![Adoptech-logo-GreyWithoutStrapline-1.png]](https://knowledge.adoptech.co.uk/hs-fs/hubfs/Adoptech-logo-GreyWithoutStrapline-1.png?height=39&name=Adoptech-logo-GreyWithoutStrapline-1.png){kind=logo}
ISO 42001: 2023 - A.6.2.5 AI System Implementation
This article provides guidance on how to implement the ISO 42001: 2023 A.6.2.5 AI System Implementation
ISO 42001 Control Description
The organisation shall implement AI systems in accordance with the approved design documentation, applying controlled development practices, maintaining traceability between implementation artefacts and requirements, and ensuring that implementation activities are conducted by personnel with appropriate competence.
Control Objective
To ensure that AI system implementation translates approved designs into functioning systems in a controlled, auditable, and quality-assured manner, and that the resulting implementation faithfully realises the intended design while remaining within the bounds of documented requirements and organisational policies.
Purpose
Implementation is the stage at which design decisions become executable systems. The choices made during implementation — concerning model training procedures, hyperparameter configuration, code structure, dependency management, and operational integration — directly influence whether the completed system performs as intended and whether risks identified during design have been adequately addressed in practice.
AI system implementation presents distinctive governance challenges compared with conventional software development. The empirical and iterative nature of machine learning development means that implementation activities can produce systems whose behaviour is not fully predictable from the design specification alone. This characteristic makes the application of rigorous implementation controls, including comprehensive logging of training runs, careful management of code and model artefacts, and structured quality assurance, especially important.
This control provides the framework within which implementation activities are governed, ensuring that the organisation can demonstrate that its AI systems were built in accordance with approved designs, that deviations were managed through appropriate change control, and that implementation artefacts provide a sound basis for subsequent verification and ongoing operations.
Guidance on Implementation
Development Environment Controls
The organisation shall establish controlled development environments for AI system implementation, with appropriate separation between development, testing, and production environments. Access to development environments shall be managed in accordance with the principle of least privilege, and controls shall be in place to prevent unauthorised modification of code, data, or model artefacts.
Configuration management practices shall be applied to the development environment, ensuring that environment specifications are documented and that environment changes are managed through a controlled process.
Code and Model Artefact Management
All code, scripts, configuration files, and model artefacts produced during implementation shall be placed under version control. The version control system shall maintain a complete history of changes, enabling the state of the system at any point in the development lifecycle to be reconstructed if required.
Model training runs shall be logged in sufficient detail to enable reproducibility, including records of training data versions used, hyperparameter configurations, random seeds where applicable, and performance metrics achieved. This logging supports both quality assurance during development and audit activities throughout the system lifecycle.
Conformance with Design
Implementation activities shall be conducted in conformance with the approved design documentation. Where deviations from the design are identified as necessary during implementation, these shall be subject to a formal change control process before being adopted. Changes shall be assessed for their impact on requirements conformance, risk profile, and verification planning, and shall receive appropriate authorisation.
The organisation shall maintain traceability from implementation artefacts to the design documentation and requirements specification, enabling conformance to be assessed at any stage of the development process.
Competence of Implementation Personnel
Implementation activities shall be conducted by personnel with appropriate technical competence, including familiarity with the relevant algorithms, frameworks, and tools, and an understanding of the quality and safety requirements applicable to the system. The organisation shall assess and document the competence of personnel involved in implementation, and shall provide training or supervision where competence gaps are identified.
Dependency and Third-Party Component Management
The organisation shall maintain an inventory of third-party libraries, frameworks, pre-trained models, and other external components used in the AI system implementation. Each component shall be assessed for suitability, including its licensing terms, security posture, and any implications for the organisation's compliance obligations.
Processes shall be in place to monitor identified components for the emergence of vulnerabilities or licensing changes, and to manage the update or replacement of components in a controlled manner.
Implementation Quality Assurance
Quality assurance activities shall be applied throughout the implementation process, including code reviews, unit testing of non-model components, and structured review of training configurations and results. Quality assurance records shall be maintained as part of the AI system documentation.
Where implementation activities reveal issues with the requirements specification or design — such as requirements that are ambiguous, contradictory, or infeasible — these shall be escalated through appropriate channels and resolved before implementation proceeds further.
Related Controls
- A.6.2.4 – AI System Design: Implementation activities shall be conducted in conformance with the approved design documentation, and deviations shall be managed through change control.
- A.6.2.3 – Data for Development and Testing of AI Systems: Implementation activities shall use data that has been through the quality assessment and governance processes established under A.6.2.3.
- A.6.2.6 – AI System Verification and Validation: Implementation artefacts, including code, configurations, and training logs, shall provide the evidence base for verification and validation activities.
- A.6.2.8 – AI System Documentation: Implementation records, version histories, and training logs form part of the comprehensive AI system documentation maintained throughout the lifecycle.
- A.9.3 – AI System Supply Chain: Third-party components used in implementation shall be governed in accordance with the supply chain management requirements.