
Running a surveillance audit

A surveillance audit for ISO 42001 assesses the ongoing conformity of the AI management system (AIMS) after certification. These audits are typically conducted annually and usually cover 25–50% of the scope assessed during the Stage 2 audit; over the three-year certification cycle, the surveillance audits collectively review the entire AIMS before recertification. Each surveillance audit verifies continual improvement (clause 10), new risks, and changes since the last audit, using internal or external auditors.

Preparation steps: align with your internal audit program (clause 9.2), but scale it to meet certification body expectations.
  • Update evidence packs: Refresh model cards, risk registers, monitoring logs, oversight records, and incident reports for the sampled AI systems.
  • Review changes: Document new AI models, risk treatments, incidents, and management review outcomes since the prior audit.
  • Self-assess: Run a gap analysis against prior findings, nonconformities, and Annex A controls using checklists.
Audit execution: 1–3 days, on-site or remote, focusing on effectiveness rather than completeness.
  • Auditor sampling: Auditors typically sample approximately 20–30% of AI systems, prioritising those with higher risk profiles or recent changes, and trace lifecycle evidence end-to-end.
  • Interviews: Conducted with AI and ML teams, governance owners, and leadership to discuss recent improvements, control effectiveness, and ongoing challenges.
  • Evidence review: Commonly includes live demonstrations of monitoring and drift detection, examination of recent intervention and escalation logs, and verification that corrective and preventive actions (CAPA) raised against nonconformities have been closed.
Common focus areas

Area                    What auditors check
Continual improvement   Clause 10 actions arising from incidents, audits and reviews; updated risks and impacts.
New AI systems          Lifecycle documentation, bias tests, and oversight for recent deployments.
Monitoring & incidents  Drift logs, human-in-the-loop (HITL) evidence, and root causes addressed.
Governance              Management review minutes, training refreshers.
