07.2 Data for development and enhancement of AI System

The organisation shall define, document and implement data management processes related to the development of AI systems. This control is essential for maintaining governance and ensuring that AI systems are managed responsibly. It should be applied consistently across all relevant organisational processes and reviewed periodically to remain effective.

Business Requirement The purpose of this control is to safeguard organisational integrity, compliance with legal and regulatory requirements, and to promote trustworthiness in AI systems. It ensures that risks are mitigated and that the organisation’s objectives for responsible AI use are achieved.

Data management can include various topics such as, but not limited to: — privacy and security implications due to the use of data, some of which can be sensitive in nature; — security and safety threats that can arise from data dependent AI system development; — transparency and explainability aspects including data provenance and the ability to provide an explanation of how data are used for determining an AI system’s output if the system requires transparency and explainability; — representativeness of training data compared to operational domain of use; — accuracy and integrity of the data. Organisations should implement this control by establishing clear procedures, assigning responsibilities, and maintaining accurate documentation. Practical steps include integrating this control into existing governance frameworks, training relevant personnel, and monitoring compliance through regular audits.