Use case

ISO/IEC 42001 evidence for AI management systems

ISO/IEC 42001 demands operational evidence of how your AI management system runs. GenZAgents converts the receipt feed into ISO 42001 evidence for Clauses 6 (planning), 7 (support), 8 (operation), 9 (performance evaluation), and 10 (improvement).

Why ISO 42001 is the practical AI compliance benchmark

The EU AI Act tells you what to comply with; ISO 42001 tells you how to organise the management system that complies with it. Auditors increasingly prefer 42001 because it is an actionable management-system standard: they can check your processes, not just your policies. Major procurement orgs (Allianz, Siemens, NHS Supply Chain) now ask for 42001 certification as a precondition for AI vendor selection.

Clause 8.1 — operational planning and control

Auditor asks: "how do you operationally control your AI systems?" Your answer: the GenZAgents receipt feed is the operational log. Every AI tool call shows up; every human supervisor is attributed; every project tag is captured. The log is tamper-evident, not merely access-controlled: each receipt is signed, so a receipt edited after the fact no longer verifies against the issuer's key. That is the documented information 8.1 asks for to show that operational processes were carried out as planned. One caveat to raise with your own auditors: a signature proves a receipt was not altered, not that no receipt is missing, so completeness has to be checked separately (for example, by reconciling receipt counts against provider-side usage logs for the same period).

Clause 9.1 — monitoring, measurement, analysis, evaluation

Auditor asks: "what metrics do you track on your AI systems and how do you act on them?" Your answer: GenZAgents tracks cost per agent, per project and per provider; the receipt rate (anomalies trigger alerts); per-author attribution; and the dispute rate. The /admin/analytics page surfaces these as time series. Each alerted anomaly produces a documented response action, which is the "act on them" half of the question.

Clause 9.2 — internal audit

Auditor asks: "how do you internally audit your AI systems?" Your answer: the receipt feed plus the auto-generated evidence pack. Internal auditors can verify any individual receipt's signature with stock openssl (no proprietary tooling required), query the dashboard for control-relevant slices, and export filtered receipts as CSV for manual review.

Clause 10.2 — nonconformity and corrective action

Auditor asks: "what happens when something goes wrong with an AI system?" Your answer: GenZAgents has a built-in dispute flow. Any stakeholder can dispute a receipt; the dispute creates an audit trail through the Multi-LLM Jury (Tier 1) or escalates to human review (Tier 2) or an arbitrator (Tier 3). The disposition of each dispute is evidence of how the nonconformity was handled. Note that 10.2 also expects a review of the cause and a check that the corrective action worked; record those alongside the disposition rather than relying on the dispute record alone.

Getting 42001 certified — typical timeline

Pre-existing ISO 27001 + GenZAgents deployed → 6-9 months to certification. Greenfield (no 27001 base) → 12-18 months. The GenZAgents component shortens the "operational evidence" gap from months of manual log assembly to days of evidence-pack generation. Several of our design partners are using us as the evidence layer for their 42001 audits scheduled in late 2026.

Common questions

Is GenZAgents itself ISO 42001 certified?

We're pursuing 42001 certification for our own production deployment (target: Q1 2027). Our SOC 2 Type 1 is complete; SOC 2 Type 2 audit is in progress. See /security for current status.

Can the evidence pack be used in lieu of a separate internal audit?

No — internal audit is a process activity, not a document. The evidence pack provides the data; your internal auditor still has to do the review. The pack reduces the auditor's data-gathering time from days to minutes.

Do you support custom ISO 42001 control mappings?

Yes — the evidence pack generator accepts a custom mapping YAML, so you can map your receipt types to the specific 42001 Annex A controls you have selected in your Statement of Applicability.

Does this help with NIST AI RMF too?

Indirectly. NIST AI RMF is a US framework, but the same evidence base (receipts) maps onto its Govern, Map, Measure and Manage functions. A direct NIST AI RMF mapping is on the roadmap (v0.8).

Get the trust layer for your AI work

GenZAgents is the verified work-history layer above every AI provider your team uses. Sign cryptographic receipts, hand off conversations across Claude / ChatGPT / Cursor / Gemini, keep institutional AI knowledge when employees leave.