ISO 42001 Annex A Controls: The 38 AI Management Controls and Where Each One Lands in the Deployment
ISO 42001 Annex A lists 38 controls across nine areas (A.2 through A.10) that an organization implementing an AI Management System (AIMS) has to consider. The Statement of Applicability records which controls the organization has implemented, which controls it has excluded (with justification), and which controls are partially implemented with a target date for completion. The auditor samples the applicable controls at the certification audit and the surveillance audits that follow.
I want to walk through each of the nine areas, the controls each area contains, the deployment layer where each control operates (policy, application, gateway, or model provider), and the evidence artifacts a certification body's auditor accepts as satisfaction of the control.
A.2: Policies related to AI
A.2 contains three controls covering the AI policy documentation.
A.2.2 (AI policy) requires the organization to maintain an AI policy that describes the objectives and principles for the responsible development, deployment, and use of AI systems. The evidence is the policy document, signed by the accountable executive, with a review date within the past 12 months.
A.2.3 (Alignment with other organizational policies) requires the AI policy to align with the organization's other policies (information security, privacy, ethics, compliance). The evidence is a cross-reference matrix showing the alignment.
A.2.4 (Review of the AI policy) requires the policy to be reviewed at planned intervals. The evidence is the review record with the date, the participants, and the outcomes.
The A.2 controls operate at the policy layer. The policy document is the primary artifact, and the enforcement layer (see A.8.3 and A.8.4) produces the operational evidence that connects the policy to the AI system's operation.
A.3: Internal organization
A.3 contains two controls covering roles and responsibilities.
A.3.2 (AI roles and responsibilities) requires the organization to define, allocate, and document responsibilities for AI-related activities. The RACI matrix that names the AI Policy Owner, the AI System Owner, the AI Risk Owner, and the Human Oversight Assignee is the primary evidence.
A.3.3 (Reporting of concerns) requires the organization to establish a mechanism for reporting concerns about the organization's AI systems. The evidence is the reporting channel (a defined process), the reports received in the period, and the responses provided.
A.4: Resources for AI systems
A.4 contains six controls covering the resources needed to operate AI systems responsibly.
A.4.2 (Resources documentation) requires the organization to document the resources allocated to AI-related activities. The evidence is the resource inventory covering people, technology, and data.
A.4.3 (Data resources) requires the organization to document the data resources used across the AI system lifecycle. The evidence is the data inventory with data source, purpose, and processing agreements.
A.4.4 (Tooling resources) requires the organization to document the tooling used to develop and operate AI systems. The evidence is the tool inventory.
A.4.5 (System and computing resources) requires the organization to document the compute infrastructure. The evidence is the infrastructure inventory.
A.4.6 (Human resources) requires the organization to document the human resources involved in the AI lifecycle. The evidence is the role catalog with competence requirements.
A.4.7 (Resource allocation) requires the organization to allocate resources sufficient to implement the AIMS. The evidence is the budget or resource commitment record.
A.5: Assessing impacts of AI systems
A.5 contains three controls covering the AI impact assessment.
A.5.2 (AI system impact assessment process) requires the organization to establish a process for assessing the potential consequences of AI systems for individuals, groups, and society. The evidence is the process document plus the completed assessments for each AI system in scope.
A.5.3 (Documentation of AI system impact assessments) requires the organization to document the assessments produced. The evidence is the assessment records.
A.5.4 (Assessing AI system impact on individuals or groups of individuals) requires the assessment to include the impact on individuals. The evidence is the impact analysis on affected persons.
A.5.5 (Assessing societal impacts of AI systems) requires the assessment to include the societal impact where relevant.
A.6: AI system life cycle
A.6 contains six controls covering the AI system lifecycle from planning through decommissioning.
A.6.2.2 (Objectives for the responsible development of AI systems) requires the objectives for responsible development to be defined.
A.6.2.3 (Processes for responsible design and development of AI systems) requires processes for responsible design and development. The evidence is the AI development lifecycle documentation.
A.6.2.4 (AI system requirements and specification) requires the AI system's requirements to be documented. The evidence is the requirements document.
A.6.2.5 (Documentation of AI system design and development) requires the design and development to be documented. The evidence is the design records.
A.6.2.6 (AI system verification and validation) requires the AI system to be verified and validated. The evidence is the verification and validation records including the test results.
A.6.2.7 (AI system deployment) requires the deployment to be planned and controlled. The evidence is the deployment plan and the deployment records.
A.6.2.8 (AI system operation and monitoring) requires the operation to be monitored. The evidence is the monitoring records: the audit log the gateway produces plus the review records showing the monitoring is operational.
A.6.2.9 (AI system technical documentation) requires the technical documentation to be maintained. The evidence is the technical documentation.
A.6.2.10 (Event logs of AI systems) requires the AI system to record events. The evidence is the event log itself: the per-decision audit records the gateway produces.
A.7: Data for AI systems
A.7 contains six controls covering the data lifecycle for AI systems.
A.7.2 (Data for development and enhancement of AI systems) requires the data used for AI development to be documented and appropriate. The evidence is the training data documentation.
A.7.3 (Acquisition of data) requires the acquisition of data to be documented and lawful. The evidence is the data sourcing records and the legal basis analysis.
A.7.4 (Quality of data for AI systems) requires the data quality to be assessed. The evidence is the data quality assessment records.
A.7.5 (Data provenance) requires the provenance of the data to be documented. The evidence is the provenance records including the transformations applied.
A.7.6 (Data preparation) requires the data preparation to be documented. The evidence is the preparation records.
A.8: Information for interested parties of AI systems
A.8 contains four controls covering the information the organization provides to interested parties.
A.8.2 (System documentation and information for users) requires the organization to provide documentation and information to users. The evidence is the user documentation.
A.8.3 (External reporting) requires the organization to have a process for external reporting where required. The evidence is the reporting records for the applicable regulatory obligations (EU AI Act Article 26.4 incident reports, HIPAA breach notifications, SEC 8-K filings).
A.8.4 (Communication of incidents) requires the organization to communicate incidents. The evidence is the incident communication records.
A.8.5 (Information for interested parties) requires the organization to provide information for interested parties. The evidence is the information provided to data subjects, customers, regulators, and the public where the applicable regulation calls for it.
A.9: Use of AI systems
A.9 contains three controls covering the use of AI systems.
A.9.2 (Processes for responsible use of AI systems) requires processes for responsible use to be defined. The AI Usage Policy plus the enforcement mechanism are the evidence.
A.9.3 (Objectives for responsible use of AI systems) requires responsible use objectives to be defined.
A.9.4 (Intended use of the AI system) requires the intended use of each AI system to be defined and monitored. The evidence is the intended use statement plus the monitoring records showing the actual use aligns with the intended use.
A.10: Third-party and customer relationships
A.10 contains three controls covering third-party and customer relationships.
A.10.2 (Allocating responsibilities) requires responsibilities in third-party relationships to be allocated. The evidence is the third-party agreements including the AI-specific clauses.
A.10.3 (Suppliers) requires supplier relationships to include AI considerations. The evidence is the supplier evaluation records for AI providers (OpenAI, Anthropic, Google, cloud AI providers).
A.10.4 (Customers) requires customer relationships to address AI considerations. The evidence is the customer-facing terms and disclosures for AI-related processing.
The Statement of Applicability
The Statement of Applicability (SoA) is the primary Annex A artifact the certification body reviews. For each of the 38 controls, the SoA records:
- The control identifier and title.
- The applicability status (applicable / not applicable).
- The justification for non-applicability (if not applicable).
- The implementation status (implemented / partially implemented / planned).
- The evidence reference (the document, record, or artifact that shows the control operates).
- The target date for completion (if not fully implemented).
The auditor uses the SoA to plan the audit sample. Controls the SoA lists as applicable and implemented get sampled. Controls listed as not applicable get reviewed for the justification. Controls listed as planned get reviewed for the completion target.
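An added example (not code from the article or from any certification body): a small Statement of Applicability checker that models one row per control with the fields listed above, flags the inconsistencies an auditor would ask about (a not-applicable control without justification, an implemented control without an evidence reference, a planned or partial control without a target date), and derives the three review buckets from the applicability and implementation status. The rows, evidence references and dates are constructed.

```python
from dataclasses import dataclass

@dataclass
class SoaRow:
    control_id: str
    applicability: str        # "applicable" or "not applicable"
    implementation: str = ""  # "implemented", "partially implemented" or "planned"
    justification: str = ""   # required when not applicable
    evidence_ref: str = ""    # required when implemented
    target_date: str = ""     # required when not fully implemented

def validate_row(row):
    """Return the consistency problems an auditor would flag in one SoA row."""
    cid, problems = row.control_id, []
    if row.applicability == "not applicable":
        if not row.justification:
            problems.append(f"{cid}: not applicable without justification")
    elif row.applicability == "applicable":
        if row.implementation not in ("implemented", "partially implemented", "planned"):
            problems.append(f"{cid}: unknown implementation status {row.implementation!r}")
        elif row.implementation == "implemented" and not row.evidence_ref:
            problems.append(f"{cid}: implemented without evidence reference")
        elif row.implementation != "implemented" and not row.target_date:
            problems.append(f"{cid}: {row.implementation} without target date")
    else:
        problems.append(f"{cid}: unknown applicability {row.applicability!r}")
    return problems

def audit_plan(rows):
    """Sort rows into the three review buckets the auditor plans the sample from."""
    plan = {"sample": [], "review_justification": [], "review_target": []}
    for r in rows:
        if r.applicability == "not applicable":
            plan["review_justification"].append(r.control_id)
        elif r.implementation == "implemented":
            plan["sample"].append(r.control_id)
        else:
            plan["review_target"].append(r.control_id)
    return plan

SAMPLE_SOA = [  # constructed rows, not any real organization's SoA
    SoaRow("A.2.2", "applicable", "implemented", evidence_ref="POL-AI-001"),
    SoaRow("A.7.3", "not applicable", justification="no in-house training; external providers"),
    SoaRow("A.5.5", "applicable", "partially implemented", target_date="2025-03-31"),
    SoaRow("A.8.3", "applicable", "planned"),  # deliberately missing its target date
]

if __name__ == "__main__":
    print("problems:", [p for row in SAMPLE_SOA for p in validate_row(row)])
    print("audit plan:", audit_plan(SAMPLE_SOA))
```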
DeepInspect
The DeepInspect gateway produces the evidence artifacts for several Annex A controls in a single record series. A.6.2.8 (operation and monitoring) and A.6.2.10 (event logs) map directly to the gateway's per-decision audit records. A.8.3 (external reporting) maps to the record excerpts the CISO produces for regulatory reporting. A.8.4 (incident communication) maps to the incident records the runbook produces. A.9.2 (responsible use) maps to the policy enforcement events. A.9.4 (intended use monitoring) maps to the classifier verdicts and the policy events.
The gateway's identity binding satisfies the identification evidence A.3.2 needs. The gateway's tamper-evident storage satisfies the record integrity properties the auditor tests for.
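An added illustration of the two properties named above, tamper-evident per-decision records and identity binding, written for this page and not taken from DeepInspect's code: each record carries the caller identity, the policy applied, the verdict, and a SHA-256 hash that also covers the previous record's hash, so an edited or deleted record breaks the chain at a verifiable position. The record fields, identities, policy id and timestamps are constructed.

```python
import hashlib
import json
GENESIS = "0" * 64  # "previous hash" value carried by the first record

def _digest(body):
    """SHA-256 over canonical JSON, so re-serialising a record never changes its hash."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_record(chain, ts, identity, policy, verdict):
    """Append one per-decision record whose hash also covers the previous record's hash."""
    body = {"seq": len(chain), "ts": ts, "identity": identity, "policy": policy,
            "verdict": verdict, "prev": chain[-1]["hash"] if chain else GENESIS}
    body["hash"] = _digest(body)  # digest is taken before the hash field is added
    chain.append(body)
    return body

def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of the first record that fails)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or _digest(body) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None

def build_sample_chain():
    """Three constructed decisions (not real gateway output), each bound to a caller identity."""
    chain = []
    append_record(chain, "2024-09-01T10:00:00Z", "svc:claims-bot", "AI-USE-POL-7", "allow")
    append_record(chain, "2024-09-01T10:00:04Z", "user:jdoe", "AI-USE-POL-7", "block:pii")
    append_record(chain, "2024-09-01T10:00:09Z", "user:jdoe", "AI-USE-POL-7", "allow")
    return chain

def with_edit(chain, seq, field, value):
    """Deep copy with one field rewritten: an after-the-fact edit to a stored record."""
    tampered = json.loads(json.dumps(chain))
    tampered[seq][field] = value
    return tampered

def without(chain, seq):
    """Deep copy with one record removed: a deleted event."""
    tampered = json.loads(json.dumps(chain))
    del tampered[seq]
    return tampered

if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain), verify_chain(with_edit(chain, 1, "verdict", "allow")))
```

Dropping records from the tail of the chain is not detected by verify_chain on its own, so the latest hash has to be anchored somewhere the writer cannot overwrite (a separate append-only store or a periodically published digest) before truncation becomes detectable.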
If your team is building out the Annex A control set for an ISO 42001 certification or a Statement of Applicability, let's talk today.
Frequently asked questions
- How many of the 38 Annex A controls typically apply to an enterprise AI deployment?
Most deployments mark 30 to 36 controls as applicable. Controls A.7.2 (data for development) and A.7.3 (data acquisition) may be marked not applicable when the organization does not train its own models and relies on external providers. Control A.5.5 (societal impact) may be marked partially applicable when the AI system's societal impact is limited.
- Do I need all 38 controls implemented at the initial certification?
Not necessarily. The SoA can list controls as partially implemented with a target date. The auditor reviews the target date and the progress at the surveillance audits. Most initial certifications have several controls in partial-implementation status at the certification audit.
- How does A.10.3 (suppliers) apply when I use OpenAI or Anthropic?
The organization documents the supplier evaluation for each AI provider. The evaluation covers the provider's security posture (SOC 2 report), the provider's AI-specific documentation (model card, system card), the data processing agreement, and the incident notification obligations. The supplier evaluation record is the primary artifact.
- What is the difference between Annex A and Annex B?
Annex A lists the reference control set (38 controls). Annex B provides implementation guidance for each control. The Statement of Applicability references Annex A. The implementation team uses Annex B to design the specific controls.
- How does ISO 42001 Annex A compare to ISO 27001 Annex A?
ISO 27001 Annex A (2022 edition) has 93 information security controls across four themes. ISO 42001 Annex A has 38 AI-specific controls across nine areas. The two Annexes overlap where AI systems are information assets (see the ISO 42001 vs ISO 27001 article for the mapping). Most organizations that hold both certifications maintain a single integrated Statement of Applicability that references both Annexes.