ISO 42001 AI System Life Cycle Process (SDLC/MLLC Procedure for AI)
This document is a controlled Artificial Intelligence Management System (AIMS) procedure that defines how the organization governs AI systems across their full life cycle.
It translates high-level AI governance into an operational, repeatable lifecycle process so that activities such as initiation, requirements, design, development, testing, deployment, operation, monitoring, change, and retirement are planned and carried out in a consistent manner. That purpose aligns with ISO/IEC 42001, which requires the organization to establish and document the AIMS, including the processes needed and their interactions, and with ISO/IEC 5338, which defines AI system life cycle processes for the definition, control, management, execution and improvement of AI systems.
Why this Procedure is important
This procedure is important because AI systems create management challenges that a standard software lifecycle alone does not fully address.
ISO notes issues such as automated decision-making, limited transparency or explainability, data- and machine-learning-based development, and systems that can continue learning and change their behaviour during use. The introduction to ISO/IEC 42001 also highlights lifecycle-wide trustworthiness concerns such as security, safety, fairness, transparency and data quality.
A tailored AI lifecycle procedure gives the organization one controlled method for setting lifecycle stages, stage gates, required reviews, evidence points and escalation rules so these risks are handled consistently and in an audit-ready way.
What This Template Is Designed To Do
This document is used by organizations that develop, provide, integrate or use AI-based products or services, which is the intended audience of ISO/IEC 42001.
It is especially useful for Engineering Leads, product teams, data science and ML teams, MLOps or operations teams, security, privacy, procurement, risk and compliance functions that need one shared operating model for AI work. It is also highly relevant where third-party models, tools, platforms, datasets or outsourced services are involved, because ISO/IEC 42001 requires relevant externally provided processes, products and services to be controlled as part of AIMS operations.
What It Covers
AI System Life Cycle Process Template
includes the core building blocks needed for an AI lifecycle procedure, including lifecycle stages, stage-gate expectations, responsibilities, control points, handoffs, required records, and review triggers. It is structured to support the full operating journey of an AI system, including:
Lifecycle Governance
Defines the overall lifecycle model, governance principles, accountability expectations, and how the procedure applies across AI-related activities.
Roles and Responsibilities
Clarifies ownership across engineering, product, risk, compliance, security, operations, and oversight functions so responsibilities are clearly assigned and understood.
Lifecycle Stages and Gates
Provides a practical stage-based structure covering initiation, requirements, design, development, validation, deployment, operation, monitoring, change, and retirement.
Control Points and Evidence
Explains what records, reviews, decisions, and approvals should exist to demonstrate that lifecycle activities were completed as planned.
Third-Party and Outsourced Dependencies
Supports control of external tools, platforms, models, services, datasets, and suppliers that influence the AI lifecycle.
Change and Ongoing Monitoring
Helps organizations define how updates, retraining, redesign, operational issues, or significant changes are assessed and governed after deployment.
Alignment with ISO/IEC 42001
From an ISO/IEC 42001 perspective, this document aligns most strongly with Clause 8.1 Operational planning and control, which requires the organization to plan, implement and control the processes needed to meet requirements, establish process criteria, apply lifecycle-related controls, monitor control effectiveness, retain enough documented information to show work was carried out as planned, control planned changes, review unintended changes, and control externally provided processes, products and services.
It also strongly supports Clause 6.3 Planning of changes, Clause 7.1 Resources, Clause 7.2 Competence, Clause 7.5 Documented information, Clause 8.2 AI risk assessment, Clause 8.3 AI risk treatment, Clause 8.4 AI system impact assessment, and Clause 9.1 Monitoring, measurement, analysis and evaluation.
Annex A and Annex B are also relevant because the standard points organizations to reference controls and implementation guidance for operational and lifecycle-related controls.
In short
The AI System Life Cycle Process Template is a foundational AIMS procedure for any organization that wants to demonstrate that its AI systems are developed, deployed, operated and changed in a controlled, traceable and responsible way throughout the full lifecycle.
