Every clause in ISO 42001 maps to a control that needs proof it's working. Auricen captures that proof automatically: signed, auditor-ready, and mapped to each clause.
Published in December 2023, ISO/IEC 42001 defines requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS). It follows the same high-level structure as ISO 27001 and ISO 9001, which means auditors will evaluate it the same way.
That means documentation alone won't pass. Auditors need evidence that each clause's controls are actually operating, not just written down. This is exactly what Auricen captures.
The standard is already in force. Early certifications began in 2024. Customer and regulatory demand is accelerating, especially from organisations already holding ISO 27001.
ISO 42001 shares the Annex SL high-level structure with ISO 27001. If you're already certified, many controls overlap, and Auricen evidence records satisfy both simultaneously.
The EU AI Act's technical requirements for high-risk AI systems align closely with ISO 42001 clauses. Certification to 42001 provides a strong basis for EU AI Act compliance.
Accredited certification bodies will audit against each clause. They need evidence records, not Word documents, that controls operated during the audit period.
This is the mapping your auditor will work from. Auricen captures evidence for every clause that requires operating proof, automatically tagged, signed, and stored.

| Clause | Requirement | Evidence Auricen captures | How captured |
|---|---|---|---|
| §4.1 | Internal and external issues: Understanding AI-related risks in your operating context | Risk Assessment, AI Interaction | Extension capture |
| §4.2 | Interested parties and requirements: Documenting stakeholder expectations for AI governance | Policy Acknowledgement | Extension capture |
| §4.3 | Scope of the AIMS: Defining which AI systems are in scope | Chatbot Discovery, AI System Inventory | Auto-discovery |

| Clause | Requirement | Evidence Auricen captures | How captured |
|---|---|---|---|
| §5.2 | AI policy: Establishing and communicating an AI governance policy | Policy Acknowledgement | Extension capture |
| §5.3 | Roles and responsibilities: Assigning AI governance roles with documented accountability | Policy Acknowledgement, Human Review | Extension capture |

| Clause | Requirement | Evidence Auricen captures | How captured |
|---|---|---|---|
| §6.1 | Risks and opportunities: AI-specific risk identification and treatment planning | Risk Assessment, Incident Report | Extension capture |
| §6.2 | AI governance objectives: Setting measurable objectives and tracking progress | Policy Acknowledgement, Model Evaluation | Extension capture |

| Clause | Requirement | Evidence Auricen captures | How captured |
|---|---|---|---|
| §8.4 | AI system inventory: Maintaining a register of all AI systems in use, including third-party | Chatbot Discovery, Deployed AI System | Auto-discovery |
| §8.5 | AI system development: Records of model selection, testing, and approval decisions | Model Evaluation, Risk Assessment | Extension capture |
| §8.6 | AI system use monitoring: Evidence that AI systems are being monitored during operation | Prompt & Response, AI Interaction | Extension capture |
| §8.7 | Human oversight: Proof that human review and override mechanisms are functioning | Human Review, Human Override | Extension capture |

| Clause | Requirement | Evidence Auricen captures | How captured |
|---|---|---|---|
| §9.1 | Monitoring, measurement, and analysis: Structured records of AI system performance over time | Model Evaluation, Risk Assessment | Extension capture |
| §9.2 | Internal audit: Evidence that internal AI governance audits were conducted | Chatbot Risk Review, Chatbot Escalation | Extension capture |
| §9.3 | Management review: Records of leadership review of the AI management system | Policy Acknowledgement, Human Review | Extension capture |

| Clause | Requirement | Evidence Auricen captures | How captured |
|---|---|---|---|
| §10.2 | Nonconformity and corrective action: Signed records of AI incidents, their investigation, and resolution | Incident Report, Human Override | Extension capture |
| §10.3 | Continual improvement: Evidence of systematic improvement actions over time | Risk Assessment, Model Evaluation | Extension capture |

| ISO 42001 requirement | With Auricen | Without Auricen |
|---|---|---|
| AI system inventory (§8.4) | ✓ Auto-discovered, signed record | Manual spreadsheet, easily outdated |
| Human oversight evidence (§8.7) | ✓ Captured per-interaction with actor and rationale | ✗ No audit trail exists |
| AI use monitoring (§8.6) | ✓ Every AI interaction captured and signed | ✗ No systematic record |
| Incident records (§10.2) | ✓ Signed incident report with full context | Email threads, no tamper-evidence |
| Risk assessment documentation (§6.1) | ✓ Structured risk assessment captured and mapped | Word documents, no chain of custody |
| Policy acknowledgement (§5.2, §5.3) | ✓ Signed per-person acknowledgement with timestamp | DocuSign or email, not compliance-mapped |
| Auditor verification | ✓ Single URL, no system access required | ✗ Evidence request back-and-forth |
| Cryptographic tamper evidence | ✓ Every record hashed and signed at capture | ✗ Not possible with manual methods |

Activate AI Gov Mode in the Chrome extension. Auricen automatically fingerprints 25 chatbot and AI vendors across any page you navigate, instantly building your §8.4 AI system inventory with signed discovery records.
For every governance-relevant AI interaction (human review, override decision, risk assessment, incident), the extension surfaces a capture panel. Evidence is mapped to the specific ISO 42001 clause automatically.
Every record has a cryptographically verifiable URL. Your auditor navigates to it: no system access, no evidence requests, no back-and-forth. The hash chain proves records haven't been altered since capture.
ISO 42001 and the EU AI Act are structurally aligned. Evidence captured for ISO 42001 §8.7 human oversight directly satisfies EU AI Act Article 14. Evidence for §8.4 AI system inventory maps to Article 6 risk classification. Auricen captures once and maps across both, saving the duplication every other approach creates.
Every day without an evidence trail is a gap your auditor will find. Auricen starts capturing the moment you install the extension.