Maintaining an ISO 42001 AI use register in HubSpot

Close the unlogged AI, missing risk assessment, and no oversight gaps.

Three AI-governance problems HubSpot solves

Teams adopt AI tools faster than anyone logs them. ISO 42001 expects an inventory of AI systems, but the real list lives in browser tabs no register has seen.

An AI use case gets approved once, then runs unwatched. Without a linked risk assessment and review date, the approval ages into something nobody can defend.

Even the agent that watches your compliance is itself AI. If it is not in the register with a human review step, your AI governance has a hole an auditor will find.

Why does the real list of AI tools never reach the register?

Each AI use case becomes a record: its purpose, owner, the data it uses, and its lifecycle stage. So a tool is logged with the context 42001 expects, not just a name on a list. The register answers what the AI does and why, not only that it exists.
Logging is tied to approval rather than left until audit. A new AI use case is recorded when someone decides to run it. The inventory grows with adoption instead of lagging behind it by a year.
The register reflects 42001's resources requirement, where AI components, data, and people are accounted for. It describes the AI you actually run. The Statement of Applicability has something real to point at.

Why does the real list of AI tools never reach the register?

Data_Library_Illustrations_Color_LightBG

Why does an approved AI use case age into a liability?

Each use case links to its risk assessment and an impact assessment where one is needed. So approval is a record with reasoning attached, not a one-off yes. When the use changes, the assessment is right there to revisit.
A review date sits on the record and a workflow surfaces it. The register prompts re-assessment before the approval goes stale. Governance becomes a cycle the system drives, not a memory someone is meant to hold.
An aged approval stops being a quiet risk. The register shows which use cases are due for review and which assessments are missing. Oversight reads a current list rather than discovering gaps under audit.

Why does an approved AI use case age into a liability?

Driven_Results_Illustrations_Color_LightBG

Why must the agent watching your compliance sit in the register too?

An AI agent that monitors your management system is itself an AI use, so it belongs in the register with a purpose, an owner, and a risk assessment. We log our own corrective-action and asset sweeps there. The watcher is governed by the thing it watches.
Every agent finding routes to a human who decides. The register records that the sweep surfaces candidates and a person closes the loop. Oversight is written into the design, not assumed.
Closing this loop turns a weakness into the demonstration. A prospect or auditor asking where your AI governance sits gets shown the register, the agent's entry, and the review step. The system proves itself rather than asserting compliance.

Why must the agent watching your compliance sit in the register too?

Name Really Great Reading

Knowledgable, Skilled, and Responsive

"Elisa's patience and fast understanding of how our business was set up, paired with Darian's (super) speedy work, making the system fit perfectly for our needs."

Jessie Collins

Director of Technology Strategy

Ready to discuss your HubSpot project?

Let's take our relationship up a level.

Simply fill in the form below...

(I'll get back to you ASAP)

Prefer another way?

FAQs

How long does it take to build an AI use register in HubSpot?

Four to six weeks. Weeks one to two model the AI use case object with purpose, owner, data sources, and lifecycle stage, and link it to risk and impact assessments. Weeks three to four import your current AI tools and record their approvals. Weeks five to six add the review-date workflow and, if you run monitoring agents, log them with their oversight steps.

Can HubSpot model AI use cases, their risk assessments, and their owners?

Yes. An AI use case is a custom object carrying purpose, owner, data sources, and stage. It associates with risk assessment and impact assessment records, so the reasoning behind an approval persists. One use case can link to several assessments over its life. PYB builds these registers so the inventory 42001 asks for is a live object, not a document that ages between reviews.

Does this meet ISO 42001's requirement to inventory and assess AI systems?

It supports the relevant Annex A controls. A.4 expects you to account for AI resources, including systems, data, and people; the use case object holds that. A.5 expects impact assessment; the linked records hold it. The register and assessments are your evidence. Your AI governance function and your auditor still decide applicability and adequacy. The system inventories and surfaces; it does not certify the AI as safe.

What HubSpot products does an AI use register need?

Custom Objects, on an Enterprise tier, model the use cases and assessment records. Operations Hub connects any monitoring agents and keeps records clean. Sales Hub or Service Hub Professional gives owners the records, review tasks, and reminders. Because 42001 builds on the same management-system structure as 27001, the register can sit alongside your existing 27001 objects in one HubSpot.

Is HubSpot a credible home for AI governance records?

HubSpot holds SOC 2 Type II and ISO 27001 certification. PYB holds ISO 42001 itself, alongside ISO 27001, ISO 9001, and HubSpot's data migration and custom integrations accreditations. For AI governance, the partner's own 42001 certification matters: we run the register pattern we build, including logging our own agents in it.