A guide to the ISO 42001 Annex A controls
- Annex A defines the AI-specific controls applied within the ISO 42001 management system.
- Control areas span AI policy, organisation, resources, lifecycle, data, transparency, and responsible use.
- Organisations select applicable controls and document their choices via a Statement of Applicability.
- Controls deliver value only when genuinely applied to real systems with evidence, which auditors check.
- Current as of June 2026. This is general information, not legal advice.
What the controls are for
A management system needs to address the specific risks of the thing it governs. For AI, those risks include how AI is decided upon and governed, how data is handled, how AI systems are developed and operated over their lifecycle, how transparency is provided, and how AI is used responsibly. Annex A translates these concerns into concrete control areas so that an organisation's management system actually grips the risks that matter for AI.
The main control areas
The Annex A controls span the lifecycle and governance of AI, including areas such as:
- AI policy and governance: Establishing organisational policy, objectives, and accountability for AI.
- Internal organisation: Roles, responsibilities, and reporting for AI risk.
- Resources for AI systems: Managing the data, tooling, and human resources AI depends on.
- AI system lifecycle: Governing how AI systems are designed, developed, deployed, operated, and retired.
- Data for AI: Managing the data used to develop and run AI, including its quality and provenance.
- Information and transparency: Providing appropriate information about AI systems to users and affected parties.
- Responsible use and oversight: Ensuring AI is used as intended, with human oversight where needed.
The exact controls and their grouping are defined in the standard; the point is that they cover the practical territory of governing AI well.
Selecting and applying controls
Organisations do not apply every control regardless of relevance. They assess which controls apply to their AI and context, implement those, and document the selection and the reasons, including any controls excluded and why. This is the Statement of Applicability approach familiar from ISO 27001, and it is what an auditor reviews to understand how the organisation has scoped its controls.
Keeping controls connected to systems
The value of the controls comes from their being genuinely applied to real AI systems, not merely listed. A control like data governance or lifecycle management only protects you if it is actually operating on the systems it covers, with evidence to show it. As an organisation's AI grows, keeping each control connected to the systems and evidence it relates to is the practical challenge, and the thing that makes the difference between controls that exist on paper and controls that work.
How this supports certification and beyond
In a certification audit, the Annex A controls and the Statement of Applicability are central: the auditor checks that the chosen controls are appropriate and operating. Beyond certification, well-applied controls are exactly the evidence buyers and regulators want to see. Treating the controls as a live, connected part of the management system therefore serves both the audit and the wider trust the standard is meant to build.
Key terms
- Annex A: ISO 42001's reference list of AI-specific controls.
- Statement of Applicability: The record of which controls are applied, which are excluded, and why.
- AI lifecycle: The stages of an AI system's life, from design and development through deployment, operation, and retirement.
- Data governance for AI: The management of data used for AI, including quality, provenance, and protection.