AI policy and AIMS leadership commitment

Primary statement

This control covers the AI policy required by ISO 42001 Clauses 5 + 7 + A.2.4 (policy review) + EU AI Act Article 53 (GPAI provider obligations, including technical documentation) + MeitY AIGG2025.14 (regulatory sandbox participation for high-risk and novel AI) + NIST AI RMF. The AI policy + leadership commitment + resources together form the AIMS foundation.

Audit-fatigue payoff

A Board-approved AI policy + ISO 42001 AIMS leadership evidence + resource allocation satisfies AI policy requirements across all 4 contributing frameworks.

Strictness matrix

Scope
Scope: top management leadership and commitment to the AIMS, including AI policy + objectives + resources.
Ceiling source: iso42001:Cl.5
Rationale: ISO 42001 Cl.5 leadership scope is comprehensive.

Threshold
Threshold: AI policy reviewed on a planned cycle AND whenever something material changes (new regulation, new AI use case, post-incident).
Ceiling source: iso42001:A.2.4
Rationale: ISO 42001 A.2.4 review threshold is the audit-defensible specification.

Method
Method: top management leadership + AI policy approved at the appropriate management level + AIMS objectives + resources provided (Cl.7) + policy review (A.2.4) + alignment with EU AI Act Article 53 GPAI documentation + MeitY regulatory sandbox readiness.
Ceiling source: iso42001:Cl.5
Rationale: ISO 42001 Cl.5 + Cl.7 + A.2.4 combined are the most prescriptive.

Frequency
Policy review: planned cycle (annually is typical) + on material change. Leadership commitment: continuous.
Ceiling source: iso42001:A.2.4
Rationale: Annual policy review is the audit-defensible cadence.

Evidence
Evidence: AI policy + Board / top management approval + AIMS objectives + resource allocation + policy review records.
Ceiling source: iso42001:Cl.5
Rationale: ISO 42001 Cl.5 evidence is comprehensive.

Auditor test pattern

Step 1: Inspect AI policy. Step 2: Verify Board / top management approval. Step 3: Verify AIMS objectives. Step 4: Inspect resource allocation evidence. Step 5: Verify policy review cycle.

Common findings

(1) AI policy absent; (2) policy approved at IT level, not by top management; (3) resources allocated to AI development but not to AI governance; (4) policy review not triggered by regulatory change.