Managing Customers
Plain English Translation
ISO/IEC 42001 Annex A.10.4 mandates that organizations ensure their responsible AI practices align with customer expectations and needs. This involves clearly communicating the intended use, limitations, and operational domains of the AI system to prevent misunderstandings and misplaced reliance. By establishing robust channels for customer feedback, managing consent, and setting clear contractual requirements, organizations foster trust and ensure continuous alignment with customer requirements.
Technical Implementation
Required Actions (startup)
- Draft clear terms of service and user guides explaining what the AI does and its limitations.
- Implement basic feedback mechanisms for users to report incorrect AI outputs.
Required Actions (scaleup)
- Develop comprehensive AI transparency disclosures and integrate them into the user journey.
- Establish formal SLAs detailing AI uptime, performance expectations, and data usage policies.
Required Actions (enterprise)
- Implement automated consent and opt-out management for AI features across all product lines.
- Integrate AI complaint resolution workflows directly into enterprise customer support ticketing systems.
ISO/IEC 42001 Annex A.10.4 requires the organization to ensure that its responsible approach to the development and use of AI systems considers customer expectations and needs. This involves understanding what the customer expects from the product and ensuring those needs are met safely and transparently.
Organizations document customer expectations during the design and engineering phases, or in the form of contractual requirements and general usage agreements. This includes defining clear requirements for the product or service itself to ensure the AI system aligns with what is expected and agreed upon.
Customer-facing disclosures must clearly explain the intended use of the AI system, its limitations, and any potential risks. Organizations should provide appropriate information, such as the limits of the domain in which the AI system is valid, to prevent misuse or misplaced reliance on AI outputs.
Organizations align AI behavior with SLAs by establishing rigorous performance testing and monitoring against defined metrics both before and after deployment. If an AI system operates within a customer environment, regular reporting on performance, error rates, and uptime gives the customer transparency and demonstrates adherence to contractual commitments.
Auditors expect to see documented evidence of customer requirements, signed contractual clauses, terms of service agreements, and user guides. Additionally, logs demonstrating how customer feedback, complaints, and consent are systematically managed serve as key evidence for ISO 42001 customer management controls. Tools like WatchDog Security's Compliance Center can help map these artifacts to ISO/IEC 42001 controls and streamline evidence collection for audits.
Organizations should establish accessible feedback channels, such as a grievance redressal register or dedicated support workflows, specifically for AI outputs. Customer complaints regarding unexpected behavior, bias, or errors must be systematically reviewed, addressed through corrective actions, and used to continuously improve the AI system. Tools like WatchDog Security's Risk Register can be used to log customer-reported AI risks, assign treatment actions, and track closure with supporting evidence.
When communicating AI incidents or significant model changes, organizations should promptly issue notices detailing the impact, affected systems, and remediation steps. Standard operating procedures should dictate the timeline and method of notification to ensure customers can understand changes and adjust their use accordingly.
Governance controls include mandatory cross-functional reviews of all marketing and external communications regarding AI capabilities. By ensuring that system documentation and public statements accurately reflect the validated capabilities and limitations of the AI, organizations prevent overpromising and maintain trust.
Managing customer consent requires integrating granular opt-in and opt-out mechanisms directly into the user interface, particularly concerning data usage for model training. Organizations must maintain a consent management record to ensure that customer choices regarding AI features are respected and legally compliant.
Ongoing customer expectations are monitored through regular surveys, user behavior analytics, and review of support tickets. As the AI system's capabilities or use cases evolve, the organization must continually revisit its customer management strategies and update user documentation to reflect changing realities and user needs.
Managing customers often breaks down when disclosures, SLAs, and user guidance drift across versions and channels. Tools like WatchDog Security's Policy Management can help maintain controlled, versioned customer-facing statements, while WatchDog Security's Trust Center can help publish approved materials to customers with access controls and audit logs.
Customers often request consistent, up-to-date assurance artifacts (e.g., governance summaries, policies, and incident communications) and evidence of responsible AI practices. Tools like WatchDog Security's Trust Center can provide a customer-facing portal with evidence sync and granular access controls, and WatchDog Security's Compliance Center can help organize and map evidence to ISO/IEC 42001 controls for audit-ready sharing.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |