ISO/IEC 42001:2023 — AI Management System (AIMS)
ISO/IEC 42001:2023 — AI Management System (AIMS) — 97% covered.
80 requirements · 76 enforced · 3 designed · 1 advisory · 0 deferred.
Source: ISO/IEC 42001:2023 · License: ISO copyright — citation only
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Annex A — AIMS controls | 48 | 47 | 1 | 0 | 0 | 99% |
| Clause 10 — Improvement | 3 | 3 | 0 | 0 | 0 | 100% |
| Clause 4 — Context of the organisation | 4 | 3 | 1 | 0 | 0 | 88% |
| Clause 5 — Leadership | 3 | 3 | 0 | 0 | 0 | 100% |
| Clause 6 — Planning (risk + impact assessment) | 4 | 4 | 0 | 0 | 0 | 100% |
| Clause 7 — Support | 6 | 4 | 1 | 1 | 0 | 79% |
| Clause 8 — Operation (AI system lifecycle) | 4 | 4 | 0 | 0 | 0 | 100% |
| Clause 9 — Performance evaluation | 5 | 5 | 0 | 0 | 0 | 100% |
| Clause 6 — Planning | 2 | 2 | 0 | 0 | 0 | 100% |
| Clause 8 — Operation | 1 | 1 | 0 | 0 | 0 | 100% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
| iso-42001.A.2.2 | AI policy — document an organisational AI policy | enforced | audit_events: kye.purpose.permission.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-42001.A.3.2 | Roles and responsibilities for the AIMS | enforced | audit_events: kye.purpose.grant.v1, kye.federation.cross_org_delegation.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/21-DELEGATED-AUDITABILITY.md |
| iso-42001.A.4.2 | AI system impact-assessment process | enforced | audit_events: kye.risk.score.v1, kye.assurance.audit_pilot.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-42001.A.6.2 | Data for AI systems — quality, provenance, preparation | enforced | audit_events: kye.evidence.model_params.v1, kye.model.influence_envelope.v1, kye.evidence.decision_map.v1; engines: internal; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md, constitution/31-DATA-GOVERNANCE-PACK.md |
| iso-42001.A.7.2 | Information for stakeholders of AI systems — transparency to affected parties | enforced | audit_events: kye.model.capability_profile.v1, kye.governedui.evidence_timeline.v1; governedui_modules: kye.governedui.module.entity_passport.v1, kye.governedui.module.evidence_timeline.v1; constitution_refs: constitution/36-GOVERNEDUI.md; engines: internal; workers: kye-pdp |
| iso-42001.A.8.2 | Use of AI systems — responsible-use policy and lifecycle | enforced | audit_events: kye.purpose.admissibility.v1, kye.purpose.grant.v1, kye.agent.refusal.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/52-DELEGATED-AGENT-BINDING.md |
| iso-42001.A.10.3 | Third-party and customer relationships in AI lifecycle | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.evidence.tool_call_pin.v1; engines: internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| iso-42001.10.1 | Continual improvement of the suitability, adequacy and effectiveness of the AIMS | enforced | audit_events: kye.resilience.improvement_record.v1, kye.resilience.loop_iteration.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-42001.10.2 | Nonconformity and corrective action — react, evaluate, implement, review | enforced | audit_events: kye.signal.drift.detected.v1, kye.resilience.improvement_record.v1, kye.purpose.grant.revoked.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-42001.4.1 | Determine external and internal issues relevant to the AI management system | enforced | audit_events: kye.risk.authority_register.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-42001.4.3 | Determine the boundaries and applicability of the AIMS to establish its scope | enforced | audit_events: kye.purpose.permission.v1, kye.model.capability_profile.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-42001.5.1 | Top management shall demonstrate leadership and commitment with respect to the AIMS | enforced | audit_events: kye.risk.authority_register.v1, kye.compliance.attestation.v1; engines: internal; governedui_modules: kye.governedui.module.authority_drift.v1, kye.governedui.module.approval_queue.v1; constitution_refs: constitution/36-GOVERNEDUI.md |
| iso-42001.5.2 | Top management shall establish an AI policy compatible with strategic direction | enforced | audit_events: kye.purpose.permission.v1, kye.purpose.grant.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-42001.6.1.2 | AI risk assessment — identify, analyse, evaluate AI risks | enforced | audit_events: kye.risk.score.v1, kye.evidence.decision_map.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md; rule_packs: kye:rule-pack:public-sector-governance |
