AI Governance in Service Management

Embracing the ITIL® 6C Model, ISO 42001, and ISO 20000-1 for a Transformative Journey
May 12, 2026
Gabriel Espinosa

Artificial Intelligence (AI) is no longer optional in managed IT services. However, adopting AI without a structured governance framework is the shortest path to uncontrolled risks, exposed customer data, and diffuse accountability.
This article proposes an integrated AI Governance Model that combines three international reference standards—the ITIL® 6C Model, ISO/IEC 42001:2023, and ISO/IEC 20000-1:2018—and applies them in the context of Managed Support and Service Management.
The Pivotal Moment for AI Governance in Service Management
The ITIL® 6C Model (Version 5): A Functional Taxonomy of AI
ITIL® (Version 5), released in February 2026 by PeopleCert, is the first version of the framework designed to be AI-native. All of its components are structured to be augmented by AI capabilities. This is not merely a cosmetic update; it is a strategic shift that recognizes AI is already operating as a fundamental element at the core of managed IT services.
According to the ITIL® AI Governance White Paper by PeopleCert, 90% of organizations are currently using AI in their daily operations. However, only 18% of these organizations have a fully implemented AI governance framework. This gap represents a significant operational and compliance risk for service management organizations.
ITIL® (Version 5) introduces a functional model of AI capabilities known as the 6C Model within its Information and Technology dimension. This model serves two main purposes: to help organizations understand the AI capabilities they are using and to define risk profiles, controls, and countermeasures specific to each function.
The six capabilities in the model are interconnected rather than mutually exclusive; in fact, most real-world applications in Service Management typically combine several of them. The key aspect of the model is that each capability brings its own distinct risks and governance requirements. This allows organizations to move beyond a one-size-fits-all approach to AI management.
What is ISO/IEC 42001:2023?
ISO/IEC 42001:2023 (ISO 42001) is the first international standard to specify requirements for an Artificial Intelligence Management System (AIMS). Its purpose is not to define how AI is built, but rather how an organization governs it—through clear policies, risk assessment, operational controls, and continuous improvement.
ISO 42001 comprises ten clauses and four annexes, including two normative and two informative. The first three clauses serve as an introduction, offering general information, glossaries, and guidance to facilitate a thorough understanding of the standard. Clauses 4 through 10 detail the auditable requirements for AI Management Systems (AIMS) and are structured according to the Plan-Do-Check-Act (PDCA) continuous improvement cycle.
What is ISO/IEC 20000-1:2018?
ISO/IEC 20000-1:2018 is the leading international standard for IT Service Management (ITSM), aimed at ensuring that organizations provide high-quality services that are aligned with business needs. Its significance lies in establishing a robust framework for planning, designing, transitioning, and improving services, which helps guarantee operational efficiency and customer satisfaction through a continuous improvement approach.
The ISO 20000-1 standard is structured into ten clauses, covering various aspects ranging from the organizational context and leadership to the operation of service processes and performance evaluation. The first three clauses serve as an introduction, while clauses 4 through 10 contain the requirements that can be audited.
ISO 42001 and ISO 20000-1 adopt a high-level structure (HLS) like other widely recognized standards—such as ISO 9001 and ISO 27001—making them easier to integrate into existing management systems for organizations providing IT services.
The Normative Trio: ITIL® (Version 5) + ISO 42001 + ISO 20000-1
These three best practices do not compete with one another; they complement each other, forming a coherent governance layer for Service Management organizations operating AI:
ITIL® (Version 5) | ISO/IEC 42001:2023 | ISO/IEC 20000-1:2018 |
Service Management Framework | AI Management System (AIMS) | Service Management System (SMS) |
Defines how services and AI are managed in practice: the 6C Model, the product and service lifecycle, and Service Management practices. | Defines the requirements to govern AI: policy, risk and impact assessment, operational controls, AI supplier management, and continuous improvement. | Establishes the requirements for the SMS (Service Management System): delivery, support, relationships, and improvement of IT services. Regulatory framework for service management organizations. |
Role: Operational guide and functional classification of AI | Role: Auditable AI governance standard | Role: Foundation for a certifiable Managed Service |
The integration among these three frameworks and standards is straightforward: Annex D of ISO 42001 clearly outlines how the AIMS (Artificial Intelligence Management System) coexists with other management systems, such as ISO 20000-1. ITIL® practices serve as the operational framework through which the controls of both standards are applied in the daily operations of the service management team.
