Combined Developer + Deployer Obligations

Organizations that both develop AI internally and deploy those systems for consequential decisions must comply with both sides of the developer/deployer split that runs through most US AI laws.

Framework controls

documentationISO/IEC 42001Clause 8 + Annex A.6
Maintain documentation throughout the AI system lifecycle including data management, system development, verification and validation, and deployment per Annex A.6 controls.
risk assessmentISO/IEC 42001Clause 6 + Annex A.5
Conduct AI system impact assessments and risk assessments addressing intended uses, deployment context, affected stakeholders, and mitigation of identified risks per Annex A.5 controls.
governanceISO/IEC 42001Clauses 4-5
Establish, implement, maintain, and continually improve an AI management system (AIMS) covering policies, leadership commitment, roles, and integration with other management systems.
governanceNIST AI RMFMANAGE 1-4
MANAGE function: prioritize and treat identified risks, allocate resources, and implement risk response strategies including mitigation, transfer, acceptance, or avoidance.
risk assessmentNIST AI RMFMEASURE 1-4
MEASURE function: assess, analyze, and monitor AI risks using both quantitative and qualitative methods, including bias evaluation, robustness testing, and explainability assessments.
risk assessmentNIST AI RMFMAP 1-5
MAP function: identify the context, intended uses, stakeholders, and risks of each AI system, including categorization of impacts on individuals, communities, and the organization.
governanceNIST AI RMFGOVERN 1-6
GOVERN function: establish policies, processes, structures, and accountability for AI risk management across the organization, including senior leadership oversight and a risk-based culture.

We may receive referral commissions from recommended compliance tools. Recommendations are based on product fit and not on commission size. Links marked “partner link” include a tracked redirect.