ISO 42001 A.11.3: Managing Intellectual Property Rights in AI Systems
As your organization deploys AI systems, you must secure intellectual property rights across training data, model weights, and generated outputs. Control A.11.3 requires documented policies governing third-party AI models and open-source components—a critical gap for most SMBs navigating AI compliance.
What this means
This control requires your organization to establish comprehensive governance around IP ownership and usage rights related to AI systems. You must define who owns training data, clarify licensing for pre-trained models, manage third-party model dependencies, and document policies for AI-generated content. This includes addressing open-source AI components and ensuring your organization doesn't inadvertently infringe on external IP when deploying or fine-tuning models.
How to comply
- 1.Conduct an IP audit of all AI systems in use, including third-party models, training datasets, and model weights
- 2.Document data provenance for training datasets—verify licenses, ownership rights, and permissible use cases
- 3.Create a third-party AI model policy that covers commercial tools, open-source frameworks, and API-based services
- 4.Establish clear ownership rules: define who owns fine-tuned models, generated outputs, and derivative works
- 5.Implement license compliance scanning for open-source AI components in your deployment pipeline
- 6.Define usage restrictions and acceptable purposes for each AI system, aligned with licensing agreements
- 7.Create templates for AI vendor contracts that specify IP ownership, indemnification, and confidentiality
- 8.Document policies on employee-created AI content and outputs as organizational IP
Evidence auditors look for
- AI system inventory with license, ownership, and third-party dependency documentation
- Data sourcing agreements showing rights to training data and compliance with data licensing
- Third-party AI model policy document detailing approved tools, usage restrictions, and escalation procedures
- Open-source component manifest and license compatibility matrix
- AI-generated output ownership policy defining organizational IP claims
- Vendor contracts with IP ownership, indemnification, and restricted-use clauses
- Model fine-tuning agreements specifying derivative work ownership
- License audit logs and SBOM (Software Bill of Materials) for AI components
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates AI system inventory, tracks third-party model licenses and dependencies, and maintains version-controlled IP ownership policies—eliminating manual spreadsheet management and ensuring audit-ready documentation for A.11.3.
See how GRCWatch handles this control automatically
Start free trial