What does ISO 42001 Clause 9.1 require for AI performance monitoring?

Clause 9.1 requires organizations to determine AI system performance indicators, establish methods for monitoring, and retain documented evidence of results. For AI agents, performance indicators must be behavioral: decision rate by category, confidence score distributions, override rate, decision category frequency, and model version provenance. Infrastructure metrics (latency, errors, uptime) confirm the system is operational — they do not confirm it is performing as intended. Behavioral monitoring from decision records is required.

What is an ISO 42001 nonconformity for an AI agent?

ISO 42001 Clause 10.2 requires documentation and corrective action for nonconformities. For AI agents, nonconformities include: decisions that violated documented policy, behavioral drift beyond established monitoring thresholds, systematic override patterns indicating consistent AI errors, context integrity failures in multi-agent pipelines, and model version divergence from approved specifications. Each nonconformity requires root cause analysis documentation and evidence of effective corrective action.

Which ISO 42001 Annex A controls require AI decision records?

Several Annex A controls require per-decision evidence: A.6.2 (AI system impact assessment) requires empirical impact data, not just theoretical assessment; A.7.4 (AI system transparency) requires information sufficient to explain individual decisions; A.8.5 (AI system documentation) requires operational condition records; A.9.3 (AI system human oversight) requires records of when humans reviewed or overrode AI outputs. System-level model documentation satisfies A.8.5 but not A.7.4 — the latter requires per-decision reasoning records.

How does ISO 42001 relate to EU AI Act compliance?

ISO 42001 and EU AI Act overlap substantially but are distinct. EU AI Act is regulation imposing legal obligations on specific high-risk AI categories with fines up to €35M or 7% of global revenue. ISO 42001 is a voluntary management system standard applicable to all AI uses. Many EU AI Act compliance programs use ISO 42001 as the organizational management framework because the standard provides the controls structure that the regulation requires but doesn't prescribe. ISO 42001 certification demonstrates that an AI management system is in place; EU AI Act compliance demonstrates that specific high-risk AI requirements are met.

Does ISO 42001 require tamper-evident AI decision records?

ISO 42001 Clause 7.5 requires that documented information be controlled to protect it from loss of integrity. For AI decision records used as compliance evidence, integrity protection means records must be provably unaltered since capture. Cryptographic signing (SHA-256 hash plus Ed25519 signature per record) satisfies the Clause 7.5 integrity requirement. ISO 42001 auditors from major certification bodies increasingly expect tamper-evident records for high-stakes AI systems, even though tamper-evidence is not explicitly mandated in the standard text.

What evidence does an ISO 42001 auditor ask for related to AI agents?

An ISO 42001 auditor evaluating Clause 8.4, 9.1, and 10.2 will request: AI system operation records showing what decisions were made and under what conditions, performance monitoring records showing baselines and anomaly history, incident and nonconformity records for AI system failures, corrective action records showing effectiveness evidence, AI risk and impact assessment documentation, and records of human oversight activities. Decision audit records with structured outputs, tamper-evident signing, and queryable history satisfy all six categories.

How long must ISO 42001 AI management system records be retained?

ISO 42001 Clause 7.5.3 requires that documented information be retained in a way that preserves fitness for purpose — it does not specify a fixed retention period. In practice, AI operation records under Clause 8.4 should align with the longest applicable sector-specific requirement: EU AI Act minimum 6 months post-decommissioning, HIPAA minimum 6 years, MiFID II minimum 5 years. Where multiple frameworks apply, use the strictest requirement. Most ISO 42001-certified organizations maintain AI decision records for 5-7 years.

ISO 42001 AI Management System: What the Standard Actually Requires for AI Audit Trails

ISO/IEC 42001:2023 is the first international standard for AI management systems. Organizations deploying AI in consequential workflows need to understand three core requirements: Clause 8.4 requires documented evidence that AI processes were carried out as planned; Clause 9.1 requires behavioral performance baselines and monitoring evidence; Clause 10.2 requires nonconformity records and corrective action documentation. System logs satisfy none of these. Decision audit records satisfy all three.

What ISO 42001 Is and Who Needs It

ISO/IEC 42001:2023 is the international standard for AI management systems. It applies to any organization developing, providing, or using AI systems. ISO 42001 certification is increasingly required in EU public sector procurement, enterprise AI vendor assessments, AI-related insurance underwriting, and due diligence in AI company transactions. Organizations that cannot demonstrate a structured AI management system face growing commercial and reputational barriers even outside regulated sectors.

Clause 8.4: AI System Operation Records

Clause 8.4 requires organizations to retain documented information to have confidence that AI processes were carried out as planned. For AI agents, this requires structured records showing: what inputs the AI processed, what decision it reached, what reasoning it applied, which policy version governed the decision, and evidence the record is unaltered. Application logs showing API requests and response codes do not satisfy Clause 8.4 — they record that the system ran, not that it ran correctly per documented specifications.

Clause 9.1: Performance Monitoring and Measurement

Clause 9.1 requires organizations to determine AI system performance indicators, establish monitoring methods, and retain documented evidence of results. For AI agents, performance indicators include: decision rate by category, confidence score distributions, override rate by reviewer, decision category frequency, and model version provenance. Infrastructure metrics confirm the system is running — they do not confirm it is behaving as intended. Behavioral monitoring from decision records satisfies Clause 9.1.

Clause 10.2: Nonconformity and Corrective Action

Clause 10.2 requires that when a nonconformity occurs, it must be documented with root cause analysis and corrective action evidence. AI agent nonconformities include policy violations detected in decision records, behavioral drift beyond monitoring thresholds, systematic override patterns, and context integrity failures. ISO 42001 auditors sample nonconformity records and request the corresponding AI decision records that triggered each finding, analysis documentation, and evidence of effective corrective action.

Annex A Controls: Transparency and Human Oversight

ISO 42001 Annex A.7.4 requires information sufficient to explain AI decisions. Annex A.9.3 requires records of when humans reviewed or overrode AI outputs. Both require per-decision evidence. System-level model documentation satisfies the system description requirement but not individual decision explanation. Per-decision reasoning records with factor-level explanation satisfy A.7.4. Override and confirmation records satisfy A.9.3.

Implementation: Decision Records for ISO 42001

A single Tenet decision record satisfies evidence requirements for Clause 8.4, 9.1, 10.2, and Annex A.6.2, A.7.4, A.9.3 simultaneously. Configure TenetClient with policy_version and system_id to attach documented control evidence to every record. Use ctx.snapshot_context() for Clause 8.4 operation evidence. Attach monitoring_signals for Clause 9.1 baseline tracking. Override records satisfy Annex A.9.3. Cryptographic signing satisfies Clause 7.5 integrity requirements.