Define and Document Processes for Responsible Use of AI Systems
Your organisation must define and write down the processes that govern how artificial intelligence (AI) systems are used responsibly.
Plain language
This control asks your organisation to set out, in writing, how people are allowed to use your artificial intelligence (AI) systems in a responsible way. "Processes" here simply means the agreed steps, rules and ways of working that staff follow when they use an AI system in their day-to-day work.

Think of it like a set of operating instructions for a piece of equipment. You would not let people use a forklift without a clear procedure for how to operate it safely. AI systems are similar. Without documented processes, each person decides for themselves what is acceptable, which leads to inconsistent and sometimes harmful use.

Responsible use means things like checking AI output before acting on it, keeping people in the loop for important decisions, not feeding sensitive or confidential information into systems that should not see it, and using the AI only for the purposes it was approved for. The point of this control is to make those expectations explicit and written down, not left to assumption, so that everyone who touches an AI system knows exactly what they should and should not do. Because this is part of an AI management system (AIMS, the formal way your organisation manages AI), the processes need to be documented and kept current, not just spoken about informally.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
18 June 2026
Maturity levels
N/A
Official control statement
The organisation shall define and document the processes for the responsible use of AI systems.
Why it matters
Without documented processes, staff use AI inconsistently and unsafely, leading to errors, data exposure and unaccountable decisions that harm people and the organisation.
Operational notes
Keep each AI system's responsible-use process current; review it whenever the system, its purpose or relevant law changes, and confirm staff follow it.
Implementation tips
- The AI management system owner should write a short procedure for each AI system describing the approved uses, the steps staff must follow, and what is not allowed, then store it where all relevant staff can find it.
- Managers should require staff to review AI-generated output before they rely on it or share it externally, and document this human-check step inside the use process so it is not skipped.
- The compliance manager should define rules on what information can and cannot be entered into each AI system, especially personal, confidential or commercially sensitive data, and record these rules in the documented process.
- Department heads should map out where AI fits into existing workflows and specify the points where a person must stay involved in or approve a decision, writing these checkpoints into the process document.
- The AI management system owner should schedule a regular review (for example every six or twelve months) to update each documented process when the AI system, its purpose or the law changes, and keep dated versions as a record.
Audit / evidence tips
- Ask for the documented processes covering responsible use of each AI system the organisation runs, and confirm a process exists for every system in use, not just one or two.
- Look at whether each process actually describes how the system should be used: approved purposes, required human checks, data handling rules and restrictions, rather than vague statements of intent.
- Ask staff who use the AI systems to explain the process they follow, and check that what they describe matches the documented version, showing the process is real and not just paperwork.
- Look at version history or review dates on the process documents to confirm they are kept current and updated when systems or purposes change.
- Good: clear, current, written processes for responsible use that name approved uses, prohibited actions and human oversight points, with evidence that staff understand and follow them.
Cross-framework mappings
How Annex A 9.2 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Annex A 5.1 | Annex A 9.2 demands defined processes for responsible AI use | |
| Annex A 5.10 | Annex A 9.2 mandates defining and documenting AI use processes | |
| Supports (1) | | |
| Annex A 5.4 | Annex A 5.4 requires management to ensure personnel apply established policies, supporting Annex A 9.2's AI-use processes | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| ISM-0041 | Annex A 9.2 requires organisations to define and document processes for responsible AI use | |
| ISM-2074 | Annex A 9.2 requires process documentation for responsible AI use | |
| Supports (4) | | |
| ISM-0047 | Annex A 9.2 mandates defining and documenting responsible AI use processes | |
| ISM-0888 | Annex A 9.2 requires documented processes for responsible AI use | |
| ISM-1602 | Annex A 9.2 sets out the need for documented processes for responsible AI use | |
| ISM-1999 | ISM-1999 aligns cyber security strategy with business goals, supporting Annex A 9.2 by ensuring AI-use processes reflect organisational o... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
Want to implement this AI control?
Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.