AI roles and responsibilities across the lifecycle
Primary statement
AI roles per ISO 42001 Clause 4, A.4.6 (human resources) and A.3.2 (AI roles). Define who is accountable and who is responsible across the AI lifecycle: developers, operators, deployers, oversight, risk management. Contributing frameworks alongside ISO 42001: EU AI Act and NIST AI RMF.
Audit-fatigue payoff
A unified AI RACI matrix across lifecycle phases satisfies the AI role requirements of all 3 contributing frameworks.
Strictness matrix
Scope
Scope: accountability and responsibility ACROSS AI lifecycle — risk management, impact assessment, development, deployment, monitoring, retirement.
Ceiling source: iso42001:A.3.2
Rationale: ISO 42001 A.3.2 lifecycle-wide scope is comprehensive.
Threshold
Threshold: roles defined for ALL AI lifecycle phases — not just development.
Ceiling source: iso42001:A.3.2
Rationale: ISO 42001 A.3.2 all-phases threshold is the audit-defensible specification.
Method
Method: AI RACI + per-lifecycle-phase accountability + HR records (A.4.6) + EU AI Act provider/deployer/importer/distributor role determination.
Ceiling source: iso42001:A.3.2
Rationale: ISO 42001 + EU AI Act combined are most prescriptive.
Frequency
Frequency: AI RACI review annually and on organisational change. Per-system role mapping at deployment.
Ceiling source: iso42001:A.3.2
Rationale: Annual RACI with per-deployment mapping is the cadence.
Evidence
Evidence: AI RACI matrix + HR records + per-system role mapping + EU AI Act role determination.
Ceiling source: iso42001:A.3.2
Rationale: ISO 42001 A.3.2 evidence is comprehensive.
Auditor test pattern
Step 1: Inspect AI RACI.
Step 2: Verify coverage across lifecycle.
Step 3: For one AI system, verify role mapping.
Step 4: For EU AI Act in-scope, verify role determination.
Common findings
Common findings: (1) RACI covers development but not operation/monitoring; (2) EU AI Act role determination ambiguous; (3) per-system mapping absent; (4) operator role undefined.