Maintain audit and assurance readiness.
HumanWox helps governance teams maintain the records, reviews, evidence and decisions required for ISO/IEC 42001 and ongoing assurance across their AI systems.
| AI system | Owner | Risk | Lifecycle |
|---|---|---|---|
| Underwriting Assistant | R. Patel | High | In production |
| Claims Triage Model | M. Owen | High | In production |
| Fraud Signal Scoring | S. Ahmed | Limited | In review |
| Broker Copilot | J. Byrne | Limited | Piloting |
- Evidence expires in 6 daysUnderwriting Assistant
- Control test overdueClaims Triage Model
- Deployment approval pendingBroker Copilot
Assign business, technical and risk ownership.
Register each AI system with its purpose, classification and lifecycle status. Assign the people accountable for it: a business owner, a technical owner and a risk owner, together with the reviewers responsible for oversight.
Leadership and auditors can see which systems are governed and who holds responsibility for each.
- D. Cole, Responsible AI LeadQuarterly
- L. Fernández, Internal AuditAnnually
System profile. Ownership, classification and reviewers on the record.
Keep every system current.
Keep the whole portfolio current as systems change: evidence maintained, controls tested on cadence, reviews run and risks treated across every system. The record flags what is due for review before it lapses, so nothing goes stale unnoticed.
Two facts worth stating plainly: evidence reaches Approved only once it is mapped to a requirement, and a reviewer cannot sign off work they own.
Authored by the control owner against the AI system it supports.
Submitted for review, mapped to Control C-08 and a requirement it addresses.
An independent reviewer verifies the mapping. Reviewers cannot sign off work they own.
Approved only once mapped to a requirement. Hash, version and review date recorded.
- Control testBias review, Q2in 4 days
- Evidence reviewModel Test Report v4in 6 days
- DecisionDeployment approvaloverdue by 2 days
- Risk treatmentData drift assessmentin 11 days
- Evidence reviewData Governance Policyin 21 days
Audit readiness is maintained through a governance record that connects each AI system to its accountable owners, applicable risks and controls, supporting evidence and decision history.
Make governance verifiable.
Produce a report the auditor, the customer and the board can each rely on, drawn from the same record. Every assurance report is signed and independently timestamped, and the reader verifies it themselves at verify.humanwox.com with no login and no account.
Framework coverage is calculated from the risks, controls and evidence the team already maintains, and shows gaps honestly rather than a flattering percentage.
- Scope
- Systems, risks, controls, evidence, decisions
- Signed by
- HumanWox, on behalf of the organisation
- Timestamp
- eIDAS advanced, 10 Apr 2026 14:22 UTC
- Manifest
- sha-256 · 9c1a…f8d2
- Verify at
- verify.humanwox.com/r/UA-2026-04
- Clause 4, Context8 covered1 partial0 gap
- Clause 5, Leadership5 covered2 partial0 gap
- Clause 6, Planning6 covered1 partial2 gap
- Clause 7, Support9 covered2 partial1 gap
- Clause 8, Operation11 covered3 partial2 gap
- Clause 9, Evaluation4 covered2 partial1 gap
- Clause 10, Improvement3 covered1 partial0 gap
Identify unregistered AI use.
Discover the AI systems in use, including those never registered, through identity-provider scanning and attestation campaigns, and bring them onto the record.
External systems can post events in through an authenticated API, so new AI activity surfaces as work rather than going unnoticed.
- IdP scanGitHub Copilot for Engineering142 users
- AttestationSales-side pricing scriptDeclared by 3 teams
- Events APIClaims summarisation prototypePosted by MLOps
- IdP scanNotion AI, workspace-wide318 users
Discovery surfaces new AI activity as work, not as noise.
Guidance for the record.
Practical guides, briefings and research on maintaining audit and assurance readiness across ISO/IEC 42001 and adjacent frameworks.
The AI Accountability Playbook
How to maintain a trusted record of AI systems, ownership, risk, evidence, decisions and oversight. Includes the five records every organisation needs and a 7-day starter plan.
What is an AI system record and why does it matter
The single object every governance framework now expects you to maintain.
The governance record explained
How ownership, evidence, and review fit together across the AI lifecycle.
Register your AI systems and start the record.
Register each system, assign its business, technical and risk owners, and begin maintaining the evidence, reviews and decisions required for audit and assurance.
Practical intelligence for AI governance teams.
Monthly analysis of audit readiness, assurance requirements, governance failures and the operating practices emerging across the field.

