ISO/IEC 42001:2023 readiness
Clause-by-clause readiness against the AI management system standard. The same shape an external certification auditor pulls first — implemented / partial / not implemented / N/A — with evidence narrative for each clause.
7 of 12 applicable clauses fully implemented. 5 partial.
Leadership
2 clauses
- 5.2ImplementedAI policy
AI Use Policy v2.1, board-approved Feb 2026. Reviewed annually.
- 5.3ImplementedRoles, responsibilities, authorities
AI Review Board chartered; per-use-case owner enforced via registry.
Planning
2 clauses
- 6.1.2ImplementedAI risk assessment
Tiering rubric in production; impact × likelihood × reversibility scored on every registration.
- 6.1.4PartialAI system impact assessment
Assessments documented for 9 of 12 use cases. Three pre-program use cases need backfilled assessments.
Support
3 clauses
- 7.2ImplementedCompetence
Role-specific AI training delivered to all designated operators in Q4 2025.
- 7.3PartialAwareness
Quarterly company-wide briefings established; engineering and CS coverage strong, finance behind.
- 7.5PartialDocumented information
Model cards exist for 8 of 12 use cases; data lineage gaps on the two third-party API systems.
Operation
3 clauses
- 8.1ImplementedOperational planning and control
Pre-deployment review board for Tier 1; tier-aware control bundle enforced.
- 8.2PartialAI system impact assessment
See 6.1.4 — same gap on the three pre-program systems.
- 8.3ImplementedAI risk treatment
Risk treatments tracked per use case; verified at re-review.
Performance evaluation
1 clause
- 9.1PartialMonitoring, measurement, analysis
Validity metrics tracked for 7 of 9 production systems. Drift detection live for 5 of 9.
Improvement
1 clause
- 10.2ImplementedNonconformity and corrective action
Incident process operating; 3 incidents recorded, 2 resolved. Tied into MVP 06 workflow engine.