Exploring the Intersection: The 6C Model, Service Management Practices, and ISO/IEC Standards
The following table cross-references the six capabilities of the ITIL® 6C Model with the key service management practices, the ISO 42001 controls they activate, and their alignment with ISO 20000-1. Each cell represents a governance point that must be documented in the organization's AIMS.
ITSM Practice | Main 6C Capability | Use Case in Service Management | ISO/IEC 42001 | ISO/IEC 20000-1 |
Service Desk (L1) | Communication + Creation | Virtual Agent responds, generates KB, and escalates intelligently | A.4, A.7, A.9 | §8.6 Incident Management |
Incident Management | Cognition + Curation | Automatic classification, prioritization, and correlation of alerts | A.6, A.8, C.9 | §8.6, §8.7 |
Problem Management | Cognition + Clarification | Assisted root cause analysis, generation of PIR draft | A.4, A.5, C.9 | §8.8 Problem Management |
Change Enablement | Cognition + Coordination | RFC risk scoring, detection of conflicting changes | C.6, A.8, A.4 | §8.5 Change Management |
Capacity Management | Cognition | Resource forecasting, predictive capacity alerts | A.3, A.5, C.9 | §8.4 Capacity Planning |
Monitoring / AIOps | Curation + Coordination | Event correlation, noise suppression, auto-remediation | A.5, A.8, C.9 | §8.6, §8.7 |
Knowledge Management | Creation + Curation | Semantic search, AI-generated/curated articles | A.6, A.7, A.9 | §8.3 Knowledge Management |
Reporting / SLA | Creation + Cognition | Automated executive reports, SLA breach prediction | A.7, C.9, A.8 | §9.1 Performance Evaluation |
The Four Challenges ITIL® (Version 5) Identifies for Governing AI
ITIL® (Version 5) explicitly notes that traditional IT governance frameworks were not designed to address the specific challenges of AI, and identifies four issues that Service Management organizations must address with specific controls:
1. Autonomy in decision-making
AI systems make decisions without human approval at every step.
· In Service Management: automatic incident routing or the execution of runbooks in AIOps
· Required control: defined human oversight (ISO 42001, A.8)
2. Lack of transparency
It is frequently unclear why the AI made a specific decision.
· In Service Management: when the model classifies an incident as P3 instead of P2, can the analyst explain why?
· Required control: traceability and explainability (ISO 42001, A.5, A.7)
3. Evolving ethical dilemmas
Edge cases not anticipated during the design phase.
· In Service Management: a Virtual Agent handling a user complaint involving sensitive personal data
· Required control: continuous impact assessment (ISO 42001, A.4)
4. Rapidly evolving regulatory requirements
The EU AI Act, national regulations, and sector-specific standards.
· In Service Management: managed service contracts must reflect compliance with the client's AIMS
· Required control: continuous review and vendor management (ISO 42001, A.9, Clause 9)
Shadow AI in Service Management: The Most Immediate Risk
The most significant risk to AI Governance within service management teams arises not from officially deployed AI systems but from Shadow AI—where technicians, analysts, and managers use AI tools without formal authorization or oversight.
According to a recent UpGuard study (November 2025), over 80% of employees, including 90% of security professionals, engage with unauthorized AI tools in their professional activities. Within the realm of Service Management, this could imply that incident logs, client configurations, and Service Level Agreement (SLA) data are processed by external large language models (LLMs) without adequate impact assessments, vendor management protocols, or traceability mechanisms in place.
ISO 42001 addresses Shadow AI through Clause 5 (AI Policy), Clause 7 (Awareness), and Annex A.2 (AI Usage Policies).
From Governance to Stewardship: The ITIL® (Version 5) Vision
ITIL® (Version 5) introduces a concept that goes beyond governance as mere control: stewardship. This shift is fundamental for Service Management teams:
Traditional IT Governance | AI Stewardship — ITIL® (Version 5) |
Focus on control and compliance | Focus on care and ethical responsibility |
Static rules periodically reviewed | Dynamic and adaptive governance |
Responsibility of the IT department | Shared responsibility across the team |
Reacts to governance incidents | Proactively monitors and improves |
The user is the recipient of the service | The user co-creates value with AI |
This change means that AI governance is not the exclusive responsibility of the CISO or the compliance team—it is part of the operational culture of every analyst, technician, and service manager who interacts with AI systems.
