ISO/IEC 42001:2023 — AI Management Systems (Clause 8)
ISO/IEC 42001:2023 is the first management-system standard for AI. This mapping covers the Clause 8 (operations), Clause 9 (monitoring, evaluation), and Clause 10 (improvement) requirements along with Annex A transparency controls. Ledgix evidences each control via the policy lifecycle and the per-decision ledger.
Status: Full — every control resolves to an artifact Ledgix produces today. Pair with the ISO 42001 Extended mapping for Clauses 5, 6, 7 (leadership, planning, support).
Scope
ISO/IEC 42001 applies to any organisation that develops, deploys, or uses AI. Certification requires a full AI management system; this mapping focuses on the operational clauses that can be satisfied with per-action technical evidence. Coverage spans Clause 6.1.2 risk assessment, Clause 8.4 risk treatment, Clause 9.1 monitoring, Clause 9.2 internal audit, Clause 10.2 nonconformity and corrective action, and Annex A.6.2 transparency.
Controls covered
| Control | Evidence type(s) | Control name | Description |
|---|---|---|---|
| ISO42001-6.1.2 | events_jsonl | AI Risk Assessment | Per-decision confidence, denial reasons, and action_category provide quantitative risk assessment data. |
| ISO42001-8.4 | policy_snapshots / events_jsonl | AI Risk Treatment | Versioned policies represent implemented risk controls; approval rate demonstrates enforcement effectiveness. |
| ISO42001-9.1 | events_jsonl / checkpoint_chain | Monitoring, Measurement, Analysis and Evaluation | Time-series data for approval rate, confidence, and agent-level performance plus checkpoint cadence. |
| ISO42001-9.2 | proof_index / key_history | Internal Audit | Merkle leaf index and key history enable internal auditors to verify independently. |
| ISO42001-10.2 | events_jsonl | Nonconformity and Corrective Action | Denied events with reasons represent nonconformities requiring action. |
| ISO42001-A.6.2 | events_jsonl | AI Transparency | reason, citations, evidence_chunks, and policy_version_id per action. |
Evidence types referenced
- events_jsonl — per-decision risk, approval, reasoning, and transparency data.
- policy_snapshots — versioned policies as implemented risk-treatment controls.
- checkpoint_chain — operational continuity evidence.
- proof_index — Merkle leaf index for independent verification.
- key_history — key history for signature re-verification by internal auditors.
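The table above lists which quantities each clause draws from events_jsonl (denial counts and confidence per action_category, approval rate, per-agent time series, denied events with reasons, the four transparency fields). The following script, added here as an illustration and not part of Ledgix, derives those quantities from a constructed events_jsonl sample. The page names the data but not the exact JSON keys, so the key names ("ts", "agent_id", "action_category", "decision", "confidence") and the "approved"/"denied" values are assumptions; "reason", "citations", "evidence_chunks" and "policy_version_id" are taken from the A.6.2 row.

```python
"""Added example (not Ledgix code): derive the ISO 42001 Clause 6.1.2 / 8.4 /
9.1 / 10.2 and Annex A.6.2 evidence metrics from an events_jsonl export.

Assumed record shape (the page names the data, not the keys): one JSON object
per line with "ts", "agent_id", "action_category", "decision"
("approved"/"denied"), "confidence", "reason", "citations", "evidence_chunks"
and "policy_version_id".
"""
import json
from collections import defaultdict

# Constructed sample lines standing in for a real events_jsonl export.
SAMPLE_EVENTS_JSONL = """\
{"ts": "2024-03-01T09:00:00Z", "agent_id": "agent-a", "action_category": "read", "decision": "approved", "confidence": 0.93, "reason": "within policy", "citations": ["pol-1#3"], "evidence_chunks": ["chunk-11"], "policy_version_id": "pol-v7"}
{"ts": "2024-03-01T09:05:00Z", "agent_id": "agent-a", "action_category": "write", "decision": "denied", "confidence": 0.41, "reason": "write outside allowed scope", "citations": ["pol-1#5"], "evidence_chunks": ["chunk-12"], "policy_version_id": "pol-v7"}
{"ts": "2024-03-01T10:10:00Z", "agent_id": "agent-b", "action_category": "read", "decision": "approved", "confidence": 0.88, "reason": "within policy", "citations": [], "evidence_chunks": ["chunk-13"], "policy_version_id": "pol-v7"}
{"ts": "2024-03-02T11:00:00Z", "agent_id": "agent-b", "action_category": "delete", "decision": "denied", "confidence": 0.20, "reason": "destructive action requires approval", "citations": ["pol-1#9"], "evidence_chunks": [], "policy_version_id": "pol-v8"}
"""

# The per-action transparency fields named in the A.6.2 row of the mapping.
TRANSPARENCY_FIELDS = ("reason", "citations", "evidence_chunks", "policy_version_id")


def parse_events(text):
    """Parse events_jsonl: one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def risk_assessment(events):
    """Clause 6.1.2: per-action_category totals, denial counts and mean confidence."""
    acc = defaultdict(lambda: {"total": 0, "denied": 0, "confidence_sum": 0.0})
    for e in events:
        row = acc[e["action_category"]]
        row["total"] += 1
        row["denied"] += int(e["decision"] == "denied")
        row["confidence_sum"] += e["confidence"]
    return {
        cat: {
            "total": r["total"],
            "denied": r["denied"],
            "mean_confidence": round(r["confidence_sum"] / r["total"], 3),
        }
        for cat, r in acc.items()
    }


def approval_rate(events):
    """Clause 8.4: share of approved decisions, used as enforcement-effectiveness evidence."""
    if not events:
        return 0.0
    return sum(e["decision"] == "approved" for e in events) / len(events)


def daily_monitoring(events):
    """Clause 9.1: approval rate and mean confidence per (day, agent) bucket."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["ts"][:10], e["agent_id"])].append(e)  # ts is ISO-8601, first 10 chars = date
    return {
        key: {
            "approval_rate": approval_rate(group),
            "mean_confidence": round(sum(x["confidence"] for x in group) / len(group), 3),
        }
        for key, group in buckets.items()
    }


def nonconformities(events):
    """Clause 10.2: denied events with their recorded reasons."""
    return [(e["ts"], e["agent_id"], e["reason"]) for e in events if e["decision"] == "denied"]


def transparency_gaps(events):
    """Annex A.6.2: timestamps of events lacking any transparency field.

    A missing key is a gap; an empty citations or evidence_chunks list is
    still a recorded (empty) value and is not flagged here.
    """
    return [e["ts"] for e in events if any(f not in e for f in TRANSPARENCY_FIELDS)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS_JSONL)
    print("6.1.2 risk:", risk_assessment(evs))
    print("8.4 approval rate:", approval_rate(evs))
    print("9.1 monitoring:", daily_monitoring(evs))
    print("10.2 nonconformities:", nonconformities(evs))
    print("A.6.2 gaps:", transparency_gaps(evs))
```

Each function corresponds to one row of the mapping table, so an auditor can reproduce the figures in an evidence export line by line rather than trusting a summary.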
Known gaps (if any)
None — every control resolves to an artifact Ledgix produces today. Pair with the ISO 42001 Extended mapping for leadership, planning, support, and training-data-lineage coverage.
Audit pack workflow
Export an evidence ZIP for this framework from the admin console's Evidence Exports panel by selecting ISO/IEC 42001:2023 — AI Management Systems and a time window. Each control's evidence_locators[] in the included framework_mapping.json points to the corresponding file in the ZIP.
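An auditor receiving the ZIP will want to confirm that every evidence_locators[] entry actually resolves to a member of the archive before relying on it. The checker below is an added example, not Ledgix code; it builds a small in-memory ZIP standing in for an Evidence Exports download and reports locators that do not resolve. The page only states that framework_mapping.json carries evidence_locators[] per control, so the surrounding JSON shape ({"controls": [{"id": ..., "evidence_locators": [...]}]}) and the member file names are assumptions.

```python
"""Added example (not Ledgix code): verify that an exported audit-pack ZIP is
complete, i.e. every evidence_locators[] entry in framework_mapping.json names
a file (or directory prefix) that is present in the archive.

Assumed mapping shape: {"controls": [{"id": str, "evidence_locators": [str]}]}.
Member names below are constructed for the example.
"""
import io
import json
import zipfile


def build_sample_pack():
    """Construct an in-memory ZIP resembling an Evidence Exports download.

    key_history.json is deliberately left out so the checker has a gap to report.
    """
    mapping = {
        "framework": "ISO/IEC 42001:2023",
        "controls": [
            {"id": "ISO42001-8.4", "evidence_locators": ["policy_snapshots/", "events.jsonl"]},
            {"id": "ISO42001-9.2", "evidence_locators": ["proof_index.json", "key_history.json"]},
        ],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("framework_mapping.json", json.dumps(mapping))
        zf.writestr("policy_snapshots/pol-v7.json", "{}")
        zf.writestr("events.jsonl", "")
        zf.writestr("proof_index.json", "{}")
    return buf.getvalue()


def locator_present(locator, members):
    """A locator resolves if it is an exact member or a directory prefix of one."""
    if locator in members:
        return True
    prefix = locator.rstrip("/") + "/"
    return any(m.startswith(prefix) for m in members)


def check_pack(zip_bytes):
    """Return {control_id: [unresolved locators]}; an empty dict means the pack is complete."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = set(zf.namelist())
        mapping = json.loads(zf.read("framework_mapping.json"))
    missing = {}
    for control in mapping["controls"]:
        absent = [loc for loc in control["evidence_locators"] if not locator_present(loc, members)]
        if absent:
            missing[control["id"]] = absent
    return missing


if __name__ == "__main__":
    print(check_pack(build_sample_pack()))  # {'ISO42001-9.2': ['key_history.json']}
```

Run this against the downloaded ZIP by replacing build_sample_pack() with the file's bytes; a non-empty result means a control's evidence is cited but not shipped, which is worth raising with the exporting team before the audit.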
References
- Framework mapping JSON: vault/internal/compliance/frameworks/iso_42001.json
- Canonical source: ISO/IEC 42001:2023 — iso.org