ai-compliance ai-governance ai-safety context-management crp ISO/IEC 42001:2023 Build an AI management system that auditors can follow. CRP's event-sourced architecture, risk classification, and audit exports map directly to ISO 42001 clauses and Annex A controls, so compliance evidence is produced as a side effect of normal operations.
Availability
The CRP SDK and CRP Comply are available for self-hosting today. The managed SaaS console is on the waitlist at comply.crprotocol.io .
Business value Single source of truth - risk, audit, and quality evidence live in one system. Faster certification prep - export clause-by-clause evidence with client.compliance.report(). Continuous compliance - controls are exercised on every client.complete() and client.ask() call. Cross-standard reuse - the same evidence supports ISO 42001, EU AI Act, GDPR, and NIST AI RMF. What is ISO 42001? ISO 42001 follows the Annex SL high-level structure (same as ISO 27001, ISO 9001) with AI-specific requirements. It covers:
Establishing an AI management system AI risk assessment and treatment AI system lifecycle management Responsible AI development and deployment CRP Alignment Clause 4 - Context of the Organization Requirement CRP Implementation Understanding AI-specific context 10 design axioms define protocol boundaries Interested parties and requirements Provider-agnostic design, zero lock-in Scope of the AIMS Protocol specification §1–§9
Clause 5 - Leadership Requirement CRP Implementation AI policy Elastic License 2.0 + governance framework Roles and responsibilities RBAC with OBSERVER / OPERATOR / ADMIN roles Organizational roles Security specification defines trust zones
Clause 6 - Planning Requirement CRP Implementation AI risk assessment client.compliance.classify(...) AI risk treatment Automatic mitigations per risk level AI objectives Quality tiers (S/A/B/C/D) with measurable targets
Clause 7 - Support Requirement CRP Implementation Competence Certification pathway (Education & Certification pillar) Awareness Comprehensive documentation, demo app Communication Quality reports, session status, envelope preview Documented information Event-sourced fact model, audit trails
Clause 8 - Operation Requirement CRP Implementation AI system lifecycle Session lifecycle (create → ingest → dispatch → close) AI system impact assessment Compliance classification + quality tier assessment Data management 4-tier memory hierarchy with encryption at rest AI system development 6-stage extraction, quality gates, 3-tier validation
Requirement CRP Implementation Monitoring and measurement Real-time quality scoring per window Internal audit HMAC-SHA256 audit trail with chain verification Management review client.compliance.report()
Clause 10 - Improvement Requirement CRP Implementation Nonconformity and corrective action Re-grounding on degradation, echo detection Continual improvement CKF cross-session learning, meta-learning (ORC/ICML/RTL)
Annex A - AI Controls ISO 42001 Annex A defines 39 controls across 4 domains. CRP provides technical implementation for:
Domain Controls CRP Coverage A.2 - Policies for AI 4 controls Protocol axioms, security spec A.3 - Internal organization 3 controls RBAC, trust zones A.4 - Resources for AI 4 controls Hardware-adaptive config A.5 - Assessing impacts 4 controls Compliance classification, quality tiers A.6 - AI system lifecycle 10 controls Full lifecycle management A.7 - Data for AI 5 controls Extraction pipeline, fact validation A.8 - Information for AI 4 controls Transparency declarations A.9 - Use of AI 3 controls Human oversight, session controls A.10 - Third parties 2 controls Provider-agnostic adapters
Annex B - AI Objectives ISO 42001 Annex B requires measurable AI objectives. CRP provides these through its quality system:
Objective Metric CRP Measurement Accuracy Quality tier S / A / B / C / D with degradation % Reliability Window success Quality score per window Transparency Audit completeness Chain verification (valid/broken) Fairness Bias indicators Multi-aspect decomposition balance Security Vulnerability count 8-layer security, OWASP coverage
SDK Evidence Example import crp
client = crp . SDKClient ()
client . configure ( safety_profile = "strict" )
# Map the AI system to ISO 42001 controls
classification = client . compliance . classify ( framework = "iso-42001" )
print ( classification . controls )
# Produce management-review evidence
report = client . compliance . report ( framework = "iso-42001" )
print ( report . mapped_controls )
# Verify audit integrity for internal audit
summary = client . audit . summary ()
print ( f "Chain valid: { summary . chain_valid } " )
print ( f "Entries: { summary . entry_count } " )
Integration with Other Standards ISO 42001 is designed to integrate with:
ISO 27001 (Information Security) - CRP's security layers align ISO 9001 (Quality Management) - CRP's quality tiers provide measurement ISO 31000 (Risk Management) - CRP's compliance classification follows this structure CRP's event-sourced, auditable architecture makes cross-standard compliance evidence straightforward to produce.