ISO 42001:2023 - A.10.2 Allocating Responsibilities for AI Systems
This article provides guidance on how to implement ISO 42001:2023 A.10.2, Allocating Responsibilities for AI Systems.
ISO 42001 Control Description
The organisation shall identify, document, and communicate the responsibilities of all parties involved in the AI system lifecycle — including the organisation itself, its partners, suppliers, customers, and other third parties — ensuring that accountability for AI system activities, outcomes, and governance obligations is clearly allocated and does not remain undefined or ambiguous.
Control Objective
To ensure that the governance of AI systems involving multiple parties is supported by clear, documented, and agreed allocations of responsibility that enable each party to understand its obligations, that prevent accountability gaps from arising, and that provide a basis for managing the risks that arise from multi-party AI system arrangements.
Purpose
Responsibility for AI system governance is rarely the concern of a single organisation. AI systems are typically developed, deployed, and maintained in arrangements that involve multiple parties: component providers, data suppliers, development partners, operators, users, and customers. Each of these parties may bear distinct responsibilities for aspects of the AI system's behaviour, its outputs, its data handling, and its impacts on affected individuals. When these responsibilities are not clearly defined and documented, governance failures become more likely and more difficult to address when they occur.
The allocation of responsibilities is particularly consequential in AI system contexts because the consequences of governance failures can be significant and because the causal chain between a governance failure and its impact on an individual may traverse multiple organisational boundaries. An ambiguous or disputed allocation of responsibility for model performance, data quality, incident management, or impact assessment can result in none of the parties taking adequate action, or in the interests of affected individuals being inadequately protected.
This control recognises that the organisation must take an active role in establishing clear responsibility allocations across all of its AI-related third-party arrangements, and that it cannot discharge its governance obligations simply by engaging third parties without ensuring that responsibility for all material aspects of the AI system is appropriately attributed.
Guidance on Implementation
Mapping the AI System Ecosystem
The organisation shall maintain a clear understanding of all parties involved in the lifecycle of each AI system, including parties involved in model development, training data provision, infrastructure and platform provision, system integration and deployment, ongoing operation and maintenance, and the use of AI system outputs. The mapping shall identify the nature of each party's involvement, the aspects of the AI system for which they are responsible, and the points at which responsibility transitions between parties.
For each AI system, the responsibility map shall be documented and maintained, with updates made whenever the AI system's ecosystem changes through the introduction of new third-party arrangements, the modification of existing arrangements, or changes to the system's architecture or operational model.
Principles for Allocating Responsibilities
The organisation shall apply a set of governing principles when allocating responsibilities across parties. Responsibilities shall be allocated to the party best positioned to manage them, taking into account each party's knowledge, capability, and proximity to the activity or risk in question. Allocations shall be made explicit, avoiding reliance on implied or assumed responsibility. Each allocation shall be traceable to a specific party and to the documentation — typically contractual or governance — through which it has been agreed and communicated.
Responsibility allocations shall address, at a minimum: design and development responsibilities; data governance obligations; risk and impact assessment responsibilities; monitoring and performance management obligations; incident management and reporting responsibilities; and obligations to affected individuals, including transparency and redress.
Documenting Responsibilities in Formal Agreements
Responsibilities shall be reflected in formal agreements with external parties, including contracts, data processing agreements, service level agreements, and partnership arrangements. Agreements shall be sufficiently specific to enable each party to understand what it is accountable for and what it may expect from other parties. General or high-level responsibility statements shall be supplemented with more specific provisions where the subject matter warrants it.
The organisation shall ensure that agreements are reviewed and updated whenever material changes occur to the AI system arrangement and that changes to responsibility allocations are reflected in updated documentation. Where existing agreements do not adequately address the allocation of AI-specific responsibilities, the organisation shall work to remedy these gaps through renegotiation or supplemental documentation.
Communicating Responsibilities Internally
Responsibility allocations shall be communicated to relevant internal personnel, including those responsible for managing third-party relationships, those involved in the governance of the AI system, and those who may need to act on the basis of the allocation in response to incidents or governance events. Internal communication shall ensure that personnel understand both the organisation's own responsibilities and those that have been allocated to external parties, so that governance activities can be appropriately coordinated.
Governance of Responsibility Allocations
The organisation shall establish a process for reviewing responsibility allocations at planned intervals and following material changes to the AI system or its third-party arrangements. Reviews shall assess whether allocations remain appropriate and sufficient, whether all material responsibilities are addressed, and whether any gaps or ambiguities have emerged. The results of reviews shall be documented and shall inform updates to formal agreements and internal governance documentation.
Related Controls
- A.9.2 – Processes for Responsible Use of AI Systems: Responsible use processes shall reflect and be consistent with the responsibility allocations established under this control, particularly where users and operators are parties to a multi-party AI system arrangement.
- A.6.2.7 – AI System Deployment: Responsibility allocations relevant to the deployment phase — including responsibilities for deployment environment preparation and acceptance testing — shall be established before deployment activities commence.
- A.8.2 – AI System Incident Management: Incident management responsibilities, including obligations for reporting, investigation, and remediation, shall be clearly allocated across parties and reflected in formal agreements.
- A.10.3 – Supplier Requirements for AI Systems: Supplier-specific responsibility allocations established under this control shall be supported by the supplier governance requirements addressed in A.10.3.
- A.6.2.8 – AI System Documentation: Responsibility allocation documentation shall be maintained as part of the comprehensive AI system documentation and shall be accessible to relevant governance functions.