AI Governance ISO 42001 AIMS Responsible AI AI Roles
Responsible AI Governance

Internal AI vs Customer-Facing AI: How Governance Requirements Differ

Artificial intelligence is now used across many parts of modern organisations. Some AI systems support employees and internal operations, while others are embedded directly into products and services used by customers. Understanding this distinction — and your organisation's role in relation to AI systems — is essential for effective governance under ISO/IEC 42001.


Internal AI vs Customer-Facing AI

The distinction between internal and customer-facing AI helps organisations understand the potential impact of AI systems and the governance considerations that apply.

Internal AI
Used within the organisation
  • AI coding assistants
  • Document analysis tools
  • Productivity copilots
  • Marketing optimisation tools
  • Forecasting and analytics systems
  • AI-powered research and summarisation tools
Customer-Facing AI
Embedded in products or services
  • AI-powered chatbots
  • Recommendation engines
  • Predictive analytics platforms
  • Fraud detection services
  • AI copilots in software products
  • Automated decision-support systems

What Is Internal AI?

Internal AI refers to AI systems used within an organisation to support internal operations rather than being delivered directly to customers or external users. These systems are typically used to improve efficiency, automate activities, or support employee decision-making.

What Is Customer-Facing AI?

Customer-facing AI refers to AI systems that are incorporated into products or services used directly by customers or external users. In these situations, AI outputs may directly influence customer experiences, business outcomes, or decisions affecting individuals.

Why the Distinction Matters

Internal AI systems primarily affect employees and internal business processes. Customer-facing AI systems may directly affect customers, users, partners, or other external stakeholders.

As a result, customer-facing AI systems often require greater scrutiny around reliability, transparency, human oversight, accountability, and regulatory compliance.

However, the nature of governance requirements is not determined solely by whether a system is internal or customer-facing. Organisations must also consider the role they perform in relation to the AI system.

Understanding AI Roles

ISO/IEC 42001 requires organisations to determine their role in relation to AI systems as part of understanding their context and governance obligations. ISO/IEC 22989 describes several AI stakeholder roles:

Role
AI Provider

An organisation that provides products or services that use one or more AI systems — such as AI platform, product, or service providers.

Role
AI Producer

An organisation that designs, develops, tests, and deploys products or services using AI systems — even when using third-party AI models.

Role
AI Customer

An organisation that uses an AI product or service directly or through its provision to AI users.

Role
AI User

An organisation or entity that uses AI products or services. Many organisations using generative AI tools internally operate primarily in this role.

Role
AI Partner

Organisations performing supporting functions — such as system integrators, data providers, AI evaluators, and AI auditors.

Why AI Roles Matter for ISO 42001

The role an organisation performs influences its governance responsibilities and may affect the applicability and extent of applicability of ISO 42001 controls.

Role Key Governance Focus
AI Provider Transparency, monitoring, customer impact, and accountability
AI Producer Design, testing, validation, change management, and lifecycle governance
AI Customer / User Risk assessment, supplier oversight, acceptable use, and human oversight
AI Partner Controls relevant to specific activities such as evaluation, integration, or auditing

Importantly, organisations may perform multiple roles simultaneously.

Example — SaaS Company

A SaaS company may perform all three of the following roles at the same time, each introducing different governance requirements within the AIMS:

  • Use AI tools internally — acting as an AI customer
  • Develop AI-enabled features — acting as an AI producer
  • Provide AI-enabled services to customers — acting as an AI provider

Governance Considerations for Internal AI Systems

Internal AI systems still require governance and oversight. Common considerations include:

  • responsible use policies
  • employee awareness and training
  • monitoring output quality
  • managing privacy and data protection risks
  • preventing overreliance on AI-generated outputs
  • maintaining human review where appropriate

Although internal systems often present lower external impact, organisations remain responsible for managing associated risks.

Governance Considerations for Customer-Facing AI Systems

Customer-facing AI systems typically require more extensive governance because their outputs may directly affect customers or other stakeholders. Common considerations include:

  • transparency regarding AI use
  • monitoring reliability and performance
  • managing bias and fairness risks
  • implementing human oversight mechanisms
  • maintaining accountability for outcomes
  • documenting system operation and governance activities
  • providing mechanisms for customers, users, and other interested parties to report concerns, incidents, unexpected outcomes, or potential adverse impacts associated with AI systems

Customer-facing systems are also more likely to attract customer due diligence requests and regulatory scrutiny.

How ISO 42001 Supports Both Types of AI

ISO 42001 provides a governance framework that can be applied regardless of whether AI systems are internal or customer-facing. The standard requires organisations to establish processes for:

  • identifying AI systems
  • understanding AI roles and responsibilities
  • assessing risks and opportunities
  • governing AI throughout its lifecycle
  • implementing oversight and accountability
  • monitoring AI system performance
  • managing incidents and issues

The specific controls implemented will depend on the organisation's context, the risks presented by the AI system, and the organisation's role in relation to that system.

Need help mapping your AI governance responsibilities?

Adoptech helps organisations identify their AI roles, assess governance requirements, and implement ISO 42001 — with expert UK-based support throughout.

Talk to our team
Artificial intelligence (AI)

Further articles