GRCWatch
Sign inStart free trial

ISO 42001 A.11.5: AI Safety Controls and Risk Management

AI safety isn't optional—it's a foundational control under ISO 42001. A.11.5 requires your organization to systematically assess and manage the risks your AI systems pose to people, the environment, and critical infrastructure. Without proportionate safety controls in place, you're exposed to operational, reputational, and regulatory risk.

What this means

This control mandates that organizations implement safeguards ensuring AI systems operate safely and predictably. You must identify potential harms—from bias and data poisoning to system failures and unexpected behaviors—and implement controls proportionate to each AI system's risk level. Safety measures should cover failure modes, degradation scenarios, and scenarios where the AI behaves outside its intended parameters. The control recognizes that different AI applications carry different risk levels and require different safety approaches.

How to comply

  1. 1.Conduct AI risk assessments for each AI system in your organization, identifying potential harms to people, environment, and critical systems
  2. 2.Classify AI systems by risk level (low, medium, high) based on the severity and probability of potential harm
  3. 3.Design and implement safety controls proportionate to each system's risk classification
  4. 4.Document failure modes and unexpected behavior scenarios for each AI system
  5. 5.Establish monitoring and testing protocols to detect unsafe behavior in production
  6. 6.Create incident response procedures for AI system failures or safety violations
  7. 7.Review and update safety controls regularly as AI systems evolve or are retrained

Evidence auditors look for

  • AI risk assessment reports documenting identified harms and risk classifications
  • Safety control matrices mapping controls to specific AI systems and risk levels
  • System failure mode analysis and mitigation documentation
  • Monitoring logs and test results demonstrating safe AI behavior in production
  • Incident reports and remediation records for AI safety issues
  • Control review and update records showing ongoing management of AI safety

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates AI risk assessment and safety control mapping across your systems, generates compliance documentation, and tracks safety incidents—reducing the manual work of managing A.11.5 compliance.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 42001 A.11.1 - AI System GovernanceISO 42001 A.11.2 - AI System Design and DevelopmentISO 42001 A.11.3 - AI System DocumentationISO 42001 A.11.4 - AI System Testing and Validation