Governing AI Beyond Compliance: The State of the Art Between the EU AI Act, ISO 42001 and Business Strategy
From regulation to management system: how to turn the EU AI Act and international standards into concrete governance for business, marketing and operations.
Alessandro Drago


Introduction
The use of artificial intelligence in companies is no longer experimental. It is now embedded in products, services, marketing, and decision‑making processes. With the EU AI Act in force since August 2024 and its obligations applying in stages, and with ISO/IEC 42001 published in late 2023, organizations face a twofold challenge: understanding which risk category their systems fall into and building governance that goes beyond a superficial “box‑ticking” approach.
For people working in regulatory, communications, IT/AI and business roles, it has become essential to distinguish between legal obligations, voluntary standards, and strategic choices. The goal is to avoid both paralyzing over-compliance and underestimating risks that may turn into sanctions, loss of trust, or actual incidents.
1. The EU AI Act: The New Regulatory Perimeter
1.1 Risk‑based logic and risk categories
The EU AI Act introduces a risk‑based approach, distinguishing between prohibited AI practices, high‑risk systems, systems subject to specific transparency obligations (often called limited‑risk), and minimal‑risk systems, with obligations increasing as risk increases. Two routes lead into the high‑risk category. Under Article 6(1), an AI system is high‑risk when it is a safety component of, or is itself, a product covered by the EU product legislation listed in Annex I (medical devices, for example). Under Article 6(2), the use cases listed in Annex III are high‑risk when the system is used for the specified purposes, including, for example, AI used in managing critical infrastructure, HR and recruitment processes, access to essential private and public services (such as credit scoring or life and health insurance pricing), and emergency triage in healthcare. The Annex III classification is not fully automatic: Article 6(3) exempts systems that do not pose a significant risk of harm (for instance, those performing a narrow procedural task), with the important caveat that any system that profiles natural persons remains high‑risk, and a provider relying on the exemption must document its assessment before placing the system on the market.
For these systems, the Act requires stringent obligations on risk management, data quality and data governance, technical documentation, human oversight, accuracy, robustness and cybersecurity, post‑market monitoring, transparency, a conformity assessment before market placement, and registration in a public EU database.
1.2 Transparency for high‑risk systems and general‑purpose models
The EU AI Act dedicates specific attention to transparency for high‑risk AI systems (HRAIS): Article 13 requires providers to design and develop systems so that deployers can reasonably understand how they work and interpret their outputs, supported by clear and complete instructions for use. For general‑purpose AI models (GPAI), Article 53 requires providers to maintain technical documentation covering the training and testing process and evaluation results, to supply downstream providers with the information they need to integrate the model, and to publish a summary of the content used for training that helps stakeholders understand the model’s capabilities and limitations.
This has a direct impact on companies integrating generative models into customer service, marketing, data analysis, or decision support. Although the documentation duty sits with the model provider, the integrating company must obtain that documentation and build its own on top of it, which means far more than the typical opaque “AI SaaS” arrangement where the model is a black box and nothing is asked of the vendor.
1.3 Borderline scenarios: when marketing and sales approach high‑risk territory
Although many AI applications in marketing and sales formally fall outside Annex III, the boundaries are not always clear‑cut. Systems that profile individuals for decisions about access to essential services or economic conditions, or that significantly affect rights and opportunities, can shift into the high‑risk category, especially when they combine scoring, automated recommendations, and decisions with material impact. Profiling is the decisive signal here, since it removes the Article 6(3) exemption.
In parallel, horizontal rules on dark patterns and unfair digital practices, such as the Digital Services Act and the Unfair Commercial Practices Directive, are starting to touch AI‑driven interfaces, putting aggressive nudging or opaque designs under scrutiny. The AI Act itself adds a prohibition, in Article 5, on AI that deploys manipulative or deceptive techniques to materially distort behaviour in a way that causes significant harm.
2. ISO 42001 and the NIST AI RMF: Governance Standards That Complete the Picture
2.1 ISO/IEC 42001: an AI management system
ISO/IEC 42001:2023 is the international standard for an Artificial Intelligence Management System (AIMS), applicable across the entire AI system lifecycle. It covers governance structures, risk and impact assessment, transparency, fairness, resilience, and compliance with legal requirements, bringing AI into the familiar Plan‑Do‑Check‑Act logic used by other ISO management system standards such as ISO/IEC 27001.
Adopting ISO 42001 allows organizations to demonstrate, in a verifiable way, how they identify, assess, and mitigate risks in their AI systems, strengthening their credibility with clients, partners, investors, and regulators.
2.2 NIST AI RMF and how it complements ISO
The NIST AI Risk Management Framework (AI RMF 1.0, published in January 2023 by the U.S. National Institute of Standards and Technology) is a voluntary framework built on four core functions (Govern, Map, Measure, Manage) that guide organizations in managing AI risk. While ISO 42001 focuses on a certifiable management system, the NIST AI RMF emphasizes the characteristics of “trustworthy AI”, including validity and reliability, safety, security and resilience, accountability and transparency, explainability, privacy, and fairness, and has been extended with a dedicated Generative AI Profile (NIST AI 600‑1, July 2024).
