Determine and Document AI Reporting Obligations to Interested Parties
Your organisation must identify and write down every obligation it has to report information about its artificial intelligence (AI) systems to interested parties.
Plain language
This control is about working out who you owe information to about your artificial intelligence (AI) systems, and writing those obligations down so nothing slips through the cracks. Interested parties are any people or groups who have a stake in your AI, such as customers, regulators, business partners, suppliers, employees, or members of the public affected by a decision the AI makes. Some of these reporting duties are legal, for example a privacy regulator that requires you to disclose how automated decisions are made, or a law that says a person must be told when they are interacting with AI rather than a human. Others come from contracts, industry codes, or promises your organisation has made. The point of this control is not to decide what you report yet, but first to make a complete and documented list of who you are obliged to inform, what you must tell them, and why that obligation exists. Without that documented list, it is easy to miss a legal duty or break a contract, which can lead to fines, complaints, or loss of trust. Within your AI management system (AIMS, the set of policies and processes you use to govern AI responsibly), this documented register of reporting obligations becomes the foundation for actually delivering the right information to the right people at the right time.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
18 June 2026
Maturity levels
N/A
Official control statement
The organisation shall determine and document their obligations to reporting information about the AI system to interested parties.
Why it matters
Missing a documented reporting obligation can breach a law or contract, leading to regulator fines, complaints, and lost trust in your AI.
Operational notes
Review the obligations register whenever laws, contracts or AI systems change, not only at audit time, and reassign owners when staff move on.
Implementation tips
- The compliance manager compiles a register that lists every interested party your AI systems affect, such as customers, regulators, partners and the public, and records what reporting obligation is owed to each one.
- The legal team reviews applicable laws, regulations and industry codes covering AI and automated decisions, then documents each specific reporting duty they create along with the source it comes from.
- The contracts owner examines supplier and customer agreements to find clauses that require you to share information about the AI system, and adds those contractual reporting obligations to the same register.
- The AI management system owner assigns a named person responsible for each documented obligation and sets a defined frequency for review, so the register stays current as systems, laws and contracts change.
- The board or senior leadership formally approves the documented reporting obligations and confirms the organisation has the resources to meet them, recording that approval in meeting minutes.
Audit / evidence tips
- Ask: the documented register or list of reporting obligations the organisation owes to interested parties about its AI systems, and confirm it actually exists in writing
- Look at: whether the register names each interested party, states what information must be reported to them, and cites the source of the obligation such as a specific law, regulation or contract clause
- Ask: how the organisation identified its legal and regulatory reporting duties, and check that the legal review covering AI and automated decisions is documented and reasonably current
- Look at: supplier and customer contracts to confirm any reporting clauses they contain have been captured in the register, with no obvious obligations missing
- Good: a complete, dated and approved register with a named owner and review date for each obligation, kept up to date as laws, contracts and AI systems change
Cross-framework mappings
How Annex A 8.5 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Annex A 5.31 | Annex A 8.5 requires the organisation to determine and document its obligations to report information about AI systems to interested parties | |
| Annex A 6.8 | Annex A 8.5 requires the organisation to determine and document obligations to report AI-system information to interested parties | |
| Supports (2) | | |
| Annex A 5.5 | Annex A 8.5 requires the organisation to determine and document AI-system reporting obligations to interested parties | |
| Annex A 5.12 | To meet the obligations of Annex A 8.5 (ISO/IEC 42001), Annex A 5.12 (ISO/IEC 27001) provides support by requiring classification of info... | |
| Depends on (1) | | |
| Annex A 5.34 | Annex A 8.5 requires the organisation to determine and document obligations to report AI-system information to interested parties | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| ISM-0043 | Annex A 8.5 requires determining and documenting obligations to report information about the AI system to interested parties | |
| ISM-1880 | Annex A 8.5 requires the organisation to identify and document obligations to report information about AI systems to interested parties | |
| Supports (1) | | |
| ISM-0718 | Annex A 8.5 requires determining and documenting AI-system reporting obligations to interested parties | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.