Overview & rationale

ISO 42001 requires “retained documented information” (§7.5), while NIST AI RMF emphasises measurement and manageability. This system unifies these into one governed repository — capturing evidence from DevOps, audits, incidents, and risk processes. Every file, record, and dashboard snapshot is versioned, indexed, and linked to the relevant AI control or standard.

System architecture

Input Sources → CI/CD pipelines, Risk Register, PMM, CAPA, Training Logs  
  ↳ Evidence Collector (API / Script)  
  ↳ Evidence Database (Firestore / SharePoint / Cloud Storage)  
  ↳ Index Engine (Searchable Metadata + Evidence ID)  
  ↳ Audit Portal (dashboards + reports)

• Every artefact stored with Evidence ID, file hash, owner, and framework tags.
• Metadata indexed for fast retrieval during audits.
• Evidence portal allows filtered search by system, control, or standard.

Folder & metadata structure

/Evidence
  /AI_SYSTEMS
    /LLM_ComplaintsBot
      /Training
      /Validation
      /Risk_Profile
      /Audit_Reports
      /PMM
  /Controls
    /ISO_42001
    /NIST_RMF
    /EU_AI_Act
  /Incidents
  /CAPA
  /Management_Review
  

Each artefact metadata includes:

• Evidence ID: EV-YYYY-NNNN (e.g., EV-2025-0423)
• Linked Control ID: ISO§8.2 / NIST-MEASURE / EU-AI-15
• Source System: GitHub / Vertex / AIMS / Desk
• Owner: role (e.g., AI Ops Lead)
• Last Verified: date + hash

Integration with CI/CD & PMM

• Pipeline scripts upload JSON summaries, plots, and bias reports automatically to /Evidence/CI_CD.
• Post-Market Monitoring (PMM) events generate Evidence IDs automatically when logged.
• CAPA resolution or audit close-out automatically attach supporting artefacts.
• APIs allow dashboards to reference live evidence from the repository.

Audit workflow (Plan → Execute → Report)

1. Plan: Define audit scope, controls, sampling plan, and evidence sources.
2. Execute: Collect artefacts, validate metadata, test controls, record findings.
3. Report: Generate summary with Evidence IDs + Non-Conformity Log.
4. Follow-up: CAPA assignments, revalidation, and closure sign-off.

Automation & versioning

• Evidence Collector scripts run nightly, checking for new artefacts.
• Version control (v1.0, v1.1, etc.) stored via naming conventions or Git commits.
• Audit logs maintained for evidence creation, edit, and deletion.
• Checksum (SHA256) validation ensures tamper resistance.

Retention & access control

• Retention: ≥ 5 years for high-risk AI systems (EU AI Act).
• Access Control: RBAC via IAM groups (Compliance, Oversight, Developer, Auditor).
• Confidentiality levels: Public / Internal / Restricted / Regulator-View.
• Backups weekly; full restore test quarterly.

Evidence record template

Evidence ID: EV-2025-0418
Title: Bias Evaluation Report – ComplaintBot v2.3
Framework Tags: ISO§9.1 / NIST-MEASURE / EU-AI-15
Source: GitHub Action Pipeline
Owner: AI Ops Lead
Created: 2025-11-02
Last Verified: 2025-11-09
Linked Risks: AI-RSK-2025-014
CAPA Reference: CAPA-2025-003
File Hash: 9f22aa7cfe7b...
Status: Verified ✅
  

Common pitfalls & improvements

• Unlinked evidence: Always tag each file with at least one control ID.
• Manual uploads: Automate via APIs to reduce human error.
• Disorganised folders: Enforce naming conventions and folder templates.
• Stale records: Run quarterly evidence verification drives.

Implementation checklist

• Evidence repository structure approved and deployed.
• Automation scripts live and connected to CI/CD & PMM.
• Evidence ID generation and metadata schema enforced.
• Quarterly verification and hash validation in place.
• Management Review includes evidence coverage report.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 14 Nov 2025 • This page is general guidance, not legal advice.