ISO 42001:2023 - A.8.5 AI System Decommissioning
This article provides guidance on how to implement ISO 42001:2023 control A.8.5, AI System Decommissioning.
ISO 42001 Control Description
The organisation shall plan and manage the decommissioning of AI systems in a controlled manner, ensuring that decommissioning is carried out in an orderly way, that data and model artefacts are disposed of appropriately, and that accountability obligations are fulfilled both during and after the decommissioning process.
Control Objective
To ensure that AI systems are retired from operational use in a planned, documented, and responsible manner that protects the interests of individuals affected by the system, addresses applicable legal and regulatory obligations, and preserves the organisational knowledge and accountability records required for the post-operational period.
Purpose
Decommissioning is the final phase of the AI system lifecycle, but it is not a phase that can be managed as an afterthought. The decisions made when retiring an AI system — concerning the disposal of training data and model artefacts, the handling of operational records, the communication of the decommissioning to stakeholders, and the termination of third-party contracts — have lasting implications for the organisation's legal position, its obligations to affected individuals, and its ability to account for the system's historical operation.
AI system decommissioning presents specific governance challenges that are not fully addressed by conventional IT decommissioning approaches. The training data, model weights, and operational records associated with an AI system may contain personal data subject to data protection legislation, proprietary information subject to intellectual property controls, and accountability records that must be retained for defined periods. The system's decommissioning may also affect individuals who have relied upon it, requiring appropriate communication and transition arrangements.
Responsible AI decommissioning demonstrates that the organisation treats its accountability obligations as enduring beyond the operational life of individual systems, and reflects a mature approach to the full lifecycle governance of AI.
Guidance on Implementation
Decommissioning Triggers and Decision-Making
The organisation shall define the circumstances that may trigger the decommissioning of an AI system, including the end of the system's planned operational life; the availability of a replacement system; an assessment that the system can no longer be maintained within acceptable risk bounds; significant changes to the regulatory environment rendering continued operation infeasible; or a strategic decision to discontinue the use case the system supports.
Decommissioning decisions shall be subject to formal review and approval by an accountable individual or governance body. The decision shall be documented, including the rationale and the anticipated timeline for decommissioning.
Decommissioning Planning
The organisation shall prepare a decommissioning plan for each AI system, addressing the sequence of decommissioning activities, the responsibilities of personnel involved, the timeline for completion, and the arrangements for business processes that currently depend on the system.
Where the AI system supports processes that will continue after decommissioning, the plan shall address how those processes will be performed during and after the transition period. This may involve the implementation of a replacement system, reversion to manual processes, or discontinuation of the underlying activity.
Communication to Stakeholders
The organisation shall communicate the planned decommissioning to relevant stakeholders in advance, with sufficient notice to enable affected parties to make appropriate arrangements. Communication shall address the timeline for decommissioning, the impact on services or processes that stakeholders rely upon, and any alternative arrangements being made. Where the system's outputs have directly affected individuals, communication obligations shall be assessed in accordance with applicable regulatory requirements and ethical commitments.
Data and Model Artefact Disposal
The organisation shall establish and execute a plan for the disposal of data and model artefacts associated with the decommissioned system. Disposal shall comply with applicable data protection legislation, including requirements for the erasure of personal data where retention is no longer legally justified.
The organisation shall determine which artefacts are to be retained for operational, legal, or audit purposes and for what period, and which are to be destroyed. Destruction shall be carried out using methods appropriate to the sensitivity of the information and shall be documented to provide evidence of compliance with disposal obligations.
Retention of Accountability Records
Notwithstanding the disposal of operational data and model artefacts, the organisation shall retain the accountability records associated with the decommissioned system for the period required by applicable law, regulation, and the organisation's document retention policy. Accountability records include risk assessments, impact assessments, verification and validation documentation, incident records, and performance documentation. These records may be required to respond to regulatory enquiries, legal proceedings, or audit activities that arise after the system ceases operation.
Third-Party Contract Termination
Where the AI system involves third-party components, services, or data processing arrangements, decommissioning shall include the orderly termination of relevant contracts and service agreements. Termination activities shall ensure that data held by third parties is handled in accordance with contractual terms and applicable regulatory requirements, and that any ongoing data processing activities are discontinued at the appropriate time.
Post-Decommissioning Review
Following the completion of decommissioning activities, the organisation shall conduct a review to confirm that all planned activities were completed as intended, that outstanding accountability obligations have been addressed, and that any lessons learned from the decommissioning process have been documented for future reference.
Related Controls
- A.6.2.8 – AI System Documentation: Decommissioning records, including the decommissioning plan, disposal records, and post-decommissioning review, shall be maintained as part of the AI system documentation.
- A.4.3 – Data Resources for AI Systems: Data protection and data governance obligations, including data retention and erasure requirements, shall be applied to data disposal activities during decommissioning.
- A.9.3 – AI System Supply Chain: Third-party contract termination activities shall be managed in accordance with the organisation's supply chain governance requirements.
- A.6.1.2 – AI Risk Assessment: The risk profile of the system and any ongoing risks arising from decommissioning shall be assessed as part of the decommissioning planning process.
- A.8.2 – AI System Incident Management: Any incidents arising during the decommissioning process shall be managed in accordance with the incident management process.