What AI system lifecycle controls does ISO/IEC 42001 require?
ISO/IEC 42001 requires organizations to implement controls across the entire AI system lifecycle, from design and development through deployment, operation, and retirement, ensuring responsible management of AI systems.
Specific controls for the AI system lifecycle include:
- ISO/IEC 42001 A.6 AI system lifecycle: Organizations must ensure the responsible design, development, deployment, operation, and retirement of AI systems, with specific controls applied at each stage of the lifecycle.
- ISO/IEC 42001 A.7 Data for AI systems: This control mandates data governance practices, including the provenance, quality, preparation, and management of the data used by AI systems throughout the AI system lifecycle. This cross-maps to OWASP LLM04 data poisoning.
- ISO/IEC 42001 A.5 AI impact assessment: Processes are required to assess the impacts of AI systems on individuals, groups, and society across the entire lifecycle. This cross-maps to NIST-MAP-5.1.
- ISO/IEC 42001 A.9 Use of AI systems: This control focuses on responsible-use controls and human oversight for the operation of AI systems. It cross-maps to NIST-GOVERN-3.2 and OWASP LLM06/LLM09 regarding oversight and overreliance.
- ISO/IEC 42001 A.10 Third-party relationships: Controls are necessary for suppliers and third parties involved in the AI value chain, such as model providers, data providers, and tool/plugin vendors. This cross-maps to NIST-GOVERN-6.1 and OWASP LLM03 supply chain risks.
- ISO/IEC 42001 Cl.8 Operation: This clause requires operational planning and control, ensuring that AI risk and impact assessments are implemented and AI systems are operated under defined controls [iii].
Grounded in
- iso_42001
- Designing Agentic AI Systems with the ORCHIDEAS Framework
- nist_ai_rmf
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.