Overview & objectives

ISO/IEC 42001 requires organisations to determine and provide the competencies needed for roles that affect AI risk, safety, and compliance. This framework defines roles, learning objectives, curricula, assessments, and evidence records so auditors can verify that people are competent to perform assigned duties within the AIMS.

Roles & competency matrix

• Authorising Officer (AO): sets appetite, signs waivers, chairs governance. Competencies: legal/regulatory awareness, risk trade-offs, accountability.
• AIMS Manager: runs audits, risk register, evidence, training programme. Competencies: ISO management systems, audit, metrics, CAPA.
• AI Product Owner: business outcomes, release approvals. Competencies: lifecycle controls, evaluation gates, oversight patterns.
• ML Engineer / Data Scientist: design/build/evaluate. Competencies: data governance, eval design, robustness, fairness, security basics.
• Data Steward: lineage, minimisation, DSR responses. Competencies: GDPR/UK GDPR, retention, provenance.
• Human-Oversight Operator (HOTL/HITL): intervene/rollback. Competencies: thresholds, UI playbooks, escalation, recordkeeping.
• Security Engineer: threat modelling, red teaming, secrets, egress controls. Competencies: prompt-injection, data exfiltration, attack sims.
• Privacy/Legal: lawful basis, DPIA, transparency, contracts. Competencies: sector overlays, cross-border, AI clauses.
• Exec/Board: accountability, performance review. Competencies: KPIs, appetite, regulatory strategy.

Curricula (role-based)

• AIMS Fundamentals (all staff): AI risks, acceptable use, transparency, incident reporting, data handling basics. 1–2 hrs, annual refresh.
• ML/DS Core: data minimisation, licensing/provenance, eval design (safety/fairness/robustness), drift detection, model cards, reproducibility. 6–8 hrs + lab.
• Human Oversight: thresholds, override/rollback drills, audit logging, fatigue management, bias awareness. 3–4 hrs + scenarios.
• Security for AI: threat modelling, prompt injection, output filtering, egress allowlists, secrets, dependency risk. 4 hrs + tabletop.
• Privacy & Legal: GDPR/UK GDPR, DPIA, rights management, cross-border, sector overlays, AI clauses. 4 hrs.
• Governance for POs & AO: appetite, waivers, Release Board, KPI reading, management review. 2–3 hrs.

Onboarding pathways

• Day 0–7: AIMS Fundamentals + privacy/security basics; sign acceptable use + role charter.
• Day 8–30: role curriculum (labs/drills) + shadowing + supervised changes only.
• Day 31–60: assessed task; evaluator signs competence; add to shift/on-call (where applicable).

Delivery & assessment

• Methods: e-learning, live workshops, labs, tabletop exercises, red-team days, drills.
• Assessments: short quizzes (pass ≥80%), practical labs with acceptance criteria, scenario-based evaluations for oversight operators.
• Sign-off: assessor records outcome → AIMS Manager verifies → competence status updated.

Records, evidence & retention

• Training & Competence Register: person, role(s), modules completed, score, assessor, date, renewal.
• Evidence: completion certificates, quiz exports, lab artefacts (screenshots, notebooks), drill reports.
• Access linkage: competence gates tool access (e.g., production deploy rights require “ML/DS Core” + “Security for AI”).
• Retention: 3 years or per policy; immutable snapshots per audit cycle.

Effectiveness & KPIs

• Coverage: % staff in role with current certification.
• Outcome metrics: incident rate per K sessions, time-to-rollback, evaluation pass rates, fairness drift reductions.
• Audit outcomes: training-related NCs, repeat findings, CAPA closure time.
• Skill depth: scenario performance for oversight drills (target ≥90% correct escalations).

Refreshers, drills & certification

• Annual refreshers: fundamentals for all; role modules every 12–24 months based on risk.
• Quarterly drills: oversight rollback, incident tabletop, prompt-injection red-team.
• Revocation: failed assessment or lapsed renewal → suspend high-risk privileges until re-certified.

Templates & examples

Role: Human-Oversight Operator (HOTL/HITL)
Objectives:
  - Recognise risk thresholds; perform rollbacks; document rationale.
Curriculum:
  - Oversight patterns (2h), UI drills (2h), escalation playbook (1h)
Assessment:
  - Scenario exam ≥80%; live rollback drill within 60s; complete audit log
Renewal: 12 months  |  Approver: Oversight Lead
  

Common pitfalls & fixes

• One-time training only: add refreshers + drills tied to incidents and model releases.
• Generic e-learning: add hands-on labs and role scenarios; connect to access privileges.
• Evidence gaps: store immutable proof (exports, screenshots) and link to audits.
• Unclear ownership: assign AIMS Manager to maintain register; each role has an approver.

Implementation checklist

• Roles defined with competency objectives and renewal cycles.
• Curricula published; labs/drills prepared; assessors assigned.
• Training & Competence Register live; linked to access control.
• Assessment criteria documented; pass thresholds set.
• KPIs tracked and reviewed in management review.
• Immutable evidence stored and retained per policy.

Glossary (quick ref)

• HITL/HOTL: Human-in/over-the-loop oversight patterns enabling intervention or rollback.
• CAPA: Corrective and Preventive Actions to remediate root causes and prevent recurrence.
• AIMS: AI Management System (ISO/IEC 42001).

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 07 Nov 2025 • This page is general guidance, not legal advice.