GRCWatch
Sign inStart free trial

ISO 42001 A.6.1: AI System Design Controls

A.6.1 requires you to embed risk management into AI system design from the ground up. This control ensures your organization proactively addresses intended use, potential misuse, and human oversight—before deployment. For SMBs deploying AI internally or customer-facing, this is where compliance begins.

What this means

Control A.6.1 mandates that organizations establish design-stage controls governing AI system development. Your AI systems must be designed with clear objectives, documented risk treatment strategies, and explicit safeguards. The control spans six key areas: defining intended use and scope, identifying potential misuse scenarios, specifying data requirements and quality standards, establishing human oversight and intervention points, setting explainability thresholds for model decisions, and defining performance and accuracy criteria aligned to your risk profile. This isn't post-deployment monitoring—it's architectural governance at the design phase.

How to comply

  1. 1.Document intended use cases for each AI system, including scope, user roles, and decision contexts
  2. 2.Conduct AI misuse scenario analysis identifying potential harmful applications or failure modes
  3. 3.Define data quality, volume, and lineage requirements tied to system objectives and risk tolerance
  4. 4.Specify human oversight mechanisms: approval workflows, review frequencies, and escalation triggers
  5. 5.Set explainability requirements based on impact level (high-impact decisions require higher transparency)
  6. 6.Establish measurable performance criteria: accuracy thresholds, fairness metrics, and validation benchmarks
  7. 7.Document design rationale and risk decisions in an AI design specification or control matrix
  8. 8.Review design controls with stakeholders before development or procurement begins

Evidence auditors look for

  • AI system design specification document detailing intended use, misuse scenarios, and control measures
  • Data governance policy defining quality standards, labeling protocols, and bias testing for training datasets
  • Human-in-the-loop process documentation: approval requirements, review cadences, and decision logs
  • Explainability framework mapping system risk levels to transparency obligations (e.g., SHAP, LIME for high-risk models)
  • Performance validation report with accuracy, fairness, and robustness test results against defined criteria
  • Risk assessment matrix linking design decisions to specific A.6.1 control objectives
  • Vendor/tool selection checklist ensuring third-party AI systems meet your design control requirements
  • Design review meeting minutes showing stakeholder sign-off on control implementation

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates AI design control documentation by capturing intended use, misuse scenarios, and oversight workflows in a centralized repository, then tracks evidence (design specs, approval logs, performance metrics) through a single dashboard—eliminating manual spreadsheet tracking.

See how GRCWatch handles this control automatically

Start free trial

Related controls

A.5.1 – AI ObjectivesA.5.2 – AI Risk AssessmentA.6.2 – AI System DevelopmentA.7.1 – AI System Monitoring