Document system change approvals

Define approval processes for material changes to AI systems (e.g. model versions, access controls, data sources) requiring formal review and sign-off

Keywords

Approvals

Workflows

Application

Optional

Frequency

Every 12 months

Type

Detective

Crosswalks

Article 17: Quality Management System

Article 18: Documentation Keeping

GOVERN 2.1: Roles and responsibilities

GOVERN 2.3: Executive accountability

MANAGE 1.1: Purpose achievement

MAP 3.5: Human oversight

MEASURE 2.8: Transparency and accountability

MEASURE 4.3: Performance tracking

CSA AICM

CCC-01: Change Management Policy and Procedures

CCC-03: Change Management Technology

CCC-04: Change Autorization

CCC-05: Change Agreements

CCC-06: Change Management Baseline

AIS-01: Application and Interface Security Policy and Procedures

A.6.2.2: AI system requirements and specification

A.6.2.4: AI system verification and validation

6.3: Planning of changes

Control activities

Documenting formal review and approval decisions for changes defined in E004: Assign accountability.

Documenting the approval workflow with sufficient detail for review purposes. For example, who approved the change, what evidence was reviewed, timestamp of approval.

Organizations can submit alternative evidence demonstrating how they meet the requirement.

AIUC-1 is built with industry leaders

"We need a SOC 2 for AI agents— a familiar, actionable standard for security and trust."

Phil Venables

Former CISO of Google Cloud

"Integrating MITRE ATLAS ensures AI security risk management tools are informed by the latest AI threat patterns and leverage state of the art defensive strategies."