Q090 — How does RAIDT align with ISO/IEC 42001?
RAIDT · Star S9 - Policy, Standards and Assurance · primary item: S9.02 · ISO/IEC 42001
RAIDT complements an AI management system by giving it a concrete run-level evidence method.
Appears in sources
qa_deck_100#slide 92 · Standards and policy interoperability
Answer
RAIDT aligns with ISO/IEC 42001 because both treat AI governance as an organisational discipline that must be evidenced, reviewed, and improved rather than merely declared. In the policy-pathways paper, ISO/IEC 42001 is presented as a certifiable AI management system built around policies, roles, controls, documented information, internal audit, management review, and continual improvement. RAIDT fits that logic by turning each materially important use of generative AI into an inspectable governance object, with the run as the unit of governance. For each such use, RAIDT produces a run-level evidence pack and a score profile, so that organisational claims about oversight, documentation, and control can be examined against preserved artefacts rather than against broad policy statements alone.
The alignment is substantive across the five pillars (Responsibility, Auditability, Interpretability, Dependability, Traceability). Responsibility maps to leadership commitment, role clarity, and escalation authority; Auditability maps to documented information, internal audit, and management review; Interpretability maps to communication quality and stakeholder-facing documentation; Dependability maps to performance monitoring, corrective action, and improvement; and Traceability maps to provenance, retention, and control of documented information. RAIDT's structured scoring, using the anchors 1=missing / 3=partial / 5=audit-ready, gives ISO/IEC 42001 a practical point of measurement: internal auditors can sample runs, identify where evidence is thin, and feed those findings into corrective action. In that sense, RAIDT does not replace the AI management system. It operationalises the management system at the point where generative-AI risk, challenge, and review actually materialise.
Practical example
In a public-service eligibility workflow, a case worker uses a generative AI tool to explain why a claimant appears ineligible for a benefit. Under ISO/IEC 42001, the organisation needs clear roles, documented controls, internal review, and a route for continual improvement. RAIDT makes those requirements operational by capturing a run-level evidence pack: the exact prompt, the policy clause and version retrieved, the model deployment, the output hash, and the reviewer decision. The score profile then shows whether the five pillars (Responsibility, Auditability, Interpretability, Dependability, Traceability) are strong enough for this use.
If the pack contains the clause text but not its version identifier, Auditability and Traceability may sit at 3 rather than 5. That gives internal audit a concrete basis for management review and corrective action. The workflow can then be amended so future runs preserve the exact policy version, moving the process towards audit-ready evidence rather than retrospective guesswork.
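The example below is added here to show how the evidence pack and score profile from the eligibility workflow above can be checked mechanically; it is illustrative code, not RAIDT's own tooling or rubric. The five pillars and the 1/3/5 anchors are taken from the page; the mapping of evidence-pack fields to pillars (`PILLAR_RULES`), the field names, and the sample pack contents are assumptions of this example. It also adds an integrity gate the page does not spell out: a preserved output hash is only useful if it still matches the preserved output, so a mismatch drops Traceability and Dependability to 1 regardless of how complete the other fields are.

```python
"""Illustrative RAIDT-style evidence-pack scorer (added example, not RAIDT's own code)."""
import hashlib
import hmac

# Score anchors as stated on the page.
MISSING, PARTIAL, AUDIT_READY = 1, 3, 5

# Assumed mapping of evidence-pack fields to pillars (hypothetical, not the
# published RAIDT rubric): "partial" fields are needed to reach 3,
# "full" fields are additionally needed to reach 5.
PILLAR_RULES = {
    "Responsibility":   {"partial": ["reviewer_decision"],
                         "full":    ["reviewer"]},
    "Auditability":     {"partial": ["policy_clause_text", "reviewer_decision"],
                         "full":    ["policy_clause_version"]},
    "Interpretability": {"partial": ["output"],
                         "full":    ["policy_clause_text"]},
    "Dependability":    {"partial": ["model_deployment", "output_hash"],
                         "full":    ["reviewer_decision"]},
    "Traceability":     {"partial": ["prompt", "model_deployment", "policy_clause_text"],
                         "full":    ["policy_clause_version", "output_hash"]},
}


def sha256_hex(text: str) -> str:
    """SHA-256 of the model output, stored in the pack as the output hash."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_pack(**fields) -> dict:
    """Assemble a run-level evidence pack; None values are treated as absent.

    The output hash is computed at capture time so later tampering with the
    preserved output is detectable.
    """
    pack = {k: v for k, v in fields.items() if v is not None}
    if "output" in pack:
        pack["output_hash"] = sha256_hex(pack["output"])
    return pack


def _present(pack: dict, key: str) -> bool:
    value = pack.get(key)
    return value is not None and str(value).strip() != ""


def hash_is_valid(pack: dict) -> bool:
    """True only if both output and hash are present and the hash still matches."""
    if not (_present(pack, "output") and _present(pack, "output_hash")):
        return False
    return hmac.compare_digest(sha256_hex(pack["output"]), pack["output_hash"])


def score_pillar(pack: dict, pillar: str) -> int:
    rules = PILLAR_RULES[pillar]
    if not all(_present(pack, k) for k in rules["partial"]):
        return MISSING
    if not all(_present(pack, k) for k in rules["full"]):
        return PARTIAL
    return AUDIT_READY


def score_profile(pack: dict) -> dict:
    """Score all five pillars, then apply the integrity gate."""
    profile = {pillar: score_pillar(pack, pillar) for pillar in PILLAR_RULES}
    if not hash_is_valid(pack):
        # A pack whose hash does not match its output is not a trustworthy
        # record of what the model produced, whatever else it contains.
        profile["Traceability"] = MISSING
        profile["Dependability"] = MISSING
    return profile


def thin_evidence(pack: dict) -> list:
    """Fields whose absence blocks a 5 somewhere: the auditor's finding list."""
    wanted = {k for r in PILLAR_RULES.values() for k in r["partial"] + r["full"]}
    return sorted(k for k in wanted if not _present(pack, k))


# Constructed sample packs for the eligibility workflow (not real case data).
FULL_PACK = build_pack(
    prompt="Explain why claimant 4471 appears ineligible under the residency rule.",
    policy_clause_text="Applicants must have been resident for 12 months.",
    policy_clause_version="eligibility-policy v3.2",
    model_deployment="gen-model-prod-2024-11",
    output="The claimant has 9 months of residency, below the 12-month requirement.",
    reviewer="case worker J. Smith",
    reviewer_decision="accepted, explanation sent to claimant",
)
# Same run captured without the policy version identifier.
NO_VERSION_PACK = dict(FULL_PACK)
del NO_VERSION_PACK["policy_clause_version"]

if __name__ == "__main__":
    for name, pack in (("full", FULL_PACK), ("no version", NO_VERSION_PACK)):
        print(name, score_profile(pack), "thin:", thin_evidence(pack))
```

With the version identifier absent, Auditability and Traceability score 3 while the other pillars stay at 5, and `thin_evidence` names `policy_clause_version` as the single gap to feed into corrective action. Editing the preserved output after capture (so the stored hash no longer matches) is reported as a Traceability and Dependability failure rather than as a complete pack.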
Sources in RAIDT papers
10-RAIDT_Policy_Pathways_M_V5016-RAIDT-Audit-Accountability_M_v05