Alignment with Other Organisational Policies
Ensure the organisation's AI objectives align with and impact existing policies.
Plain language
Imagine you've rolled out a new AI program that helps with customer service, but you find it occasionally gives out outdated refund policies. This control is about making sure your new AI system doesn't clash with existing company policies, like those refund rules, so everything works smoothly together.
Framework
ISO/IEC 42001:2023
Control effect
Proactive
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
The organisation shall determine where other policies can be affected by, or apply to, the organisation's objectives with respect to AI systems.
Why it matters
Without alignment, your AI might accidentally violate existing policies, like giving out incorrect terms, leading to customer dissatisfaction and potential legal issues.
Operational notes
Whenever a new AI initiative begins, check how it might affect existing policies, and adjust those policies as necessary to keep everything in sync.
Implementation tips
- The board should ensure there is a process to evaluate how AI objectives fit with current organisational policies. This could be a simple meeting each quarter to review changes and discuss impacts.
- The AI lead should work closely with the head of risk to assess and map out where AI initiatives might influence existing policies. Use a whiteboard session to brainstorm potential areas of overlap.
- In-house counsel should take a detailed look at how AI systems align with legal and regulatory obligations. To help track compliance, maintain a spreadsheet with relevant legal updates.
- Product owners must regularly review their product's AI outputs and report any discrepancies that conflict with organisational rules. A shared document capturing these reviews could highlight any concerns early.
- Data stewards should track the sources and types of data feeding into AI models, ensuring that data use complies with existing data protection and privacy policies. Use a version-controlled log for updates.
Audit / evidence tips
- Ask: Request a report of the latest AI and policy alignment review. Good: The report explains AI objectives, assesses policy impacts, and lists actionable updates.
- Ask: Ask for meeting notes from the board discussing AI policy alignment. Good: The notes mention AI's influence on existing policies and record action items.
- Ask: Examine the risk assessment documents related to AI projects. Good: Risk assessments acknowledge all potential policy impacts and suggest mitigation actions.
- Ask: Look at the product review documents regarding AI outputs. Good: The document shows regular scrutiny and steps taken to align AI outputs with company policies.
- Ask: Check the data provenance logs. Good: The logs clearly trace data sources and confirm compliance with applicable policies.
Cross-framework mappings
How Annex A 2.3 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| Annex A 5.1 | Annex A 2.3 requires the organisation to determine where other organisational policies are affected by, or apply to, the organisation’s o... | |
| Annex A 5.10 | Annex A 2.3 requires identifying which existing policies are impacted by or constrain AI objectives | |
| Annex A 5.12 | Annex A 2.3 requires the organisation to determine how AI objectives interact with other organisational policies | |
| Supports (3) | | |
| Annex A 5.4 | Annex A 2.3 requires determining how AI objectives affect or are constrained by other organisational policies | |
| Annex A 5.31 | Annex A 2.3 requires identifying which organisational policies apply to or are affected by AI objectives | |
| Annex A 5.36 | Annex A 2.3 requires the organisation to identify policy intersections and impacts arising from AI objectives | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
Want to implement this AI control?
Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.