Annex A 3.2 ISO/IEC 42001:2023

AI Roles and Responsibilities

Organisations must document AI system data details for transparency and compliance.

Plain language

This control means you need to keep track of all the data that your AI system uses. Think of it like keeping a list of ingredients for a recipe. If you don't know what's in your AI, you can't be sure it's safe or fair for everyone.

Framework

ISO/IEC 42001:2023

Control effect

Preventative

Classifications

N/A

Official last update

01 Dec 2023

Control Stack last updated

19 May 2026

Maturity levels

N/A

Official control statement

Roles and responsibilities for AI shall be defined and allocated according to the needs of the organisation.
Why it matters

Not knowing your AI's data sources can lead to privacy breaches or biased outputs, which might harm customers or break laws.

Operational notes

Ensure every change in data or data source, however minor, is documented immediately; don't wait for the regular update schedule.

Implementation tips

  • The person in charge of data (data steward) should create a simple list or spreadsheet detailing all data sources your AI uses. This can be a straightforward table showing where the data comes from, who manages it, and any conditions for using that data.
  • Your AI lead should ensure a process is in place to update this list whenever new data is added or current data is changed. A monthly check-in to cross-reference updates with existing records can help catch changes in data use.
  • The procurement team should make sure any outside services supplying data have confirmed what it's used for and allow you to document this. Simple confirmation emails or contract clauses can help confirm this.
  • The head of risk should review whether the documented data might pose any legal or ethical risks. Having a meeting every six months to evaluate this with relevant staff should keep this in check.
  • The board should get a report quarterly that summarises any changes to documented data resources so they’re aware if anything could affect the organisation's reputation or legal standing.
Audit / evidence tips

  • Ask: Ask for the latest version of the AI data documentation list. Good: The list is complete, clearly shows all data sources, and has been updated within the last month.
  • Ask: Request the contract or agreement with any data suppliers. Good: The contracts clearly state data usage terms and have appropriate permissions.
  • Ask: Ask the data steward about updates in data use. Good: The data steward explains a consistent process for updating the documentation and can show recent examples.
  • Ask: Request minutes or notes from board meetings discussing AI data. Good: The minutes reflect regular discussions on data resource updates with clear follow-up actions.
  • Ask: Request evidence of data risk assessments. Good: The risk assessments are comprehensive and regularly updated to reflect new data acquisitions.

Cross-framework mappings

How Annex A 3.2 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Supports (1 control)
  • Annex A 5.8: Annex A 3.2 requires the organisation to define and allocate AI roles and responsibilities.

ASD ISM

Partially overlaps (1 control)
  • ISM-0043: Annex A 3.2 requires the organisation to define and allocate AI roles and responsibilities.

Supports (4 controls)
  • ISM-0041: Annex A 3.2 requires defined and allocated AI roles and responsibilities to ensure accountable AI governance.
  • ISM-0726: Annex A 3.2 requires defined and allocated AI roles and responsibilities.
  • ISM-1071: Annex A 3.2 requires the organisation to define and allocate AI roles and responsibilities to meet organisational needs.
  • ISM-1525: Annex A 3.2 requires defined and allocated AI roles and responsibilities across the AI lifecycle.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

Want to implement this AI control?

Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.