A lot of people talk about these things as they relate to AI:

• Transparency

• Explainability

• Interpretability

But unfortunately very few define the terms or explain how to evaluate and facilitate them in a concrete way.

So I looked through:

• governance recommendations

• certification frameworks

• white papers

in circulation to see if I could surface a useful set of definitions. And most importantly, come up with actionable recommendations.

I used these six documents as the basis for my research:

1. National Institute of Standards and Technology (NIST) Artificial Intelligence (AI) Risk Management Framework (RMF)

2. ISO/IEC 42001:2023

3. European Union (EU)-United States (U.S.) Terminology and Taxonomy for Artificial Intelligence

4. The EU AI Act

5. Open Web Application Security Project (OWASP) Large Language Model (LLM) AI Cybersecurity & Governance Checklist

6. Generative AI framework for HM (United Kingdom) Government

A seventh framework I looked at, the HITRUST AI Security Certification, explicitly descopes transparency and explainability:

Responsible AI include[s] explainability, predictability, bias and fairness, safety, transparency, privacy, inclusiveness, accountability… and security. This assessment and certification aim to help organizations deploying AI nail the security pillar.

Organizations who achieve this certification will still need to navigate the additional risk areas in the Responsible AI landscape (such as AI privacy, ethics, and transparency).

The HITRUST AI Security Certification does not mention interpretability at all.

So below I look into the six remaining documents and how (if) they address the three terms as they relate to AI. I also give some concrete recommendations on how to operationalize them.

Transparency

What the frameworks say:

1. NIST AI RMF

According to the framework:

Transparency can answer the question of “what happened” in the system.

Additionally:

[t]ransparency reflects the extent to which information about an AI system and its outputs is available to individuals interacting with such a system – regardless of whether they are even aware that they are doing so.

It also says:

Transparency is often necessary for actionable redress related to AI system outputs that are incorrect or otherwise lead to negative impacts.

Not super helpful. So I turned to:

2. ISO 42001

Per Annex B.7.2:

Data management can include various topics such as…transparency and explainability aspects including data provenance and the ability to provide an explanation of how data are used for determining an AI system’s output if the system requires transparency and explainability.

According to Annex C.2.11

Transparency relates both to characteristics of an organization operating AI systems and to those systems themselves.

Still not much to go on, here. Moving on to the:

3. EU-U.S. Terminology and Taxonomy

This document only defines transparency in negative terms, under the entry for “opacity”:

When one or more features of an AI system, such as processes, the provenance of datasets, functions, output or behaviour are unavailable or incomprehensible to all stakeholders – usually an antonym for transparency.

Still not getting much help here.

4. EU AI Act

Recital 27 states:

Transparency means that AI systems are developed and used in a way that allows appropriate traceability and explainability, while making humans aware that they communicate or interact with an AI system, as well as duly informing deployers of the capabilities and limitations of that AI system and affected persons about their rights.

Article 13, “Transparency and provision of information to deployers,” requires that high-risk AI systems:

be accompanied by instructions for use in an appropriate digital format or otherwise that include concise, complete, correct and clear information that is relevant, accessible and comprehensible to deployers

This includes:

• Identity and contact information of provider and authorized representative

• System characteristics, capabilities and limitations, including:

  • Intended purpose.

  • Accuracy, including its metrics, robustness and cybersecurity against which the system has been tested and validated.

  • Any known or foreseeable circumstance which may lead to risks to health and safety or fundamental rights.

  • Technical capabilities to provide information that is relevant to explain its output.

  • Specific persons or groups of persons on which the system is intended to be used.

  • Specifications for input data, training, validation, and testing data sets.

  • Information to enable deployers to interpret the output and use it appropriately.

• Changes to system and its performance which have been pre-determined by the provider at the moment of the initial conformity assessment, if any.

• Human oversight measures.

• Computational and hardware resources needed.

• Expected lifetime.

• Necessary maintenance and care measures such software updates.

