10.4 Customers

The organisation shall ensure that its responsible approach to the development and use of AI systems considers their customer expectations and needs. This control is essential for maintaining governance and ensuring that AI systems are managed responsibly. It should be applied consistently across all relevant organisational processes and reviewed periodically to remain effective.

Business Requirement The purpose of this control is to safeguard organisational integrity, compliance with legal and regulatory requirements, and to promote trustworthiness in AI systems. It ensures that risks are mitigated and that the organisation’s objectives for responsible AI use are achieved.

The organisation should understand customer expectations and needs when it is supplying a product or service related to an AI system (i.e. when it is itself a supplier). These can come in the form of requirements for the product or service itself during a design or engineering phase, or in the form of contractual requirements or general usage agreements. One organisation can have many different types of customer relationships, and these can all have different needs and expectations. The organisation should particularly understand the complex nature of supplier and customer relationships and understand where responsibility lies with the provider of the AI system and where it lies with the customer, while still meeting needs and expectations. For example, the organisation can identify risks related to the use of its AI products and services by the customer and can decide to treat the identified risks by giving appropriate information to its customer, so that the customer can then treat the corresponding risks. As an example of appropriate information, when an AI system is valid for a certain domain of use, the limits of the domain should be communicated to the customer. See B.6.2.7 and B.8.2. Organisations should implement this control by establishing clear procedures, assigning responsibilities, and maintaining accurate documentation. Practical steps include integrating this control into existing governance frameworks, training relevant personnel, and monitoring compliance through regular audits.