ISO/IEC 42001 Annex A Mapping
Maps infrastructure controls to ISO/IEC 42001:2023 Annex A - Controls for AI Management Systems.
Part of the AI Security Infrastructure Controls framework.
Companion to AI Runtime Security.
Scope and Limitations
This mapping covers the technical infrastructure layer of ISO 42001 Annex A compliance. ISO 42001 requires both organisational and technical controls. This repo addresses the technical controls; organisational controls (policies, governance structures, roles, training, third-party management) are addressed by the parent framework and by the implementing organisation's management system.
ISO 42001 Annex A sections A.2 through A.10 are mapped below. Each section lists the Annex A controls, the infrastructure controls that support them, and notes on coverage scope.
A.2 - Policies for AI
| Annex A Control |
Description |
Infrastructure Controls |
Notes |
| A.2.2 |
AI policy |
NET-06, IAM-03 |
Control plane protection ensures AI policy configurations are tamper-proof. Technical controls enforce what policies declare. Organisational policy definition is out of scope for this repo. |
| A.2.3 |
Internal use AI policy |
IAM-01, IAM-02, DAT-01, DAT-02 |
Authentication, least privilege, data classification, and minimisation enforce internal use policies at the technical layer. |
| A.2.4 |
AI policy for third parties |
SUP-01, SUP-02, SUP-05, SEC-07 |
Model provenance, risk assessment, tool supply chain auditing, and endpoint credential protection govern third-party AI component usage. |
A.3 - Internal Organisation
| Annex A Control |
Description |
Infrastructure Controls |
Notes |
| A.3.2 |
Roles and responsibilities for AI |
IAM-01, IAM-02, IAM-03, IAM-08 |
Authentication, least privilege, control/data plane separation, and access auditing enforce role-based access. Role definition is organisational. |
| A.3.3 |
Reporting AI concerns |
IR-01, IR-02, IR-06 |
AI-specific incident categories, detection triggers, and communication protocols provide the technical infrastructure for concern reporting. |
| A.3.4 |
AI governance |
NET-06, IAM-03, LOG-07, SUP-07 |
Control plane protection, plane separation, log integrity, and AI-BOM provide technical infrastructure for governance. Governance structure is organisational. |
A.4 - Resources for AI Systems
| Annex A Control |
Description |
Infrastructure Controls |
Notes |
| A.4.2 |
Resources for AI system development |
SUP-04, SAND-01, SAND-04 |
Fine-tuning pipeline security, sandbox isolation, and resource limits govern AI development resource usage. |
| A.4.3 |
AI system computational resources |
SAND-04, SESS-01, TOOL-05 |
Resource limits, session boundaries, and rate limiting ensure controlled resource consumption. |
| A.4.4 |
Data resources for AI |
DAT-01, DAT-02, DAT-04, SUP-03 |
Data classification, minimisation, RAG access control, and data source integrity govern data resources. |
| A.4.5 |
AI system tools and utilities |
SUP-05, TOOL-01, TOOL-02, TOOL-03 |
Tool supply chain, declared permissions, gateway enforcement, and parameter constraints govern tool resources. |
| A.4.6 |
Data quality for AI |
SUP-03, SUP-04, DAT-01 |
RAG data integrity, fine-tuning pipeline security, and data classification address data quality at the infrastructure level. |
A.5 - Assessing Impacts of AI Systems
| Annex A Control |
Description |
Infrastructure Controls |
Notes |
| A.5.2 |
AI system impact assessment |
SUP-02, IR-01, TOOL-04 |
Model risk assessment, incident category definitions, and action classification by impact support impact assessment. Assessment methodology is organisational. |
| A.5.3 |
AI system lifecycle |
SUP-01, SUP-04, SUP-07, SUP-08, IR-04 |
Provenance, fine-tuning security, AI-BOM, vulnerability monitoring, and rollback capability support lifecycle management. |
| A.5.4 |
AI system design and development |
NET-01, IAM-04, SEC-01, DAT-02 |
Zone architecture, tool invocation constraints, credential isolation, and data minimisation are design-stage decisions. |
| A.5.5 |
AI system testing |
SUP-02, SUP-04, LOG-05, SAND-06 |
Risk assessment, post-training evaluation, drift detection, and code scanning support testing processes. |
| A.5.6 |
AI system deployment |
SUP-01, SUP-06, TOOL-01, NET-02 |
Provenance verification, safety model integrity, manifest validation, and bypass prevention support secure deployment. |
| A.5.7 |
AI system operation |
LOG-01 through LOG-10, NET-08, SESS-01 |
Full logging suite, cross-zone monitoring, and session boundaries support operational monitoring. |
| A.5.8 |
AI system maintenance |
IR-04, SUP-08, SUP-06, SEC-05 |
Rollback, vulnerability monitoring, integrity verification, and credential rotation support maintenance. |
A.6 - AI System Life Cycle
| Annex A Control |
Description |
Infrastructure Controls |
Notes |
| A.6.2 |
Data for AI acquisition |
SUP-03, DAT-01, DAT-04 |
RAG source integrity, data classification, and access-controlled retrieval govern data acquisition. |
| A.6.3 |
Data quality management |
SUP-03, SUP-04, LOG-05 |
Source integrity verification, training data validation, and drift detection support data quality. |
| A.6.4 |
Data provenance |
SUP-01, SUP-03, DEL-02 |
Model provenance, RAG source provenance, and delegation chain audit trails support data traceability. |
