Customers
Ensure roles for AI tasks are set in line with the organisation's needs.
Plain language
This control is about making sure everyone in your business who works with AI knows exactly what they are responsible for. If no one knows who should fix the AI app when it gives customers the wrong prices, things can go wrong quickly.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
The organisation shall ensure that its responsible approach to the development and use of AI systems considers their customer expectations and needs.
Why it matters
If roles aren't clear, AI issues may go unresolved, leading to wrong customer charges or breaches of privacy laws, damaging your business and reputation.
Operational notes
Make sure everyone knows who is in charge of each AI task. Confirm role assignments in team meetings and update them as your needs grow.
Implementation tips
- The AI lead should list out all the tasks linked to your AI system, such as data handling and system updates. Then assign each task to a team member who can handle it, like a data steward for data quality.
- The head of risk should identify potential risks within AI operations and make sure each risk has somebody in charge. This means if the AI starts making errors, there's a clear go-to person ready to address the issue promptly.
- Board members should review and approve the AI roles to ensure they align with the organisation's strategy and risk appetite. A quarterly meeting to discuss roles and task effectiveness ensures accountability.
- The data steward should coordinate with the AI lead to ensure data quality by checking data records regularly. For example, reviewing data sources and correcting inaccuracies in a weekly log book.
- Procurement should include role clarity in contracts when buying AI solutions, ensuring supplier responsibilities are clear. Adding a clause that details the support person from the supplier's side is a practical step.
Audit / evidence tips
- Ask: Request the organisational chart showing AI roles. Good: The chart displays clear and distinct AI roles with names and responsibilities assigned.
- Ask: Ask for the last meeting minutes discussing AI roles. Good: The minutes reflect a recent discussion and update of AI roles and responsibilities.
- Ask: Check the AI system task list document. Good: The task list document shows names next to each task with contact details available.
- Ask: Review the supplier contract for AI solutions. Good: The contract includes specific clauses on roles and responsibilities for both parties.
- Ask: Look at the risk management plan for AI. Good: The risk management plan has roles assigned to all AI risks and includes mitigation steps.
Cross-framework mappings
How Annex A 10.4 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.2 | Partially overlaps | Annex A 10.4 requires the organisation to ensure its responsible approach to developing and using AI systems explicitly considers custome... |
ASD ISM
| Control | Relationship | Notes |
|---|---|---|
| ISM-1997 | Partially overlaps | Annex A 10.4 involves shaping AI practices per customer expectations, suggesting governance and accountability relevance |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
Want to implement this AI control?
Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.