GRCWatch
Sign inStart free trial

ISO 42001 A.6.3: AI System Verification and Validation

AI systems must be rigorously tested before they go live. ISO 42001 A.6.3 requires you to verify your AI performs as designed and validate it works reliably across real-world scenarios, edge cases, and adversarial inputs. This control is critical for organizations deploying AI responsibly.

What this means

Your organization must establish and execute verification and validation processes for all AI systems before initial deployment and after any significant changes. Verification confirms the system was built according to its design specifications. Validation ensures the system actually meets its intended business purpose and performs acceptably across diverse use contexts, including edge cases and adversarial scenarios that could break or manipulate the system. This dual approach protects against both build errors and design flaws.

How to comply

  1. 1.Define verification and validation criteria for each AI system based on its intended use and risk level
  2. 2.Create a pre-deployment testing protocol that covers normal operations, edge cases, and adversarial inputs
  3. 3.Document the verification process confirming the system matches its design specifications
  4. 4.Conduct validation testing in representative use contexts to confirm acceptable performance
  5. 5.Establish a change management process requiring re-verification and re-validation after significant updates
  6. 6.Maintain test results, logs, and sign-off documentation for audit evidence
  7. 7.Test for bias, accuracy drift, and security vulnerabilities in AI models before deployment
  8. 8.Define 'significant change' thresholds that trigger re-testing (e.g., model retraining, data source changes)

Evidence auditors look for

  • AI system verification and validation plan documenting test scope and acceptance criteria
  • Pre-deployment test reports showing verification against design specifications
  • Validation test results demonstrating acceptable performance across intended use contexts
  • Edge case and adversarial input test scenarios and outcomes
  • Change management logs showing which updates triggered re-verification or re-validation
  • Test data sets and methodologies used for verification and validation
  • Sign-off documentation from technical leads and stakeholders confirming readiness for deployment
  • Post-deployment monitoring data showing system continues to meet validation criteria

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates AI system testing documentation and tracks verification/validation status across your systems, helping you maintain audit-ready evidence of compliance with A.6.3 without manual spreadsheet management.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 42001 A.6.1 — AI System Design and DevelopmentISO 42001 A.6.2 — AI System Monitoring and ControlISO 42001 A.7 — AI System Incident Management