance) software for automation and alerts.
Thorough Root Cause Analysis: Avoid the temptation to apply quick fixes without understanding why a problem occurred. Invest time in a proper root cause analysis for each significant nonconformity. Techniques like the 5 Whys or fishbone diagrams are useful to peel back layers of symptoms and uncover the fundamental cause.
Action Plans with Accountability: For each nonconformity, create a corrective action plan that details what will be done, by whom, and by when. Assign ownership to ensure accountability. Include interim containment actions (immediate fixes) as well as long-term preventive measures. Ensure that management is aware of major nonconformities and allocates necessary resources to fix them properly.
Verify and Close: After corrective actions are implemented, verify their effectiveness before closing the issue. This might require collecting data or conducting a follow-up audit/inspection. Only close the corrective action once you have evidence that the solution worked (for instance, a problematic AI model has been re-tested and meets the performance criteria, or an updated process has been followed without issues for a period of time). A corrective action isn’t finished until there is objective evidence showing the issue will not recur.
Use a No-Blame Culture: Adopt a culture that views reporting of nonconformities and near-misses as opportunities to improve rather than grounds for punishment. When employees and stakeholders are encouraged to speak up about problems or potential problems, you’ll find out about issues early and can address them before they escalate. Recognize teams for identifying and resolving issues, which reinforces proactive behavior.
Integrate with Continual Improvement: Treat each nonconformity as a chance to make broader improvements.
Example: if an issue revealed a gap in training, improve the training program for all staff, not just fix that one case.
During management review meetings, discuss not only the status of corrective actions but also what was learned and how the AIMS can be improved as a result. ISO 42001 expects that lessons from nonconformities feed into the continual improvement process.
Capture Opportunities for Improvement: In addition to formal nonconformities, encourage capturing Opportunities for Improvement (OFIs) – suggestions that may not stem from a failure, but from an idea to do things better. This could be as simple as an employee noticing an AI validation step could be improved, or a stakeholder suggesting a new metric to track AI performance. Have a channel (like an improvement register or suggestion program) for collecting these ideas. Clause 10’s spirit is not just about correcting wrongs, but also about making things better proactively.
ISO 42001 compliance benefits from mechanisms to capture and implement improvement ideas from employees and stakeholders.

Effective corrective action management leads to a virtuous cycle: every mistake or incident strengthens the system rather than weakening it. Over time, this will greatly enhance the reliability, safety, and compliance of your AI systems.

Achieving Continuous Improvement and AI Governance Maturity

Implementing Clause 10 is crucial for building trust in AI operations. It closes the loop of the management system by ensuring continuous learning and optimization. When done right, the Improvement process (Clause 10) helps your organization stay adaptive, compliant, and innovative in a fast-changing AI landscape. Consider Clause 10 as making your AI governance a “living system” that actively gets better every day, rather than a one-time setup.

Main takeaways for Clause 10 implementation

Always be looking for what can be improved – even if things are going well, there’s likely a way to make your AI processes more efficient, ethical, or robust.
Treat problems as goldmines of insight. A nonconformity reveals a weakness; by fixing it properly, your organization becomes stronger and prevents future issues.
Document everything related to improvements and corrections. Not only is this required for ISO 42001 compliance, it also builds organizational knowledge. Over time, you’ll have a knowledge base of what was tried, what worked, and what didn’t, which is invaluable for training new team members and avoiding repeat mistakes.
Ensure top management support for improvement initiatives. Leadership should champion a culture of continual improvement and allocate necessary resources to implement changes (this ties back to Clause 5 on Leadership commitment).
Recognize that AI governance is never “finished” – as AI technology and regulations evolve, so must your AIMS. Clause 10 provides the mechanism to make sure your AI management system keeps up with emerging risks and opportunities, from incorporating new ethical guidelines to handling novel types of AI failures.

ISO/IEC 42001 Clause 10 “Improvement” ensures that your AI management system gets better with time – learning from every incident and adapting to every change – so that your organization’s use of AI remains effective, safe, and worthy of trust.