Review the AI Policy at Planned Intervals to Keep It Effective
Your organisation regularly reviews its artificial intelligence (AI) policy, and reviews it again whenever circumstances change, to confirm it remains suitable, adequate and effective.
Plain language
An AI policy is the document that sets out how your organisation will use and govern artificial intelligence (AI). Like any rulebook, it can drift out of date as your business grows, as you adopt new AI tools, or as laws and risks change. This control requires you to look over the policy on a set schedule (for example once a year) and also out of cycle whenever something important happens, such as a new regulation, a serious incident, or a major change to how you use AI. The review checks three things: is the policy still suitable (does it fit what the business now does), is it adequate (does it cover everything it should), and is it effective (is it actually working in practice). If gaps are found, the policy is updated and re-approved. This keeps your AI management system (AIMS, the overall framework you use to govern AI) anchored to reality rather than to a document that was written once and forgotten.
Framework
ISO/IEC 42001:2023
Control effect
Detective
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
18 June 2026
Maturity levels
N/A
Official control statement
The AI policy shall be reviewed at planned intervals or additionally as needed to ensure its continuing suitability, adequacy and effectiveness.
Why it matters
If the AI policy is never reviewed, it drifts out of date as tools, laws and risks change, leaving AI use governed by rules that no longer fit.
Operational notes
Set a recurring calendar reminder for the planned review, and keep a short trigger list of events (new law, incident, major change) that force an extra review.
Implementation tips
- Top management or the person who owns the AI management system sets a fixed review cycle for the AI policy (commonly every 12 months) and records the next review date in a calendar or governance schedule so it is never missed.
- The AI policy owner triggers an additional out-of-cycle review whenever a significant change occurs, such as a new AI law, a major incident, a new high-risk AI use case, or a substantial change to the business, and writes down what prompted the review.
- Whoever leads each review gathers practical inputs first (incident reports, audit findings, regulatory updates, results of AI risk assessments, and feedback from staff) so the review judges the policy against real evidence rather than opinion.
- The reviewers assess the policy against the three required tests (continuing suitability, adequacy and effectiveness), note any gaps, and update and re-approve the wording so the changes take formal effect.
- The AI policy owner records each review in writing (date, who attended, what was found, what changed, and who approved it) and communicates any updated policy to all affected staff so everyone follows the current version.
Audit / evidence tips
- Ask: the schedule or procedure that defines how often the AI policy is reviewed, and confirm a planned interval is actually set rather than left open-ended
- Look at: dated records of the most recent reviews and check that they happened on time according to that schedule, with no large unexplained gaps
- Ask: what would trigger a review outside the normal cycle, and look for evidence that out-of-cycle reviews really took place after major changes or incidents
- Look at: the review records to confirm the policy was judged against all three criteria (suitability, adequacy and effectiveness) using real inputs such as incidents, audit results and regulatory changes, not just a quick sign-off
- Good: a current, approved AI policy with a documented review history showing dated reviews, identified gaps, resulting updates, formal re-approval, and communication of changes to staff
Cross-framework mappings
How Annex A 2.4 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 5.1 | Annex A 2.4 requires the organisation to review its AI policy at planned intervals and as needed to ensure it is suitable, adequate, and ... |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | ISM-2074 | Annex A 2.4 calls for periodic and as-needed reviews of the AI policy to ensure its effectiveness |
| Supports | ISM-0888 | Annex A 2.4 necessitates the review of the AI policy at planned and additional intervals to maintain its effectiveness |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
Want to implement this AI control?
Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.