AI System Verification and Validation
Organisations must set standards to check their AI systems work as intended and are fit for purpose.
Plain language
This control means that you need to check that your AI system is doing what you want and working correctly. Imagine you run a small shop and use AI to manage stock; if the AI orders the wrong products, you could end up with losses or dissatisfied customers. By setting standards for checking your AI, you can prevent such issues.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
The organisation shall define and document verification and validation measures for the AI system and specify criteria for their use.
Why it matters
If checks are not in place, the AI might make decisions that cost money or harm your reputation, such as restocking products incorrectly.
Operational notes
Review and update verification and validation plans whenever the AI system or its data input process changes.
Implementation tips
- The AI lead should clearly outline what tasks the AI needs to perform and how to test if it's working well. Start with a list of key functions, like predicting sales, and create simple tests to see if predictions match reality.
- The data steward should regularly check the accuracy of data that feeds the AI. A simple spreadsheet that logs when data is reviewed and if any errors are found can keep quality in check.
- The product owner should involve team members who use the AI daily to report issues. Setting up a simple shared document or chat group where employees note down any strange AI behaviour can catch problems early.
- The head of risk should establish a process for handling AI system errors. This could be as straightforward as defining who to notify when the AI behaves incorrectly and how to stop it from causing damage, like a protocol sheet on the office wall.
- Procurement should include a clause in supplier contracts that obligates them to disclose changes in their AI systems. This ensures you can re-verify and re-validate their performance whenever suppliers update or alter their algorithms.
Audit / evidence tips
- Ask: Request the verification plan for the AI system. Good: The plan lists specific tests for each key function the AI performs.
- Ask: Ask for the log of data quality checks conducted by the data steward. Good: Regular checks are logged, and issues are promptly addressed with corrective actions.
- Ask: Request feedback records from employee reports on AI behaviour. Good: Feedback is systematically recorded and issues are consistently resolved.
- Ask: Speak with the head of risk about the error handling process. Good: A simple documented process exists and staff are aware of it.
- Ask: Review supplier contracts provided by procurement. Good: Contracts contain clear clauses requiring supplier transparency in AI changes.
Cross-framework mappings
How Annex A 6.2.4 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 8.29 | Annex A 6.2.4 requires defining and documenting verification and validation measures for an AI system, with criteria for when they are ap... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (4) | | |
| ISM-0402 | Annex A 6.2.4 requires documented AI system verification and validation measures and criteria for their use | |
| ISM-1524 | Annex A 6.2.4 requires defined and documented verification and validation measures to confirm an AI system performs as intended against s... | |
| ISM-1636 | Annex A 6.2.4 requires the organisation to define and document AI system verification and validation measures and criteria to confirm the... | |
| ISM-2102 | Annex A 6.2.4 requires the organisation to define and document verification and validation measures for an AI system, including criteria ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.