09.4 Intended use of the AI system

The organisation shall ensure that the AI system is used according to the intended uses of the AI system and its accompanying documentation. This control is essential for maintaining governance and ensuring that AI systems are managed responsibly. It should be applied consistently across all relevant organisational processes and reviewed periodically to remain effective.

Business Requirement The purpose of this control is to safeguard organisational integrity, compliance with legal and regulatory requirements, and to promote trustworthiness in AI systems. It ensures that risks are mitigated and that the organisation’s objectives for responsible AI use are achieved.

The AI system should be deployed according to the instructions and other documentation associated with the AI system (see B.8.2). The deployment can require specific resources to support the deployment, including the need to ensure that human oversight is applied as required (see B.9.3). It can be necessary that for acceptable use of the AI system, the data that the AI system is used on aligns with the documentation associated with the AI system to ensure that the AI system performance is accurate. The operation of the AI system should be monitored (see B.6.2.6). Where the correct deployment of the AI system according to its associated instructions causes concern regarding the impact to relevant interested parties or the organisation’s legal requirements, the organisation should communicate its concerns to the relevant personnel inside the organisation as well as to any third-party suppliers of the AI system. The organisation should keep event logs or other documentation related to the deployment and operation of the AI system which can be used to demonstrate that the AI system is being used as intended or to help with communicating concerns related to the intended use of the AI system. The time period during which event logs and other documentation are kept depends on the intended use of the AI system, the organisation’s data retention policies and relevant legal requirements for data retention. Organisations should implement this control by establishing clear procedures, assigning responsibilities, and maintaining accurate documentation. Practical steps include integrating this control into existing governance frameworks, training relevant personnel, and monitoring compliance through regular audits.