• Mechanisms allowing deployers to collect, store and interpret logs.

The full text uses the phrase “where appropriate” extensively. This makes it difficult to understand what is a hard requirement and what is at the discretion of the AI system provider or other party.

5. OWASP Checklist

The closest this document (which is specific to LLMs) gets to defining the term is by saying:

Model cards and risk cards are foundational elements for increasing the transparency, accountability, and ethical deployment of Large Language Models (LLMs). Model cards help users understand and trust AI systems by providing standardized documentation on their design, capabilities, and constraints, leading them to make educated and safe applications.

Unfortunately I still don’t have much to work with. The best answer I got was from the:

6. Generative AI framework for HM Government

Also limited to generative AI, but probably the most helpful attempt at a definition I’ve seen:

Transparency is the communication of appropriate information about an AI system to the right people.

The framework also operationalizes this definition, laying out:

What you are transparent about:

• Technical transparency: information about the technical operation of the AI system, such as the code used to create the algorithms, and the underlying datasets used to train the model.

• Process transparency: information about the design, development and deployment practices behind your generative AI solutions, and the mechanisms used to demonstrate that the solution is responsible and trustworthy. Putting in place robust reporting mechanisms, process-centred governance frameworks, and AI assurance techniques is essential for facilitating process-based transparency.

• Outcome-based transparency and explainability: the ability to clarify to any citizen using, or impacted by, a service that uses generative AI how the solution works and which factors influence its decision making and outputs, including individual-level explanations of decisions where this is requested.

How and to whom you are being transparent:

• Internal transparency: retention of up-to-date internal records on technology and processes and process-based transparency information, including records of prompts and outputs.

• Public transparency: where possible from a sensitivity and security perspective, you should be open and transparent about your department’s use of generative AI systems to the general public.

The UK government even provides an editable Google Sheets template you can use as a checklist for Algorithmic transparency, which is pretty sweet.

How I define transparency for AI

AI transparency is the disclosure of an AI system’s data sources, development processes, limitations, and operational use in a way that allows stakeholders to understand what the system does, who is responsible for it, and how it is governed—without necessarily explaining its internal logic.

How I advise clients to evaluate and implement transparency with AI:

Data disclosures

• Inventory all data sources used in model training, prompt engineering, or retrieval-augmented generation (RAG), including origin, collection methods, and licensing status.

• Provide dataset versioning and changelogs to track modifications over time.

• Clearly label synthetic / AI-generated data.

Development process documentation

• Maintain timestamped records of model iterations, including hyperparameters, architecture changes, and retraining / fine-tuning events.

• Publish a summary of key design choices explaining why specific algorithms, features, and optimizations were used.

• Disclose strategies used to mitigate undesired or unlawful biases.

Operational and governance transparency

• Maintain an AI asset inventory listing all deployed systems and their intended uses.

• Publish which single person is accountable for each system’s oversight, updates, and error handling.

• Disclose all third-party components or services integrated into the system, preferably via a software bill of materials (SBOM).

Stakeholder communication

• Create a plain-language AI system overview explaining its purpose, data sources, and governance approach.

• Provide user-accessible documentation on how AI-generated outputs are reviewed, corrected, or overridden when necessary.

• Document and communicate specific inputs which lead to unreliable outputs from the AI system (e.g., edge cases, known failure modes).

Logging, traceability, and feedback

• Maintain logs of all AI-generated outputs, including the inputs used, the confidence score assigned, and any post-processing applied.

• Ensure all logs are exportable and machine-readable for external audit and compliance purposes.

• Implement a mechanism for users to report errors, document transparency concerns, and request human review of AI outputs.

Explainability

What the frameworks say:

1. NIST AI RMF

Explainability refers to a representation of the mechanisms underlying AI systems’ operation

Explainability can answer the question of “how” a decision was made in the system.

Kind of disappointing here.

2. ISO 42001

In addition to Annex B.7.2 (above, which also address transparency), Annex C.2.11 of the standard notes:

Explainability relates to explanations of important factors influencing the AI system results that are provided to interested parties in a way understandable to humans.

