Skip to content
arrow_back
Annex A 4.5
search
Annex A 4.5 psychology ISO/IEC 42001:2023

Document System and Computing Resources Used by AI Systems

Your organisation keeps a written record of the system and computing resources used to run each artificial intelligence (AI) system.

A.4 Resources for AI systems Preventative ISO/IEC 42001:2023 AI Management SystemISO 42001 Annex A 4asset managementrecords managementasset inventory
record_voice_over

Plain language

This control is about keeping a clear record of the computing resources your AI (artificial intelligence) systems rely on. As part of working out what resources your AI management system (AIMS) needs, your organisation must write down the system and computing resources each AI system uses. That means listing things like the servers, cloud services, processing power (for example, the CPUs or GPUs that do the heavy lifting), memory, storage, and networks that let the AI run. Think of it like an asset register, but for the technology behind your AI. If you do not know what your AI runs on, you cannot plan for it, budget for it, secure it, or keep it working reliably. For example, if a forecasting AI quietly depends on a particular cloud service, and nobody recorded that, you could lose the service in a contract change and only discover the dependency when the AI stops working. Writing it down up front means everyone knows what is needed, who provides it, and what would happen if it changed.

Framework

ISO/IEC 42001:2023

Control effect

Preventative

Classifications

N/A

Official last update

01 Dec 2023

Control Stack last updated

18 June 2026

Maturity levels

N/A

Official control statement

As part of resource identification, the organisation shall document information about the system and computing resources utilised for the AI system.
psychology ISO/IEC 42001:2023 Annex A 4.5
priority_high

Why it matters

Without a record of the resources AI systems rely on, hidden dependencies, capacity shortfalls, and outages can go unnoticed until something breaks.

settings

Operational notes

Update the resource record whenever an AI system is added, retired, or moved to different hardware, cloud services, or hosting arrangements.

build

Implementation tips

  • The AI lead should build a simple register that lists, for each AI system, the computing resources it uses: servers, cloud platforms and services, processing hardware such as CPUs and GPUs, memory, storage, and network connections.
  • The IT or infrastructure manager should record whether each resource is owned in-house or supplied by an external provider, and note the provider name and contract reference so dependencies on third parties are visible.
  • System owners should capture the scale and capacity of each resource, such as how much processing power, memory, and storage the AI needs to run and to be trained, so the organisation can plan and budget accurately.
  • The AI lead should keep the register up to date by reviewing it whenever a new AI system is introduced or an existing one changes platforms, hardware, or hosting arrangements.
  • The compliance manager should store the register in a central, access-controlled location and link it to the wider asset inventory so it can be found during planning, audits, and incident response.
fact_check

Audit / evidence tips

  • Askthe documented record of system and computing resources used by the organisation's AI systems, and confirm it exists as a maintained document rather than informal knowledge
  • Look atwhether the record covers the real components an AI system depends on, such as servers, cloud services, processing hardware (CPUs or GPUs), memory, storage, and networks, not just a single line entry
  • Askhow external dependencies are captured and check that the record names third-party providers and the services supplied, so reliance on outside infrastructure is clear
  • Look atthe dates and version history to confirm the record is kept current and was updated when AI systems were added or their hosting or hardware changed
  • Gooda clear, current resource register tied to each AI system, showing what runs where, who provides it, and the capacity involved, and held in a controlled, findable location
link

Cross-framework mappings

How Annex A 4.5 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Control Notes Details
handshake Supports (2) expand_less
E8-PA-ML1.1 Annex A 4.5 requires the organisation to document the systems and computing resources utilised to run each AI system
E8-PO-ML1.1 Annex A 4.5 requires the organisation to document the systems and computing resources utilised to run each AI system

ASD ISM

Control Notes Details
handshake Supports (3) expand_less
ISM-0041 Annex A 4.5 requires the organisation to document information about the system and computing resources utilised for the AI system
ISM-0336 Annex A 4.5 requires the organisation to document the system and computing resources utilised for each AI system
ISM-1493 Annex A 4.5 requires documenting the system and computing resources used by an AI system

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

psychology

Want to implement this AI control?

Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.

Mapping detail

Mapping

Direction

Controls