Document the Tooling Resources Used for AI Systems
Your organisation must keep written records of the tools used to build, run and support each AI (artificial intelligence) system, as part of identifying the resources your AI management system (AIMS) depends on.
Plain language
AI (artificial intelligence) systems are built and run using a range of tools: software libraries, development platforms, machine learning frameworks, data labelling tools, model training environments, testing tools and the third-party services that support them. This control asks your organisation to write down which of these tools each AI system actually uses. The reason is simple. If you do not know what your AI is built on, you cannot keep it secure, maintain it, fix it when it breaks, or replace a tool that becomes unsupported or risky. Documenting tooling resources is part of a wider step in the ISO 42001 AI management system (AIMS) called resource identification, where you record all the people, data, computing power and tools your AI depends on. For tools specifically, you keep an up-to-date list or register that names each tool, what it is used for, who provides it, and which AI system relies on it. This does not need to be complicated. A maintained spreadsheet or register is often enough. The point is that someone can look at any AI system in your organisation and quickly see the tools behind it, so the system can be managed responsibly over its whole life.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
18 June 2026
Maturity levels
N/A
Official control statement
As part of resource identification, the organisation shall document information about the tooling resources utilised for the AI system.
Why it matters
Without documented tooling, the organisation cannot maintain, secure or replace the tools its AI depends on, and one unsupported tool can break or expose several systems unnoticed.
Operational notes
Keep the tooling register current: update it whenever a tool is added, upgraded or retired, and review it at planned intervals so it always matches the tools in real use.
Implementation tips
- The AI or technical lead should build a tooling register that lists every tool used to develop, train, test, deploy and run each AI system, recording the tool name, its purpose, the provider or vendor, the version where relevant, and which AI system uses it.
- Development and data science teams should record the tooling they use at the point they adopt it, so new libraries, frameworks, platforms or labelling tools are captured as the AI is being built rather than reconstructed from memory later.
- The person who owns the AI management system should set a simple rule that the tooling register is updated whenever a tool is added, upgraded or retired, and should review it at planned intervals to confirm it still matches what is actually in use.
- Procurement and IT should feed any AI-related software, cloud services or platform subscriptions they purchase into the tooling register, so externally sourced tools are documented alongside ones built or chosen in-house.
- The AI lead should link each tool in the register to the AI system it supports, so that if a tool is found to be insecure, unsupported or non-compliant, the organisation can immediately see which AI systems are affected.
Audit / evidence tips
- Ask for the documented tooling register or resource records for AI systems, and check that documenting tools is treated as a defined part of resource identification rather than something done ad hoc.
- Look at whether the records name the specific tools used to develop, train, test, deploy and run each AI system, including the provider and what each tool is used for, not just a vague mention that tools exist.
- Ask to trace one or two live AI systems back to their documented tooling, and check the listed tools genuinely match the development platforms, frameworks and services those systems actually use.
- Look at the update history or version dates on the register to confirm it is kept current when tools are added, upgraded or removed, rather than written once and left to go stale.
- Good: a maintained, owned tooling register where every AI system can be linked to its tools, recently reviewed, with clear accountability for keeping it accurate.
Cross-framework mappings
How Annex A 4.4 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.9 | Annex A 4.4 requires the organisation to document the tooling resources utilised for each AI system as part of AIMS resource identification | |
| Supports (1) | | |
| Annex A 5.37 | Annex A 4.4 stipulates documenting AI system tooling resources | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| ISM-1493 | Annex A 4.4 requires the organisation to document information about the tooling resources utilised for an AI system as part of identifyin... | |
| ISM-1643 | Annex A 4.4 requires documented information about tooling resources used by an AI system to support resource identification within the AIMS | |
| Supports (1) | | |
| ISM-0041 | Annex A 4.4 requires the organisation to document information about the tooling resources utilised for an AI system as part of AI resourc... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.