exact.works provides conformity assessment infrastructure for ISO 42006-accredited certification bodies evaluating AI management systems under ISO 42001.
exact.works produces structured, tamper-evident audit evidence for use by certification bodies. We record conformity observations — we do not issue certificates.
ISO/IEC 42006:2025 specifies requirements for bodies providing audit and certification of AI management systems established under ISO/IEC 42001. exact.works occupies the third role in this three-party model: infrastructure that supports evidence collection and traceability. Consistent with ISO 17000:2020 Section 4.5, we distinguish between the conformity assessment activity and the body making the attestation.
Each requirement area mapped to exact.works platform capabilities, with gaps identified.
The certification body must demonstrate structural impartiality — freedom from commercial, financial, or other pressures that could compromise objectivity.
exact.works operates as a structurally neutral Platform Provider in a three-party contractual model (Buyer, AI Provider, Platform Provider). The SAISA explicitly establishes Platform Provider neutrality at Section 1.4(c). Revenue is transaction-based, not outcome-based. APEX-BG conformity observations are produced algorithmically against declared behavioral profiles.
The certification body must possess competence in AI management systems, including understanding of AI lifecycle processes and risk management.
APEX-BG encodes AI lifecycle knowledge structurally. The platform maps 38 ISO 42001 Annex A controls with platform-specific evidence paths. The AgentDeclaration schema requires AI Providers to declare behavioral profiles, external dependencies, and HITL configuration.
Auditor competence under ISO 42006 Section 7 refers to human auditors. exact.works encodes domain knowledge in gate logic but does not assess human auditor qualifications.
The certification body must apply a defined audit methodology covering planning, execution, and reporting of AI management system audits.
APEX-BG implements a three-gate exacting sequence: C-1 (pre-deployment conformity), C-2 (contract-time conformity), C-3 (post-execution conformity). Each gate produces conformity observations with an observationBasis[] documenting the evidence supporting each observation.
The certification body must make certification decisions based on sufficient, appropriate audit evidence with traceable records.
exact.works produces conformity observations — factual records that evidence whether transaction characteristics conform to declared parameters. The CONFORMITY_OBSERVATION_RECORDED entry creates a persistent, hash-chained record. The final attestation produces a summary conformity record for the complete transaction lifecycle.
The certification body must conduct surveillance activities to verify ongoing conformity at planned intervals.
exact.works implements continuous runtime surveillance rather than periodic surveillance. Runtime monitoring produces entries at approximately 30-second intervals during active execution, with deviation detection triggering escalation through a graduated status sequence (CLEAR, FLAGGED, SUSPENDED, ESCALATED, CLEARED).
The certification body must have a documented process for handling complaints and appeals related to certification activities.
exact.works implements dispute resolution through the Parler system, a tricameral in-camera review process using three independent AI evaluators. Dispute resolution is governed by SAISA Article 7.
Parler resolves contractual disputes between Buyers and AI Providers. Complaints against the Platform Provider itself are outside scope. Customer's certification body must maintain its own complaints and appeals process.
The certification body must maintain records with integrity, confidentiality, and retrievability.
The Trace system provides tamper-evident evidence management: SHA-256 hash chain links each entry to its predecessor, two-sided acknowledgment prevents unilateral modification, and structured entry types ensure evidence is categorized and retrievable by lifecycle phase.
The platform records conformity observations. Certification decisions rest with the customer's ISO 42006-accredited certification body.
APEX-BG produces structured audit evidence. It does not perform certification body functions defined in ISO/IEC 17021-1:2015.
Technical competence of human auditors is the obligation of the customer's certification body. We encode domain knowledge, not assess qualifications.
We observe and record conformity of individual AI agent transactions. We do not audit the broader AI management system that ISO 42001 requires.
exact.works occupies an analogous position in the AI agent transaction market to what ISDA infrastructure provides for derivatives markets. ISDA does not act as a counterparty or regulator; it provides the standardized contractual framework (the Master Agreement), documentation architecture, and definitional infrastructure that makes transparent, auditable transactions possible at scale. Similarly, exact.works provides the Standard AI Service Agreement (SAISA), the APEX-BG conformity observation engine, and the Trace evidence infrastructure that makes conformity assessment of AI agent transactions possible. A certification body uses exact.works Trace records and conformity observations as audit evidence in the same way a financial auditor uses ISDA-standardized documentation as evidence of transaction compliance.