Defining and Documenting Ongoing AI System Operation Requirements
Your organisation must define and write down what is needed to keep each artificial intelligence (AI) system running well over time, covering at least monitoring, repairs, updates and support.
Plain language
An artificial intelligence (AI) system is not something you build once and forget. To keep it working safely and reliably after it goes live, your organisation needs to decide in advance what is required to operate it day to day, and then write that down. This control asks you to define and document those operational requirements as part of your AI management system (AIMS, the set of policies and processes you use to govern AI). At a minimum the documentation must cover four things: how you will monitor the system and its performance, how repairs will be handled when something breaks, how updates will be applied, and what ongoing support will be available. Having this written down means the people running the AI know exactly what they are responsible for, problems get caught and fixed instead of being ignored, and the system keeps delivering the results it was meant to rather than quietly drifting or failing.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
18 June 2026
Maturity levels
N/A
Official control statement
The organisation shall define and document the necessary elements for the ongoing operation of the AI system. At the minimum, this should include system and performance monitoring, repairs, updates and support.
Why it matters
Without documented operating requirements, AI systems can degrade or fail unnoticed, with no clear owner for monitoring, repairs, updates or support.
Operational notes
Keep one operations document per AI system and update it whenever the system changes, so monitoring, repair, update and support arrangements stay accurate.
Implementation tips
- The AI system owner should produce a written operations document for each AI system that lists, as a minimum, how the system and its performance will be monitored, how repairs are handled, how updates are applied, and what support is available.
- The operations lead should define specific performance measures and thresholds to watch (for example accuracy, response time or error rate) and record how often results are reviewed and who reviews them.
- The IT or service manager should document a clear repair and support process that names who is responsible, how issues are reported, and the expected timeframe for resolving them.
- The change manager should set out how updates to the AI system are planned, tested, authorised and recorded, so changes are controlled rather than ad hoc.
- Senior management should formally approve the operations documentation and schedule a regular review (for example annually or after major changes) so it stays accurate as the system evolves.
Audit / evidence tips
- Askthe documented operating requirements for one or more live AI systems, and confirm a document actually exists rather than relying on informal knowledge
- Look atwhether the document covers all four minimum elements named in the control: system and performance monitoring, repairs, updates and support
- Askwho is responsible for each element and check that named roles or owners are recorded, not left vague
- Look atevidence that the documented process is actually followed, such as monitoring reports, logs of repairs, and records of updates that match what the document describes
- Gooda current, approved operations document for each AI system that clearly defines monitoring, repairs, updates and support, with matching records showing it is being used in practice
Cross-framework mappings
How Annex A 6.2.6 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (2) expand_less | ||
| Annex A 8.6 | Annex A 6.2.6 requires the organisation to define and document the necessary elements for ongoing AI system operation, including system/p... | |
| Annex A 8.32 | Annex A 6.2.6 requires defining and documenting ongoing AI system operation requirements, including handling of updates and repairs | |
| handshake Supports (1) expand_less | ||
| Annex A 5.7 | Annex A 6.2.6 requires ongoing AI system operation and monitoring, including defining what to monitor and how operational issues are handled | |
E8
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (4) expand_less | ||
| E8-MF-ML2.9 | Annex A 6.2.6 requires documented processes for ongoing operation of an AI system, including system/performance monitoring and support | |
| E8-AH-ML2.12 | Annex A 6.2.6 requires the organisation to define and document ongoing AI system operation elements, including monitoring, repairs, updat... | |
| E8-PO-ML3.6 | Annex A 6.2.6 requires the organisation to define and document ongoing AI system operation including repairs, updates and support | |
| E8-PO-ML3.8 | Annex A 6.2.6 requires documented processes for operating and maintaining the AI system, including updates and repairs | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (2) expand_less | ||
| ISM-0042 | Annex A 6.2.6 mandates defining and documenting ongoing AI system operational requirements, such as monitoring, repairs, updates and support | |
| ISM-2114 | Annex A 6.2.6 requires documenting the requirements for ongoing AI system operation, like system and performance monitoring | |
| handshake Supports (2) expand_less | ||
| ISM-0912 | Annex A 6.2.6 requires documented ongoing operational requirements for an AI system, including repairs and updates | |
| ISM-1211 | Annex A 6.2.6 requires defining and documenting what is necessary to keep an AI system operating, including repairs and updates | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
Want to implement this AI control?
Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.