Annex A 6.2.8 ISO/IEC 42001:2023

AI System Recording of Event Logs

Organisations are required to determine logging phases for AI systems, at minimum during usage.

Plain language

This control is about keeping a record of what your AI system does and when it does it. Picture a situation where your AI chatbot tells a customer something that's not true. Having detailed logs helps you track down what went wrong and fix it quickly.

Framework

ISO/IEC 42001:2023

Control effect

Detective

Classifications

N/A

Official last update

01 Dec 2023

Control Stack last updated

19 May 2026

Maturity levels

N/A

Official control statement

The organisation shall determine at which phases of the AI system life cycle, record keeping of event logs should be enabled, but at the minimum when the AI system is in use.
ISO/IEC 42001:2023 Annex A 6.2.8

Why it matters

Without proper event logs, it becomes difficult to understand or fix AI errors, leaving customers frustrated or possibly harmed by incorrect information.

Operational notes

Make log analysis a routine task: review logs every time the system is updated or deploys new features, not just during audits.

Implementation tips

  • The AI lead should establish a clear plan for when and what to log during the AI system's lifecycle, such as when it's actively being used or during updates. A simple online calendar or project management tool can help schedule these logging checkpoints.
  • The head of IT security (CISO) should ensure that logs are securely stored and protected against unauthorized access. Using a cloud-based service with encryption, like AWS or Azure, can make this practical and reliable for small businesses.
  • The product owner needs to set up a system to check logs regularly and follow up on any strange entries or warnings. This could be as straightforward as setting a reminder in their calendar to review logs weekly.
  • Data stewards should implement categorisation for logs, making it easier to track specific events or anomalies over time. Using a colour-coded spreadsheet could be an easy way to keep this organized.
  • Procurement must include a requirement for log access rights and retention policies in all AI software contracts. They can use a template contract clause that specifies minimum retention periods and user access levels.

Audit / evidence tips

  • Ask: Ask to see the AI system's logging plan. Good: The plan clearly states logging is enabled during system use and any other specified phases.
  • Ask: Request access to a sample of logs from the AI system. Good: The logs include event details from active system use.
  • Ask: Interview the head of IT security about log storage security. Good: They describe using encryption and access controls for log storage.
  • Ask: Request evidence of regular log review by the product owner. Good: Records show weekly log reviews with notes on any issues.
  • Ask: Look at contracts from software suppliers. Good: Contracts have clear provisions for log access and retention policies.

Cross-framework mappings

How Annex A 6.2.8 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially overlaps (1)
Annex A 8.15 Annex A 6.2.8 requires the organisation to determine at which AI system life cycle phases event logging should be enabled, at minimum whe...

E8

Control Notes Details
Partially overlaps (1)
E8-AC-ML2.6 Annex A 6.2.8 requires the organisation to enable event logging for AI systems during defined life cycle phases, at minimum when the AI s...

ASD ISM

Control Notes Details
Partially overlaps (1)
ISM-0585 Annex A 6.2.8 requires enabling event logs for AI systems at defined life cycle phases, at minimum during operational use
Supports (1)
ISM-0580 Annex A 6.2.8 requires the organisation to decide during which AI system life cycle phases event logging is enabled (at minimum during use)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
