AI System Operation and Monitoring
Organisations must establish processes for operating and maintaining AI systems, including monitoring, repairs, and updates.
Plain language
This control means you need to keep an eye on your AI systems, just like you would a car, making sure they're running smoothly. Without this, your AI might suggest irrelevant products to customers or provide outdated information, harming your business reputation.
Framework: ISO/IEC 42001:2023
Control effect: Proactive
Classifications: N/A
Official last update: 01 Dec 2023
Control Stack last updated: 19 May 2026
Maturity levels: N/A
Official control statement
The organisation shall define and document the necessary elements for the ongoing operation of the AI system. At the minimum, this should include system and performance monitoring, repairs, updates and support.
Why it matters
If AI systems aren't monitored, customers could receive wrong suggestions or outdated information, leading to a loss of trust and revenue.
Operational notes
Schedule a team review meeting after each AI update or repair to ensure everyone’s aware of changes and can operate smoothly.
Implementation tips
- The AI lead should set up a basic system to monitor the AI’s performance, like a simple weekly report checking if the results still make sense. For instance, if an AI used for recommending products starts suggesting winter coats in summer, it might need adjusting.
- The head of risk should ensure there is a clear plan for fixing issues with the AI system quickly. This plan should include steps like who's responsible and how to contact them immediately, similar to having a go-to mechanic for unexpected car troubles.
- Data stewards should schedule regular updates for the AI's information to keep it current, much like updating your smartphone's apps to improve functionality and security. Set reminders for quarterly updates at minimum.
- The CISO can implement basic security measures, like regular password updates and firewall checks to protect the AI from unauthorized access. For example, having all users use two-factor authentication is a simple starting point.
- Product owners should gather user feedback regularly to spot anything the AI is getting wrong. Create a simple form customers can fill out if they see an error or get incorrect information from your AI.
Audit / evidence tips
- Ask: Request the AI system performance logs from last month. Good: Performance logs are detailed, regularly reviewed, and highlight immediate corrective actions for issues detected.
- Ask: Ask for the AI repair and update plan. Good: The plan is comprehensive, with clear responsibility assignments, and has been updated within the past year.
- Ask: Request the record of the latest AI system update. Good: The update record is recent, detailed, and signed by the authorised person.
- Ask: Request the user feedback forms from the last six months. Good: User feedback is collected monthly, and pertinent issues have been addressed.
- Ask: Ask for the security check reports of the AI system. Good: Security reports are thorough, show documented checks, and corrective actions are taken for any vulnerabilities.
Cross-framework mappings
How Annex A 6.2.6 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Annex A 5.7 | Annex A 6.2.6 requires ongoing AI system operation and monitoring, including defining what to monitor and how operational issues are handled | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (4) | | |
| E8-MF-ML2.9 | Annex A 6.2.6 requires documented processes for ongoing operation of an AI system, including system/performance monitoring and support | |
| E8-AH-ML2.12 | Annex A 6.2.6 requires the organisation to define and document ongoing AI system operation elements, including monitoring, repairs, updat... | |
| E8-PO-ML3.6 | Annex A 6.2.6 requires the organisation to define and document ongoing AI system operation including repairs, updates and support | |
| E8-PO-ML3.8 | Annex A 6.2.6 requires documented processes for operating and maintaining the AI system, including updates and repairs | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
Want to implement this AI control?
Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.