ISO 42001 A.6.4: AI System Documentation
ISO 42001 A.6.4 requires organizations to document every AI system comprehensively—from architecture to limitations to human oversight. For SMBs deploying AI, this control ensures transparency, auditability, and risk management across your AI lifecycle. Without proper documentation, you can't prove due diligence to auditors or stakeholders.
What this means
A.6.4 mandates that your organization create and maintain detailed documentation for each AI system in use. This documentation must cover: the system's description and intended use case; technical architecture and component details; training and validation datasets; performance metrics and evaluation outcomes; known constraints and limitations; operating conditions and deployment environment; and mechanisms for human oversight and intervention. The goal is to create an auditable record that demonstrates your organization understands what each AI system does, how it works, what data it uses, how well it performs, where it falls short, and how humans stay in control.
How to comply
- 1.Create an AI system inventory spreadsheet or database listing every AI system your organization uses or develops.
- 2.For each system, document its intended business purpose and the specific use case it addresses.
- 3.Record the system architecture, including inputs, outputs, key components, and any third-party tools or models.
- 4.Document all training and validation datasets: source, size, composition, preprocessing steps, and any known biases.
- 5.Define and track performance metrics relevant to your use case (accuracy, precision, recall, etc.) and document actual evaluation results.
- 6.Identify and list known limitations, failure modes, and edge cases where the system may underperform.
- 7.Document the operating environment: hardware, software dependencies, data pipelines, and acceptable input ranges.
- 8.Describe human oversight mechanisms: who reviews outputs, how often, and what escalation procedures exist.
- 9.Store documentation in a centralized, version-controlled location accessible to compliance, technical, and audit teams.
- 10.Review and update documentation annually or whenever the AI system is materially modified.
Evidence auditors look for
- AI system inventory with descriptions and deployment dates for all in-use models.
- System architecture diagrams showing data flow, components, and integration points.
- Training dataset documentation including source, size, date range, and preprocessing methods.
- Performance evaluation reports with accuracy metrics, test results, and benchmark comparisons.
- Known limitations document detailing failure modes, bias findings, and edge cases.
- Operating procedure documentation specifying hardware, software versions, and input constraints.
- Human oversight logs showing review frequency, decision gates, and escalation procedures.
- Audit trail showing documentation version history and dates of updates.
- Third-party model cards or datasheets for any external AI systems deployed.
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates AI system inventory creation, documentation templates for architecture and datasets, performance metric tracking, and audit-ready evidence collection—enabling your team to maintain compliant, version-controlled AI documentation in minutes, not weeks.
See how GRCWatch handles this control automatically
Start free trial