Annex A 9.4 ISO/IEC 42001:2023

Intended Use of the AI System

Ensure AI systems are used as intended and documented to avoid misuse and its consequences.

Plain language

This control means you need to make sure your AI does exactly what you planned for. Imagine you have a chatbot designed to answer customer queries about hours of operation, but instead, it gives personal advice, leading to upset customers. It's important to avoid such mix-ups.

Framework

ISO/IEC 42001:2023

Control effect

Preventative

Classifications

N/A

Official last update

01 Dec 2023

Control Stack last updated

19 May 2026

Maturity levels

N/A

Official control statement

The organisation shall ensure that the AI system is used according to the intended uses of the AI system and its accompanying documentation.
ISO/IEC 42001:2023 Annex A 9.4

Why it matters

If you don't clearly define and monitor AI use, it might do something it wasn't supposed to, like giving wrong advice, which could confuse or upset customers.

Operational notes

Update system restrictions and intended use statements whenever you make changes to your AI applications or retrain them with new data.

Implementation tips

  • The product owner should create a simple 'intended use' statement for each AI system to share with your team, explaining exactly what the AI is supposed to do. It can be as easy as a one-page document stating that a chatbot should only handle customer service questions and not provide personal advice.
  • The AI lead needs to review the AI's use regularly to ensure it fits the original purpose. Arrange monthly meetings to check AI outputs, which could be as simple as sampling recent interactions to spot any irregularities.
  • The data steward should ensure the training data used is appropriate and matches the AI's intended use. They could maintain a log, noting where the data came from and why it was chosen, ensuring no unrelated data slips in.
  • The CISO should ensure there are safeguards against unwanted uses. Think of simple technical controls that prevent your chatbot from accessing unrelated systems or providing off-topic responses.
  • Procurement should add a clause in contracts with AI vendors about system uses and restrictions. It’s enough to have a paragraph stating what the AI will and won’t be used for, agreeing on consequences if these terms are broken.

Audit / evidence tips

  • Ask: Review the AI system's intended use statement. Good: The statement clearly defines what the AI system is intended to do and includes usage limitations.
  • Ask: Check records of AI use audits. Good: Records show monthly reviews with documented action items for any identified issues.
  • Ask: Ask to see the data sourcing log. Good: The log exists, is up-to-date, and matches the AI system's intended application.
  • Ask: Inspect the contractual agreement with AI vendors. Good: Contracts include clear provisions about the AI's intended and restricted uses.
  • Ask: Request the configuration settings for the AI system. Good: Configuration settings include restrictions that prevent the AI system from being used improperly.
Cross-framework mappings

How Annex A 9.4 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1)

  • Annex A 5.14: Annex A 9.4 requires the organisation to ensure an AI system is used only as intended per its documentation, which includes constraints o...

Supports (2)

  • Annex A 5.10: Annex A 9.4 requires the organisation to ensure an AI system is used only in accordance with its intended use and accompanying documentat...
  • Annex A 8.30: Annex A 9.4 requires that the AI system be used according to its intended uses and documentation, which depends on clear design assumptio...

ASD ISM

Supports (3)

  • ISM-0027: Annex A 9.4 requires controlling AI system use so it aligns with intended use and documented constraints
  • ISM-0042: Annex A 9.4 requires the organisation to ensure the AI system is used only as intended, which often needs operational procedures, configu...
  • ISM-0072: Annex A 9.4 requires AI systems to be used according to intended use and documentation, including constraints relating to confidentiality...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
