ISO/IEC 42001:2023 is the first international standard for AI management systems. GLACIS provides native support for ISO 42001 with 184 pre-mapped controls and automated evidence collection.
ISO/IEC 42001:2023 specifies requirements for establishing, implementing, maintaining, and continually improving an AI Management System (AIMS) within organizations.
ISO 42001 follows the high-level structure common to all ISO management system standards:
| Clause | Title | Description |
|---|---|---|
| 4 | Context of the organization | Understanding the organization and its context |
| 5 | Leadership | Top management commitment and policy |
| 6 | Planning | Actions to address risks and objectives |
| 7 | Support | Resources, competence, awareness, communication |
| 8 | Operation | Operational planning and control |
| 9 | Performance evaluation | Monitoring, measurement, analysis |
| 10 | Improvement | Nonconformity and continual improvement |
The standard includes Annex A with 8 control domains containing 184 controls:
| Domain | Title | Controls | Scope |
|---|---|---|---|
| A.2 | Organizational Governance | 20 | Policies, roles, responsibilities |
| A.4 | AI System Inventory | 8 | System identification and registry |
| A.5 | Impact Assessments | 20 | Risk assessments and mitigation |
| A.6 | AI System Lifecycle | 50 | Design, development, deployment |
| A.7 | Data Management | 20 | Data governance and quality |
| A.8 | Deployment & Operations | 20 | Monitoring and incident response |
| A.9 | AI System Use | 30 | Usage policies and oversight |
| A.10 | Third-Party Relationships | 16 | Vendor risk management |

GLACIS sidecars automatically generate evidence for these ISO 42001 controls:
A.6.2.6 - AI System Monitoring
Auto-Evidence: Request/response attestations
Every AI request generates attestation evidence that proves:
- Request was processed
- Timestamp and sequence
- System identification
A.6.2.8 - Performance Tracking
Auto-Evidence: Latency and error metrics
Sidecar metrics automatically track:
A.7.5 - Data Quality
Auto-Evidence: Input validation scores
L2 attestations include:
A.9.4 - User Monitoring
Auto-Evidence: Usage pattern attestations
Aggregated metrics on:
Controls in this domain establish the governance framework:
| Control | Name | GLACIS Support |
|---|---|---|
| A.2.1 | AI Governance Policy | Template generation via Wizard |
| A.2.2 | AI Ethics Statement | Template generation |
| A.2.3 | AI Risk Appetite | Wizard interview capture |
| A.2.4 | Roles and Responsibilities | Dashboard assignment |
| A.2.5 | Management Review | Compliance snapshots |
Controls for identifying and cataloging AI systems:
| Control | Name | GLACIS Support |
|---|---|---|
| A.4.1 | AI System Identification | Wizard discovery + manual entry |
| A.4.2 | AI System Classification | Risk tier assignment |
| A.4.3 | AI System Documentation | Generated documentation |
| A.4.4 | AI System Inventory | Dashboard registry |
Controls for assessing and mitigating AI risks:
| Control | Name | GLACIS Support |
|---|---|---|
| A.5.1 | AI Impact Assessment Process | Wizard-generated process |
| A.5.2 | AI Risk Identification | CTE gap analysis |
| A.5.3 | AI Risk Analysis | Automated scoring |
| A.5.12 | Impact Assessment Documentation | Generated assessments |
The largest domain covering design through deployment:
| Control | Name | GLACIS Support |
|---|---|---|
| A.6.1.1 | Development Process | Policy templates |
| A.6.2.6 | AI System Monitoring | Auto-evidence via attestations |
| A.6.2.8 | Performance Tracking | Auto-evidence via metrics |
| A.6.3.1 | Testing Requirements | Evidence collection |
Controls for operational AI management:
| Control | Name | GLACIS Support |
|---|---|---|
| A.8.1 | Deployment Planning | Documentation |
| A.8.4 | Incident Response | Incident tracking module |
| A.8.5 | Change Management | Audit log |
Controls for vendor and supplier management:
| Control | Name | GLACIS Support |
|---|---|---|
| A.10.1 | Third-Party Policy | Policy templates |
| A.10.2 | Vendor Assessment | Vendor module |
| A.10.3 | Contractual Requirements | Documentation |
GLACIS generates ISO 42001-compliant Statements of Applicability:
```markdown
# Statement of Applicability - ISO/IEC 42001:2023

Organization: Acme Corp
Date: 2024-01-15
Version: 1.0

## Control Status Summary

| Domain | Applicable | Implemented | In Progress | Not Started |
|--------|------------|-------------|-------------|-------------|
| A.2 | 18/20 | 15 | 2 | 1 |
| A.4 | 8/8 | 8 | 0 | 0 |
| A.5 | 18/20 | 12 | 4 | 2 |
| A.6 | 45/50 | 32 | 8 | 5 |
| A.7 | 18/20 | 14 | 3 | 1 |
| A.8 | 18/20 | 12 | 4 | 2 |
| A.9 | 28/30 | 20 | 5 | 3 |
| A.10 | 14/16 | 10 | 2 | 2 |

**Overall Compliance: 78%**
```

GLACIS exports compliance data in NIST OSCAL format for interoperability:
```json
{
  "catalog": {
    "uuid": "glacis-iso42001-catalog",
    "metadata": {
      "title": "ISO/IEC 42001:2023 Control Catalog",
      "version": "1.0.0"
    },
    "groups": [
      {
        "id": "a.2",
        "title": "Organizational Governance",
        "controls": [
          {
            "id": "a.2.1",
            "title": "AI Governance Policy",
            "props": [
              { "name": "status", "value": "implemented" },
              { "name": "evidence-count", "value": "3" }
            ]
          }
        ]
      }
    ]
  }
}
```

GLACIS maps ISO 42001 controls to other frameworks:
| ISO 42001 | EU AI Act | SOC 2 | NIST AI RMF |
|---|---|---|---|
| A.2.1 | Article 9 | CC1.1 | Govern 1.1 |
| A.4.1 | Article 13 | CC3.1 | Map 1.1 |
| A.5.1 | Article 9 | CC3.2 | Measure 2.1 |
| A.6.2.6 | Article 14 | CC7.1 | Manage 2.1 |
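
An added example, not GLACIS code: a check an auditor could run over the OSCAL catalog export shown earlier, listing controls marked `implemented` that carry no evidence. It assumes only the `status` and `evidence-count` props from that sample; the `a.2.2` entry, the nested `a.6.2` control and all their values are constructed.

```python
import json

# Constructed sample in the shape of the export shown above; every entry
# other than a.2.1 (and the a.6.2 nesting) is made up for illustration.
SAMPLE_EXPORT = """
{"catalog": {"uuid": "glacis-iso42001-catalog",
  "metadata": {"title": "ISO/IEC 42001:2023 Control Catalog", "version": "1.0.0"},
  "groups": [
    {"id": "a.2", "title": "Organizational Governance", "controls": [
      {"id": "a.2.1", "title": "AI Governance Policy", "props": [
        {"name": "status", "value": "implemented"},
        {"name": "evidence-count", "value": "3"}]},
      {"id": "a.2.2", "title": "AI Ethics Statement", "props": [
        {"name": "status", "value": "implemented"},
        {"name": "evidence-count", "value": "0"}]}]},
    {"id": "a.6", "title": "AI System Lifecycle", "controls": [
      {"id": "a.6.2", "title": "Lifecycle controls", "controls": [
        {"id": "a.6.2.6", "title": "AI System Monitoring", "props": [
          {"name": "status", "value": "implemented"}]}]}]}]}}
"""


def iter_controls(node):
    """Yield every control under a catalog, group or control (OSCAL allows nesting)."""
    for group in node.get("groups", []):
        yield from iter_controls(group)
    for control in node.get("controls", []):
        yield control
        yield from iter_controls(control)


def unevidenced(export_text):
    """Return ids of controls marked implemented with no usable evidence count."""
    catalog = json.loads(export_text)["catalog"]
    flagged = []
    for control in iter_controls(catalog):
        props = {p["name"]: p["value"] for p in control.get("props", [])}
        if props.get("status") != "implemented":
            continue
        raw = props.get("evidence-count", "")
        count = int(raw) if raw.isdigit() else 0  # missing or malformed counts as none
        if count == 0:
            flagged.append(control["id"])
    return flagged


if __name__ == "__main__":
    print(unevidenced(SAMPLE_EXPORT))
```

OSCAL prop values are strings, so the count is parsed defensively and a missing `evidence-count` is treated the same as zero.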