Annex A Controls: Resources for AI Systems (A.4)
Detailed guidance on implementing Annex A controls for AI resources (A.4), covering data, tools, and computing resources with 4 controls.
Chapter Overview
This chapter covers the Resources for AI Systems domain (A.4), which ensures organizations identify and provide necessary resources throughout the AI system lifecycle. This domain contains 4 controls.
A.4 Resources for AI Systems
This domain ensures adequate resources are identified, documented, and provided for AI systems.
A.4.2 Resource Needs
| Attribute | Details |
|---|---|
| Control | Resources needed for each stage of the AI system life cycle shall be identified and addressed. |
| Purpose | Ensure adequate resources throughout AI lifecycle |
| Related Clause | 7.1 (Resources) |
Implementation Guidance
- Map resource needs to lifecycle stages
- Include human, technical, financial, and time resources
- Plan resources before project initiation
- Review resource adequacy at stage gates
- Document resource requirements and allocations
- Monitor resource utilization
Resource Types by Lifecycle Stage
| Lifecycle Stage | Resource Needs |
|---|---|
| Design | AI architects, requirements analysts, domain experts |
| Data Collection | Data engineers, storage, data acquisition budget |
| Development | ML engineers, development tools, training compute |
| Testing | QA engineers, test environments, test data |
| Deployment | DevOps engineers, production infrastructure |
| Operation | Support staff, monitoring tools, incident response |
| Monitoring | Analytics tools, dashboard developers |
| Retirement | Archive storage, transition support |
• How do you identify resource needs for AI systems?
• Show me resource planning for [specific AI project]
• How do you ensure resources are adequate at each lifecycle stage?
• What happens if resource needs exceed availability?
A.4.3 Data Resources
| Attribute | Details |
|---|---|
| Control | Data needs shall be identified, documented, and addressed for the AI system life cycle. |
| Purpose | Ensure appropriate data availability and quality |
| Related Clause | 8.1 (Operational planning and control) |
Implementation Guidance
- Identify data requirements for each AI system
- Document data sources and acquisition methods
- Assess data availability and accessibility
- Plan for data storage and management
- Address data licensing and rights
- Consider data retention and disposal
Data Resource Considerations
| Aspect | Considerations |
|---|---|
| Training Data | Volume, variety, quality, representativeness, labeling |
| Validation Data | Holdout sets, cross-validation requirements |
| Test Data | Real-world representativeness, edge cases |
| Production Data | Input data pipelines, real-time requirements |
| Reference Data | Ground truth, benchmark datasets |
| Synthetic Data | Generation methods, privacy considerations |
For each AI system, document:
• Data types required (structured, unstructured, images, text)
• Data volume requirements
• Data quality requirements
• Data sources (internal, external, third-party)
• Data acquisition method
• Data storage requirements
• Data refresh/update frequency
• Data retention period
• Legal/licensing requirements
• How do you identify data needs for AI systems?
• Show me data requirements documentation
• How do you ensure data availability?
• How do you address data licensing and rights?
• What is your data retention approach?
A.4.4 Tooling Resources
| Attribute | Details |
|---|---|
| Control | Tools needed for the AI system life cycle shall be identified, documented, and addressed. |
| Purpose | Ensure appropriate tools support AI activities |
| Related Clause | 7.1 (Resources) |
Implementation Guidance
- Inventory required tools for each lifecycle stage
- Evaluate and select appropriate tools
- Document tool selection rationale
- Ensure tool licenses and support
- Train personnel on tool usage
- Maintain tool versions and updates
AI Tooling Categories
| Category | Examples |
|---|---|
| Development | IDEs, Jupyter notebooks, version control (Git) |
| ML Frameworks | TensorFlow, PyTorch, scikit-learn |
| Data Processing | Apache Spark, pandas, data pipelines |
| MLOps | MLflow, Kubeflow, model registries |
| Testing | Unit testing, model validation tools |
| Monitoring | Model monitoring, drift detection tools |
| Explainability | SHAP, LIME, interpretation tools |
| Governance | Model cards, documentation tools |
• What tools do you use for AI development?
• How do you select and approve AI tools?
• Show me your tool inventory
• How do you ensure tool licenses are valid?
• How are tools kept up to date?
A.4.5 System and Computing Resources
| Attribute | Details |
|---|---|
| Control | System and computing resources for AI systems shall be identified, documented, and addressed. |
| Purpose | Ensure adequate infrastructure for AI systems |
| Related Clause | 7.1 (Resources) |
Implementation Guidance
- Assess computing requirements (CPU, GPU, memory, storage)
- Plan infrastructure capacity
- Consider cloud vs. on-premise options
- Document infrastructure architecture
- Plan for scalability
- Address security and compliance requirements
Computing Resource Considerations
| Resource Type | Considerations |
|---|---|
| Training Compute | GPU/TPU requirements, training time, cost |
| Inference Compute | Latency requirements, throughput, scaling |
| Storage | Data storage, model storage, backup |
| Networking | Bandwidth, latency, data transfer costs |
| Development | Development environments, notebooks, sandboxes |
| Security | Encryption, access control, isolation |
For each AI system, document:
• Compute requirements (training and inference)
• Storage requirements (data and models)
• Network requirements
• Environment requirements (dev, test, prod)
• Scaling requirements
• Availability requirements
• Security requirements
• Cost estimates
• Cloud/on-premise decision rationale
• How do you determine computing requirements for AI systems?
• Show me infrastructure documentation
• How do you handle scaling requirements?
• What is your cloud strategy for AI?
• How do you manage infrastructure costs?
Control Implementation Summary
| Control | Key Evidence | Common Gaps |
|---|---|---|
| A.4.2 Resource Needs | Resource plans, allocation records | No lifecycle-based planning |
| A.4.3 Data Resources | Data requirements docs, source inventory | Data needs not documented |
| A.4.4 Tooling | Tool inventory, selection records, licenses | No tool governance |
| A.4.5 Computing | Infrastructure docs, capacity plans | Ad-hoc infrastructure decisions |
1. Resource planning must cover the entire AI lifecycle
2. Data resources require specific documentation of needs and sources
3. Tools should be inventoried, selected with rationale, and maintained
4. Computing resources need capacity planning and architecture documentation
5. All resource types should be addressed: human, data, tools, and infrastructure