← All themesOpen in explorer →
Documentation & Records across ISO 42001, NIST AI RMF and the EU AI Act
// theme · documentation
Documentation & Records
Technical documentation, logs, evidence and traceability.
// Do once → satisfies all three
ONE technical documentation pack laid out to EU Annex IV, version-controlled, that also serves as the ISO documented information.
Annex IV is the most prescriptive - write to it once and ISO/NIST documentation duties fall out as a side effect.
ISO 42001
Cl.7.5
NIST AI RMF
GOVERN 1.4 · MAP 4.2 · MEASURE 2.1
EU AI Act
Art.11 · Art.12 · Art.18
// Evidence auditors expect
- ✓ Technical documentation pack (EU Annex IV style)
- ✓ Versioned change log for model, data and prompts
- ✓ Retention schedule for logs, datasets and decisions
- ✓ Reproducibility manifest (code, data, params, environment)
// Common pitfalls
- ⚠ Documentation written for the audit, not maintained between audits.
- ⚠ Annex IV pack missing - EU Art.11 requires it BEFORE placing on market.
- ⚠ Logs collected but never retained long enough to investigate incidents.
ISO 42001
8Cl.7.5 governs documented information across the AIMS.
Clause 7.5
Documented information
Create, control and retain documented information required by the AIMS.
Annex A.4.2
Resource documentation
Identify and document the resources (data, tooling, compute, people) needed for each AI system.
Annex A.4.4
Tooling resources
Document the tools used to develop, deploy and operate AI systems.
Annex A.5.3
Documentation of impact assessments
Document the results of AI system impact assessments and keep them available for review.
Annex A.6.2.3
Documentation of AI system design and development
Document the design and development of AI systems to support review and audit.
Annex A.6.2.7
AI system technical documentation
Produce technical documentation that describes the AI system to stakeholders and regulators.
Annex A.6.2.8
AI system recording of event logs
Record event logs from AI systems to support traceability, monitoring and incident response.
Annex A.8.2
System documentation and information for users
Provide system documentation and information so users can use the AI system correctly.
NIST AI RMF
4GOVERN 1.4 requires documenting risk-management processes and outcomes.
GOVERN 1.4
Risk management processes documented
Risk management processes and outcomes are documented and reviewed.
MAP 4.2
Internal risk controls documented
Internal risk controls for third-party AI are documented.
MEASURE 2.1
Test sets, metrics, details documented
Test sets, metrics and methodology details documented for evaluation.
MANAGE 1.3
Risk responses documented
Responses to high-priority risks documented.
EU AI Act
4Art.11 + Annex IV define a mandatory technical documentation package for high-risk AI before placing on the market.
Article 11
Technical documentation
Technical documentation drawn up before placing on market, kept up to date (Annex IV).
Article 12
Record-keeping (logs)
High-risk AI must automatically log events for traceability throughout its lifecycle.
Article 18
Documentation keeping
Providers keep technical documentation, QMS docs, declarations for 10 years.
Article 53
Obligations for providers of GPAI models
Technical docs, info to downstream providers, copyright policy, training data summary.