Home · Synthesis · cl-ai-data-governance

AI data governance — provenance, preparation, external reporting

DPDPA ISO 27701 ISO 42001 CERT-In EU AI Act MeitY AI NIST AI RMF

Primary statement

AI data governance operates per ISO 42001 + DPDPA + emerging frameworks: (1) data provenance — tracking where each dataset came from and what has happened (creation, updates, transformations, validation, transfers, sharing) (ISO 42001 A.7.5); (2) data preparation techniques documented as acceptable/not acceptable per use (ISO 42001 A.7.6); (3) external reporting mechanism for problems / complaints / unexpected behaviour (ISO 42001 A.8.3); (4) DPDPA reasonable security safeguards (Section 8(5)) extended to AI processing; (5) DPDPA Section 9 children's data protection extended to AI training; (6) DPDPA breach notification extended to AI-related incidents.

Audit-fatigue payoff

A unified AI data governance programme — provenance tracking + preparation standards + external reporting channel + DPDPA-aligned safeguards — satisfies AI data requirements across all 7 contributing frameworks. ISO 42001 IS the AI-specific audit standard; DPDPA extends the regulatory layer.

Strictness matrix

Scope

Scope: ALL datasets used in AI systems — training, validation, test, evaluation, fine-tuning, inference. Provenance tracking across the full data lifecycle including third-party data sources. Ceiling source: iso42001:A.7.5 Rationale: ISO 42001 A.7.5 full-lifecycle provenance scope is the most comprehensive AI-specific scope.

Threshold

Threshold for data preparation: documented determination of which techniques are ACCEPTABLE and which are NOT — per use case. Threshold is binary: technique on the acceptable list or not. Ceiling source: iso42001:A.7.6 Rationale: ISO 42001 A.7.6 acceptable/not-acceptable threshold is the binary specification.

Method

Method: (1) data provenance tracking per dataset (source, lineage, transformations) per A.7.5; (2) data preparation standards (acceptable/not acceptable techniques per use) per A.7.6; (3) external reporting channel for AI-related problems (A.8.3); (4) DPDPA reasonable security safeguards (Section 8(5)) applied to AI processing; (5) DPDPA Section 9 children's data protection in training data; (6) personal data breach notification extended to AI incidents (DPDPA DPDP.8); (7) data subject rights extended to AI (access, correction, erasure of training data — DPDPA DPDP.9). Ceiling source: iso42001:A.7.5 Rationale: ISO 42001 A.7.5 + A.7.6 + A.8.3 combined with DPDPA extensions form the most comprehensive method.

Frequency

Provenance tracking: continuous (per dataset event). Preparation standards review: annual + on new technique adoption. External reporting channel: continuously available. AI data governance audit: annual minimum. Ceiling source: iso42001:A.7.5 Rationale: Continuous provenance tracking with annual standards review is the audit-defensible cadence.

Evidence

Required evidence: (1) data provenance register per dataset; (2) preparation standards document (acceptable/not acceptable techniques); (3) external reporting channel evidence + sample reports handled (A.8.3); (4) DPDPA Section 8(5) safeguards extension to AI; (5) children's data exclusion / protection in training data (DPDPA Section 9); (6) AI incident breach notification evidence; (7) data subject rights extension to AI training data. Ceiling source: iso42001:A.7.5 Rationale: ISO 42001 A.7.5 evidence with provenance register is uniquely strict for AI systems.

Auditor test pattern

Step 1: Inspect the data provenance register. Step 2: Sample 1 dataset and trace provenance from source through transformations. Step 3: Inspect preparation standards (A.7.6) — acceptable/not acceptable. Step 4: Inspect the external reporting channel (A.8.3); sample one report handled. Step 5: For DPDPA-scope processing, verify Section 8(5) safeguards. Step 6: Verify children's data protection in training data. Step 7: Verify data subject rights apply to AI training data.

Common findings

Common 2024–26 findings: (1) Data provenance tracked at file level but not transformation level; (2) Preparation standards absent — techniques ad-hoc per data scientist; (3) External reporting channel absent or buried in privacy policy; (4) DPDPA safeguards designed for non-AI processing; AI-specific gaps; (5) Children's data not excluded from training; (6) Data subject erasure does not propagate to AI models — machine unlearning absent.