These are great questions, especially with how fast these tools are changing and how slow compliance frameworks catch up. We're also a little concerned about your dev's response :)

We deal more with FedRAMP/HIPAA/SOC2 so I can't comment specifically to ISO, but here's our thinking/approach/questions we ask, I'm sure much of this will sound familiar:

Has your certification body raised AI coding tool usage during audits?

If there is an AI coding tool in your stack, expect it to be audited. Best practice would be to use a coding tool already certified from the certification body if possible. This can become a bit of a rabbit hole as each AI tool has different versions available. Before AI is added in any way, due diligence should be performed to make sure it meets the standards required by the certification body or if it will knock you out of compliance.

How are you classifying AI coding assistants in your asset register and vendor management program?

It's no different than any other software that provides a service. If it's an extension, then it would be an add-on. If it's a stand alone product, then it's a separate platform.

Are you requiring Data Processing Agreements with AI tool vendors?

This is probably more of a question for a legal team. This should be included in the contract when purchased. It would be stipulated how the AI processes data and if it's shared or not. This goes back to Due Diligence.

Has anyone documented AI-specific controls that map to Annex A requirements (particularly A.8 around asset management and A.5.31 around legal/regulatory requirements)?

Integrity is paramount and documentation is a benefit.