ACR-5.02v1.1

The system operator SHALL maintain a documented AI output data policy specifying ownership of genera

Domain

05 — Domain 5: Data Privacy and Information Protection

Eval Method

EIEvidence Inspection

Risk Weight

4 / 10

Applicability

L1L2L3

Description#

The system operator SHALL maintain a documented AI output data policy specifying ownership of generated outputs, usage rights, downstream restrictions, and deletion procedures.

Evaluation Method#

EIEvidence Inspection

Compliance is evaluated through inspection of documentary evidence including architecture documents, configuration artifacts, and operational records.

v1.1 Details#

Profile Applicability

F,S,A,C

Evaluation Frequency

Annual

Platform Cert Eligible

Framework Crosswalk Refs

NIST AI RMF Map 1.5; EU AI Act Art. 13; ISO 42001 A.7.4

This is a conditional control. Non-compliance with this ACR may result in conditional certification with a mandated remediation period. The Authorized Verification Body will specify the remediation timeline and required evidence for the condition to be cleared. If remediation is not completed within the specified period, the conditional certification will be revoked.

← PreviousACR-5.01: The system operator SHALL maintain a documented AI input data policy specifying how customer, user, Next →ACR-5.03: The system SHALL classify all data it processes according to a documented sensitivity taxonomy (e.g.

The system operator SHALL maintain a documented AI output data policy specifying ownership of genera

Description#

Evaluation Method#

v1.1 Details#

Classification#