| iso-42001.6.1.3 | AI risk treatment — define risk-treatment options and produce a Statement of Applicability | enforced | audit_events: kye.purpose.grant.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-42001.6.1.4 | AI system impact assessment — assess consequences for individuals, groups, society | enforced | audit_events: kye.risk.score.v1, kye.assurance.audit_pilot.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-42001.6.2 | AI objectives shall be measurable, monitored, communicated, updated as appropriate | enforced | audit_events: kye.model.capability_profile.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| iso-42001.7.2 | Persons doing work that affects AIMS performance shall be competent | advisory | governedui_modules: kye.governedui.module.trainers.v1; constitution_refs: constitution/10-PARTNER.md, constitution/39-LEARN-RAIL.md |
| iso-42001.7.5 | Documented information required by the AIMS shall be controlled and protected | enforced | audit_events: kye.evidence.pack.v1, kye.signal.evidence.sealed.v1; engines: internal, internal; worm_tables: evidence_pack; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| iso-42001.8.1 | Plan, implement and control operational processes needed to meet AIMS requirements | enforced | audit_events: kye.purpose.admissibility.v1, kye.evidence.decision_map.v1, kye.assurance.adoption_stage.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/14-AGENTS-AND-ENGINES.md |
| iso-42001.8.2 | AI risk assessment shall be performed at planned intervals or when significant changes occur | enforced | audit_events: kye.risk.score.v1, kye.signal.drift.detected.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-42001.8.3 | AI system impact assessment shall be performed at planned intervals | enforced | audit_events: kye.assurance.audit_pilot.v1, kye.risk.score.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-42001.8.4 | AI system development, deployment, operation lifecycle controls (data, model, system) | enforced | audit_events: kye.model.capability_profile.v1, kye.model.influence_envelope.v1, kye.evidence.model_params.v1, kye.evidence.tool_call_pin.v1; engines: internal, internal; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| iso-42001.9.1 | Monitoring, measurement, analysis and evaluation of AIMS performance | enforced | audit_events: kye.compliance.attestation.v1, kye.risk.score.v1, kye.signal.evidence.sealed.v1; engines: internal, internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| iso-42001.9.2 | Internal audit shall be conducted at planned intervals | enforced | audit_events: kye.assurance.audit_pilot.v1, kye.assurance.audit_replay_report.v1; engines: internal, internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| iso-42001.9.3 | Management review of the AIMS at planned intervals | enforced | audit_events: kye.risk.authority_register.v1, kye.compliance.attestation.v1; engines: internal; governedui_modules: kye.governedui.module.authority_drift.v1; constitution_refs: constitution/36-GOVERNEDUI.md |
| iso-42001.4.2 | Understanding the needs and expectations of interested parties relevant to the AI management system | designed | audit_events: kye.stakeholder.v1, kye.risk.authority_register.v1; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-42001.4.4 | Establish, implement, maintain and continually improve an AI management system | enforced | audit_events: kye.compliance.attestation.v1; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| iso-42001.5.3 | Roles, responsibilities and authorities for AI management shall be assigned and communicated | enforced | audit_events: kye.purpose.permission.v1, kye.risk.authority_register.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-42001.6.1.1 | Actions to address risks and opportunities — general (planning) | enforced | audit_events: kye.risk.score.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-42001.6.3 | Planning of changes — when changes to the AIMS are needed, they shall be carried out in a planned manner | enforced | audit_events: kye.change_calendar.v1; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-42001.7.1 | Determine and provide resources needed for the AI management system | enforced | constitution_refs: constitution/16-EDGE-RUNTIME.md, constitution/51-NO-SPOF.md |
| iso-42001.7.3 | Persons doing work under the AIMS shall be aware of policy, contribution and implications of non-conformance | designed | constitution_refs: constitution/39-LEARN-RAIL.md |
| iso-42001.7.4 | Determine the need for internal and external communications relevant to the AI management system | enforced | audit_events: kye.comms.dispatch.v1; constitution_refs: constitution/38-COMMS-RAIL.md |
