Free preview: AI Management System Policy

These are the genuine opening sections of one document from the ISO 42001 AI Management System Toolkit (14 documents total). The amber [placeholders] are what you customize — everything else is ready to use.

AI Management System Policy

Purpose. This policy establishes [Company Name]'s commitment to the responsible development, procurement, deployment and use of artificial intelligence and serves as the apex policy of the AI Management System (AIMS). It defines the responsible AI principles that direct all AI-related decision making, sets requirements for alignment with other organizational policies, and establishes the framework of supporting documents through which ISO/IEC 42001:2023 requirements are implemented. It also defines how this policy is communicated, enforced and kept current.

Policy Statement

[Company Name] develops and uses artificial intelligence to advance its business objectives while protecting the rights, safety and legitimate interests of individuals, groups and society. Top management is committed to operating an AI Management System (AIMS) aligned with ISO/IEC 42001:2023 and to maintaining readiness for applicable regulatory obligations, including the EU AI Act where [Company Name] acts as a provider or deployer of in-scope AI systems.

All AI systems within the scope of the AIMS must be governed throughout their life cycle in accordance with this policy, the responsible AI principles defined in Section 2, and the supporting documents listed in Section 5. No AI system may be placed into production use without completing the assessments required by the AI System Impact Assessment Procedure and the AI Risk Assessment and Treatment Procedure and obtaining the approvals defined in AI Roles, Responsibilities and Resources.

Responsible AI Principles

The following principles direct the design, acquisition, operation and retirement of every AI system in scope. Each principle is operationalized through one or more named AIMS documents, and the [AI Management System Lead] must verify, at least annually as part of the AIMS Management Review Procedure, that each principle remains adequately implemented.

Where two principles conflict in a specific deployment decision, the conflict must be escalated to the [AI Governance Committee], which must document the rationale for the chosen resolution in the meeting record.

Governance and Accountability

Top management retains ultimate accountability for the AIMS. Day-to-day governance authority is delegated as defined in AI Roles, Responsibilities and Resources, which establishes the [AI Governance Committee], the [AI Management System Lead] role, and per-system ownership. This policy does not duplicate those role definitions; it requires that they exist, remain filled, and are reviewed when the organization changes.

  • The [AI Governance Committee] must meet at least [quarterly] and must approve all changes to this policy before publication.
  • The [AI Management System Lead] must maintain the documented AIMS scope statement and present it for confirmation at each management review conducted under the AIMS Management Review Procedure.
  • Measurable AI objectives consistent with this policy must be set and tracked in accordance with the AI Objectives and Continual Improvement Procedure.
  • Conformity of the AIMS with this policy must be independently evaluated at least [annually] through the AIMS Internal Audit Procedure.
  • Every in-scope AI system must be recorded and kept current in the inventory required by the AI System Inventory and Documentation Standard before it is used in production.

Alignment with Other Organizational Policies

This policy operates alongside, and must remain consistent with, [Company Name]'s wider policy framework. The [AI Management System Lead] must perform a documented consistency check against the policies listed below whenever this policy is revised and whenever any listed policy is materially revised, and must resolve identified conflicts within [30] calendar days through the change process in Section 8.

Where another organizational policy imposes a stricter requirement than this policy for a given AI activity, the stricter requirement prevails and the conflict must still be logged for resolution.

  • [Information Security Policy]: security controls for AI infrastructure, models, pipelines and credentials, including protection of training data and model artifacts.
  • [Privacy and Data Protection Policy]: lawful basis, data subject rights and privacy impact assessment obligations for personal data processed by AI systems, coordinated with the Data Management for AI Systems Policy.
  • [Procurement and Vendor Management Policy]: due diligence and contracting requirements that the Third-Party AI Supplier and Customer Policy extends for AI-specific risks.
  • [Human Resources and Code of Conduct policies]: acceptable workplace use of AI tools, coordinated with the Responsible Use of AI Policy, and competence requirements for AI roles.
  • [Business Continuity and Incident Management Policy]: escalation interfaces with the AI Incident Response and Concern Procedure.
  • [Quality Management Policy], where applicable: testing, validation and release discipline coordinated with the AI System Life Cycle Management Policy.

— Preview ends. The full document continues with 13 more documents in the toolkit. —

Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.