Document the People and Skills Running Your AI System
The organisation must record who works on its AI system across its whole life and the competences they bring.
Plain language
This control is about knowing, and writing down, which people and what skills are needed to run your artificial intelligence (AI) system safely from start to finish. As part of working out what resources your AI management system (AIMS) needs, you record the human resources involved at every stage: building (developing) the AI, putting it into use (deployment), running it day to day (operation), making changes to it, maintaining it, handing it to someone else (transfer) or shutting it down (decommissioning), as well as checking it works correctly (verification) and connecting it to other systems (integration). For each of these stages you note the people or roles involved and the competences, meaning the knowledge, qualifications and experience, they have. The aim is simple: make sure the right people with the right skills are in place for every part of the AI system's life, so nothing critical depends on luck or one person's memory. This documentation also helps you spot skills gaps, plan training and avoid relying on a single individual who could leave.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
18 June 2026
Maturity levels
N/A
Official control statement
As part of resource identification, the organisation shall document information about the human resources and their competences utilised for the development, deployment, operation, change management, maintenance, transfer and decommissioning, as well as verification and integration of the AI system.
Why it matters
Without documenting who runs your AI and their skills, critical stages may be handled by unqualified people, creating safety, compliance and key-person risks.
Operational notes
Review the human resources and competences record whenever staff join, change roles or leave, and at least once a year, so it stays accurate.
Implementation tips
- The AI lead should map every stage of the AI system's life, from development and deployment through operation, change management, maintenance, transfer, decommissioning, verification and integration, and list the roles needed for each stage in a single document.
- The human resources manager should record each person or role against those stages along with their relevant competences, capturing qualifications, training completed, certifications and hands-on experience for every role.
- Managers should review the documented roles and competences whenever a person joins, changes position or leaves, updating the record so it always reflects who is actually responsible for each part of the AI system.
- The AI lead should compare the competences on record against what each stage actually demands, flag any gaps, and arrange training or hiring to close them before they cause problems.
- The organisation should store this human resources record in a controlled location with version history, so the board and auditors can see who is competent to handle each phase of the AI system at any time.
Audit / evidence tips
- Askthe document that lists the human resources and competences used across the AI system's lifecycle, and confirm it covers development, deployment, operation, change management, maintenance, transfer, decommissioning, verification and integration
- Look athow competences are recorded for each role and check they include concrete evidence such as qualifications, certifications, training records and experience rather than vague claims
- Askhow the record is kept current and review version history or update dates to confirm it is revised when people join, move or leave the organisation
- Look atwhether the organisation has identified any competence gaps and check there is a plan, such as training or recruitment, to address them
- Gooda complete, dated and version-controlled record mapping named people or roles and their proven competences to every lifecycle stage of the AI system, kept up to date and clearly owned
Cross-framework mappings
How Annex A 4.6 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 5.2 | Annex A 4.6 requires the documentation of human resources and competences involved in AI systems, which overlaps with ISO/IEC 27001 Annex... | |
| handshake Supports (1) expand_less | ||
| Annex A 6.3 | Annex A 4.6 supports ISO/IEC 27001 Annex A 6.3 by providing documented information on roles and competences for AI systems, aiding target... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (3) expand_less | ||
| ISM-2020 | Annex A 4.6 requires the organisation to document human resources and competences used throughout the AI system lifecycle | |
| ISM-2035 | Annex A 4.6 involves documenting people and competences for AI systems including operational and decommissioning activities | |
| ISM-2038 | Annex A 4.6 requires documentation of human resources and competences across an AI system's lifecycle, overlapping with ISM-2038's focus ... | |
| handshake Supports (2) expand_less | ||
| ISM-0434 | Annex A 4.6 supports ISM-0434's focus on personnel screening and clearances by requiring documentation of who is involved with AI system ... | |
| ISM-2003 | Annex A 4.6 requires documenting roles and competences involved with AI systems, supporting ISM-2003's focus on governance, metrics, recr... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
Want to implement this AI control?
Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.