ISO/IEC 42001 attestation pack via AEF
This pack maps ISO/IEC 42001 AIMS evidence to AEF records so that an assessor can validate the control narrative and the underlying immutable evidence together.
Pack structure
| Pack section | Purpose | AEF evidence expected |
|---|---|---|
| Scope and context | define the AI management system boundary | model.proposed, vendor.intake, policy.enforced |
| Roles and approvals | prove accountability and signoff | governance.approval, waiver.granted |
| Operational controls | prove deployment, change, and retirement control | model.deployed, model.retired, incident.opened, incident.closed |
| Monitoring and measurement | prove evaluation and review cadence | run.created, run.completed, evidence.pack_exported |
| Corrective action | prove incident and remediation closure | incident.closed, exported CAPA references inside evidence packs |
Reference attestation payload
A machine-readable pack can be built from the template in templates/iso_42001_attestation_pack.json.
Each control family points to one or more AEF record ids and hashes. That lets the attestation report cite exact immutable evidence instead of prose-only assertions.
Assessment workflow
- export the relevant AEF records for the target scope
- populate the attestation pack with control-family mappings
- run the public verifier over the referenced records
- hand the pack and the verifier output to the assessor
Minimal control-family mapping
- Governance and accountability:
governance.approval - Data and lifecycle management:
run.created,run.completed - Deployment and operation:
model.deployed - Incident and improvement handling:
incident.opened,incident.closed - External dependency management:
vendor.intake