What AI Records should I add to Appendix A in my Records and Information Management Policy?
It is a requirement of ISO/IEC 42001 to retain specific records relating to your AI systems. These records support traceability, oversight, transparency, performance monitoring, and audit evidence.
AI Records and Retention Guidance (ISO 42001)
Your Records and Information Management Policy includes an Appendix table where you document:
- the types of records you hold;
- where you store them; and
- how long you retain them.
This guide provides examples of AI-related record types you may need to include, and what “good” looks like for retention and evidence.
What AI Records Should Be Included?
AI-related record types will vary depending on:
- whether the AI system is in-house, third-party, hybrid, or open-source; and
- the risk category of the system (e.g. Minimal vs High).
At a minimum, most organisations should include record types that cover:
- AI system inventory and system information
- AI impact assessment / risk assessment records
- Oversight and monitoring evidence
- Change and lifecycle evidence
- Incident and corrective action records
- Supplier assurance evidence (where suppliers provide AI systems or AI-enabled services)
Some of this information will be captured in your AI Register (for example: system type, owner, risk category, privacy/bias risk level, oversight defined, monitoring in place, review date, etc.). Other supporting documentation may be stored in your document repository (e.g. SharePoint/Google Drive), ticketing system, monitoring tools, or supplier records.
Examples of AI Records to Add to Your Retention Table
Below are examples of AI record types you may add to Appendix A of the Records and Information Management Policy:
AI Systems Register
What this covers: Records of AI systems and tools used or developed by the Company, including the system’s purpose, ownership, supplier/source, AI system type, approval/status, risk category, impact assessment information, oversight arrangements, monitoring status, review dates, and regulatory relevance (as recorded in the AI Register).
Example location: Adoptech AI Register.
Suggested retention: Retain for as long as the AI system is active, and for a defined period after the system is suspended or retired (e.g. aligned to audit cycles, contractual obligations, and any applicable legal or regulatory requirements).
AI System Impact Assessment Records
What this covers: system impact assessment, individual impact assessment, societal impact assessment, and associated risk notes.
Example location: Adoptech AI Register
Suggested retention: Keep for the lifetime of the AI system + defined period after retirement (commonly aligned to audit cycles and contractual obligations).
AI Monitoring Evidence
What this covers: evidence that monitoring is in place, monitoring results, drift detection (where applicable), performance alerts, review notes.
Example location: monitoring dashboards / logs / internal reporting, with references tracked via governance processes.
Suggested retention: At least long enough to support auditability and investigation (commonly 12–24 months minimum, but may be longer for high-impact systems).
AI Change and Update Records
What this covers: last model update, change approvals, release notes, retraining logs, system decommissioning evidence.
Example location: engineering repositories / change records / tickets
Suggested retention: Keep for the lifetime of the system + post-retirement retention period.
AI Incident and Corrective Action Records
What this covers: incident tickets, investigation notes, corrective actions, post-incident reviews, escalations, communications.
Example location: ticketing system / incident register / action log
Suggested retention: Align to general incident record retention, and ensure records remain available for audits and regulatory reporting where applicable.
Supplier / Vendor AI Assurance Records
What this covers: supplier risk assessments, contracts, DPAs, assurance documentation, supplier incident notifications, AI-specific contractual requirements.
Example location: Vendor Register / contract repository
Suggested retention: Keep for the duration of the supplier relationship + post-termination retention period (aligned with contractual and legal requirements).
Top Tips
- Be practical: you don’t need one retention entry per AI system — you need retention entries per record type.
- Use your AI Register to drive completeness: if you have AI systems listed, your retention table should include the record types that support the register (impact assessment, monitoring evidence, incident records, etc.).
- Set retention proportionate to risk: higher-risk AI systems usually require stronger evidence retention and longer audit trails.
- Don’t forget retired systems: AI system records often need to remain available after retirement (for auditability, legal/contractual reasons, and future investigations).