Use of AI Systems - ISO 42001 Annex A Controls

ISO 42001 Annex A.9

Annex A.9 is the deployer's chapter. It applies whenever the organisation uses AI systems, whether developed internally or sourced from third parties.

ISO 42001 Annex A.9 - Use of AI Systems Explained

Annex A.9 covers the responsible use of AI systems by the organisation. While A.6 focuses on the development life cycle of AI systems, A.9 focuses on the use of AI systems in operation, regardless of who developed them.

Control A.9.2 - Processes for responsible use of AI systems

The organisation must define and document the processes for the responsible use of AI systems. The implementation guidance under Annex B.9.2 recognises that organisations have many considerations for determining whether to use a particular AI system - required approvals, costs including ongoing monitoring and maintenance, approved sourcing requirements, and applicable legal requirements. Existing policies for the use of other systems and assets can be incorporated where relevant.

Control A.9.3 - Objectives for responsible use of AI system

The organisation must identify and document objectives to guide the responsible use of AI systems. Objectives commonly include fairness, accountability, transparency, explainability, reliability, safety, robustness and redundancy, privacy and security, and accessibility. Once defined, the organisation implements mechanisms to achieve the objectives within its operations.

The implementation guidance also addresses human oversight. The organisation should determine at which stages of the AI system life cycle meaningful human oversight is needed. This includes involving human reviewers who check AI outputs and have the authority to override decisions, making sure human oversight is in place where required for acceptable use, monitoring AI system performance, reporting concerns about AI outputs, and considering whether automated decision-making is appropriate.

Control A.9.4 - Intended use of the AI system

The organisation must make sure the AI system is used according to its intended uses and accompanying documentation. The deployment must align with the documentation, the data the AI system operates on must align with the documentation, and the operation must be monitored against the intended use. Where correct deployment causes concern about impacts to interested parties or legal requirements, the concerns must be communicated within the organisation and to any third-party suppliers.

The deployer focus

For most organisations adopting ISO 42001, Annex A.9 is the most directly applicable section because most are deployers rather than developers. The three controls together establish that AI systems are not deployed casually, that responsible use objectives are explicit, and that AI systems are used within their intended scope. This is the discipline that distinguishes managed AI use from ad-hoc adoption.

The intended use control under A.9.4 is one auditors look at carefully because it connects directly to safety, fairness and accountability. An AI system used outside its intended scope is no longer covered by the supplier's testing, documentation or assurance, and the deployer carries the consequences.

The procurement and approvals process is the natural place to embed A.9.2. Each new AI system goes through an approval gate that confirms the use case, the supplier assessment, the impact assessment and the responsible use considerations. The gate prevents AI from being adopted by individual teams without the management system's awareness.

When auditing Annex A.9, I look at the AI Process Register and pick AI systems to trace through. For each, I check the responsible use process, the documented objectives that apply, and the evidence that the system is being used within its intended scope. Mismatch between the supplier documentation and actual use is a common finding.

Human oversight evidence is the other area that gets attention. A.9.3 recognises that human oversight is part of responsible use for many AI systems. If the impact assessment identifies the need for human oversight, the operational records should show that oversight is happening.

For the inspection AI, the human oversight is the QA team reviewing flagged units before disposition. For the generative tool, human oversight is the requirement for staff to review AI-drafted content before sending. Both are documented in the standard operating procedure for the AI system, both are evidenced in operational records, and both came directly out of the impact assessment.

Practical Compliance Guidance

The IMS1 Manual Section 4 Operational Processes/IMS1-4-3 Control-of-Operations provides the framework for responsible use processes. The P-120 Artificial Intelligence Policy sets out the principles that responsible use objectives are aligned to, and the F-Q11 Company Objectives form is the operational record of the objectives.

The following alphaZ documents support compliance with ISO 42001 Annex A.9.

alphaZ document | How to use it
ISO 42001 AI Management System Toolkit | The full toolkit containing the AI management system documentation including the AI policy, AI Process Register and supporting templates.
P-120 Artificial Intelligence Policy | The AI policy that sets out the principles and commitments which the responsible use objectives under A.9.3 are aligned to.
F-IMS40 AI Process Register | Records the AI systems within scope, the intended uses, and the responsible use processes that apply to each, supporting A.9.2 and A.9.4.
F-Q11 Company Objectives | Records the objectives for responsible use of AI systems, supporting A.9.3.
PP-8-100 AI Content Procedure | Sets out the procedure for the responsible use of AI in content generation, providing an operational example of A.9.2 and A.9.4 in practice.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Intended use is the use specified by the developer in the AI system's accompanying documentation. It includes the purpose, the user population, the operational environment, the input data characteristics, and the expected outputs. Using the AI system outside its intended use removes the developer's assurance and creates risks the deployer must address.
The need for human oversight is determined by the AI system impact assessment. Higher-impact AI systems, particularly those affecting individuals significantly, typically require human oversight. The implementation guidance lists the forms human oversight can take, including review of outputs, the authority to override decisions, performance monitoring and reporting concerns. The level and type of oversight should be proportionate to the impact.
Clause 8.1 requires operational planning and control across the AI management system. A.9.2 applies that requirement specifically to the use of AI systems by the organisation. The two work together - Clause 8.1 establishes the general operational discipline, and A.9.2 applies it to the specific use of AI.
