ISO standards offer a practical, internationally recognised foundation for responsible AI governance. By combining shared terminology (ISO 22989), AI management

Why ISO Standards Are the Foundation of Responsible AI Governance

Are you planning, developing, or already deploying an AI system to make your processes more efficient? At whatever stage of the AI lifecycle your company is, aligning with the right ISO standards can significantly improve its responsibility, compliance, and robustness. In this article, I’ll suggest four key ISO standards for AI developers and deployers.

ISO 22989 – Artificial intelligence concepts and terminology

We quite often see confusion over basic AI terminology. Even high-level industry publications may use expressions such as “AI”, “AI System” or “Artificial General Intelligence” interchangeably. There is also confusion over the difference between “AI Impact Assessment” (external effects on individuals and society) and “AI Risk Assessment” (internal organisational and operational risks) – two clearly related, yet separate, practices. Like a lighthouse in a mare magnum of misunderstood concepts and definitions, ISO 22989 sheds light on definitions and provides a shared vocabulary for AI concepts.

It is true that many principles charters, regulations or recommendations use their own definitions for the same concepts, which obviously does not help AI practitioners. ISO 22989 is a great reference point to clear up doubts and to incorporate into your AI policy. It can guide you in the drafting of your organisation’s policy by laying the terminological bedrock of your AI-related practices.

ISO 42001 – AI Management System

Once we’re clear on what AI is, it is time to build your AI system in a way that allows you to develop and deploy it safely and in a controlled way. ISO 42001 gives all the necessary tools to build an effective AI management system.

Key elements of this best-practice standard comprise:

  • Understanding the context, including the internal context (your organisation, its stakeholders, staff, partners, customers, and relevant authorities) and the external one (applicable legal and regulatory requirements, competitive landscape, etc.)
  • Determining the scope and use cases of the AI system
  • Winning the leadership’s buy-in
  • Drafting an initial but robust AI policy, with a strong focus on setting clear roles and responsibilities

At the planning stage, you may want to conduct an AI Impact Assessment that scans all the potential, foreseeable negative impacts your AI system may cause before it is deployed. These comprise impacts on individuals (or groups of individuals) and society.

Periodically throughout the AI lifecycle, there is a strong expectation for organisations to conduct AI Risk Assessments, to make sure their AI system is:

  • robust (performs as expected)
  • fair (avoids discrimination)
  • transparent and explainable
  • compliant with applicable laws and regulations
  • secure against cyberattacks
  • subject to appropriate human oversight

The AI Risk Assessment is contingent upon thorough Risk Assessment methodologies, a solid AI Risk Management program, and most importantly, continuous Risk Monitoring (inclusive of risk and performance metrics). This is why risk assessment should ideally be carried out on a regular basis (e.g., quarterly), to identify risks as soon as they arise, treat them, and limit any negative impact on individuals.

Additional areas of focus to make an AI management system truly effective are:

  • early resource planning in case of changes (particularly when resources are limited)
  • company-wide awareness and training programmes
  • accurate documentation of any information or decision relating to your AI system

On the latter point, note that if your company demonstrates precise record-keeping, this will not only aid internal audits and regulatory inquiries, but also signal your commitment to play by the rules and, ultimately, to corporate and social responsibility. Many see this as a nice-to-have today, but it is already a strong differentiator across industries.

ISO 23894 – Guidance on Risk Management

More likely than not, at some point in your career you will have heard of ISO 31000, regarded by many as the bible for risk management professionals. ISO 23894 adapts the principles and concepts of ISO 31000 to the AI environment.

Similarly to ISO 42001, this guidance emphasises the need to account for stakeholders’ expectations, achieve leadership’s buy-in, plan resources thoroughly, and set clear roles and responsibilities. In addition, this standard proposes the famous ISO 31000 risk management process, comprising:

  1. establishing the scope – understanding the context, identifying use cases and setting the relevant risk criteria
  2. risk assessment – made up of three progressive actions: risk identification, risk analysis, and risk evaluation
  3. risk treatment – deciding on the subsequent action, which may entail avoiding the risk, removing the risk source, retaining the risk or increasing it to pursue an opportunity, or sharing it through contracts or insurance agreements, where applicable.

ISO 24027 – Bias in AI Systems and AI Aided Decision Making

ISO 24027 can be considered an accessory to ISO 23894. This document provides practical guidance on how to assess the performance of an AI system, both in terms of robustness (does it match stakeholders’ expectations?) and fairness (does it unintentionally discriminate against any demographic group?). I’ve previously discussed this standard on Hackernoon, describing the key takeaways as well as the strategies recommended by the ISO to evaluate AI systems’ performance.

Because they are globally recognised, ISO standards are a great tool and a safe first step when devising corporate processes. With appropriate tailoring to your organisation’s structure and needs, they will most likely lead you to implement best practices in your business area. ISO standards focusing on AI are no exception, and there are plenty of them to help guide you and avoid the most negative societal impacts.

In a rapidly evolving regulatory environment, organisations that align early with recognised ISO standards will not only reduce legal and ethical risks but also build trust with customers, regulators, and society at large. Together, these standards form a practical and internationally recognised foundation for governing AI systems responsibly.
