Regulated-Sector AI Governance: An ISO 42001 Lead Auditor's Briefing for UK Financial Services and Healthcare Boards
Generic AI governance frameworks fail regulated boards for one structural reason: the ICO, the FCA and the MHRA each expect a different evidence artefact and a single policy template satisfies none of them properly. We sit in the Lead Auditor’s seat for ISO 42001 work across UK regulated firms, and the pattern is consistent. Boards arrive with a governance document that reads well and proves nothing a supervisor will accept. ISO 42001 Annex B is among the few control sets that map cleanly to all three regulators at once, which is why this briefing is built around it rather than around a maturity model that stops at the boardroom door.
This post sets out how ISO 42001 applies in financial services and healthcare specifically, which Annex B controls produce board-ready evidence, and what UK regulators look for. The distinction that matters throughout: what a SOC vendor can monitor is not the same as what a regulator will accept as proof of competent AI risk management. This briefing addresses UK regulatory frameworks only and does not constitute legal or regulatory advice; firms should seek independent legal counsel on their specific obligations under the ICO, FCA and MHRA regimes.
Why generic AI governance fails regulated boards
A single-audience framework cannot hold up in front of regulated boards, because those boards answer to several supervisors at once. A bank running AI-driven credit decisions sits under ICO accountability for the personal data, FCA SYSC and Consumer Duty for the outcomes and its own internal model risk governance for the decisioning logic. A policy template written for general AI ethics speaks to none of these in the language each regulator uses.
The problem is the evidence, not the intent. Regulators do not reward good intentions; they ask for artefacts. The ICO wants documented impact assessments and a lawful basis. The FCA wants a named accountable senior manager and consumer outcome testing. The MHRA, for any AI functioning as software-as-a-medical-device, wants clinical safety evidence and post-market surveillance. A framework that cannot produce all three sets of artefacts from a common foundation forces the board to maintain three parallel governance efforts, which is where most regulated programmes quietly collapse.
How ISO 42001 maps to UK financial services and healthcare
ISO 42001 gives a regulated firm a single AI management system that maps to ICO accountability, FCA SYSC and Consumer Duty obligations and MHRA software-as-a-medical-device expectations. The standard does not replace any of these regimes. It organises the firm’s AI activity into a structure that produces the evidence each regulator requests, drawn from one source of record rather than three disconnected ones (see our ISO 42001 certification guide for how the management system is built).
In financial services the connection is direct. SYSC requires firms to maintain adequate systems and controls; ISO 42001 documents those controls for AI systems specifically. Consumer Duty requires firms to test and evidence good consumer outcomes; the standard’s impact assessment and monitoring controls capture exactly that testing in an auditable form.
In healthcare the connection runs through clinical safety. Where an AI tool meets the definition of a medical device, MHRA expectations sit alongside clinical governance obligations. MHRA requirements in this area continue to develop, so firms should track current MHRA guidance on software and AI as a medical device. ISO 42001’s controls on data quality, human oversight and lifecycle monitoring give the trust board a structure that aligns with both.
The Annex B controls that build a board-ready evidence pack
Compliance Leads in financial services and healthcare need a board-ready evidence pack, not a policy template, and that pack is built from Annex B controls A.4 through A.9 with regulator-specific attestations attached. These controls cover the work that regulators care about: AI impact assessment, data governance across the system lifecycle and documented human oversight of AI-driven decisions.
A.4 through A.9 matter because they generate artefacts rather than statements. An impact assessment under these controls is a dated, owned document that a supervisor can read. A data governance control produces lineage and quality records. A human oversight control produces a log showing where a person reviewed or overrode an AI output and on what basis. These are the items an FCA supervisor or an MHRA assessor asks to see, and they are the items a policy template cannot manufacture after the fact.
The regulator-specific layer is the attestation attached to each control. The same human oversight evidence supports an FCA SMCR attestation for an accountable senior manager, an ICO record of meaningful human review of automated decisions under Article 22 and an MHRA record of clinical sign-off. One control set, three attestations, drawn from a single evidence base. That is the structure that lets a board present competent AI risk management to multiple regulators simultaneously without maintaining three programmes.
What the FCA expects from boards in 2026
The FCA expects regulated boards to demonstrate accountable senior managers under SMCR for AI-driven decisions, documented model risk management, consumer outcome testing under Consumer Duty and an auditable record of human oversight. ISO 42001 certification is not mandated. Its Annex B controls produce evidence artefacts that align closely with the documentation supervisors request during firm visits and Section 166 reviews, including records of how the firm governs and validates the models behind regulated decisions.
Certification is optional; the underlying evidence is not. A firm can decline to certify and still face a Section 166 skilled person review that asks for the kind of documentation Annex B controls produce. Building the evidence pack against the standard means the firm is ready for that review whether or not it ever seeks a certificate.
The accountable manager requirement deserves particular attention. SMCR makes a named individual responsible, and when an AI system drives a regulated outcome that individual must be able to evidence oversight. A governance framework that cannot tie a specific control to a specific senior manager leaves that person exposed. The Annex B human oversight controls close that gap by recording who held the decision and on what evidence.
Why a Lead Auditor’s perspective changes the brief
We operate as ISO 42001 Lead Auditors for UK regulated firms, which means our briefings reflect what auditors and regulators accept as sufficient evidence rather than what a monitoring vendor can observe. A SOC platform can tell a firm that a model is running and flag anomalous behaviour. It cannot produce the dated impact assessment, the attested human oversight log or the consumer outcome test record that a supervisor requests.
The difference is between observation and proof. Monitoring evidences that a system behaves; an audit-grade evidence pack proves that the firm governs it. Regulated boards are accountable for the second, and the second is what the Annex B structure delivers. Reading a control set from the auditor’s seat means knowing which records will hold up under challenge and which will be waved away as insufficient, which is the knowledge a generic governance vendor cannot offer because it has never sat on that side of the table.
Common questions from regulated Compliance Leads
Do we need to certify to ISO 42001, or just adopt the controls?
Certification is not mandated by the ICO, FCA or MHRA. The value sits in the Annex B controls and the evidence they produce, which a board can build and maintain without seeking a certificate. Many regulated firms adopt the controls first to be ready for supervisory review, then decide on certification once the evidence base is established and the cost is justified.
Who in the firm should own the AI governance evidence pack?
Ownership should sit with a named accountable senior manager under SMCR in financial services, supported by the Compliance Lead who maintains the artefacts. In healthcare, clinical safety leadership shares ownership where the AI functions as a medical device. The principle is that one individual must be able to stand behind the evidence to a regulator, so distributed or committee-only ownership tends to fail under scrutiny.
How long does it take to build an audit-grade evidence pack from a standing start?
It depends on how many AI systems are in scope and how much existing documentation can be reused. A focused programme covering the firm’s highest-risk AI decisions can typically produce a board-ready pack against Annex B controls A.4 through A.9 faster than firms expect, because the controls organise existing risk and data work rather than requiring it to be built afresh. Timeframes vary by scope and are confirmed at scoping.
Map your evidence position before a supervisor does
The firms that struggle in a Section 166 review or an MHRA assessment are not the ones with weak intentions. They are the ones whose governance produced statements rather than artefacts. Book a 45-minute regulated-sector AI governance briefing with our ISO 42001 Lead Auditor team to map your Annex B evidence position against ICO, FCA and MHRA expectations and to see where your current pack would hold or fail under regulatory challenge.