Suppliers
Identify where AI goals impact or are impacted by existing policies.
Plain language
This control is about making sure your AI efforts don't clash with your company's existing rules and goals. Imagine if your AI system started offering discounts without checking whether they fall within the company's pricing policy; it could cost you money and create confusion. Aligning AI goals with other policies saves you from these headaches.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
The organisation shall establish a process to ensure that its usage of services, products or materials provided by suppliers aligns with the responsible development and use of AI systems.
Why it matters
If AI goals aren't aligned with existing policies, your business risks non-compliance, unexpected costs, and legal issues that could damage its reputation.
Operational notes
Whenever AI goals change, double-check them against other policies to prevent misalignment that could cause compliance issues.
Implementation tips
- The AI lead should organise a workshop with department heads to identify which policies might be affected by AI systems. A one-hour discussion can start by listing current AI objectives and existing policies to find intersections.
- Procurement should update supplier agreements to include conditions where AI tools align with corporate policies. Adding a clause about policy compliance in contracts ensures vendors are aware of your organisational standards.
- The head of risk should conduct a risk assessment to see where AI projects might conflict with other policies. Using a simple risk matrix can help highlight where AI objectives could threaten existing standards.
- Product owners should involve legal and HR when setting AI goals to ensure they meet all regulatory and employee-related policies. A joint review session every quarter can catch any misalignments early.
- The board should receive a summary report of AI-related policy impacts to oversee alignment efforts effectively. A brief, quarterly update can provide assurance that AI use supports the company's broader strategy.
Audit / evidence tips
- Ask: Request the AI strategic objectives document. Good: The document clearly maps AI objectives to existing organisational policies and outlines any potential impacts.
- Ask: Ask for the procurement contracts related to AI systems. Good: Contracts explicitly include terms requiring AI to comply with existing company policies.
- Ask: See the last risk assessment report concerning AI projects. Good: The report highlights potential conflicts between AI projects and organisational policies, with mitigation strategies outlined.
- Ask: Request minutes from the last board meeting discussing AI integration. Good: Minutes show that AI policy alignment was discussed, with actionable items agreed upon.
- Ask: Check the product development logs for a recent AI implementation. Good: Logs confirm that HR and legal departments were consulted to ensure AI compliance with relevant policies.
Cross-framework mappings
How Annex A 10.3 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| **Partially overlaps (4)** | |
| Annex A 5.10 | Annex A 10.3 requires a supplier-usage process so that external services/products/materials used for AI align with responsible AI practices |
| Annex A 5.19 | Annex A 10.3 requires the organisation to implement a process ensuring supplier-provided services/products/materials used for AI align wi... |
| Annex A 5.31 | Annex A 10.3 requires the organisation to govern supplier usage so AI-related services/products/materials align with responsible AI devel... |
| Annex A 5.34 | Annex A 10.3 requires the organisation to ensure supplier-provided services/products/materials used for AI align with responsible AI deve... |
| **Supports (5)** | |
| Annex A 5.1 | Annex A 10.3 requires the organisation to establish a process ensuring supplier-provided services, products, or materials used in AI alig... |
| Annex A 5.12 | Annex A 10.3 requires a process to ensure supplier-provided services/products/materials used in AI align with responsible AI development ... |
| Annex A 5.14 | Annex A 10.3 requires processes to ensure supplier-provided AI services/products/materials are used in alignment with responsible AI deve... |
| Annex A 5.20 | Annex A 10.3 requires a process to ensure supplier-provided AI services/products/materials align with responsible AI development and use |
| Annex A 5.36 | Annex A 10.3 requires a process ensuring supplier-provided AI-related services/products/materials are used in alignment with responsible ... |
ASD ISM
| Control | Notes |
|---|---|
| **Partially overlaps (1)** | |
| ISM-1785 | Annex A 10.3 requires the organisation to establish a process ensuring its use of supplier-provided services/products/materials for AI al... |
| **Supports (1)** | |
| ISM-0047 | Annex A 10.3 requires a defined process to ensure supplier-provided AI services/products/materials align with responsible AI development ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
Want to implement this AI control?
Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.