---
title: ISO/IEC 42001, AI Agent Compliance Coverage
description: How ZioSec evidence satisfies ISO/IEC 42001. Control-by-control mapping with coverage type, supporting evidence, and out-of-scope items.
url: https://ziosec.com/ai-compliance/iso-42001
about: ISO/IEC 42001
authority: ISO/IEC
reference: ISO/IEC 42001:2023
---

# ISO/IEC 42001

Standard 03 of 05. Certifiable, International.

The first international management system standard for AI. It is certifiable through accredited bodies and is increasingly demanded in enterprise procurement.

## At a glance

- **Published:** December 2023
- **Type:** Certifiable
- **Structure:** Clauses 4-10, plus Annex A (38 controls)
- **Procurement:** Now in enterprise vendor questionnaires

## Control-level coverage

Where ZioSec evidence satisfies ISO/IEC 42001:

- **A.6.2.4 AI System Verification and Validation** (Full)
  - Obligation: The organization shall define and document V&V measures.
  - ZioSec capability: V&V As A Service
  - Coverage: ZioSec is the verification and validation engine. Continuous offensive testing satisfies V&V at depth.
  - Evidence: V&V test plans; Pass/fail outcomes; Regression test history

- **A.6.2.5 AI System Deployment** (Full)
  - Obligation: The organization shall document deployment, ensuring requirements are met.
  - ZioSec capability: Deployment Validation
  - Coverage: Containerized deployment produces a per-deployment compliance artifact tied to a specific build.
  - Evidence: Build-pinned attestation; Deployment manifests

- **A.6.2.6 AI System Operation and Monitoring** (Full)
  - Obligation: Define and document the necessary elements for AI system operation.
  - ZioSec capability: Fleet Governance
  - Coverage: Single pane of glass for fleet-wide agent observation, with policy enforcement at runtime.
  - Evidence: Operational dashboards; Policy violation logs

- **A.6.2.7 AI System Technical Documentation** (Full)
  - Obligation: Technical documentation shall be available, current, and complete.
  - ZioSec capability: Auto-Generated Tech Docs
  - Coverage: Pentest engagements emit structured technical documentation with versioned findings.
  - Evidence: Versioned tech docs; Findings catalog

- **A.6.2.8 AI System Recording of Event Logs** (Full)
  - Obligation: Event logs of the AI system shall be recorded.
  - ZioSec capability: Immutable Telemetry
  - Coverage: Every agent action logged with cryptographic integrity at the container layer.
  - Evidence: Immutable event logs; Integrity attestations

- **A.7.4 Quality of Data for AI Systems** (Supporting)
  - Obligation: Define and document data quality requirements.
  - ZioSec capability: Data-Path Probing
  - Coverage: Probes detect data quality issues that surface as exploitable behavior.
  - Evidence: Data poisoning tests; RAG corruption probes

- **A.8.3 External Reporting** (Full)
  - Obligation: Determine if and how to report relevant information to interested parties.
  - ZioSec capability: Audit-Ready Reporting
  - Coverage: Reports formatted for procurement teams, customers, and regulators.
  - Evidence: Customer-facing summaries; Regulator-grade reports

- **A.10.3 Suppliers** (Full)
  - Obligation: Ensure use of services from suppliers aligns with the AI management system (AIMS).
  - ZioSec capability: Third-Party Agent Testing
  - Coverage: Third-party agents tested under the same regime as first-party.
  - Evidence: Vendor attestation; Cross-vendor benchmarks

## Customer-owned (out of scope)

These obligations are part of ISO/IEC 42001, but penetration testing cannot satisfy them. They live with your governance, legal, and product teams.

- **A.2.2 AI Policy** (Out of scope, customer-owned)
  - Obligation: The organization shall document an AI policy.
  - ZioSec capability: Customer Governance Fills
  - Coverage: Policy authorship is a leadership and legal function.
  - Evidence: Owner: Leadership / Legal

- **A.3.2 AI Roles and Responsibilities** (Out of scope, customer-owned)
  - Obligation: Roles and responsibilities for the AIMS shall be defined.
  - ZioSec capability: Customer Governance Fills
  - Coverage: Org structure owned by leadership.
  - Evidence: Owner: Leadership / HR

- **A.5.2 AI System Impact Assessment** (Out of scope, customer-owned)
  - Obligation: Assess potential consequences for individuals, groups, and societies.
  - ZioSec capability: Customer Governance Fills
  - Coverage: Societal impact assessment is an ethics and legal function.
  - Evidence: Owner: Legal / Ethics

## Crosswalk available

Get the Annex A crosswalk for your AIMS.

We will map your agents to the 38 Annex A controls, identify gaps, and propose the evidence chain.

What you receive:

- Annex A coverage map
- Statement of Applicability draft
- V&V evidence template
- Tech documentation outline
- Supplier due-diligence pack
- Stage 2 audit briefing

Email info@ziosec.com (subject: ISO 42001 Crosswalk) or open the cross-framework matrix at https://ziosec.com/ai-compliance/matrix.