Review of the AI Policy
Set up a process for reporting concerns about the organisation's role in AI system life cycles.
Plain language
This control is about making sure there's a clear way for anyone to voice concerns if they think your business's AI systems are causing problems. Imagine a customer finding out an AI mistakenly sent their personal details to the wrong person. Having a process in place helps catch issues like these early and fix them before they escalate.
Framework
ISO/IEC 42001:2023
Control effect
Responsive
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
The AI policy shall be reviewed at planned intervals or additionally as needed to ensure its continuing suitability, adequacy and effectiveness.
Why it matters
If concerns about AI are ignored, issues can worsen: a chatbot sharing wrong information, for example, can damage customer trust and potentially cause legal problems.
Operational notes
Keep the AI concern log easily accessible and update it immediately when a new issue is reported or resolved.
Implementation tips
- The head of risk should design and announce an email hotline where employees and customers can report AI-related issues quickly. This can be as simple as setting up a dedicated email address like AIconcerns@yourbusiness.com.
- The AI lead can organise regular briefings with staff explaining why it's crucial to report any odd behaviour from AI tools they use, such as giving incorrect recommendations to clients.
- The board should add a section to quarterly meetings focused on reviewing any AI concerns reported. This ensures the leadership team is aware and can allocate resources to addressing these issues.
- The product owner should maintain an easy-to-understand log of reported AI issues and what actions were taken. Sharing summaries of this log with the team can raise awareness and improve response times.
- The CISO (head of IT security) should integrate the AI concerns reporting into existing IT security incident response plans. Training staff on this process helps ensure they know what to do when they encounter AI-related issues.
Audit / evidence tips
- Ask: Ask to see the log of reported AI concerns for the last year. Good: The log is detailed, up-to-date, and shows timely resolution of concerns.
- Ask: Request a copy of the AI risk management policy. Good: The policy clearly explains the process and responsibilities for reporting AI concerns.
- Ask: Interview the AI lead about staff training sessions. Good: Training is held semi-annually and includes a segment on reporting AI issues.
- Ask: Request minutes from the last board meeting. Good: The meeting minutes show a discussion about AI issues and assigning follow-up actions.
- Ask: Check the email inbox set up for AI concerns. Good: The inbox is actively monitored, and responses are prompt and constructive.
Cross-framework mappings
How Annex A 2.4 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.1 | Annex A 2.4 requires the organisation to review its AI policy at planned intervals (and as needed) to ensure it remains suitable, adequat... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
Want to implement this AI control?
Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.