exact.works
RegistryBrief BankLog inSign up
Trust Center

ISO 42006 Certification Body Positioning

exact.works provides conformity assessment infrastructure for ISO 42006-accredited certification bodies evaluating AI management systems under ISO 42001.

Positioning

Infrastructure, not certification body.

exact.works produces structured, tamper-evident audit evidence for use by certification bodies. We record conformity observations — we do not issue certificates.

ISO 42006ISO 42001ISO 17021-1

ISO/IEC 42006:2025 specifies requirements for bodies providing audit and certification of AI management systems established under ISO/IEC 42001. exact.works occupies the third role in this three-party model: infrastructure that supports evidence collection and traceability. Consistent with ISO 17000:2020 Section 4.5, we distinguish between the conformity assessment activity and the body making the attestation.


Requirement Mapping

Seven ISO 42006 requirements mapped.

Each requirement area mapped to exact.works platform capabilities, with gaps identified.

Requirement 1

Impartiality

ALIGNED
ISO 42006 Requirement

The certification body must demonstrate structural impartiality — freedom from commercial, financial, or other pressures that could compromise objectivity.

exact.works Mechanism

exact.works operates as a structurally neutral Platform Provider in a three-party contractual model (Buyer, AI Provider, Platform Provider). The SAISA explicitly establishes Platform Provider neutrality at Section 1.4(c). Revenue is transaction-based, not outcome-based. APEX-BG conformity observations are produced algorithmically against declared behavioral profiles.

Requirement 2

Technical Competence

ALIGNED
ISO 42006 Requirement

The certification body must possess competence in AI management systems, including understanding of AI lifecycle processes and risk management.

exact.works Mechanism

APEX-BG encodes AI lifecycle knowledge structurally. The platform maps 38 ISO 42001 Annex A controls with platform-specific evidence paths. The AgentDeclaration schema requires AI Providers to declare behavioral profiles, external dependencies, and HITL configuration.

Gap

Auditor competence under ISO 42006 Section 7 refers to human auditors. exact.works encodes domain knowledge in gate logic but does not assess human auditor qualifications.

Requirement 3

Audit Methodology

ALIGNED
ISO 42006 Requirement

The certification body must apply a defined audit methodology covering planning, execution, and reporting of AI management system audits.

exact.works Mechanism

APEX-BG implements a three-gate exacting sequence: C-1 (pre-deployment conformity), C-2 (contract-time conformity), C-3 (post-execution conformity). Each gate produces conformity observations with an observationBasis[] documenting the evidence supporting each observation.

Requirement 4

Conformity Evidence

ALIGNED
ISO 42006 Requirement

The certification body must make certification decisions based on sufficient, appropriate audit evidence with traceable records.

exact.works Mechanism

exact.works produces conformity observations — factual records that evidence whether transaction characteristics conform to declared parameters. The CONFORMITY_OBSERVATION_RECORDED entry creates a persistent, hash-chained record. The final attestation produces a summary conformity record for the complete transaction lifecycle.

Requirement 5

Surveillance

ALIGNED
ISO 42006 Requirement

The certification body must conduct surveillance activities to verify ongoing conformity at planned intervals.

exact.works Mechanism

exact.works implements continuous runtime surveillance rather than periodic surveillance. Runtime monitoring produces entries at approximately 30-second intervals during active execution, with deviation detection triggering escalation through a graduated status sequence (CLEAR, FLAGGED, SUSPENDED, ESCALATED, CLEARED).

Requirement 6

Complaints and Appeals

PARTIAL
ISO 42006 Requirement

The certification body must have a documented process for handling complaints and appeals related to certification activities.

exact.works Mechanism

exact.works implements dispute resolution through the Parler system, a tricameral in-camera review process using three independent AI evaluators. Dispute resolution is governed by SAISA Article 7.

Gap

Parler resolves contractual disputes between Buyers and AI Providers. Complaints against the Platform Provider itself are outside scope. Customer's certification body must maintain its own complaints and appeals process.

Requirement 7

Evidence Management

ALIGNED
ISO 42006 Requirement

The certification body must maintain records with integrity, confidentiality, and retrievability.

exact.works Mechanism

The Trace system provides tamper-evident evidence management: SHA-256 hash chain links each entry to its predecessor, two-sided acknowledgment prevents unilateral modification, and structured entry types ensure evidence is categorized and retrievable by lifecycle phase.


Limitations

What exact.works does NOT do.

Issue ISO 42001 certificates

The platform records conformity observations. Certification decisions rest with the customer's ISO 42006-accredited certification body.

Replace an accredited certification body

APEX-BG produces structured audit evidence. It does not perform certification body functions defined in ISO/IEC 17021-1:2015.

Assess auditor competence

Technical competence of human auditors is the obligation of the customer's certification body. We encode domain knowledge, not assess qualifications.

Perform management system audits

We observe and record conformity of individual AI agent transactions. We do not audit the broader AI management system that ISO 42001 requires.


Analogy

ISDA for AI agent transactions.

exact.works occupies an analogous position in the AI agent transaction market to what ISDA infrastructure provides for derivatives markets. ISDA does not act as a counterparty or regulator; it provides the standardized contractual framework (the Master Agreement), documentation architecture, and definitional infrastructure that makes transparent, auditable transactions possible at scale. Similarly, exact.works provides the Standard AI Service Agreement (SAISA), the APEX-BG conformity observation engine, and the Trace evidence infrastructure that makes conformity assessment of AI agent transactions possible. A certification body uses exact.works Trace records and conformity observations as audit evidence in the same way a financial auditor uses ISDA-standardized documentation as evidence of transaction compliance.

Back to Trust CenterAPEX-BG Scoring
exact.works

Platform

  • SAISA
  • Paper
  • Oath
  • Trace
  • APEX-BG
  • Parler

Capabilities

  • Ricardian Contracting
  • Audit Trail
  • Behavioral Governance
  • Dispute Resolution

Offerings

  • Government
  • Financial
  • Legal
  • Healthcare
  • Enterprise
  • Infrastructure

Registry & Tools

  • Registry
  • Brief Bank
  • Repositories
  • API
  • Documentation

Company

  • About
  • Newsroom
  • Trust
  • Governance
  • Careers
  • Contact

Every AI agent needs a service agreement.

© 2026 exact.works, Inc. Delaware C-Corp.
PrivacyTerms