Register Owner: CTO (AIMS Owner)
Co-owners: CISO, General Counsel
Effective Date: June 13, 2026
Reviewed: At each ISMS Management Review and on any material change to an AI system or applicable law
Next Review: June 13, 2027
Status — initial draft for the ISO/IEC 42001:2023 certification track. This Statement of Applicability records, for every control in Annex A of ISO/IEC 42001:2023 (38 controls across nine objective areas A.2–A.10), whether the control is applicable to Neuroscale’s AI Management System (AIMS), the justification, and the implementing policy / procedure / register. It is the AIMS analogue of the ISO/IEC 27001:2022 Statement of Applicability and is anchored in the AI Acceptable Use Policy → AI Management System.
AIMS scope statement
The AIMS covers the development, provision, deployment, and operation of Neuroscale’s AI systems — the customer-facing AI features of the Arbi platform (recruiting/sourcing, screening, ranking, and assistive features), the Aurora synthetic-media feature, Neuroscale’s own-trained and self-hosted models, and Neuroscale’s use of third-party AI models and tools. It applies to Neuroscale’s roles as provider/developer and, for internal deployment, as deployer. The AIMS operates alongside the ISMS (ISO/IEC 27001:2022) and shares its governance, risk, and management-review cadence. AI-system boundaries and subservice AI providers are as described in the AI Model Registry and the SOC 2 System Description.
How to read this SoA
- Applicable — included in the AIMS; justification points to the implementing document.
- Not applicable — excluded, with basis. Exclusions are minimized and reviewed each cycle.
All 38 Annex A controls are applicable to Neuroscale, reflecting its role as an AI developer and provider whose products make consequential-decision-supporting recommendations in employment contexts.
| Control | Title | Applicable | Justification & implementation |
|---|
| A.2.2 | AI policy | Yes | The AI Acceptable Use Policy is Neuroscale’s management-approved (CEO / sole member), versioned AI policy. |
| A.2.3 | Alignment with other organizational policies | Yes | The AI policy cross-references and aligns with the Information Security, Risk Management, Data Management, and Secure Development policies. |
| A.2.4 | Review of the AI policy | Yes | Reviewed at least annually and on material legal/product change. AI Acceptable Use → Governance. |
A.3 — Internal organization
| Control | Title | Applicable | Justification & implementation |
|---|
| A.3.2 | AI roles and responsibilities | Yes | AIMS Owner (CTO) with CISO and General Counsel as co-owners; defined in Roles & Responsibilities → AI governance and the AIMS section. |
| A.3.3 | Reporting of concerns | Yes | AI concerns route through the Whistleblower Policy channel, security@, and the AI risk review group. Information Security → Security incident reporting. |
A.4 — Resources for AI systems
| Control | Title | Applicable | Justification & implementation |
|---|
| A.4.2 | Resource documentation | Yes | The AI Model Registry documents models, data, tooling, and compute resources per feature. |
| A.4.3 | Data resources | Yes | Dataset cards, sourcing provenance, and processing records. Sourcing Data Acquisition Policy; RoPA. |
| A.4.4 | Tooling resources | Yes | Approved AI tools and provider terms. AI Acceptable Use → Approved tools; AI Model Registry → Provider terms. |
| A.4.5 | System and computing resources | Yes | Compute/hosting documented (AWS, Vultr, Neuroscale-managed Vault); hardened baselines. Configuration Hardening. |
| A.4.6 | Human resources | Yes | AI roles, competence, and training. Roles & Responsibilities; Security Awareness Training. |
A.5 — Assessing impacts of AI systems
| Control | Title | Applicable | Justification & implementation |
|---|
| A.5.2 | AI system impact assessment process | Yes | DPIA + EU AI Act FRIA + bias-audit form the impact-assessment process. DPIA Procedure; Employment-AI Bias-Audit Procedure. |
| A.5.3 | Documentation of AI system impact assessments | Yes | Impact assessments documented in the DPIA Register and per-feature model cards. |
| A.5.4 | Assessing AI system impact on individuals or groups | Yes | Disparate-impact / subgroup-parity testing (4/5ths rule) and DPIA. Employment-AI Bias-Audit Procedure. |
| A.5.5 | Assessing societal impacts of AI systems | Yes | Societal/abuse impacts assessed by the AI risk review group; synthetic-media abuse and election-integrity controls. AI Acceptable Use → Synthetic media of persons. |
A.6 — AI system life cycle
| Control | Title | Applicable | Justification & implementation |
|---|
| A.6.1.2 | Objectives for responsible development of AI systems | Yes | AIMS objectives stated in the AIMS section. |
