ISO standard
ISO/IEC 42001
The first ISO standard for managing AI systems. The auditor does not just want a policy document that says "we control our AI". They want evidence that the controls actually ran. IntentGate is that evidence: every agent decision is logged, signed, and replayable from the audit chain, and recorded against the specific Annex A clause it answers. The table below maps each clause to the gateway output.
Obligation to evidence
| Obligation | IntentGate output |
|---|---|
| A.6.2 — AI system impact assessment | Per-call evidence the impact controls are being applied at runtime |
| A.7 — data for AI systems | Inputs to the agent captured in the audit row; lineage queryable |
| A.8 — information for interested parties | Operator console with per-agent view; export on the data subject's request |
| A.9.2 — processes for responsible use of AI systems | Rego policy is the responsible-use rules expressed in code; evidence per call |
| Clause 9.1 — monitoring, measurement, analysis | Prometheus metrics on decision counts, latency, refusal rate by category |
| Clause 10 — improvement | Policy version pinned per decision shows the evolution of controls over time |
ISO/IEC 42001 auditors increasingly distinguish between policy on paper and policy enforced at runtime. The audit chain is what proves the latter.
Want the mapping for your specific audit?
Each organisation has a different combination of regulations and a different audit cycle. We can walk through your specific obligations in a 30-minute call.