| iso-42001.7.5.1 | Documented information shall be controlled (creation, update, version) | enforced | audit_events: kye.evidence.pack.v1, kye.audit_chain_entry.v1; engines: internal, internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| iso-42001.8.5 | Operation — actions to address AI system impact assessment results | enforced | audit_events: kye.consequence_map.v1, kye.purpose.admissibility.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-42001.9.2.1 | Internal audit — general (plan, conduct, report) | enforced | audit_events: kye.assurance.audit_pilot.v1; agents: internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| iso-42001.9.2.2 | Internal audit program — establish, implement, maintain | enforced | audit_events: kye.assurance.audit_pilot.v1, kye.change_calendar.v1; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| iso-42001.10.3 | Continual improvement — continually improve the suitability, adequacy and effectiveness of the AIMS | enforced | audit_events: kye.signal.drift.detected.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-42001.A.2.3 | Annex A — alignment with other organisational policies (information security, privacy, quality) | enforced | audit_events: kye.compliance.attestation.v1; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| iso-42001.A.3.3 | Annex A — reporting of concerns about AI systems (whistleblower channel) | designed | audit_events: kye.comms.dispatch.v1; constitution_refs: constitution/38-COMMS-RAIL.md |
| iso-42001.A.4.3 | Annex A — resources for AI systems (data, tooling, personnel, computational) | enforced | audit_events: kye.spof_registry.v1; constitution_refs: constitution/51-NO-SPOF.md |
| iso-42001.A.4.4 | Annex A — tooling resources for AI systems | enforced | constitution_refs: constitution/32-AGENT-DEV-KIT.md |
| iso-42001.A.4.5 | Annex A — data resources for AI systems | enforced | audit_events: kye.data_use_manifest.v1, kye.data_asset.v1; engines: internal; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| iso-42001.A.4.6 | Annex A — system and computing resources for AI | enforced | audit_events: kye.spof_registry.v1; constitution_refs: constitution/16-EDGE-RUNTIME.md, constitution/51-NO-SPOF.md |
| iso-42001.A.5.1 | Annex A — AI system impact assessment process | enforced | audit_events: kye.consequence_map.v1, kye.risk_assessment.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-42001.A.5.2 | Annex A — documentation of AI system impact assessment | enforced | audit_events: kye.evidence.pack.v1; engines: internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| iso-42001.A.5.3 | Annex A — assessment of AI system impact on individuals or groups of individuals | enforced | audit_events: kye.consequence_map.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-42001.A.5.4 | Annex A — assessment of societal impacts of AI systems | enforced | audit_events: kye.consequence_map.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-42001.A.6.1.1 | Annex A — objectives for responsible AI development | enforced | audit_events: kye.compliance.attestation.v1; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| iso-42001.A.6.1.2 | Annex A — processes for responsible AI design and development | enforced | constitution_refs: constitution/32-AGENT-DEV-KIT.md |
| iso-42001.A.6.2.1 | Annex A — AI system requirements and specification | enforced | audit_events: kye.entity.model.v1, kye.model.capability_profile.v1; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| iso-42001.A.6.2.3 | Annex A — AI system verification and validation | enforced | audit_events: kye.scenario_run.v1, kye.assurance.audit_replay_report.v1; engines: internal, internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| iso-42001.A.6.2.4 | Annex A — AI system deployment | enforced | audit_events: kye.purpose.grant.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-42001.A.6.2.5 | Annex A — AI system operation and monitoring | enforced | audit_events: kye.audit_chain_entry.v1, kye.signal.drift.detected.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/35-STREAMING-LOGS.md |
| iso-42001.A.6.2.6 | Annex A — AI system technical documentation | enforced | audit_events: kye.evidence.pack.v1, kye.model.capability_profile.v1; engines: internal; constitution_refs: constitution/43-MACHINE-READABLE-BY-DEFAULT.md |
| iso-42001.A.6.2.7 | Annex A — AI system recording of event logs | enforced | audit_events: kye.audit_chain_entry.v1, kye.audit_retention_policy.v1; engines: internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/35-STREAMING-LOGS.md |