Together, the two references provide a powerful combination: ISO 42001 for organizational structure and certification potential and NIST AI RMF for risk content and operational best practice.
3. Italy’s Focus on Healthcare: Telemedicine as a Regulatory Testbed
In 2025 Italy adopted Law 132/2025, a national framework law on artificial intelligence aligned with the EU AI Act. Its healthcare provisions (notably Article 8) explicitly acknowledge AI’s role as support for, not a replacement of, clinical judgement and require specific safeguards on privacy, non‑discrimination and the use of health data. The law also establishes a national AI platform managed by Agenas, integrated with the Electronic Health Record (Fascicolo Sanitario Elettronico), to support professionals and provide interactive services to citizens.
Although centred on healthcare, this experience offers valuable lessons for other highly regulated sectors (health insurance, wellness, nutrition, digital health services), where boundaries between support, automation and final decision‑making can easily blur.
4. Practical Implications for Regulatory, Marketing, IT/AI and Sales
From an operational standpoint, this new scenario requires previously separate functions to work together: regulatory, data/IT, marketing and sales need to converge on a few fundamental choices.
Key points:
Map all AI use cases in the organization, including core systems as well as marketing tools, CRM, customer support, and analytics.
Classify systems by risk, using Article 6 and Annex III of the AI Act as a reference, and document why a system is or is not considered high‑risk. Where a provider relies on the Article 6(3) exemption for an Annex III use case, the Act requires that assessment to be documented before the system is placed on the market, so the rationale must be written down, not just decided.
Integrate AI governance and AI risk management into existing processes (risk committees, compliance, IT governance), avoiding unnecessary parallel structures.
Ask vendors for solid technical documentation, instructions for use, training data information, and model limitations, in line with transparency requirements for HRAIS and GPAI.
Align AI use in marketing and sales with rules on unfair commercial practices and dark patterns, avoiding personalization or persuasion approaches that edge into deceptive behavior.
Conclusions and Recommendations
The current state of the art shows clearly that AI is no longer “just a tech topic”: it is a regulatory and governance object that requires unified leadership from business, legal, regulatory, IT/AI and communications. Relying only on compliance checklists is risky; an organization can be formally compliant and still substantively fragile in the eyes of customers and authorities.
For companies that want to move with clarity, priorities include:
building an up-to-date map of their AI systems and their impact on people, rights and decisions;
adopting, or at least taking strong inspiration from, ISO 42001 and the NIST AI RMF to turn AI risk management into a continuous, measurable process;
using the AI Act as a driver to rethink processes, roles, and relationships with vendors, not just as a compliance checklist.
In this perspective, approaches like Nutri‑AI—which intertwine scientific evidence, regulatory reading, and responsible AI use—offer a promising model, not only for nutrition but also for any sector that wants to combine innovation with accountability.
Disclaimer: All rights to images and content used belong to their respective owners. This article is provided for educational and informational purposes only. It does not constitute legal or regulatory advice. Organizations should consult qualified legal and regulatory experts before implementing AI systems in the nutrition sector.
--------------------------------------------------------------------------
Bibliographic and Regulatory References
European Union (2006). Regulation (EC) No 1924/2006 of the European Parliament and of the Council of 20 December 2006 on nutrition and health claims made on foods. Official Journal of the European Union L 404. URL: https://www.legislation.gov.uk/eur/2006/1924/article/4
European Union (n.d.). Article 6: Classification Rules for High-Risk AI Systems – EU AI Act. URL: https://artificialintelligenceact.eu/article/6/
European Union (n.d.). Annex III: High-Risk AI Systems Referred to in Article 6(2) – EU AI Act. URL: https://www.euaiact.com/annex/3
European Union (n.d.). Key Issue 5: Transparency Obligations – EU AI Act. URL: https://www.euaiact.com/key-issue/5
European Commission (2026). AI Act – Shaping Europe’s Digital Future. URL: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
Deloitte (2024). ISO 42001 Standard for AI Governance and Risk Management. URL: https://www.deloitte.com/us/en/services/consulting/articles/iso-42001-standard-ai-governance-risk-management.html
ModelOp (2025). NIST vs ISO – Compare AI Frameworks. URL: https://www.modelop.com/ai-governance/ai-regulations-standards/nist-vs-iso
European Observatory on Health Systems and Policies (WHO) (2025). Italy introduces new law to regulate AI in healthcare (Law 132/2025). URL: https://eurohealthobservatory.who.int/monitors/health-systems-monitor/updates/hspm/italy-2023/italy-introduces-new-law-to-regulate-ai-in-healthcare
Marco Galli, Massimiliano Cucè, Giorgia Valsecchi (2025). Italy's New AI Law: Article 8 Marks a Turning Point for Healthcare. LinkedIn article. URL: https://www.linkedin.com/pulse/italys-new-ai-law-article-8-marks-turning-point-healthcare-swp1e
Nutri‑AI (2025‑). Nutri‑AI Newsletter – Where Evidence-Based Nutrition Meets Regulatory Intelligence. URL: https://www.linkedin.com/newsletters/nutri-ai-newsletter-7388685315625963520
Contact details
Follow me on LinkedIn
Nutri-AI 2025 - Alessandro Drago. All rights reserved.
e-mail: info@nutri-ai.net