A Practical Implementation Framework for Service Management
The following roadmap integrates the four-step approach from PeopleCert’s ITIL® AI Governance White Paper along with the requirements of ISO 42001 and ISO 20000-1.
Four-Step AI Stewardship Roadmap
· Step 1 — Stress-test the current framework: Inventory all AI systems currently in use (including Shadow AI), map each one to the 6C Model to identify which capabilities are operational, and assess whether current governance controls are sufficient for those capabilities.
Deliverable: 6C capability map with identified gaps
· Step 2 — Define specific AI requirements: For each identified 6C capability, define specific governance requirements using Annex A of ISO 42001 as a control catalog. Prioritize controls A.4 (impact), A.7 (transparency), A.9 (suppliers), and A.6 (data).
Deliverable: AI Management System (AIMS) Statement of Applicability (SoA)
· Step 3 — Design governance adjustments: Integrate ISO 42001 controls into existing ITSM processes (ISO 20000-1)—not as an additional layer, but as an extension of service management controls. Use Annex D of ISO 42001 for formal integration.
Deliverable: Updated procedures with embedded AI controls
· Step 4 — Operate governance dynamically: Implement continuous monitoring cycles (ISO 42001, Clause 9) to detect model degradation, new risks, and regulatory changes. AI governance is not a one-off compliance project—it is a living process aligned with ITIL®’s continuous improvement and the AIMS’s PDCA cycle.
Conclusion
The ITIL 6C Model (Version 5) provides a much-needed resource for the Managed Support industry: a common and precise language for classifying what AI does. Instead of viewing AI as a generic technology, this model defines specific capabilities along with their distinct risks and controls.
When integrated with the regulatory framework of ISO 42001 for AIMS governance and the operational effectiveness of ISO 20000-1 for service management, this combination forms the most solid foundation currently available for managing AI within a services environment.
Governing artificial intelligence is not intended to impede innovation; instead, it focuses on ensuring accountability for the outcomes generated by AI systems. Whether a Virtual Agent interacts with a user, a model assesses potential risks, or AIOps manages alerts, it is essential that there is a system of oversight in place. This entails thorough documentation of controls and the establishment of processes designed to facilitate ongoing improvement of the system.
Well-governed AI is not just a safer choice; it’s also more dependable, more efficient, and delivers greater value to customers. This ensures lasting benefits and trust.
References
· AI Governance White Paper (6C Model). PeopleCert / ITIL. 2025. itil.com/ai-governance-white-paper
· Everything you need to know about ITIL 5, AI and incident management. incident.io, February 2026. https://incident.io/blog/everything-you-need-to-know-about-itil-5-ai-and-incident-management
· Information and Technology in ITIL Version 5: The 6C Model. PMG Academy, February 2026. https://www.pmgacademy.com/en/articles/itil/information-and-technology-in-itil-version-5-the-guide-for-the-ai-era-and-data-governance/
· ISO/IEC 42001:2023. Information technology — Artificial intelligence — Management system. International Organization for Standardization. iso.org/standard/42001
· ISO/IEC 20000-1:2018. Information technology — Service management — Part 1: Service management system requirements. International Organization for Standardization. iso.org/standard/70636
· ITIL AI Governance in Organizations. PeopleCert / itil.com, January 2026. https://www.itil.com/Itil-News-and-Announcements/itil-ai-governance-organizations
· ITIL (Version 5) Explained — Key Changes, Lifecycle, AI Governance. ITSM.tools, 2026. https://itsm.tools/itil-version-5-explained-key-changes-lifecycle-ai-governance/
· ITIL (Version 5) vs ITIL 4: 20 Key Changes. ITSM.tools, 2026. https://itsm.tools/itil-version-5-vs-itil-4-key-changes/
· Shadow AI is widespread — UpGuard Report. Cybersecurity Dive, November 2025. https://www.cybersecuritydive.com/news/shadow-ai-employee-trust-upguard/805280/