External Reporting
Provide ways for stakeholders to report negative effects of the AI system to ensure issues are addressed.
Plain language
This control means your business should have a simple way for people to tell you if your AI is causing any problems, like giving customers incorrect recommendations or saying something inappropriate. It matters because catching these issues quickly helps you fix them before harming your business reputation.
Framework
ISO/IEC 42001:2023
Control effect
Responsive
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
The organisation shall provide capabilities for interested parties to report adverse impacts of the AI system.
Why it matters
If there isn't a way to report AI problems, small issues can fester into large problems, damaging customer trust and possibly leading to legal trouble.
Operational notes
Have the head of customer service check all incoming formal complaints weekly to see if any relate to issues with the AI - don't wait for quarterly reviews.
Implementation tips
- The head of customer service should create a straightforward email or online form that employees and customers can use to report any strange or wrong outputs from the AI system. Keeping it simple encourages more people to report issues, like when AI gives the wrong product details.
- The AI lead should set up a monthly meeting to review all the reports of AI issues and decide on the next steps. This can be as easy as going through a spreadsheet of reported problems during staff meetings.
- The head of risk should add a system that flags widespread or repeated issues reported about the AI, so they can be addressed promptly before causing bigger impacts. Even a simple traffic light system (red, amber, green) can highlight when attention is needed.
- Procurement should ensure that any new AI service contracts have a clause requiring the vendor to accept feedback and act on any negative effects reported. This could be just a paragraph in contracts referencing the necessity for prompt corrective actions.
- The board should periodically check that the processes for reporting AI issues are working by requesting updates from the head of customer service. This might be as simple as a quarterly report on issues encountered and how they were resolved.
Audit / evidence tips
- Ask: Ask for the document that outlines the process for external reporting of AI issues. Good: The document outlines a clear process for reporting AI issues and names responsible staff.
- Ask: Request to see a log of reported AI incidents over the last six months. Good: The log is regularly updated, includes all important details, and shows follow-up on reported issues.
- Ask: Ask to speak to an employee who submitted a report about an AI issue. Good: The employee reports that the process was simple and they received feedback about the resolution.
- Ask: Request information on how often the reporting process is reviewed and updated. Good: The process has been reviewed within the last year and shows improvements made over time.
- Ask: Ask to see a recent board meeting agenda or minutes that discuss AI issue reporting. Good: Board meeting minutes show regular discussions on AI issue reporting.
Cross-framework mappings
How Annex A 8.3 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 6.8 | Annex A 8.3 requires the organisation to provide capabilities for interested parties to report adverse impacts of an AI system | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.