What data governance controls does ISO/IEC 42001 require for AI systems?
ISO/IEC 42001 requires organizations to establish a management system for AI, including specific controls for data governance throughout the AI system lifecycle.
Organizations must implement the following data governance controls for AI systems:
- AI system lifecycle (A.6): Establish responsible design, development, deployment, operation, and retirement of AI systems, with controls at each lifecycle stage. This is considered the core of data governance lifecycle coverage.
- Data for AI systems (A.7): Implement data governance practices covering the provenance, quality, preparation, and management of data used by AI systems across the AI system lifecycle. This control cross-maps to OWASP LLM04 (data poisoning) and to the NIST GenAI profile's "Data privacy" risk.
- Resources for AI systems (A.4): Identify and document resources for AI systems, including data, tooling, compute, and human competence, as well as the model/tool components in use.
- Third-party relationships (A.10): Apply controls for suppliers and third parties in the AI value chain, such as model providers, data providers, and tool/plugin vendors. This cross-maps to NIST-GOVERN-6.1 and OWASP LLM03 for supply chain risks.
- Documented information (Cl.7): Control the creation, updating, and handling of the documented information needed to operate the AI Management System.
- AI policy (A.2): Maintain a documented AI policy that is aligned with business objectives and other relevant policies. This policy should also address roles, responsibilities, and authorities for AI governance.
Grounded in
- iso_42001
- Designing Agentic AI Systems with the ORCHIDEAS Framework
- nist_ai_rmf
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.