aims-audit

# /cs:aims-audit — AIMS ISO 42001 Forcing Questions **Command:** `/cs:aims-audit <scope>` The ISO 42001 AIMS specialist pressure-tests any AI Management System work. Six questions before any certification commitment, internal audit cycle, or new-system onboarding. ## When to Run - Before stage 1 ISO 42001 certification audit - Before annual internal audit cycle (Clause 9.2) - When onboarding a new AI system into existing AIMS scope - When AI risk register hasn't been refreshed in > 6 months - After material model change (re-evaluate risks per Clause 6.1.2) - When audit findings hint at AIMS / ISMS / QMS duplication ## The Six AIMS Questions ### 1. Does the AIMS scope statement name every AI system? **Scope omission = certification finding.** - Including: embedded models, third-party AI services, "experimental" production systems - Run `aims_gap_analyzer.py` to verify Clause 4.3 evidence - "AI features added by SaaS vendors we use" = in scope if they affect the company's services ### 2. Does the AI policy commit to lawful use AND beneficial purpose AND human oversight AND continual improvement? **Missing any of the four = critical nonconformity at stage 1.** - AI policy is NOT info-sec policy — it has separate substantive content - Reference ISO 42001 Annex A.2.2 + Clause 5.2 - Marketing-copy "AI ethics" doesn't pass ### 3. What's the risk register coverage, and which Annex A controls treat each risk? **Risk identification without control mapping = Clause 6.1.3 fails.*...