ISO 42001:2023 - A.6.2.8 AI System Documentation
This article provides guidance on how to implement the ISO 42001:2023 A.6.2.8 AI System Documentation control.
ISO 42001 Control Description
The organisation shall create and maintain comprehensive documentation for each AI system throughout its lifecycle, encompassing design and development artefacts, operational information, risk assessments, verification and validation records, and information necessary to support ongoing management, audit, and eventual decommissioning of the system.
Control Objective
To ensure that each AI system is supported by documentation that is accurate, complete, and accessible, enabling the system to be understood, operated, maintained, audited, and decommissioned in a controlled manner, and supporting the organisation's accountability and transparency obligations.
Purpose
Documentation is the primary means by which an organisation preserves and communicates knowledge about its AI systems. Without adequate documentation, AI systems become opaque: the rationale for design decisions is lost, risk assessments cannot be meaningfully reviewed, system behaviour cannot be explained to affected parties, and operational teams lack the information needed to manage the system responsibly.
The importance of documentation is amplified by characteristics specific to AI systems. The complexity of modern AI models, the dependency on data that may evolve over time, and the potential for system behaviour to change following retraining or updates all create ongoing documentation requirements that extend well beyond the development phase. Documentation must therefore be treated as a live component of AI system governance, maintained throughout the operational life of the system and reviewed whenever significant changes occur.
Comprehensive documentation also underpins the organisation's ability to demonstrate compliance — to regulators, customers, and other stakeholders — by providing the evidence base for claims about how systems were designed, tested, and governed. It supports effective incident investigation, enables knowledge transfer when personnel change, and provides the foundation for responsible decommissioning decisions.
Guidance on Implementation
Documentation Scope and Structure
The organisation shall define the documentation requirements for each AI system based on its risk profile, intended use, and applicable regulatory obligations. At minimum, documentation shall address:
- the system's intended purpose and operational context;
- the requirements specification;
- design documentation and design rationale;
- data governance records, including data sources, quality assessments, and dataset composition;
- implementation records, including version histories and training logs;
- verification and validation plans and results;
- risk assessment and impact assessment records;
- deployment authorisation and deployment records;
- operational guidance for users and operators; and
- records of post-deployment monitoring and incidents.
For higher-risk systems, documentation requirements shall be more extensive, reflecting the greater accountability obligations associated with systems that have significant impacts on individuals or critical processes.
Model Cards and System Factsheets
The organisation shall produce a system-level summary document — commonly referred to as a model card or AI system factsheet — for each deployed AI system. This document shall provide a concise, accurate summary of the system's intended use, capabilities, limitations, performance characteristics, and the conditions under which its outputs should and should not be relied upon.
Model cards and factsheets shall be maintained as living documents, updated when material changes are made to the system, and made available to relevant internal stakeholders and, where appropriate, to external parties including users and affected individuals.
Version Control and Change History
All AI system documentation shall be subject to version control, with a complete history of changes maintained. Each version of a document shall record the date of the change, the nature of the change, and the identity of the person responsible. The current version of each document shall be clearly identified, and superseded versions shall be retained for audit purposes in accordance with the organisation's document retention policy.
Documentation Quality Assurance
The organisation shall establish processes to ensure that documentation remains accurate and current. Responsibilities for maintaining each category of documentation shall be clearly assigned, and documentation reviews shall be incorporated into the workflow for system changes, risk assessment updates, and periodic governance reviews.
Processes shall also address the identification and correction of documentation inaccuracies when these are discovered, including through operational experience or audit findings.
Accessibility and Confidentiality
Documentation shall be stored in a manner that ensures it is accessible to those with a legitimate need to consult it, while protecting sensitive information — including proprietary model details and personal data — from unauthorised disclosure. Access controls shall be applied in accordance with the sensitivity of the information and the organisation's information security policies.
Where documentation contains information that is relevant to transparency or accountability obligations — such as information about how an automated decision system reaches conclusions — processes shall be in place to make appropriate extracts available to relevant parties in a timely manner.
Retention and Decommissioning Records
Documentation shall be retained throughout the operational life of the AI system and for a defined period following decommissioning, as required by applicable law, regulation, and the organisation's record management policy. Records of the decommissioning process, including the rationale for the decommissioning decision and the disposal of data and model artefacts, shall themselves be retained in accordance with applicable requirements.
Related Controls
- A.6.2.2 through A.6.2.7 – AI System Lifecycle Controls: Documentation shall capture the outputs of each lifecycle stage, from requirements through deployment.
- A.6.1.1 – AI System Impact Assessment: Impact assessment records are a core component of AI system documentation.
- A.7.5 – AI System Monitoring: Monitoring records, incident reports, and performance data shall be incorporated into the ongoing documentation of the system.
- A.8.5 – AI System Decommissioning: Decommissioning records shall be created and retained as part of the AI system documentation.
- A.5.4 – Human Oversight of AI Systems: Documentation shall include information sufficient to support the exercise of meaningful human oversight, including descriptions of system capabilities, limitations, and failure modes.