System and Computing Resources

ISO/IEC 42001 Annex A.4.5 requires organizations to formally document information about the system and computing resources utilized for the AI system as part of the overall resource identification process.

Documentation should capture the resource requirements, hardware locations such as cloud or edge environments, specific processing resources like network and storage, and the environmental impact of the hardware.

Yes, implementation guidance explicitly includes where systems are located, such as cloud computing environments, and covers processing resources which inherently include GPUs, storage networks, and managed AI platforms.

Documentation should be detailed enough to map AI workloads to their respective hardware, identify any constrained resource limits, establish the geographic or logical location of the data processing, and document associated environmental costs.

For ephemeral and autoscaling environments, organizations should document the architectural blueprints, container registries, scaling policies, and the types of resources provisioned rather than attempting to track transient instance IDs. For governance, tools like WatchDog Security's Asset Inventory can help discover and tag underlying cloud resources and relate them to AI workloads, even when instances are short-lived. WatchDog Security's Posture Management can also flag misconfigurations in the environments those policies create.

Records should be updated whenever there is a material change to the AI system's architecture, such as a shift in cloud providers or the adoption of new hardware, and formally reviewed during routine IT asset audits.

Auditors typically expect to review an updated asset inventory, infrastructure architecture diagrams, cloud environment configurations, and documented assessments regarding hardware requirements and environmental impact. Tools like WatchDog Security's Compliance Center can centralize these artifacts, request periodic refreshes, and link them directly to the ISO/IEC 42001 control for audit trails. Where supported, WatchDog Security's Asset Inventory can feed the underlying compute inventory data.

This control extends ISO 27001 asset management practices by ensuring that specific infrastructure powering AI workloads is identified and categorized, allowing organizations to leverage existing CMDBs to fulfill ISO 42001 requirements. If you do not have a mature CMDB, tools like WatchDog Security's Asset Inventory can act as a practical starting point for multi-cloud discovery and identity mapping.

Yes, the standard specifies that resources can be provided by the organization itself, its customers, or third parties, meaning that all outsourced cloud compute and third-party vendor environments must be fully documented. Tools like WatchDog Security's Vendor Risk Management can help maintain a vendor catalog, assessments, and risk-tiering for outsourced compute providers alongside the resource documentation.

Common gaps include failing to track shadow IT resources spun up by data science teams, neglecting to document edge devices running AI models, and overlooking the requirement to assess the environmental impact of computing resources.

At scale, teams struggle with incomplete inventories, inconsistent tagging, and drifting ownership across cloud and on-prem environments. Tools like WatchDog Security's Asset Inventory can automate multi-cloud discovery and identity mapping to keep a current compute register, while WatchDog Security's Compliance Center can map the resulting evidence to ISO/IEC 42001 controls and track review workflows.

Audits typically require repeatable evidence showing the inventory is current and changes are controlled over time, not a one-time snapshot. Tools like WatchDog Security's Compliance Center can centralize artifacts (inventories, diagrams, change records), schedule attestations, and maintain an audit trail that ties updates back to Annex A.4.5 requirements.