
Q262 — ISO/IEC 42001 — definition, example, and why it matters in RAIDT

Answer

ISO/IEC 42001 is the international standard that frames AI governance as an AI management system. In the RAIDT papers, it is treated as a certifiable organisational standard requiring policies, defined roles, documented information, internal controls, internal audit, management review, corrective action, and continual improvement. This matters because it moves AI governance away from aspiration alone and into the ordinary language of organisational control. However, the papers also note a practical limit: ISO/IEC 42001 increases the expectation that governance should be routinised, documented, monitored, and reviewable, but it does not by itself define a standard proof object for one configured generative-AI use in context.

RAIDT matters here because it supplies that missing operational layer. It keeps the run as the unit of governance and translates system-level expectations into inspectable artefacts: a run-level evidence pack, a score profile, and scoring across the five pillars (Responsibility, Auditability, Interpretability, Dependability, Traceability). The anchors 1=missing / 3=partial / 5=audit-ready make the evidence interpretable for auditors and managers, while preserving trade-offs across the full profile. This is especially important because influence methods used as governance interventions can alter outputs and evidence conditions at run time. In practice, ISO/IEC 42001 can govern the organisation's AI management system, and RAIDT can show whether a specific use within that system was actually documented, reviewable, and challengeable.

Practical example

A bank uses generative AI to draft an adverse-action explanation after a credit refusal. ISO/IEC 42001 requires clear governance around roles, communication, documented information, and review. RAIDT operationalises that requirement by capturing a run-level evidence pack with the decision reason codes, the explanation template identifier, the linked policy fields, any uncertainty statement, and the human review step before the letter is sent. The score profile then shows whether Responsibility, Interpretability, and Traceability are strong enough for this high-impact communication.

If the explanation is fluent but the underlying reason codes or policy links are missing, the run may be understandable on the surface yet remain below the audit-ready standard. Using the anchors 1=missing / 3=partial / 5=audit-ready, the bank can show precisely why the run falls short and what must change before similar letters are used again.
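The evidence-pack check described above, as an added example that is not part of the RAIDT papers: it scores a constructed adverse-action run against the 1/3/5 anchors and names what is absent. The mapping of evidence items to pillars is an assumption made for this illustration, not a RAIDT definition.

```python
# Added illustration (not RAIDT's own code): score a run-level evidence pack for
# the adverse-action letter against the anchors 1=missing / 3=partial / 5=audit-ready.
# The field-to-pillar mapping below is an assumption for this example.
MISSING, PARTIAL, AUDIT_READY = 1, 3, 5
PILLARS = ("Responsibility", "Auditability", "Interpretability",
           "Dependability", "Traceability")

# Assumed mapping: the evidence items each pillar expects for this high-impact letter.
EXPECTED = {
    "Responsibility":   ["human_review", "policy_links"],
    "Auditability":     ["reason_codes", "human_review"],
    "Interpretability": ["reason_codes", "uncertainty_statement"],
    "Dependability":    ["template_id", "uncertainty_statement"],
    "Traceability":     ["template_id", "policy_links", "reason_codes"],
}

def anchor(pack: dict, items: list) -> int:
    """Map the presence of expected items onto one of the three anchors."""
    present = sum(1 for k in items if pack.get(k))  # empty list/str/None count as missing
    if present == len(items):
        return AUDIT_READY
    return MISSING if present == 0 else PARTIAL

def score_profile(pack: dict) -> dict:
    """Keep the full five-pillar profile; no single aggregate score hides trade-offs."""
    return {p: anchor(pack, EXPECTED[p]) for p in PILLARS}

def shortfalls(pack: dict) -> dict:
    """For every pillar below audit-ready, name the evidence that is absent."""
    return {p: [k for k in EXPECTED[p] if not pack.get(k)]
            for p, s in score_profile(pack).items() if s < AUDIT_READY}

# Constructed sample packs; identifiers are placeholders, not real bank data.
COMPLETE_RUN = {
    "reason_codes": ["RC-DTI-HIGH", "RC-HISTORY-SHORT"],
    "template_id": "adverse-action-v3",
    "policy_links": ["credit-policy-4.2"],
    "uncertainty_statement": "Model confidence band stated in letter.",
    "human_review": {"reviewer": "analyst-01", "approved": True},
}
# Fluent letter, but the reason codes and policy links were never captured.
FLUENT_BUT_THIN = {**COMPLETE_RUN, "reason_codes": [], "policy_links": []}

if __name__ == "__main__":
    print(score_profile(FLUENT_BUT_THIN))
    print(shortfalls(FLUENT_BUT_THIN))
```

Only Dependability stays at 5 for the thin run; the other four pillars drop to 3, and `shortfalls` lists exactly which captured fields would lift them.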
