ISO/IEC 42001:2023 — AI Management Systems.
Issuer: International Organization for Standardization · Year: 2023
Scope: Any organisation that provides, develops, or uses AI systems — irrespective of sector. The first formal AI-MS (Artificial Intelligence Management System) standard, structured similarly to ISO 27001 with Annex A controls.
What KYE Protocol™ supplies
ISO/IEC 42001 sets an organisation-level governance framework for AI: policies, roles, risk + impact assessments, design + development, third-party data + AI, and continual improvement. KYE Protocol™ supplies the runtime artefacts that prove every Annex A control is operationally enforced, not just policy-declared.
Per-clause control mapping
| ISO/IEC 42001:2023 clause | KYE Protocol™ binding |
|---|---|
| A.2 — AI policy | Operating Model — signed canonical artefact declaring purpose, scope, principal, agent classes. |
| A.3 — Internal organisation | Authority Engine — Delegation, Grant, Graph, Gate, Revocation as named sub-engines. |
| A.4 — Resources for AI systems | Entity Registry — every model, capability, dataset is an identified entity with a KYEID. |
| A.5 — Assessing impacts of AI | KYE Risk Engine™ — deterministic risk scoring with framework-aware precedence. The scoring construction and precedence rule are part of the patent track and are not disclosed in this repository. |
| A.6 — AI system life cycle | KYE State Engine™ — multi-dimension state vector + signed transitions; full lifecycle as signed events. |
| A.7 — Data for AI systems | KYE Data Classification Engine™ + data-flow graph. The classification rule and graph construction are part of the patent track and are not disclosed in this repository. |
| A.8 — Information for interested parties | Replay Proof™ — anyone with the publisher's JWKS can re-derive any decision offline. The construction is part of the patent track and is not disclosed in this repository. |
| A.9 — Use of AI systems | Purpose Permission™ — every action cites a granted purpose. The admissibility check is part of the patent track and is not disclosed in this repository. |
| A.10 — Third-party + customer relationships | Sub-processor manifest + delegation chain across trust domains. |
Every binding above resolves to a canonical KYE Protocol™ artefact (engine, schema, audit event, or patent claim). The full per-control register is published in the conformance repo at github.com/KYE-Protocol/app/tree/main/internal.
What an auditor / regulator gets
- Replay Proof™ — re-derive any decision offline using only the publisher’s published JWKS. No back-channel to the KYE™ project.
- Evidence Pack™ — sealed, signed, replayable container of decisions + bound rules + audit-chain anchors.
- Conformance Pack — 133-fixture black-box test suite; signed `kye.conformance_report.v1` envelope.
- Audit Chain — per-tenant WORM-anchored audit chain; the specific multi-tier immutability construction is part of the patent track and is not disclosed here.
- Compliance Attestation — per-framework signed `kye.compliance.attestation.v1` envelopes (90-day cadence).