ISO 42001 A.6.7: Controlling AI System Updates and Changes
AI systems evolve constantly—but uncontrolled changes to models, training data, or configurations can introduce new risks and break compliance. ISO 42001 A.6.7 requires organizations to govern every change to AI systems through formal impact assessment before deployment. This control ensures your AI remains safe, compliant, and performing as intended.
What this means
This control mandates a structured change management process for all AI system modifications. Changes include updates to models, training datasets, system configuration, and operating environments. Before any change goes live, your organization must evaluate its impact on system performance, introduce new risks, and alignment with your AI governance policies. The goal is to prevent unintended consequences, data drift, model degradation, and compliance violations from propagating through your AI infrastructure.
How to comply
- 1.Document all AI systems in your inventory with their current configurations, training data sources, and model versions
- 2.Create a change management policy specific to AI systems that requires impact assessment before any modification
- 3.Establish an AI change review board or designated owner to evaluate proposed changes against risk and performance criteria
- 4.Conduct pre-deployment testing on updated models and training datasets to assess performance impact and new risk introduction
- 5.Maintain a change log that records who authorized each change, when it was implemented, and what safeguards were applied
- 6.Define rollback procedures for changes that degrade performance or introduce compliance violations
- 7.Require sign-off from compliance, security, and AI operations teams before deploying changes to production systems
Evidence auditors look for
- Change request form documenting model update with risk assessment and performance testing results
- Approved change log with dates, approvers, and justifications for AI system modifications
- Training data update record showing validation and bias testing before retraining
- Configuration change documentation with impact analysis on system behavior and compliance posture
- Rollback procedure documentation and execution logs for failed or risky changes
- AI governance policy explicitly addressing AI system change management requirements
- Meeting minutes from AI change review board approvals and risk discussions
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch tracks every AI system change, auto-generates impact assessments, and enforces approval workflows—eliminating manual spreadsheets and ensuring A.6.7 compliance audit-ready.
See how GRCWatch handles this control automatically
Start free trial