ISO 42001 Reference Card: Annex A Control A.6

May 9, 2026


Purpose

A.6 requires the organisation to manage AI systems across their full lifecycle — from initial concept and design through development, testing, deployment, operation, monitoring, and eventual decommissioning. Each stage carries distinct risks that require specific controls.


What the control requires

The organisation must apply appropriate governance at each stage of the AI system lifecycle:

Design and development:

  • Define the intended purpose, scope, and boundaries of the AI system
  • Identify risks, bias potential, and safety constraints at the design stage
  • Apply security and privacy considerations from the outset

Testing and validation:

  • Test AI system performance against defined success criteria
  • Assess behaviour at the edges and in adversarial conditions
  • Document test results as evidence of fitness for deployment

Deployment:

  • Obtain appropriate approval before going live
  • Ensure human oversight mechanisms are in place where required
  • Communicate deployment to relevant stakeholders

Operation and monitoring:

  • Monitor AI system behaviour and outputs continuously or at defined intervals
  • Detect and respond to drift, degradation, or unexpected behaviour
  • Maintain records of operational performance

Decommissioning:

  • Define triggers for retiring an AI system (e.g. performance, regulation, change of use)
  • Manage data retention, deletion, and handover obligations
  • Document the decommissioning decision and process

Why it matters

AI systems are not static. Their performance can change as data changes, as the world changes, or as usage patterns evolve. Lifecycle management ensures that risks are managed at every stage, not just at launch.


Common audit questions

  • Does the organisation have a defined process for each stage of the AI lifecycle?
  • How are design-stage risks identified and documented?
  • What approval is required before an AI system is deployed?
  • How are AI systems monitored after deployment?
  • Is there a process for decommissioning AI systems safely?

Connections

A.6 output                 Used by
Design records             A.5 (impact assessment inputs)
Deployment approvals       Clause 8 (operational planning and control)
Monitoring outputs         Clause 9 (performance evaluation)
Decommissioning records    A.7 (data management obligations)

Reference catalogue entry — use this as source material for matching funny and professional infographic cards.