AIUC-1
E013

Implement quality management system

Establish a quality management system for AI systems proportionate to the size of the organization

Keywords: EU, Quality management, Regulatory
Application: Optional
Frequency: Every 12 months
Type: Preventative
Crosswalks
Article 9: Risk Management System
Article 10: Data and Data Governance
Article 11: Technical Documentation
Article 12: Record-Keeping
Article 16: Obligations of Providers of High-Risk AI Systems
Article 17: Quality Management System
Article 18: Documentation Keeping
Article 19: Automatically Generated Logs
Article 26: Obligations of Deployers of High-Risk AI Systems
Article 43: Conformity Assessment
Article 72: Post-Market Monitoring by Providers and Post-Market Monitoring Plan for High-Risk AI Systems
Article 73: Reporting of Serious Incidents
GOVERN 1.4: Risk management governance
GOVERN 1.3: Risk management processes
A.5.2: AI system impact assessment process
A.6.2.7: AI system technical documentation
A.5.3: Documentation of AI system impact assessments
A.5.4: Assessing AI system impact on individuals or groups of individuals
A.4.2: Resource documentation
4.4: AI management system
6.1.4: AI system impact assessment
7.1: Resources
7.5.1: Documented information — General
8.1: Operational planning and control
8.4: AI system impact assessment
A.6.2.3: Documentation of AI system design and development
9.1: Monitoring, measurement, analysis and evaluation
10.1: Continual improvement
10.2: Nonconformity and corrective action
AIS-01: Application and Interface Security Policy and Procedures
AIS-03: Application Security Metrics
BCR-02: Risk Assessment and Impact Analysis
DSP-09: Data Protection Impact Assessment
GRC-02: Risk Management Program
GRC-10: AI Impact Assessment
MDS-02: Model Artifact Scanning
A&A-05: Audit Management Process
I&S-02: Capacity and Resource Planning
CCC-02: Quality Testing
TVM-01: Threat and Vulnerability Management Policy and Procedures
TVM-02: Malware and Malicious Instructions Protection Policy and Procedure
SEF-01: Security Incident Management Policy and Procedures
E013.1 Documentation: Quality objectives and risk management

Defining quality objectives, metrics, and a risk management approach for AI systems. For example, establishing performance targets, safety thresholds, risk assessment methodologies, and measurement processes appropriate to the system's risk level.

Documentation showing quality objectives, metrics, and the risk management approach. This may include a quality metrics dashboard or reports, risk assessment documentation for AI systems, performance targets and safety thresholds, or measurement methodologies defining how quality is evaluated.

Internal policies
Universal
E013.2 Documentation: Change management procedures

Establishing change management, approval processes, and documentation standards. For example, defining review and approval requirements for AI system changes, assigning accountability for quality decisions, and documenting design and development procedures.

Documentation showing change management and approval processes. This may include change approval workflows or procedures, a RACI matrix assigning accountability for quality decisions, design and development procedure documents, or documentation standards and templates for AI systems. May be fulfilled by evidence submitted to E004: Assign accountability.

Internal policies
Universal
E013.3 Config: Issue tracking and monitoring

Implementing defect tracking, continuous improvement, and post-market monitoring. For example, maintaining issue tracking systems, conducting root cause analysis, documenting corrective actions, and establishing post-market monitoring processes.

Screenshot of the issue tracking system or monitoring records. This may include an issue tracker (Jira, Linear, GitHub) with defects and corrective actions, root cause analysis reports, post-market monitoring logs or dashboards, or continuous improvement documentation showing lessons learned.

Engineering Tooling
Universal
E013.4 Documentation: Data management procedures

Establishing data management and record-keeping systems. For example, documenting data governance procedures, maintaining technical documentation, and implementing record retention policies for model training data and system outputs.

Documentation showing data management and record-keeping practices. This may include data governance policies, technical documentation standards, record retention procedures, or data lineage tracking systems for training data and system outputs.

Internal policies
Universal
E013.5 Documentation: Stakeholder communication procedures

Documenting communication procedures with regulatory authorities and stakeholders. For example, establishing protocols for regulatory reporting, stakeholder notifications for incidents, and procedures for interactions with authorities.

Procedures document or communication protocols. This may include incident reporting templates or protocols for regulatory authorities, stakeholder notification procedures for serious incidents, guidelines for interacting with competent authorities or notified bodies, or escalation procedures for regulatory communications.

Internal processes
Universal

Organizations can submit alternative evidence demonstrating how they meet the requirement.

AIUC-1 is built with industry leaders

"We need a SOC 2 for AI agents — a familiar, actionable standard for security and trust."
Phil Venables, Former CISO of Google Cloud

"Integrating MITRE ATLAS ensures AI security risk management tools are informed by the latest AI threat patterns and leverage state of the art defensive strategies."
Dr. Christina Liaghati, MITRE ATLAS lead, MITRE

"Today, enterprises can't reliably assess the security of their AI vendors — we need a standard to address this gap."
Hyrum Anderson, Senior Director, Security & AI, Cisco

"Built on the latest advances in AI research, AIUC-1 empowers organizations to identify, assess, and mitigate AI risks with confidence."
Prof. Sanmi Koyejo, Lead for Stanford Trustworthy AI Research, Stanford

"AIUC-1 standardizes how AI is adopted. That's powerful."
John Bautista, Partner at Orrick

"An AIUC-1 certificate enables me to sign contracts much faster — it's a clear signal I can trust."
Lena Smart, Head of Trust for SecurityPal and former CISO of MongoDB