09.2 Processes for responsible use of AI systems

The organisation shall define and document the processes for the responsible use of AI systems. This control is essential for maintaining governance and ensuring that AI systems are managed responsibly. It should be applied consistently across all relevant organisational processes and reviewed periodically to remain effective.

Business Requirement The purpose of this control is to safeguard organisational integrity, compliance with legal and regulatory requirements, and to promote trustworthiness in AI systems. It ensures that risks are mitigated and that the organisation’s objectives for responsible AI use are achieved.

Depending on its context, the organisation can have many considerations for determining whether to use a particular AI system. Whether the AI system is developed by the organisation itself or sourced from a third party, the organisation should be clear on what these considerations are and develop policies to address them. Some examples are: — required approvals; — cost (including for ongoing monitoring and maintenance); — approved sourcing requirements; — legal requirements applicable to the organisation. Where the organisation has accepted policies for the use of other systems, assets, etc., these policies can be incorporated if desired. Organisations should implement this control by establishing clear procedures, assigning responsibilities, and maintaining accurate documentation. Practical steps include integrating this control into existing governance frameworks, training relevant personnel, and monitoring compliance through regular audits.