ISO 42001 AI Risk Management
Enforce AI risk assessment and treatment requirements per ISO 42001 Annex A.2 controls.
About This Policy Template
Policy for organizations pursuing ISO/IEC 42001:2023 certification for AI management systems. Enforces Annex A.2 controls requiring systematic AI risk identification, assessment, and treatment. Detects AI deployments lacking documented risk assessments, flags high-risk AI decisions made without risk treatment plans, identifies residual risks accepted without proper authority, and ensures AI entries exist in organizational risk registers. Covers A.2.2 (AI risk assessment), A.2.3 (AI risk treatment), and A.2.4 (residual risk acceptance). Essential for demonstrating AIMS conformity to auditors.
Policy Rules (6)
Critical Severity (1)
High-Risk AI Without Treatment Plan
Flag high-risk AI decisions or outputs lacking risk treatment documentation (A.2.3)
High Severity (3)
AI Deployment Without Risk Assessment
Detect AI system deployments or changes lacking a documented risk assessment (A.2.2)
AI Risk Not Reviewed After System Change
Detect AI system changes that proceed without risk reassessment (A.2.2)
Residual Risk Accepted Without Authority
Detect residual AI risk acceptance without proper management authority (A.2.4)
Medium Severity (2)
Missing AI Risk Communication to Stakeholders
Detect AI risk information not communicated to relevant stakeholders (A.2.3)
Risk Register Missing AI System Entries
Detect risk register or risk management content that omits AI-specific risk entries (A.2.2)
Enforcement by Integration
What happens when a violation is detected, based on the enforcement mode and integration type.
| Integration | Block | Approval | Warn | Monitor |
|---|---|---|---|---|
| Version Control (GitHub, GitLab, Bitbucket) | Fail check run / merge request status | Pending check run — held for review | Neutral check run / comment on PR | Pass check run (silent) |
| Email (Gmail) | Quarantine label; + violation label (outbound) | Quarantine label — held for review | Add warning label | Log only |
| Email (Outlook) | Move to quarantine folder; + flag (outbound) | Move to quarantine — held for review | Flag + categorize | Log only |
| Messaging (Slack, Teams) | Post violation warning in channel | Post 'held for review' warning | Post warning in channel | Log only |
| Storage (Google Drive, Dropbox, OneDrive) | Move file to quarantine folder | Quarantine file — held for review | Log only | Log only |
| AI Proxy (OpenAI, Anthropic, Gemini, MCP, Agent) | Block request (return 403) | Hold request — return review ID | Allow request + audit trail | Log only |
| API (REST API) | Return BLOCK outcome (client decides) | Return APPROVAL_REQUIRED + poll URL | Return WARN outcome | Log only |
Version History
1 version published
Initial release
ISO 42001 questionnaire?
Answer ISO 42001 AIMS questions with controls Aguardic enforces