ISO/IEC 42001:2023
Artificial Intelligence Management System (AIMS)
Internal Audit Checklist
Organization:
Audit Date:
Lead Auditor:
Audit Ref No.:
Auditee(s):
AI Systems in Scope:
Organization Role (Provider/Operator/Both):
Next Audit Due:
Instructions for Use
This checklist covers the operative clauses of ISO/IEC 42001:2023 (Clauses 4–10) for an Artificial Intelligence Management System (AIMS) internal audit. AI lifecycle, data, use and third-party controls, which the standard places in Annex A (A.6, A.7, A.9, A.10) rather than in the clauses, are checked here under Clause 8 (Operation). For each item, review the stated requirement, gather objective evidence using the guidance notes, assign a rating code, and record findings in the notes column. Attach supporting evidence references (document numbers, system records, interview notes, AI system artefacts) to each finding.
Key focus areas unique to ISO/IEC 42001: AI risk assessment and AI system impact assessment; responsible AI principles (fairness, transparency, accountability, human oversight); AI system lifecycle controls (design, training, deployment, monitoring, decommissioning); third-party AI supply chain; and AI incident management.
Rating Legend
✓ Conforming
OFI Opportunity for Improvement
MNC Minor NC
MJC Major NC
N/A Not Applicable
☐ Not Yet Audited
Clause 4: Context of the Organization
Ref.
Audit Requirement
Guidance / Evidence
Rating
Auditor Notes
4.1 Understanding the Organization and Its Context
4.1
The organization determines external and internal issues relevant to its purpose that affect its ability to achieve the intended outcomes of the AI management system (AIMS).
Review strategic plans, AI strategy documents, and board/executive papers; confirm AI-specific issues (regulatory landscape, public trust, technology maturity, talent) are addressed.
☐
4.1
External issues include: evolving AI regulations and standards, societal expectations of trustworthy AI, competitive dynamics, and applicable ethical frameworks.
Check AI regulatory register (EU AI Act, national laws), industry codes of practice, and stakeholder expectation surveys.
☐
4.1
Internal issues include: organizational AI maturity, data quality and governance, AI system lifecycle management capabilities, and existing risk management frameworks.
Review AI maturity assessment reports, data governance policies, and alignment with existing ISO 27001/9001/31000 frameworks if present.
☐
4.1
External and internal issues are monitored and reviewed at planned intervals to detect significant changes affecting the AIMS.
Check management review outputs; verify frequency of context reviews and process for escalating changes.
☐
4.2 Understanding the Needs and Expectations of Interested Parties
4.2
Interested parties relevant to the AIMS are identified, including: AI system users, affected individuals and communities, regulators, customers, suppliers of AI components, employees, and civil society organizations.
Review stakeholder register; confirm all parties impacted by or having interest in AI systems are captured.
☐
4.2
Relevant needs and expectations of interested parties are determined, including requirements related to transparency, explainability, fairness, privacy, and accountability of AI systems.
Verify documented requirements list; check for user feedback mechanisms, regulatory engagement records, and accessibility/inclusion considerations.
☐
4.2
Requirements that are legally binding or that the organization has chosen to adopt (e.g., AI ethics principles, voluntary AI commitments) are identified as compliance obligations.
Cross-check against AI legal register, ethics policy, and voluntary commitment register (e.g., OECD AI Principles, responsible AI frameworks).
☐
4.3 Determining the Scope of the AIMS
4.3
The scope of the AIMS is defined considering: context, interested party requirements, organizational boundaries, and the AI systems and AI system development processes included.
Review scope document; confirm it specifies which AI systems, development activities, and deployment contexts are in scope.
☐
4.3
The scope clearly distinguishes between the organization's roles: AI provider (developing/deploying AI), AI operator (deploying third-party AI), or both.
Verify role clarification in scope; confirm responsibilities are assigned per role. The standard (4.1, using the ISO/IEC 22989 vocabulary) distinguishes AI provider, AI producer, AI customer and AI user rather than the provider/operator split used in this checklist, so map the scope statement to those terms; the EU AI Act's "deployer" corresponds to the operator role here.
☐
4.3
The scope is available as documented information and communicated to relevant internal and external parties.
Confirm scope is accessible on the intranet, in AI policy documents, and referenced in contracts with AI suppliers/partners.
☐
4.4 AI Management System
4.4
The AIMS processes are established, implemented, maintained, and continually improved in accordance with ISO/IEC 42001:2023.
Review AIMS process map and procedure register; confirm process owners, performance indicators, and improvement plans.
☐
4.4
The organization considers knowledge gained from AI system operation, incidents, and audits when continually improving the AIMS.
Check lessons-learned log, AI incident register, and management review outputs for evidence of feedback loops.
☐
4.1 / Annex C AI Objectives and Societal Concerns (supplementary: ISO/IEC 42001:2023 Clause 4 ends at 4.4; these items support 4.1 and the AI-related objectives and risk sources listed in Annex C)
4.1 / Annex C
The organization's objectives for developing or using AI systems are clearly defined and documented, including intended benefits, target applications, and ethical boundaries.
Review AI strategy, AI use-case register, and board-approved AI principles; confirm objectives are aligned with organizational values.
☐
4.1 / Annex C
The organization has considered and documented its approach to specific AI-related societal concerns, including: potential for bias and discrimination; impacts on human rights and dignity; environmental impact of AI operations; and effects on employment and society.
Review AI ethics impact assessment, bias and fairness policy, environmental sustainability reports referencing AI compute, and workforce impact assessments.
☐
Clause 5: Leadership
Ref.
Audit Requirement
Guidance / Evidence
Rating
Auditor Notes
5.1 Leadership and Commitment
5.1
Top management demonstrates leadership and commitment by taking accountability for the effectiveness of the AIMS and outcomes of AI systems.
Interview executive/board members; review AI governance charter, board AI committee minutes, and executive sign-off on AI policy.
☐
5.1
Top management ensures that the AI policy and objectives are established, compatible with strategic direction, and reflect the organization's values and ethical commitments.
Confirm AI policy is current, reviewed, and signed by top management; check strategic plan references to responsible AI.
☐
5.1
Top management ensures integration of AIMS requirements into AI development and deployment business processes, including procurement, product development, and customer delivery.
Check AI project gate reviews, procurement checklists for AI tools/components, and product launch processes for AIMS compliance steps.
☐
5.1
Top management ensures adequate resources for the AIMS, including expertise in AI ethics, data science, legal/compliance, and AI risk management.
Review AIMS budget allocations, staffing plans for AI governance roles, and evidence of specialized competency development.
☐
5.1
Top management promotes a culture of responsible AI that values transparency, accountability, human oversight, and continual improvement.
Review internal communications, training records, AI ethics events, and recognition programmes related to responsible AI practices.
☐
5.1
Top management directs and supports persons to contribute to the AIMS and ensures that human oversight of AI systems is maintained.
Verify human oversight mechanisms are mandated by leadership; check escalation procedures and override authority records.
☐
5.2 AI Policy
5.2
An AI policy is established that is appropriate to the organization's context and AI activities, including commitments to: responsible and ethical AI use; human rights and non-discrimination; transparency and explainability; privacy protection; safety and security; and continual improvement.
Review AI policy document against all required commitments; confirm it addresses the organization's specific AI risk profile.
☐
5.2
The AI policy provides a framework for setting AI objectives and is consistent with applicable laws, regulations, and ethical frameworks.
Cross-check policy against AI regulatory requirements, data protection laws (GDPR, etc.), and adopted voluntary frameworks (OECD, UNESCO AI Ethics).
☐
5.2
The AI policy is maintained as documented information, communicated to all relevant personnel, available to interested parties, and reviewed for continuing suitability.
Verify publication on intranet/website, communication campaign records, and awareness confirmation through interviews; check last review date.
☐
5.3 Roles, Responsibilities and Authorities
5.3
Roles and responsibilities for AI governance are assigned and communicated, including: AI system owner; AI risk officer / responsible AI lead; data governance officer; and AI ethics reviewer.
Review AIMS responsibility matrix (RACI); confirm key AI governance roles are filled with competent individuals.
☐
5.3
Responsibility for reporting AIMS performance and AI system outcomes to top management is clearly assigned.
Confirm a designated AIMS management representative or Chief AI Officer equivalent has documented authority and reporting lines.
☐
5.3
Roles and responsibilities for human oversight of AI systems are defined, communicated, and exercised.
Review human-in-the-loop procedures; confirm decision points where human review is mandatory are documented and enforced.
☐
Clause 6: Planning
Ref.
Audit Requirement
Guidance / Evidence
Rating
Auditor Notes
6.1 Actions to Address Risks and Opportunities
6.1.1
Risks and opportunities associated with the AIMS — considering context, interested parties, scope, and AI-specific factors — are determined.
Review AI risk register; confirm methodology addresses AI-specific risks (model drift, adversarial attacks, bias, data poisoning, hallucination).
☐
6.1.1
AI-specific risks to consider include: unintended discrimination; privacy violations; safety failures; security vulnerabilities; lack of transparency; accountability gaps; and societal harms.
Cross-check risk register against AI risk taxonomy; confirm each risk type has an assessed likelihood, impact, and treatment plan.
☐
6.1.1
Actions to address AI risks and opportunities are planned, integrated into AIMS processes, and their effectiveness is evaluated.
Verify action plans linked to risk register; check closure evidence and post-implementation effectiveness assessments.
☐
6.1.2 AI Risk Assessment
6.1.2
A process for assessing AI-specific risks is established and applied consistently, covering the full AI system lifecycle: design, data collection, model training, validation, deployment, monitoring, and decommissioning.
Review AI risk assessment procedure; confirm lifecycle stages are explicitly addressed and risk assessments are completed before deployment.
☐
6.1.2
AI risk assessments consider: intended use and foreseeable misuse; affected populations and potential for disparate impact; data quality, bias, and representativeness; model robustness and explainability; and human oversight adequacy.
Inspect completed AI risk assessments for a sample of systems; verify these dimensions are systematically evaluated.
☐
6.1.2
AI risk assessments are reviewed and updated when significant changes occur (model updates, new data sources, new use contexts, changes in regulatory requirements).
Check risk assessment revision history; verify change management triggers re-assessment.
☐
6.1.2
Results of AI risk assessments are retained as documented information and used to inform AI system design and control decisions.
Confirm risk assessment reports are filed, accessible, and referenced in AI system design documents and governance approvals.
☐
6.1.4 AI System Impact Assessment (in the standard 6.1.3 is AI risk treatment, which is covered by the Clause 8 risk treatment row)
6.1.4
The organization conducts AI system impact assessments to evaluate potential positive and negative impacts of AI systems on individuals, groups, and society.
Review AI impact assessment procedure and completed assessments; confirm human rights, fairness, privacy, and societal impact dimensions are covered.
☐
6.1.4
AI impact assessments are conducted prior to deployment and at significant lifecycle milestones; results are used to inform design, deployment, and monitoring decisions.
Check impact assessment records aligned with project milestones; verify assessments influenced control measures and deployment decisions.
☐
6.1.4
Affected and potentially affected communities and individuals are considered in impact assessments; consultation processes are used where appropriate.
Review stakeholder consultation records for high-impact AI systems; confirm diverse and representative perspectives were included.
☐
6.2 AI Objectives and Planning to Achieve Them
6.2.1
AI objectives are established at relevant functions and levels; are consistent with AI policy; are measurable; consider applicable requirements and risk assessment results.
Confirm objectives are SMART and traceable to AI policy commitments and risk/impact assessment findings.
☐
6.2.1
AI objectives address key dimensions of responsible AI: fairness and non-discrimination; transparency and explainability; safety and robustness; privacy; security; accountability; and environmental sustainability.
Verify at least one objective addresses each responsible AI dimension relevant to the organization's AI systems.
☐
6.2.2
Plans for achieving AI objectives define: what will be done; required resources; responsible person(s); completion timescale; how results will be evaluated; and how objectives are integrated into AI development and deployment processes.
Review AI objective action plans or AI governance programme; confirm all planning elements are addressed for each objective.
☐
Clause 7: Support
Ref.
Audit Requirement
Guidance / Evidence
Rating
Auditor Notes
7.1 Resources
7.1
Resources needed for the establishment, implementation, maintenance, and continual improvement of the AIMS are determined and provided, including: AI governance personnel; specialized expertise (ethics, fairness, security); compute and data infrastructure; and tools for AI testing and monitoring.
Review AIMS resource plans; confirm budget allocations for AI governance, ethics review, and testing infrastructure.
☐
7.2 Competence
7.2
Competence requirements for persons performing work affecting AI system quality, safety, fairness, and compliance are determined.
Review AI competency framework; confirm requirements are defined for AI developers, data scientists, product managers, and AI governance roles.
☐
7.2
Personnel are competent based on appropriate education, training, or experience; deficiencies are identified and addressed.
Check training records, AI ethics training completion rates, professional certifications, and evidence of competency gap remediation.
☐
7.2
Competence in AI-specific areas is addressed, including: understanding of AI bias and fairness; AI security threats; explainability techniques; data quality and governance; and responsible AI principles.
Verify training curricula address AI-specific competency areas; check subject-matter expert designations and their credentials.
☐
7.2
Competence records are retained as documented information.
Confirm training matrix is current; individual training records are filed and accessible; expiry and renewal processes are in place.
☐
7.3 Awareness
7.3
Personnel working under the organization's control are aware of: the AI policy; their contribution to AIMS effectiveness; benefits of responsible AI; implications of non-conformance; and AI-specific risks relevant to their roles.
Interview a cross-section of AI developers, product managers, and business users; review onboarding and refresher training records.
☐
7.3
Awareness extends to AI-related ethical obligations, including the importance of data quality, model transparency, avoiding harmful bias, and protecting user privacy.
Check awareness training content for ethical dimensions; verify comprehension through assessments or interview questions.
☐
7.4 Communication
7.4
Internal and external AI communication processes are established covering: what to communicate about AI systems and the AIMS; when; with whom; and how.
Review AIMS communication plan; confirm channels are defined for AI system documentation, incident reporting, and stakeholder disclosures.
☐
7.4
Internal communication on AI systems includes: AI system purpose and capabilities; known limitations and risks; required human oversight actions; and changes to AI systems or AIMS processes.
Check AI system documentation packages, change notification records, and team briefing logs for deployed AI systems.
☐
7.4
External communication on AI systems includes: transparency disclosures to users and affected parties; regulatory reporting; and communication with AI component suppliers.
Review AI transparency notices, user-facing AI disclosures, regulatory filings, and supplier AI requirement communications.
☐
7.5 Documented Information
7.5.1
Documented information required by ISO/IEC 42001 and determined as necessary for AIMS effectiveness is established and maintained, including: AI system records; risk and impact assessments; training and validation datasets documentation; model performance records; and incident logs.
Review document master list against all ISO 42001 mandatory documented information requirements; check AI system lifecycle records.
☐
7.5.2
Documented information is appropriately created, identified (title, version, date, owner), reviewed, and approved.
Verify document control procedure; inspect a sample of AI system documentation for completeness, version control, and approval signatures.
☐
7.5.3
Documented information is controlled for: availability and suitability for use; protection from unauthorized modification or disclosure; distribution, access, retrieval; storage and preservation; and retention and disposal.
Check document management system access controls, AI model artefact versioning, retention schedules, and secure disposal procedures for AI datasets.
☐
Clause 8: Operation
Ref.
Audit Requirement
Guidance / Evidence
Rating
Auditor Notes
8.1 Operational Planning and Control
8.1
Processes needed to meet AIMS requirements are planned, implemented, controlled, and maintained by establishing operating criteria for AI development, deployment, and monitoring activities.
Review AI development lifecycle (SDLC/MLOps) documentation; confirm AIMS requirements are embedded as checkpoints throughout.
☐
8.3
Controls are applied to AI system operations in accordance with risk assessment results and the selected risk treatment options (avoid, reduce, share, retain); the risk treatment plan is implemented and its results retained.
Cross-check AI risk register treatment decisions with implemented controls; verify high-risk AI systems have commensurate controls and that the Statement of Applicability justifies each Annex A control included or excluded.
☐
8.1
Documented information is maintained to demonstrate that AI system processes are carried out as planned and that AI systems perform within intended operating parameters.
Review AI system runbooks, inference logs, model performance dashboards, and operational procedure compliance records.
☐
A.6 / A.7 AI System Design and Development (Annex A controls audited under 8.1; in ISO/IEC 42001:2023, 8.2 to 8.4 are AI risk assessment, AI risk treatment and AI system impact assessment, not lifecycle stages)
A.6.1 / A.6.2
A process for responsible AI system design and development is established covering: requirements definition (including ethical requirements); data collection and preparation; model architecture selection; training and validation; testing for fairness, robustness, and security; and documentation.
Review AI development methodology; confirm ethics and fairness requirements are captured at design phase alongside functional requirements.
☐
A.7
Data used for AI system training, validation, and testing is managed with documented controls for: data quality; data provenance and lineage; consent and legal basis for use; representativeness and bias assessment; and security and access control.
Review data governance documentation for AI datasets; inspect data quality reports, bias assessments, consent records, and data lineage maps.
☐
A.6.2
AI models are trained, validated, and tested against defined performance criteria that include accuracy, fairness across demographic groups, robustness to adversarial inputs, and explainability requirements.
Review model validation reports; confirm fairness metrics (e.g., equal opportunity, demographic parity) and robustness tests are documented alongside accuracy metrics and are disaggregated by the groups identified in the impact assessment, since an aggregate accuracy figure can hide a large between-group gap.
☐
A.6.2
AI system design incorporates privacy-by-design principles, including data minimization, purpose limitation, and appropriate anonymization or differential privacy techniques.
Check design documentation for privacy engineering decisions; verify privacy impact assessments are linked to AI system design.
☐
A.6.2
AI system security is addressed at design stage, including: threat modelling for AI-specific attacks (adversarial examples, model inversion and extraction, data poisoning, and prompt injection where LLM components are in scope); secure model storage and integrity protection of model artefacts; and API security.
Review AI security threat models and penetration testing records; confirm AI-specific security controls are implemented and that security testing covers the model and data pipeline, not only the surrounding application.
☐
A.6.2 / A.9 AI System Deployment and Operation (Annex A controls audited under 8.1)
A.6.2
AI systems are deployed only after appropriate governance approval, including: satisfactory completion of risk and impact assessments; completion of testing requirements; and authorization by designated AI system owner.
Review AI system deployment approval records; confirm governance gate sign-offs are evidenced before production deployment.
☐
A.6.2 / A.9
Human oversight mechanisms are implemented and operational, including: human-in-the-loop processes for high-risk decisions; override and intervention capabilities; and escalation procedures.
Verify human oversight controls are active in production systems; check override audit logs and escalation records; confirm each override is attributable to an identified person and that the override path cannot be disabled without a recorded change.
☐
A.8 / A.9
AI system users and operators are provided with appropriate information and training to use AI systems responsibly, including: intended use; known limitations; how to interpret outputs; when to override AI recommendations; and how to report concerns.
Review user documentation, training materials, and onboarding records for AI system users; check comprehension assessments.
☐
A.9
Controls are in place to prevent AI systems from being used outside their intended scope or for purposes that were not assessed and approved.
Check access controls, use-case guardrails, and terms-of-use enforcement mechanisms; review misuse incident records.
☐
A.6.2 AI System Monitoring and Maintenance (Annex A operation and monitoring, audited under 8.1; model changes also fall under 6.3 Planning of changes)
A.6.2
Deployed AI systems are continuously monitored for: performance drift; fairness degradation; data distribution shift; unexpected or harmful outputs; and security anomalies.
Review AI system monitoring dashboards, alerting configurations, and drift detection records; confirm monitoring covers fairness and safety metrics and that alerts route to a named owner.
☐
A.6.2
Thresholds are defined for acceptable AI system performance; processes are in place to trigger review, retraining, or decommissioning when thresholds are breached.
Inspect defined performance thresholds and SLA documents; check records of threshold breach alerts and responses; confirm thresholds are stated per metric (e.g., maximum between-group fairness gap, drift statistic, error rate) rather than as a single aggregate accuracy figure.
☐
6.3 / A.6.2
AI model updates, retraining, and version changes are managed through a controlled change process with re-assessment of risks and impacts before redeployment.
Review AI model change management records; confirm re-assessment and re-approval are required for model updates.
☐
A.6.2
AI system maintenance activities are documented and records are retained, including retraining events, model version history, dataset updates, and performance re-evaluations.
Check AI model registry, retraining logs, and version control records; verify audit trail completeness.
☐
A.6.2 AI System Retirement / Decommissioning (Annex A life cycle, audited under 8.1)
A.6.2
A process for decommissioning AI systems is established covering: planned end-of-life; data retention and deletion; model artefact disposal; user notification; and knowledge transfer.
Review AI decommissioning procedure; check records of decommissioned systems for compliance with data disposal and notification requirements.
☐
6.1.2 / A.6.2
Risks associated with AI system decommissioning (residual data risk, service continuity, dependent system impacts) are assessed and managed.
Inspect decommissioning risk assessments; confirm downstream dependencies and data residual risks are addressed.
☐
A.10 Third-Party and Supply Chain AI Management (Annex A controls audited under 8.1)
A.10
A process for managing AI components, models, datasets, and services obtained from third parties is established, including: supplier AI ethics and governance assessment; contractual AI requirements; and ongoing supplier monitoring.
Review AI supplier management procedure; check supplier AI due diligence questionnaires, contract clauses, and periodic review records.
☐
A.10
Third-party AI systems and components are assessed for compliance with the organization's AI policy, risk thresholds, and applicable legal requirements before adoption.
Inspect pre-adoption assessment records for third-party AI tools and foundation models; check risk acceptance decisions.
☐
A.10
The organization understands and documents the limitations, biases, and risks of third-party AI components it integrates into its own systems.
Review third-party AI system documentation, model cards, and bias disclosures; confirm limitations are reflected in own risk assessments, and that the integrity of downloaded model and dataset artefacts (e.g., published hash or signature) is verified before use.
☐
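Added worked example, not part of this checklist or of ISO/IEC 42001: the kind of monitoring check the auditor is asked to look for in the AI System Design and Development row on fairness and robustness testing and in the AI System Monitoring and Maintenance rows on drift and thresholds. It computes per-group selection rate, true-positive rate and accuracy, derives the demographic parity and equal opportunity gaps, computes a Population Stability Index (PSI) between the validation-time score distribution and a production batch, and compares each value with a threshold to produce the alert record a monitoring job would write. All labels, groups and scores are constructed; the 0.10 fairness tolerance and the PSI 0.10 (warn) / 0.25 (act) thresholds are assumed policy values (the PSI figures are a widely used rule of thumb, not a requirement of the standard). The constructed sample makes the point the design row's guidance warns about: aggregate accuracy is 0.75 and looks acceptable, while the disaggregated metrics show a 0.30 selection-rate gap and a 0.50 true-positive-rate gap between the two groups.

```python
# Added example (not from the checklist or the standard). Fairness-gap and
# PSI drift checks against assumed thresholds; all inputs are constructed.
import bisect
import json
import math
from collections import defaultdict


def group_rates(y_true, y_pred, groups):
    """Selection rate, true-positive rate and accuracy per group (0/1 labels)."""
    n, sel, pos, tp, ok = (defaultdict(int) for _ in range(5))
    for yt, yp, g in zip(y_true, y_pred, groups):
        n[g] += 1
        sel[g] += yp            # predicted positive
        pos[g] += yt            # actually positive
        tp[g] += yt & yp        # true positive
        ok[g] += int(yt == yp)
    return {g: {"selection_rate": sel[g] / n[g],
                "tpr": tp[g] / pos[g] if pos[g] else None,
                "accuracy": ok[g] / n[g]} for g in n}


def fairness_gaps(rates):
    """Largest between-group difference. Demographic parity compares selection
    rates; equal opportunity compares TPRs (groups with no positives are skipped)."""
    sel = [r["selection_rate"] for r in rates.values()]
    tpr = [r["tpr"] for r in rates.values() if r["tpr"] is not None]
    return {"demographic_parity_diff": max(sel) - min(sel),
            "equal_opportunity_diff": max(tpr) - min(tpr) if len(tpr) > 1 else 0.0}


def psi(reference, current, edges, eps=1e-6):
    """Population Stability Index over fixed bins:
    sum((cur - ref) * ln(cur / ref)); eps keeps empty bins finite."""
    nbins = len(edges) - 1

    def proportions(xs):
        counts = [0] * nbins
        for x in xs:
            i = nbins - 1 if x == edges[-1] else bisect.bisect_right(edges, x) - 1
            if not 0 <= i < nbins:
                raise ValueError(f"score {x} outside binning range")
            counts[i] += 1
        return [max(c / len(xs), eps) for c in counts]

    return sum((c - r) * math.log(c / r)
               for r, c in zip(proportions(reference), proportions(current)))


def monitor(labelled, batch_scores, reference_scores, edges,
            gap_tol=0.10, psi_warn=0.10, psi_act=0.25):
    """One monitoring run: fairness gaps on the labelled sample, PSI on the
    batch's scores, each checked against its (assumed) threshold."""
    rates = group_rates(labelled["y_true"], labelled["y_pred"], labelled["group"])
    gaps = fairness_gaps(rates)
    drift = psi(reference_scores, batch_scores, edges)
    alerts = [f"{k} {v:.2f} exceeds tolerance {gap_tol}"
              for k, v in gaps.items() if v > gap_tol]
    if drift >= psi_act:
        alerts.append(f"PSI {drift:.3f} >= {psi_act}: trigger review/retraining")
    elif drift >= psi_warn:
        alerts.append(f"PSI {drift:.3f} >= {psi_warn}: investigate shift")
    correct = sum(int(a == b) for a, b in zip(labelled["y_true"], labelled["y_pred"]))
    return {"overall_accuracy": correct / len(labelled["y_true"]),
            "per_group": rates, "gaps": gaps, "psi": drift, "alerts": alerts,
            "status": "breach" if alerts else "within_thresholds"}


def make_scores(counts_per_bin):
    """Constructed scores: the given number of values in each of four equal
    bins on [0, 1), standing in for real model output."""
    return [b * 0.25 + (j % 25) * 0.01
            for b, cnt in enumerate(counts_per_bin) for j in range(cnt)]


EDGES = [0.0, 0.25, 0.5, 0.75, 1.0]
REFERENCE_SCORES = make_scores([25, 25, 25, 25])   # validation-time distribution
BATCH_SCORES = make_scores([5, 10, 35, 50])        # production batch, mass shifted upward
STABLE_SCORES = make_scores([24, 26, 25, 25])      # a batch with no real shift

# Constructed labelled sample: 10 records per group. Aggregate accuracy is 0.75,
# but group B is selected far less often and has a much lower true-positive rate.
LABELLED = {
    "y_true": [1, 1, 1, 1, 0, 0, 0, 0, 0, 0] * 2,
    "y_pred": [1, 1, 1, 0, 1, 0, 0, 0, 0, 0] + [1, 0, 0, 0, 0, 0, 0, 0, 0, 0],
    "group": ["A"] * 10 + ["B"] * 10,
}

if __name__ == "__main__":
    print(json.dumps(monitor(LABELLED, BATCH_SCORES, REFERENCE_SCORES, EDGES), indent=2))
```

Run directly to print the alert record as JSON. In a real deployment the labelled sample is the audited subset for which ground truth has arrived and the scores are the whole batch; the record is what the "Fairness Metric Threshold Breaches" and "Model Performance Drift Alerts Triggered" KPIs in the snapshot table are counted from, so the auditor should be able to trace a KPI count back to records of this shape.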
Clause 9: Performance Evaluation
Ref.
Audit Requirement
Guidance / Evidence
Rating
Auditor Notes
9.1 Monitoring, Measurement, Analysis and Evaluation
9.1
Criteria for evaluating AIMS performance are determined; monitoring and measurement processes covering AI system performance, fairness, safety, security, and compliance are planned and implemented.
Review AIMS KPI framework; confirm both AI system-level metrics and AIMS process metrics are tracked.
☐
9.1
AI system performance metrics include: accuracy, precision, recall, and relevant task-specific metrics; fairness metrics across demographic groups; safety and harm incident rates; explainability measures; and user trust/satisfaction indicators.
Review AI system monitoring reports; confirm fairness and safety metrics are reported alongside accuracy metrics for all deployed systems.
☐
9.1
AIMS process performance metrics include: AI risk assessment completion rates; AI impact assessment timeliness; governance approval cycle times; training completion rates; and corrective action closure rates.
Review AIMS performance dashboard or management report; confirm process metrics are tracked and trends analysed.
☐
9.1 / 4.2
Compliance with legal AI requirements and other requirements (ethics frameworks, voluntary commitments) is evaluated at planned intervals; results are documented and reported to top management.
Review AI compliance evaluation records; confirm all applicable regulations (EU AI Act, data protection, sector-specific AI rules) are assessed.
☐
9.2 Internal Audit
9.2.1
Internal audits of the AIMS are conducted at planned intervals to determine whether the system conforms to requirements and is effectively implemented.
Review audit schedule; confirm all clauses, all Annex A control areas, all AI system risk categories (e.g., EU AI Act high-risk and limited-risk tiers where applicable), and all lifecycle stages are included within the audit cycle.
☐
9.2.2
An AIMS audit programme is established considering AI governance importance, changes to AI systems, and results of previous audits; auditor competence includes AI domain knowledge.
Check audit programme documentation; verify auditors possess AI technical and governance competence, not just generic audit skills.
☐
9.2.2
Audit results are reported to relevant management; corrective actions are implemented without undue delay; effectiveness of corrective actions is verified.
Review audit reports, distribution lists, and CAR register; check average time-to-close and evidence of effectiveness verification.
☐
9.3 Management Review
9.3
Top management reviews the AIMS at planned intervals to ensure its continued suitability, adequacy, and effectiveness in managing AI risks and achieving responsible AI objectives.
Review management review meeting minutes; confirm reviews occur at the planned interval (the standard requires planned intervals rather than a fixed frequency; annual is common practice), top management attendance, and AI-specific agenda items.
☐
9.3
Management review inputs address all required topics: status of actions from previous reviews; changes in external and internal issues (including AI regulatory developments) and in the needs and expectations of interested parties; AI system performance data; fairness and safety outcomes; compliance status; audit results; AI incidents and near-misses; nonconformity and corrective action trends; risks and opportunities; and continual improvement opportunities.
Cross-check meeting minutes and data packs against the clause 9.3 input items; confirm AI incident trends and regulatory updates appear on every agenda.
☐
9.3
Management review outputs include decisions and actions on: AIMS changes; resource needs; AI policy or objective updates; and continual improvement priorities.
Verify action items are SMART, assigned, tracked, and closed; confirm outputs are communicated to relevant AI teams and governance functions.
☐
Clause 10: Improvement
Ref.
Audit Requirement
Guidance / Evidence
Rating
Auditor Notes
10.1 Continual Improvement
10.1
The organization identifies opportunities for improvement in AI systems and the AIMS, and implements necessary actions to achieve intended outcomes.
Review AI improvement register, AI ethics review recommendations, benchmarking reports, and technology horizon scanning records.
☐
10.2 Nonconformity and Corrective Action (including AI Incident Management; communication of incidents to interested parties is Annex A control A.8.4)
10.2
A process for reporting, classifying, investigating, and responding to AI incidents and nonconformities is established; AI incidents include: harmful outputs; fairness failures; privacy breaches; security incidents; safety failures; and AIMS process nonconformities.
Review AI incident management procedure; confirm AI-specific incident types are defined and classification criteria are documented.
☐
10.2
AI incidents are investigated by competent persons to determine root causes, including: model failures; data quality issues; design flaws; operational errors; and AIMS process gaps.
Review completed AI incident investigation reports; verify investigations include model and data layer analysis, not just surface-level symptoms.
☐
10.2
Corrective actions address root causes of AI incidents and nonconformities; they are appropriate to the severity and potential impact on affected individuals and communities.
Check corrective action records; confirm actions target systemic causes (design, data, governance) and proportionality to harm is documented.
☐
10.2
Affected individuals and communities are notified of significant AI incidents that impact them; regulatory notifications are made as required.
Review incident notification records; confirm affected party communication and regulatory reporting obligations were fulfilled.
☐
10.2
The effectiveness of corrective actions is reviewed before closure; changes to AI systems and AIMS processes resulting from corrective actions are documented.
Check effectiveness review records; confirm AI system or AIMS process changes are reflected in updated documentation.
☐
10.2
Documented information is retained on the nature of AI incidents, actions taken, and results; lessons learned are shared across the organization.
Confirm AI incident register and CAR database completeness; check lessons-learned communication records and integration into training materials.
☐
10.1 Continual Improvement (continued; ISO/IEC 42001:2023 has no Clause 10.3)
10.1
The organization continually improves the suitability, adequacy, and effectiveness of the AIMS, with a focus on advancing responsible and trustworthy AI practices.
Review multi-period trend data on AI system performance, fairness metrics, incident rates, and AIMS process metrics; confirm improving trajectories or documented justification.
☐
10.1
The organization engages with external AI research, emerging standards, and best practice communities to identify and adopt improvements to responsible AI practices.
Check records of participation in AI standards development, industry working groups, academic collaborations, and responsible AI conferences.
☐
10.1
Lessons learned from AI incidents, near-misses, audits, and management reviews are systematically integrated into AI development practices and AIMS procedures.
Verify that lessons-learned outputs are tracked to specific updates in AI development guidelines, risk assessment templates, or governance procedures.
☐
AIMS Performance & AI System KPI Snapshot
AIMS / AI Metric
Unit / Basis
Target
Actual (Period)
Status / Trend
AI Systems in Scope (Total)
Count
AI Risk Assessments Completed On Time
% of deployments
AI Impact Assessments Completed On Time
% of deployments
AI Systems with Human Oversight Controls Active
% of deployed systems
AI Governance Approval Cycle Time
Average days
AI Incidents Reported
Count
AI Incidents Closed Within Target Time
% of total
Fairness Metric Threshold Breaches
Count
Model Performance Drift Alerts Triggered
Count
AI Ethics / Responsible AI Training Completion
% of relevant staff
Third-Party AI Supplier Assessments Completed
% of suppliers
Corrective Actions Closed On Time
% of total CARs
Legal / Regulatory AI Non-Compliances
Count
Audit Summary & Sign-off
Audit Summary
Total Items Audited
Conforming (✓)
Nonconformities (MNC+MJC)
OFIs
AIMS Maturity Trend vs Previous Audit:
☐ Improving ☐ Stable ☐ Declining
Overall Audit Conclusion & Recommendation:
Lead Auditor Signature
Date
Management Rep. Signature
Date
