Consider Customer Expectations and Needs When Using AI
Make sure your responsible approach to building and using artificial intelligence (AI) takes account of what your customers expect and need.
Plain language
This control is about keeping your customers in mind whenever you build or use artificial intelligence (AI). An AI management system (AIMS) is the set of policies and practices you use to govern AI responsibly. This control says that responsible AI is not only about your own rules and risks; it must also reflect what the people who buy from or rely on you actually expect and need. For example, customers may expect to know when they are talking to an AI chatbot rather than a person, to have a human they can reach if the AI gets something wrong, or to trust that an AI tool will not treat them unfairly or misuse their personal information. If you ignore those expectations, you can lose customer trust even when the technology works as designed. So this control asks you to find out what your customers expect from your AI, take those expectations seriously, and let them shape how you develop and run your AI systems.
Framework
ISO/IEC 42001:2023
Control effect
Proactive
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
18 June 2026
Maturity levels
N/A
Official control statement
The organisation shall ensure that its responsible approach to the development and use of AI systems considers their customer expectations and needs.
Why it matters
Ignoring customer expectations for AI erodes trust, drives complaints and churn, and can breach consumer or privacy obligations, harming revenue and reputation.
Operational notes
Refresh your view of customer expectations regularly, as they shift with new AI features and public concern. Feed complaints back into AI design.
Implementation tips
- The AI lead should gather customer expectations about your AI systems through surveys, support tickets, complaints and feedback forms, then write them into a short customer expectations summary that informs AI design decisions.
- The product owner should set clear, customer-facing standards for each AI system, such as telling customers when they are interacting with AI, offering a way to reach a human, and explaining how their data is used.
- The compliance manager should map customer needs to the relevant rules and commitments, for example privacy obligations, consumer protection law and any promises made in marketing, so AI behaviour stays consistent with what customers were told.
- The customer service team should give people an easy path to question or appeal an AI-driven outcome, such as a refund decision or a recommendation, and feed the patterns from those appeals back to the AI lead.
- Senior management should review customer feedback and complaints about AI at regular intervals and require changes to AI systems when customer expectations are not being met.
Audit / evidence tips
- Ask: evidence that the organisation has identified its customers' expectations and needs for AI systems, such as survey results, complaint logs or feedback summaries. Good: a documented, current record that clearly informs AI decisions.
- Ask: how customers are told when they are interacting with AI and how they can reach a human. Look at: the actual customer-facing messages or interfaces. Good: plain, visible disclosure and an easy escalation route.
- Ask: to see how customer expectations were used to shape a specific AI system. Look at: design notes, requirements or change records that reference customer needs. Good: a traceable link from customer feedback to AI changes.
- Ask: the process that handles customer complaints or appeals about AI outcomes. Look at: recent cases and how they were resolved. Good: timely responses with evidence that recurring issues led to AI improvements.
- Ask: how senior management reviews whether AI meets customer expectations. Look at: meeting minutes or review records. Good: regular management review with decisions and follow-up actions recorded.
Cross-framework mappings
How Annex A 10.4 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Annex A 5.2 | Annex A 10.4 requires the organisation to ensure its responsible approach to developing and using AI systems explicitly considers custome... | |
| Annex A 5.34 | Annex A 10.4 mandates consideration of customer expectations and needs when developing and using AI systems, often including expectations... | |
| Supports (3) | | |
| Annex A 5.1 | Annex A 10.4 requires the organisation’s responsible approach to developing and using AI systems to consider customer expectations and needs | |
| Annex A 5.8 | Annex A 10.4 requires that customer expectations and needs are considered as part of a responsible approach to AI development and use | |
| Annex A 5.31 | Annex A 10.4 calls for a responsible AI approach that takes into account customer expectations and needs, including those influenced by c... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| ISM-1997 | Annex A 10.4 involves shaping AI practices per customer expectations, suggesting governance and accountability relevance | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.