ISO/IEC 42001
ISO/IEC 42001:2023 is the management-system standard for artificial intelligence. It follows the Annex SL high-level structure shared with ISO 27001 and ISO 9001: Context, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement. The AI-specific surface is concentrated in Annex A, the reference control set. This page documents how chio's shipped primitives align with those clauses and controls, framed as input to a Statement of Applicability, not as a certification artifact.
Management systems are organizational
Where Chio Contributes
Chio's strongest contribution is to the operational clauses and the reference controls that describe logging and third-party relationships.
| Clause Family | Chio Role |
|---|---|
| Clause 7.5 Documented information | Signed receipts, checkpoints, compliance certificates, evidence bundles: every artifact is canonical JSON with a timestamp and key reference. |
| Clause 8.2 and 8.3 Operational control and life cycle | Guard pipeline, capability lifecycle (issue, delegate, revoke, expire), tool-server lifecycle evidence via signed manifests. |
| Clause 9.1 Monitoring and measurement | Receipt query API, checkpoint monitor, receipt analytics, SIEM export. |
| Annex A.7 AI system logging | Signed receipt per invocation, Merkle-committed batches, DPoP attribution. |
| Annex A.5 Data for AI systems | Data-layer guards: SQL and warehouse access guards, vector store constraints, column-level restrictions, response sanitization. |
Clauses 4 (context), 5 (leadership), most of 6 (planning), 7.1 through 7.4 (resources, competence, awareness, communication), and 10 (improvement) are largely organizational and are marked org-owned below.
Coverage Legend
| Level | Meaning |
|---|---|
| supports | Chio's shipped controls directly implement the clause or control at the tool-governance layer. |
| evidence-for | Chio supplies part of the control; the organization adds procedures, documents, or review cadence. |
| org-owned | Clause is organizational, procedural, or policy-level; chio does not implement it. |
| out-of-scope | Addresses concerns outside chio's governance boundary (e.g., training-data curation, workforce). |
Main Body Clause Mapping
Clauses 4 and 5: Context and Leadership
| Clause | Chio Mapping | Coverage |
|---|---|---|
| 4.1 / 4.2 Context and interested parties | Not applicable at the protocol layer. | org-owned |
| 4.3 Scope of the AIMS | Capability issuance demarcates which tool servers are inside the governed scope; deployment-level scope is documented per site. | evidence-for |
| 4.4 AI management system | Operational layer (guards, receipts, revocation) runs continuously and produces signed artifacts. | evidence-for |
| 5.1 Leadership and commitment | Not applicable at the protocol layer. | org-owned |
| 5.2 AI policy | Policy-as-code artifacts compiled from chio-policy; policy hash embedded in every receipt. | evidence-for |
| 5.3 Roles, responsibilities, authorities | The issuer and delegation chain on every capability attribute technical authority; human roles are assigned outside chio. | evidence-for |
Clause 6: Planning
| Clause | Chio Mapping | Coverage |
|---|---|---|
| 6.1 Actions to address risks and opportunities | Guard pipeline deny paths, capability scoping, budget caps. | supports |
| 6.1.2 AI risk assessment | Underwriting tier classification; receipt analytics surface aggregates. | evidence-for |
| 6.1.3 AI risk treatment | Revocation runtime, scope tightening, approval tokens for step-up review. | supports |
| 6.1.4 AI system impact assessment | Underwriting risk reasons plus receipt impact data; artifact format is operator-owned. | evidence-for |
| 6.2 AI objectives | Not applicable at the protocol layer. | org-owned |
| 6.3 Planning of changes | Policy hash in every receipt ties each call to a policy version; request-matching ties the call to a request-schema version. | supports |
Clause 7: Support
| Clause | Chio Mapping | Coverage |
|---|---|---|
| 7.1 / 7.2 / 7.3 Resources, competence, awareness | Not applicable at the protocol layer. | org-owned |
| 7.4 Communication | SIEM export, trust-control dashboard, compliance certificates. | evidence-for |
| 7.5 Documented information | Signed artifacts: receipts, checkpoints, compliance certificates, evidence bundles. | supports |
| 7.5.2 Creating and updating | Canonical JSON (RFC 8785) for every signed artifact; timestamp and key reference recorded. | supports |
| 7.5.3 Control of documented information | Archival via evidence retention; inclusion proofs guarantee integrity of archived entries. | supports |
Clause 8: Operation
| Clause | Chio Mapping | Coverage |
|---|---|---|
| 8.1 Operational planning and control | Guard pipeline, grant-scoped operational controls, fail-closed default. | supports |
| 8.2 AI system impact assessment | Underwriting tiers, capability-tier assignment on every grant. | evidence-for |
| 8.3 AI system life cycle | Capability lifecycle: issue, delegate, revoke, expire. Tool-server lifecycle evidence via signed manifests. Design and training phases are external. | evidence-for |
| 8.4 Third-party relationships | Capability scoping for tool servers; DPoP attribution for outbound calls; manifest verification for counterparties. | supports |
Clauses 9 and 10: Performance Evaluation and Improvement
| Clause | Chio Mapping | Coverage |
|---|---|---|
| 9.1 Monitoring, measurement, analysis, evaluation | Receipt query API, checkpoint monitor, receipt analytics. | supports |
| 9.2 Internal audit | Evidence export bundles, compliance certificates, Merkle inclusion proofs. | supports |
| 9.3 Management review | Compliance certificates summarize operational posture. | evidence-for |
| 10.1 Continual improvement | Receipts feed improvement workflows; automated policy evolution is operator-owned. | evidence-for |
| 10.2 Nonconformity and corrective action | Deny receipts, revocation, scope reduction, approval escalation. | evidence-for |
Receipts are the CAPA anchor
Annex A Reference Controls
Annex A of ISO 42001 supplies a reference set of AI-specific controls. Control IDs follow the pattern A.x.y. Chio's strongest Annex A contribution is to A.6 (life cycle), A.7 (data), A.8 (information sharing), A.9 (use), and A.10 (third-party).
| Control | Description | Chio Mapping | Coverage |
|---|---|---|---|
| A.2 | Policies related to AI. | Policy-as-code via chio-policy; policy hash in every receipt. | evidence-for |
| A.3 | Internal organization. | Issuer and delegation chain attribute authority at the protocol layer. | evidence-for |
| A.4 | Resources for AI systems. | Tool manifest catalogs tools; budget caps manage compute spend. | evidence-for |
| A.5 | Assessing impacts of AI systems. | Underwriting tier classification; receipt-based impact aggregation. | evidence-for |
| A.6 | AI system life cycle. | Capability lifecycle runtime; revocation; grant expiry. | evidence-for |
| A.6.2 | Requirements and specification. | Tool definition parameter schemas inside signed manifests. | supports |
| A.6.3 | Design and development. | Workspace-wide clippy -D warnings, denylist on unwrap_used, canonical JSON for every signed payload, Lean 4 proofs for protocol invariants. | supports |
| A.6.4 | Verification and validation. | Workspace-level cargo tests; guard integration tests; conformance harness for external implementations. | evidence-for |
| A.6.5 | Deployment. | Capability issuance, grant constraints, velocity guards. | supports |
| A.6.6 | Operation and monitoring. | Receipt store, dashboard, SIEM export, checkpoint monitor. | supports |
| A.6.7 | Technical documentation. | Signed tool manifests, compliance certificates. | supports |
| A.6.8 | Recording of event logs. | Signed receipt per invocation (allow or deny), Merkle checkpoints over batches. | supports |
| A.7 | Data for AI systems. | Data-layer guards: SQL, warehouse, vector store; response sanitization; column-level constraints. | supports |
| A.7.2 | Data acquisition. | Egress allowlist and internal-network guards limit the acquisition surface. | evidence-for |
| A.7.4 | Data provenance. | Workload identity, DPoP attribution, receipt capability chain. | evidence-for |
| A.8 | Information for interested parties. | Compliance certificates, evidence export bundles. | evidence-for |
| A.9 | Use of AI systems. | Capability scoping, delegation attenuation, approval tokens. | supports |
| A.9.2 | Intended use. | Tool manifest descriptions and GovernedAutonomyTier declarations. | evidence-for |
| A.9.3 | Objectives for responsible use. | Budget and velocity caps, guard suite. | evidence-for |
| A.10 | Third-party and customer relationships. | Capability-scoped access to third-party tools, manifest verification signatures. | supports |
Statement of Applicability Patterns
A typical ISO 42001 Statement of Applicability names each Annex A control, states whether the control is applicable, justifies the decision, and identifies implementation evidence. Chio makes the evidence column concrete.
```yaml
A.6.8:
  title: Recording of event logs
  applicability: applicable
  implementation_evidence:
    - chio signed receipt per invocation (allow or deny)
    - merkle checkpoint batches signed by kernel keypair
    - inclusion proofs available via chio checkpoint prove
A.7:
  title: Data for AI systems
  applicability: applicable
  implementation_evidence:
    - SqlQueryGuard column constraints
    - vector store guard for retrieval governance
    - response_sanitization for output redaction
    - data_flow guard for cross-tool transfer limits
```

Audit Evidence Patterns
Internal audit under Clause 9.2 needs repeatable evidence assembly. Chio's evidence export plus the receipt query API are the mechanical answer.
```shell
# Export the evidence bundle for the audit window.
$ chio evidence export \
    --policy ./policy.yaml \
    --receipt-db ./receipts.sqlite3 \
    --since 2026-01-01T00:00:00Z \
    --until 2026-03-31T23:59:59Z \
    --output ./q1-iso-42001-evidence

# Show the Annex A.6.8 log-sample surface (100 allow + 100 deny).
$ chio receipts sample \
    --receipt-db ./receipts.sqlite3 \
    --decision allow --limit 100 > samples/allow.jsonl
$ chio receipts sample \
    --receipt-db ./receipts.sqlite3 \
    --decision deny --limit 100 > samples/deny.jsonl

# Produce a session compliance certificate for the management review.
$ chio cert session \
    --policy ./policy.yaml \
    --receipt-db ./receipts.sqlite3 \
    --since 2026-01-01T00:00:00Z \
    --until 2026-03-31T23:59:59Z \
    --output ./q1-session-certificate.json
```

Training is not in scope
ToolManifest at authoring, capability issuance at deployment, signed receipts during runtime, revocation plus evidence archival at retirement. The design, training, and evaluation phases of a model live outside chio's governance boundary and require training-pipeline tooling of their own.

Known Gaps
- A.7.3 Data quality: out of scope at the tool-governance layer. Data-quality programs run in the data platform.
- A.7.5 Data preparation: out of scope. Preparation pipelines are operator-owned.
- A.6.3 SDLC evidence: chio's own build pipeline enforces clippy, tests, and canonical JSON, but the customer's SDLC for their agent and its tool servers is operator-owned.
- Management review outputs: chio's compliance certificates summarize operational posture, but the written management-review minutes remain an organizational artifact.
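Worked example of the evidence chain behind the A.6.8 and Clause 7.5.3 rows and the audit-sample commands above: canonical-JSON receipts are hashed into a Merkle checkpoint, and an inclusion proof lets an auditor check one sampled receipt against the checkpoint root and detect a receipt altered after archival. This is added illustration, not chio's code or its receipt format; the SHA-256 leaf/node domain separation, the simplified canonicalization, and the receipt field names are assumptions.

```python
import hashlib
import json

def canonical(obj) -> bytes:
    # RFC 8785-style form for plain str/int/bool/None JSON (sorted keys,
    # no whitespace). Floats and escaping rules are not handled: a
    # simplification, not a full JCS encoder (assumption).
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def leaf_hash(receipt: dict) -> bytes:
    # 0x00 prefix for leaves, 0x01 for inner nodes (RFC 6962 style), so a
    # leaf cannot be confused with an inner node (assumed design).
    return hashlib.sha256(b"\x00" + canonical(receipt)).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_root(leaves: list) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:            # duplicate the last node on odd levels
            level.append(level[-1])
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def inclusion_proof(leaves: list, index: int) -> list:
    # Sibling path from the leaf to the root: [(sibling_hash, sibling_is_left), ...]
    path, level, i = [], list(leaves), index
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sib = i ^ 1
        path.append((level[sib], sib < i))
        level = [node_hash(level[j], level[j + 1]) for j in range(0, len(level), 2)]
        i //= 2
    return path

def verify_inclusion(receipt: dict, path: list, root: bytes) -> bool:
    # Recompute the root from the receipt and its proof; the auditor only
    # needs the signed checkpoint root, not the whole batch.
    h = leaf_hash(receipt)
    for sibling, sibling_is_left in path:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root

# Constructed sample batch: five receipts with allow and deny decisions.
RECEIPTS = [{"seq": n, "decision": "deny" if n % 3 == 0 else "allow",
             "tool": "sql.query", "policy_hash": "sha256:POLICY-HASH-PLACEHOLDER",
             "ts": f"2026-01-01T00:00:0{n}Z"} for n in range(5)]
LEAVES = [leaf_hash(r) for r in RECEIPTS]
CHECKPOINT_ROOT = merkle_root(LEAVES)   # what the kernel keypair would sign

def audit_sample(index: int) -> bool:
    # One sampled receipt plus its proof verifies against the checkpoint root.
    return verify_inclusion(RECEIPTS[index], inclusion_proof(LEAVES, index), CHECKPOINT_ROOT)

def tampered_sample(index: int) -> bool:
    # Flipping the decision after archival must fail against the same root.
    r = RECEIPTS[index]
    altered = dict(r, decision="allow" if r["decision"] == "deny" else "deny")
    return verify_inclusion(altered, inclusion_proof(LEAVES, index), CHECKPOINT_ROOT)
```

The odd-sized batch (five receipts) exercises the duplicate-last-node case that a naive verifier gets wrong.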
For the regulation-driven mapping against Article 19, Article 14, and Annex IV, see EU AI Act. For SOC 2, HIPAA, and PCI DSS control mappings, see Compliance Frameworks.