The organisation shall ensure that responsibilities within their AI system life cycle are allocated between the organisation, its partners, suppliers, customers and third parties. This control is essential for maintaining governance and ensuring that AI systems are managed responsibly. It should be applied consistently across all relevant organisational processes and reviewed periodically to remain effective.
Business Requirement

The purpose of this control is to safeguard organisational integrity, compliance with legal and regulatory requirements, and to promote trustworthiness in AI systems. It ensures that risks are mitigated and that the organisation’s objectives for responsible AI use are achieved.
In an AI system life cycle, responsibilities can be split between parties providing data, parties providing algorithms and models, and parties developing or using the AI system and being accountable with regard to some or all interested parties. The organisation should document all parties intervening in the AI system life cycle and their roles, and determine their responsibilities.

Where the organisation supplies an AI system to a third party, the organisation should ensure that it takes a responsible approach to developing the AI system. See the controls and guidance in B.6. The organisation should be able to provide the necessary documentation (see B.6.2.7 and B.8.2) for the AI system to relevant interested parties and to the third party that the organisation is supplying the AI system to.

When processed data includes PII, responsibilities are usually split between PII processors and PII controllers. ISO/IEC 29100 provides further information on PII controllers and PII processors. Where the privacy of PII is to be preserved, controls such as those described in ISO/IEC 27701 should be considered. Based on the organisation’s and AI system’s data processing activities on PII, and the organisation’s role in the application and development of the AI system throughout its life cycle, the organisation can take on the role of a PII controller (or joint PII controller), PII processor, or both.

Organisations should implement this control by establishing clear procedures, assigning responsibilities, and maintaining accurate documentation. Practical steps include integrating this control into existing governance frameworks, training relevant personnel, and monitoring compliance through regular audits.
AvISO will be updating and reviewing all the information regularly, so keep us bookmarked and keep checking!