Register Owner: CTO (AIMS Owner)
Co-owners: CISO, General Counsel
Effective Date: June 13, 2026
Reviewed: At each ISMS Management Review and on any material change to an AI system or applicable law
Next Review: June 13, 2027
Status — initial draft for the ISO/IEC 42001:2023 certification track. This Statement of Applicability records, for every control in Annex A of ISO/IEC 42001:2023 (38 controls across nine objective areas A.2–A.10), whether the control is applicable to Neuroscale’s AI Management System (AIMS), the justification, and the implementing policy / procedure / register. It is the AIMS analogue of the ISO/IEC 27001:2022 Statement of Applicability and is anchored in the AI Acceptable Use Policy → AI Management System.

AIMS scope statement

The AIMS covers the development, provision, deployment, and operation of Neuroscale’s AI systems — the customer-facing AI features of the Arbi platform (recruiting/sourcing, screening, ranking, and assistive features), the Aurora synthetic-media feature, Neuroscale’s own-trained and self-hosted models, and Neuroscale’s use of third-party AI models and tools. It applies to Neuroscale’s roles as provider/developer and, for internal deployment, as deployer. The AIMS operates alongside the ISMS (ISO/IEC 27001:2022) and shares its governance, risk, and management-review cadence. AI-system boundaries and subservice AI providers are as described in the AI Model Registry and the SOC 2 System Description.

How to read this SoA

  • Applicable — included in the AIMS; justification points to the implementing document.
  • Not applicable — excluded, with basis. Exclusions are minimized and reviewed each cycle.
All 38 Annex A controls are applicable to Neuroscale, reflecting its role as an AI developer and provider whose products make consequential-decision-supporting recommendations in employment contexts.
ControlTitleApplicableJustification & implementation
A.2.2AI policyYesThe AI Acceptable Use Policy is Neuroscale’s management-approved (CEO / sole member), versioned AI policy.
A.2.3Alignment with other organizational policiesYesThe AI policy cross-references and aligns with the Information Security, Risk Management, Data Management, and Secure Development policies.
A.2.4Review of the AI policyYesReviewed at least annually and on material legal/product change. AI Acceptable Use → Governance.

A.3 — Internal organization

ControlTitleApplicableJustification & implementation
A.3.2AI roles and responsibilitiesYesAIMS Owner (CTO) with CISO and General Counsel as co-owners; defined in Roles & Responsibilities → AI governance and the AIMS section.
A.3.3Reporting of concernsYesAI concerns route through the Whistleblower Policy channel, security@, and the AI risk review group. Information Security → Security incident reporting.

A.4 — Resources for AI systems

ControlTitleApplicableJustification & implementation
A.4.2Resource documentationYesThe AI Model Registry documents models, data, tooling, and compute resources per feature.
A.4.3Data resourcesYesDataset cards, sourcing provenance, and processing records. Sourcing Data Acquisition Policy; RoPA.
A.4.4Tooling resourcesYesApproved AI tools and provider terms. AI Acceptable Use → Approved tools; AI Model Registry → Provider terms.
A.4.5System and computing resourcesYesCompute/hosting documented (AWS, Vultr, Neuroscale-managed Vault); hardened baselines. Configuration Hardening.
A.4.6Human resourcesYesAI roles, competence, and training. Roles & Responsibilities; Security Awareness Training.

A.5 — Assessing impacts of AI systems

ControlTitleApplicableJustification & implementation
A.5.2AI system impact assessment processYesDPIA + EU AI Act FRIA + bias-audit form the impact-assessment process. DPIA Procedure; Employment-AI Bias-Audit Procedure.
A.5.3Documentation of AI system impact assessmentsYesImpact assessments documented in the DPIA Register and per-feature model cards.
A.5.4Assessing AI system impact on individuals or groupsYesDisparate-impact / subgroup-parity testing (4/5ths rule) and DPIA. Employment-AI Bias-Audit Procedure.
A.5.5Assessing societal impacts of AI systemsYesSocietal/abuse impacts assessed by the AI risk review group; synthetic-media abuse and election-integrity controls. AI Acceptable Use → Synthetic media of persons.

