![Adoptech-logo-GreyWithoutStrapline-1.png]](https://knowledge.adoptech.co.uk/hs-fs/hubfs/Adoptech-logo-GreyWithoutStrapline-1.png?height=39&name=Adoptech-logo-GreyWithoutStrapline-1.png){kind=logo}
ISO 42001: 2023 - A.7.2 Establishing Processes, Functions and Tools for AI Operation
This article provides guidance on how to implement the ISO 42001: 2023 A.7.2 Establishing Processes, Functions and Tools for AI Operation
ISO 42001 Control Description
The organisation shall establish the operational processes, organisational functions, and technical tools required to operate AI systems in a controlled, effective, and accountable manner throughout their operational lifecycle.
Control Objective
To ensure that the operational environment for AI systems is supported by defined processes, appropriately resourced functions, and adequate tooling, enabling AI systems to be operated consistently, safely, and in conformance with the organisation's policies and applicable legal requirements.
Purpose
The transition of an AI system from development into operation requires more than the technical deployment of the system itself. Sustainable and responsible AI operation depends on the establishment of the broader organisational infrastructure needed to manage the system day-to-day: the processes that govern routine operation and exception handling, the organisational functions with defined responsibilities for oversight and management, and the technical tools that enable operational visibility and control.
Without this infrastructure, organisations risk operating AI systems in an improvised manner that undermines accountability, creates gaps in oversight, and leaves the organisation poorly positioned to identify and respond to operational issues. As AI systems become more deeply embedded in organisational processes, the quality of the operational infrastructure that surrounds them becomes increasingly consequential for both the organisation and the individuals whose interests are affected by system outputs.
This control recognises that operational readiness must be assessed and confirmed before a system enters service, and that the processes, functions, and tools established for AI operation must be commensurate with the system's risk profile and operational complexity.
Guidance on Implementation
Defining Operational Processes
The organisation shall document the processes required to operate each AI system throughout its operational lifecycle. Operational processes shall address routine system operation, including the scheduling and management of inference activities; data input management and quality assurance in the operational context; output review and approval workflows where human oversight is required; incident identification and escalation; and scheduled maintenance activities, including model retraining and updates.
Processes shall be documented at a level of detail sufficient to enable consistent execution by competent personnel, including personnel who were not involved in the system's development.
Organisational Functions and Responsibilities
The organisation shall assign clear responsibilities for the operational management of each AI system. Responsibilities shall address day-to-day operation and system monitoring; first-line response to operational issues and incidents; escalation of issues to appropriate technical or management functions; maintenance of operational documentation; and liaison with development and risk management functions as required.
Accountability for the operational performance and governance of each AI system shall be assigned to a named individual or role at an appropriate level of organisational authority. This accountability shall be formally documented and communicated to relevant parties.
Operational Tooling
The organisation shall identify and provision the tools required to support AI system operation, including tools for system monitoring and performance tracking, alerting and incident notification, operational logging, and the management of system inputs and outputs. Where operational tooling is provided by third parties, it shall be assessed for adequacy and managed in accordance with the organisation's supply chain governance requirements.
Tooling shall be configured to provide the operational visibility needed to detect performance degradation, unusual system behaviour, and conditions that may indicate the onset of model drift or data quality issues.
Operational Readiness Assessment
Before an AI system is placed into production operation, the organisation shall conduct an operational readiness assessment to confirm that the operational infrastructure is in place and adequate. This assessment shall cover the completeness and accuracy of operational process documentation; the assignment and communication of operational responsibilities; the availability and configuration of operational tooling; the provision of appropriate training to operational personnel; and the activation of monitoring and alerting mechanisms.
The operational readiness assessment shall be documented, and any deficiencies identified shall be remediated before the system commences operational use.
Integration with Organisational Operations
Operational processes for AI systems shall be integrated with the organisation's broader operational governance, including its incident management procedures, change management processes, and business continuity arrangements. AI system operational processes shall not exist in isolation but shall be connected to the organisational functions and escalation pathways that provide effective oversight and response capability.
Where AI systems support or inform critical operational processes, business continuity plans shall address the availability requirements for the AI system and the procedures to be followed in the event of system unavailability.
Continuous Improvement of Operational Processes
The organisation shall establish mechanisms for reviewing and improving operational processes over time, drawing on operational experience, monitoring data, incident records, and the outcomes of periodic audits. Lessons learned from operational events shall be fed back into process improvements, and operational documentation shall be updated accordingly.
Related Controls
- A.6.2.7 – AI System Deployment: Operational processes and functions shall be established and confirmed as ready prior to deployment.
- A.7.5 – AI System Monitoring: Monitoring activities are a core operational function and shall be governed by the processes established under this control.
- A.8.2 – AI System Incident Management: Incident management processes shall be integrated with AI operational processes and shall define escalation pathways for AI-related incidents.
- A.6.2.8 – AI System Documentation: Operational process documentation forms part of the comprehensive AI system documentation maintained throughout the lifecycle.
- A.9.3 – AI System Supply Chain: Third-party operational tooling and services shall be governed in accordance with supply chain management requirements.