ISO/IEC 42001:2023 — capability crosswalk
If your AI management system needs to evidence ISO/IEC 42001 Clauses 4 through 10 — context, leadership, planning, support, operation, performance evaluation, and improvement — here is how each clause maps to the AGLedger record, the Signed Statement chain, and the audit-export surface.
The crosswalk below is a capability mapping, not a certification. AGLedger provides the evidence pattern as a byproduct of operations; your management system provides the policies, the risk methodology, and the decisions.
Last updated: 2026-05-26 · API v0.25.4
If your AI program needs to evidence ISO 42001 Clauses 8–10, the crosswalk below applies. The same evidence pattern — signed records, hash-chained, append-only — also supports non-AI automated work under SOX, GLBA, HIPAA, and other control families that require tamper-evident audit trails for RPA, CI pipelines, and microservice handoffs. AGLedger is software you self-host; the regulations are AI-framed, but the underlying evidence pattern is not.
Clause-by-clause mapping
| Clause | AGLedger provides | Enterprise owns |
|---|---|---|
| 4 — Context of the organization | Federation and custom schemas document inter-organizational AI system boundaries. Risk level and domain classification per record. | Determining organizational context, stakeholder needs, and AI management system scope. |
| 5 — Leadership | Role-based access with principal, performer, and accessor roles. Authority scope and designation date recorded per record. | Leadership commitment, policy establishment, and role assignment decisions. |
| 6 — Planning | Record structure captures objectives, constraints, deadlines, and tolerance bounds before work begins. Risk fields per record. | Risk assessment methodology, AI objectives, and planning decisions. |
| 7 — Support | SDKs (TypeScript, Python), native API, and MCP integration. Documentation exports in JSON, CSV, and NDJSON formats. | Resource allocation, competence requirements, and communication strategy. |
| 8 — Operation | Structured lifecycle (record → completion → verdict) with a 17-state machine. Append-only audit vault records every state change. | Operational planning, control implementation, and risk treatment execution. |
| 9 — Performance evaluation | Tolerance-band enforcement on numeric criteria. Timeliness evidence on every state transition. Reputation scoring for agent reliability. Drift detection across model updates (most useful in federated deployments). Audit vault queryable for cross-record analysis of acceptance, rejection, and revision rates. | Monitoring program design, internal audit scope, management review. |
| 10 — Improvement | 3-tier dispute resolution. Remediation states and revision workflow. Full chain preserved for nonconformity analysis. | Corrective action decisions and continual improvement strategy. |
These obligations exist because automated work needs structurally durable evidence. Whether or not your jurisdiction enforces them on schedule, the engineering requirement is real today. AGLedger provides the evidence pattern; your compliance program provides the policy and process around it.