A.6 — AI system life cycle

ControlTitleApplicableJustification & implementation
A.6.1.2Objectives for responsible development of AI systemsYesAIMS objectives stated in the AIMS section.
A.6.1.3Processes for responsible design and development of AI systemsYesSecure SDLC plus AI review gates before launch. Secure Development Policy; AI Acceptable Use → AI risk review.
A.6.2.2AI system requirements and specificationYesRequirements and intended-use specification captured in model cards. AI Model Registry → Model-card schema.
A.6.2.3Documentation of AI system design and developmentYesDesign/development documented in model cards and dataset cards. AI Model Registry.
A.6.2.4AI system verification and validationYesBias/fairness evaluation, benchmarks, and pre-release testing. AI Acceptable Use → Bias, fairness, and explainability.
A.6.2.5AI system deploymentYesChange-managed deployment with AI-review approval and DPIA filing before launch. Change Management.
A.6.2.6AI system operation and monitoringYesPost-market monitoring, abuse monitoring, and log review. AI Model Registry → AIMS fields; Log Review.
A.6.2.7AI system technical documentationYesTechnical documentation (EU AI Act Annex IV-aligned) in the model registry. AI Model Registry.
A.6.2.8AI system recording of event logsYesGeneration events, inputs/outputs, and abuse signals logged per feature. AI Model Registry; Logging & Monitoring.

A.7 — Data for AI systems

ControlTitleApplicableJustification & implementation
A.7.2Data for development and enhancement of AI systemsYesTraining-data governed by the Deidentification Standard and dataset cards.
A.7.3Acquisition of dataYesSource vetting and licensing. Sourcing Data Acquisition Policy.
A.7.4Quality of data for AI systemsYesData quality, representativeness, and bias-examination (EU AI Act Art. 10-aligned). AI Acceptable Use → Training data.
A.7.5Data provenanceYesProvenance and licensing recorded in dataset cards; public summary. AI Training-Data Transparency Notice.
A.7.6Data preparationYesDeidentification and preparation steps documented per the Deidentification Standard. AI Acceptable Use.

A.8 — Information for interested parties of AI systems

ControlTitleApplicableJustification & implementation
A.8.2System documentation and information for usersYesCustomer disclosures, instructions for use, and AI-interaction disclosure. AI Interaction Disclosure template.
A.8.3External reportingYesPublic training-data and bias-audit summaries; trust center. AI Training-Data Transparency Notice; Trust Center.
A.8.4Communication of incidentsYesAI incidents handled through IR and customer communications; serious-incident reporting (EU AI Act Art. 73-aligned). Incident Response Policy; Customer Communications.
A.8.5Information for interested partiesYesCandidate- and customer-facing notices. Privacy Notice; Art. 14 Notice; Subprocessor List.

A.9 — Use of AI systems

ControlTitleApplicableJustification & implementation
A.9.2Processes for responsible use of AI systemsYesEmployee-use rules, prohibited uses, and confidential-data-with-AI controls. AI Acceptable Use → Part A.
A.9.3Objectives for responsible use of AI systemsYesResponsible-use objectives stated in the AIMS and acceptable-use policy. AI Acceptable Use.
A.9.4Intended use of AI systemsYesModel cards state intended use and uses-to-avoid; high-risk/prohibited use cases enumerated. AI Acceptable Use → High-risk and prohibited use cases.

A.10 — Third-party and customer relationships

ControlTitleApplicableJustification & implementation
A.10.2Allocating responsibilitiesYesProvider/deployer responsibilities allocated in the DPA and ToS. DPA Template; Terms of Service.
A.10.3SuppliersYesAI providers vetted; contractual no-training and data-use terms. Third-Party Management Policy; AI Model Registry → Provider terms.
A.10.4CustomersYesCustomer toolkit, deployer-obligation support, and disclosures. Terms of Service; Trust Center.

Excluded controls summary

No Annex A control is excluded. As an AI developer and provider whose products support consequential decisions in employment, every objective area applies. Where a control’s substance overlaps the ISMS (logging, incident handling, supplier management), the AIMS relies on the shared control and the ISO 27001:2022 SoA records the security dimension.

Cross-references

Version history

VersionDateDescriptionAuthorApproved by
1.0June 13, 2026Initial AIMS Statement of Applicability — all 38 Annex A controls mapped to Neuroscale policies/procedures/registers.Cameron WolfeIshan Jadhwani