| A.6.5 |
Data preparation |
SUP-04, DAT-03, DAT-08 |
Fine-tuning pipeline security, PII detection/redaction, and evaluation data tokenisation govern data preparation. |
| A.6.6 |
Data annotation/labelling |
SUP-04, IAM-01, LOG-07 |
Pipeline security, authentication of annotators, and log integrity support labelling integrity. Note: annotation quality controls are organisational. |
| A.6.7 |
Data for testing |
SAND-01, DAT-08, DAT-05 |
Sandbox isolation, evaluation data protection, and encryption protect test data. |
A.7 - Data for AI Systems
| Annex A Control |
Description |
Infrastructure Controls |
Notes |
| A.7.2 |
AI system performance monitoring |
LOG-01, LOG-02, LOG-03, LOG-05, LOG-10 |
Model I/O logging, guardrail decision logging, Judge evaluation logging, drift detection, and SIEM correlation provide comprehensive performance monitoring. |
| A.7.3 |
AI system performance evaluation |
LOG-03, LOG-05, SUP-02 |
Judge evaluation logs, drift detection, and model risk assessment support performance evaluation. Evaluation methodology is organisational. |
| A.7.4 |
AI system monitoring |
LOG-04, LOG-06, LOG-10, NET-08, IR-02 |
Agent chain logging, injection detection, SIEM correlation, cross-zone monitoring, and detection triggers provide operational monitoring. |
| A.7.5 |
Addressing performance issues |
IR-03, IR-04, IR-07, LOG-05 |
Containment procedures, rollback capability, post-incident review, and drift detection support performance issue response. |
| Annex A Control |
Description |
Infrastructure Controls |
Notes |
| A.8.2 |
AI system documentation |
SUP-07, TOOL-01, REPO-STRUCTURE |
AI-BOM, tool manifests, and the structured control documentation support system documentation. Document content is organisational. |
| A.8.3 |
AI system explainability |
LOG-01, LOG-04, DEL-02, TOOL-06 |
Model I/O logs, agent chain reconstruction, delegation audit trails, and tool invocation logs provide the data needed for explainability. Explainability methods are organisational. |
| A.8.4 |
Information about AI system interaction |
LOG-01, LOG-02, DAT-07 |
I/O logging, guardrail decision logging, and conversation history management support interaction transparency. User-facing disclosures are organisational. |
A.9 - Use of AI Systems
| Annex A Control |
Description |
Infrastructure Controls |
Notes |
| A.9.2 |
AI system record-keeping |
LOG-07, LOG-08, DEL-02, TOOL-06, IAM-08 |
Log integrity, retention policies, delegation audit trails, tool invocation logging, and access change auditing provide comprehensive record-keeping. |
| A.9.3 |
AI system auditing |
All LOG controls, all mapping documents, SUP-07 |
Full logging suite, standards mappings, and AI-BOM support audit capability. Audit programme design is organisational. |
| A.9.4 |
Responsibility for AI system decisions |
IAM-01, IAM-05, DEL-05, TOOL-04 |
Authentication, human approval routing, user identity propagation, and action classification by impact enable decision attribution. |
| A.9.5 |
Reporting of AI incidents |
IR-01 through IR-08 |
Full incident response control suite supports incident reporting. Reporting obligations are organisational/regulatory. |
A.10 - Third-Party and Customer Relationships
| Annex A Control |
Description |
Infrastructure Controls |
Notes |
| A.10.2 |
Third-party AI suppliers |
SUP-01, SUP-02, SUP-05, SUP-08 |
Provenance, risk assessment, tool/plugin supply chain, and vulnerability monitoring govern third-party AI components. Supplier management processes are organisational. |
| A.10.3 |
Third-party AI customers |
DAT-06, SEC-01, NET-07, LOG-09 |
Response leakage prevention, credential isolation, gateway enforcement, and log redaction protect customer data in multi-tenant AI deployments. |
| A.10.4 |
Interested parties for AI systems |
IR-06, IR-07, LOG-10 |
Communication protocols, post-incident review, and SIEM correlation support stakeholder engagement. Stakeholder identification is organisational. |
Coverage Summary
| Annex A Section |
Infrastructure Controls Mapped |
Coverage Type |
| A.2 Policies |
8 controls |
Technical enforcement of policies; policy creation is organisational |
| A.3 Internal Organisation |
7 controls |
Technical infrastructure for governance; organisational structure is out of scope |
| A.4 Resources |
11 controls |
Resource usage controls at infrastructure level |
| A.5 Assessing Impacts |
16 controls |
Impact assessment and lifecycle security from design through maintenance |
| A.6 Life Cycle |
12 controls |
Data integrity, quality, and protection at infrastructure level |
| A.7 Data |
10 controls |
Monitoring, detection, and response infrastructure |
| A.8 Interested Parties |
7 controls |
Data and logging infrastructure supporting transparency |
| A.9 Use of AI Systems |
10 controls |
Record-keeping, auditing, and attribution infrastructure |
| A.10 Third Parties |
8 controls |
Supply chain and multi-tenant protection |
Note: Full ISO 42001 compliance requires both the technical infrastructure controls in this repo and the organisational controls (policies, governance, training, roles, processes) addressed by the implementing organisation's AI management system. This mapping covers the technical layer only.