| iso-42001.A.7.3 | Annex A — data for AI systems: acquisition of data | enforced | audit_events: kye.data_use_manifest.v1, kye.data_asset.v1; engines: internal; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| iso-42001.A.7.4 | Annex A — quality of data for AI systems | enforced | audit_events: kye.data_use_manifest.v1; engines: internal; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| iso-42001.A.7.5 | Annex A — data provenance | enforced | audit_events: kye.data_use_manifest.v1, kye.evidence.pack.v1; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| iso-42001.A.7.6 | Annex A — data preparation | enforced | audit_events: kye.data_use_manifest.v1, kye.evidence.model_params.v1; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| iso-42001.A.8.3 | Annex A — information for interested parties about AI systems (transparency) | enforced | audit_events: kye.comms.dispatch.v1, kye.compliance.attestation.v1; constitution_refs: constitution/38-COMMS-RAIL.md |
| iso-42001.A.8.4 | Annex A — external reporting (regulatory or public reporting) | enforced | audit_events: kye.comms.dispatch.v1; constitution_refs: constitution/38-COMMS-RAIL.md |
| iso-42001.A.8.5 | Annex A — communication of incidents to interested parties | enforced | audit_events: kye.signal.incident.opened.v1, kye.comms.dispatch.v1; engines: internal; constitution_refs: constitution/38-COMMS-RAIL.md |
| iso-42001.A.9.2 | Annex A — processes for responsible use of AI systems | enforced | audit_events: kye.purpose.admissibility.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-42001.A.9.3 | Annex A — objectives for responsible use of AI systems | enforced | audit_events: kye.purpose.permission.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-42001.A.9.4 | Annex A — intended use of the AI system | enforced | audit_events: kye.purpose.permission.v1, kye.model.capability_profile.v1; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-42001.A.10.2 | Annex A — allocating responsibilities (third-party relationships) | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.subprocessor.v1; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-42001.A.10.4 | Annex A — suppliers (AI components, data, services) | enforced | audit_events: kye.subprocessor.v1, kye.spof_registry.v1; constitution_refs: constitution/51-NO-SPOF.md |
| iso-42001.A.10.5 | Annex A — customers (intended deployment context) | enforced | audit_events: kye.account.v1, kye.directory.entry.v1; constitution_refs: constitution/17-DIRECTORY-SEARCH.md |
| iso-42001.A.2.1 | Annex A — policies for AI (organisational AI policy) | enforced | audit_events: kye.compliance.attestation.v1; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| iso-42001.A.2.4 | Annex A — review of AI policies | enforced | audit_events: kye.change_calendar.v1, kye.compliance.attestation.v1; constitution_refs: constitution/DECAY-WINDOWS.md |
| iso-42001.A.3.1 | Annex A — internal organisation roles and responsibilities for AI | enforced | audit_events: kye.risk.authority_register.v1, kye.purpose.permission.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-42001.A.4.1 | Annex A — resource documentation for AI systems | enforced | audit_events: kye.spof_registry.v1, kye.compliance.attestation.v1; constitution_refs: constitution/51-NO-SPOF.md |
| iso-42001.A.6.1.3 | Annex A — documentation of AI design and development | enforced | audit_events: kye.evidence.pack.v1, kye.evidence.model_params.v1; engines: internal; constitution_refs: constitution/43-MACHINE-READABLE-BY-DEFAULT.md |
| iso-42001.A.6.2.2 | Annex A — documentation of AI system requirements and specification | enforced | audit_events: kye.model.capability_profile.v1; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| iso-42001.A.7.1 | Annex A — data management process for AI systems | enforced | audit_events: kye.data_use_manifest.v1, kye.data_flow_graph.v1; engines: internal; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| iso-42001.A.8.1 | Annex A — information for interested parties about AI systems (objectives) | enforced | audit_events: kye.purpose_manifest.v1; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-42001.A.9.1 | Annex A — processes for responsible use of AI systems (objectives) | enforced | audit_events: kye.purpose.permission.v1; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-42001.A.10.1 | Annex A — third-party relationships — general (vendor / customer / regulator) | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.directory.entry.v1; constitution_refs: constitution/49-UNIVERSAL-ENGAGEMENT-RAIL.md |