| A.6.1.3 | Processes for responsible design and development of AI systems | Yes | Secure SDLC plus AI review gates before launch. Secure Development Policy; AI Acceptable Use → AI risk review. |
| A.6.2.2 | AI system requirements and specification | Yes | Requirements and intended-use specification captured in model cards. AI Model Registry → Model-card schema. |
| A.6.2.3 | Documentation of AI system design and development | Yes | Design/development documented in model cards and dataset cards. AI Model Registry. |
| A.6.2.4 | AI system verification and validation | Yes | Bias/fairness evaluation, benchmarks, and pre-release testing. AI Acceptable Use → Bias, fairness, and explainability. |
| A.6.2.5 | AI system deployment | Yes | Change-managed deployment with AI-review approval and DPIA filing before launch. Change Management. |
| A.6.2.6 | AI system operation and monitoring | Yes | Post-market monitoring, abuse monitoring, and log review. AI Model Registry → AIMS fields; Log Review. |
| A.6.2.7 | AI system technical documentation | Yes | Technical documentation (EU AI Act Annex IV-aligned) in the model registry. AI Model Registry. |
| A.6.2.8 | AI system recording of event logs | Yes | Generation events, inputs/outputs, and abuse signals logged per feature. AI Model Registry; Logging & Monitoring. |
A.7 — Data for AI systems
| Control | Title | Applicable | Justification & implementation |
|---|
| A.7.2 | Data for development and enhancement of AI systems | Yes | Training-data governed by the Deidentification Standard and dataset cards. |
| A.7.3 | Acquisition of data | Yes | Source vetting and licensing. Sourcing Data Acquisition Policy. |
| A.7.4 | Quality of data for AI systems | Yes | Data quality, representativeness, and bias-examination (EU AI Act Art. 10-aligned). AI Acceptable Use → Training data. |
| A.7.5 | Data provenance | Yes | Provenance and licensing recorded in dataset cards; public summary. AI Training-Data Transparency Notice. |
| A.7.6 | Data preparation | Yes | Deidentification and preparation steps documented per the Deidentification Standard. AI Acceptable Use. |
| Control | Title | Applicable | Justification & implementation |
|---|
| A.8.2 | System documentation and information for users | Yes | Customer disclosures, instructions for use, and AI-interaction disclosure. AI Interaction Disclosure template. |
| A.8.3 | External reporting | Yes | Public training-data and bias-audit summaries; trust center. AI Training-Data Transparency Notice; Trust Center. |
| A.8.4 | Communication of incidents | Yes | AI incidents handled through IR and customer communications; serious-incident reporting (EU AI Act Art. 73-aligned). Incident Response Policy; Customer Communications. |
| A.8.5 | Information for interested parties | Yes | Candidate- and customer-facing notices. Privacy Notice; Art. 14 Notice; Subprocessor List. |
A.9 — Use of AI systems
| Control | Title | Applicable | Justification & implementation |
|---|
| A.9.2 | Processes for responsible use of AI systems | Yes | Employee-use rules, prohibited uses, and confidential-data-with-AI controls. AI Acceptable Use → Part A. |
| A.9.3 | Objectives for responsible use of AI systems | Yes | Responsible-use objectives stated in the AIMS and acceptable-use policy. AI Acceptable Use. |
| A.9.4 | Intended use of AI systems | Yes | Model cards state intended use and uses-to-avoid; high-risk/prohibited use cases enumerated. AI Acceptable Use → High-risk and prohibited use cases. |
A.10 — Third-party and customer relationships
| Control | Title | Applicable | Justification & implementation |
|---|
| A.10.2 | Allocating responsibilities | Yes | Provider/deployer responsibilities allocated in the DPA and ToS. DPA Template; Terms of Service. |
| A.10.3 | Suppliers | Yes | AI providers vetted; contractual no-training and data-use terms. Third-Party Management Policy; AI Model Registry → Provider terms. |
| A.10.4 | Customers | Yes | Customer toolkit, deployer-obligation support, and disclosures. Terms of Service; Trust Center. |
Excluded controls summary
No Annex A control is excluded. As an AI developer and provider whose products support consequential decisions in employment, every objective area applies. Where a control’s substance overlaps the ISMS (logging, incident handling, supplier management), the AIMS relies on the shared control and the ISO 27001:2022 SoA records the security dimension.
Cross-references
Version history
| Version | Date | Description | Author | Approved by |
|---|
| 1.0 | June 13, 2026 | Initial AIMS Statement of Applicability — all 38 Annex A controls mapped to Neuroscale policies/procedures/registers. | Cameron Wolfe | Ishan Jadhwani |