Does GenZAgents satisfy ISO 42001 requirements?

Clause 8.2 — operational planning and control: the receipt feed IS the operational log. 8.3 — AI system impact assessment: receipts capture per-AI-use context (project, environment, supervising human) so impact can be evaluated post-hoc. 9.1 — monitoring, measurement, analysis: anomaly detection + dashboard analytics. 9.2 — internal audit: evidence pack generation. 10.1 — non-conformity and corrective action: dispute mechanism with multi-LLM jury.

A.5.1 — AI policy: you write the policy; receipts evidence policy enforcement. A.6.1.4 — supplier AI services: receipts capture which providers process which data. A.7.1.2 — verification and validation: receipts log validation activities (Pact-honour checks). A.8.1.1 — AI lifecycle: receipts evidence ongoing operation.

ISO 42001 is the AI Management System (AIMS) standard. Like ISO 27001's ISMS, it's about the management system, not specific controls. The receipt feed is operational evidence that the AIMS is functioning: AI uses are logged, supervised, monitored, audited. Most auditors accept this as the operational layer their checklist asks for.

ISO 42001 certification: 12-18 months greenfield, 6-9 months with existing ISO 27001 + GenZAgents. The receipt layer shortens the "operational evidence" gap from weeks of manual log assembly to days of evidence-pack generation. Several of our design partners are using us as the evidence layer for their 42001 audits scheduled in late 2026 / early 2027.

The evidence pack generator accepts a custom YAML mapping. If your auditor wants specific Annex A controls mapped specifically (because your AIMS implementation differs), customise once and the pack uses your template thereafter.

Target Q1 2027 for our own ISO 42001 certification of the GenZAgents production deployment. Building toward it via SOC 2 Type 2 (in progress) as the foundation. Will publish certification at /security when complete.