3. EU-U.S. Terminology and Taxonomy

The only mention is under the definition for “Trustworthy AI,” which notes:

Characteristics of Trustworthy AI systems include: valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed

4. EU AI Act

Not defined, except that the law equates it with transparency in Recital 27.

5. OWASP Checklist

Not mentioned at all.

6. Generative AI framework for HM Government

There is substantially less content dedicated to explainability than to transparency, but the document notes:

Explainability is how much it is possible for the relevant people to access, interpret and understand the decision-making processes of an AI system.

How I define explainability for AI

AI explainability is the ability to provide human-understandable reasoning for an AI system’s outputs, describing how specific inputs influence decisions using methods like feature attribution (which quantifies the impact of each input on the final outcome), rule-based logic, or example-based reasoning.

How I advise clients to evaluate and implement explainability with AI:

Feature attribution and decision logic

• Quantify how each input feature influences AI system outputs using SHapley Additive exPlanations (SHAP), Local Interpretable Model-agnostic Explanations (LIME), or similar attribution methods.

• Document and publish feature importance rankings for all system outputs.

• Include confidence scores and reasoning traces (structured record of how an AI system arrived at a specific output) where possible.

Rule-based and example-driven explanations

• Provide human-readable rules or heuristics to approximate AI decision-making

• Publish real-world examples demonstrating how the AI processes inputs.

• Maintain a test set of counterfactual examples (only changing one key variable) to evaluate consistency in AI-generated explanations.

User-accessible explanation interfaces

• Embed interactive explanation tools allowing users to inspect why specific outputs were generated.

• Ensure explanations are presented at multiple levels (high-level summary, technical breakdown, raw attribution data).

• Provide explanations in both plain language for non-technical stakeholders and detailed metrics for AI practitioners.

Consistency and reliability validation

• Conduct adversarial testing to identify inputs that lead to inconsistent or misleading explanations.

• Benchmark AI-generated explanations against human expert justifications for similar decisions.

• Log instances where explanations fail to align with intended decision logic and iterate on improvement strategies.

Compliance and auditability

• Maintain versioned records of all model explanations and updates to ensure reproducibility.

• Provide an exportable report format for third-party inspection, including example explanations and rationale breakdowns.

Interpretability

What the frameworks say:

1. NIST AI RMF

Interpretability can answer the question of “why” a decision was made by the system and its meaning or context to the user.

[I]nterpretability refers to the meaning of AI systems’ output in the context of their designed functional purposes.

It’s difficult to disentangle this definition from explainable, unfortunately.

2. ISO 42001

The only relevant reference is in Annex B.6.2.4, which states:

The organization should define and document evaluation criteria such as…the methods, guidance or metrics to be used to evaluate whether relevant interested parties who make decisions or are subject to decisions based on the AI system outputs can adequately interpret the AI system outputs.

No definition to be found.

3. EU-U.S. Terminology and Taxonomy

Same as with explainable - it’s only mentioned under “Trustworthy AI” but not defined.

4. EU AI Act

Recital 20 states:

AI literacy should equip providers, deployers and affected persons with the necessary notions to make informed decisions regarding AI systems. Those notions…can include understanding…the suitable ways in which to interpret the AI system’s output.

Interestingly, this describes interpretation as something primarily focused on changing how humans operate (e.g. education), rather than machines.

Recital 72 states:

High-risk AI systems should be accompanied by appropriate information in the form of instructions…cover[ing] relevant human oversight measures, including the measures to facilitate the interpretation of the outputs of the AI system by the deployers.

This takes a different approach than Recital 20, describing interpretability as a characteristic of AI systems.

Otherwise, the EU AI Act - mainly in Article 13 - equates interpretability with transparency.

5. OWASP Checklist

Not mentioned at all.

6. Generative AI framework for HM Government

Without explaining what interpretability is, the UK government does provide a questionnaire to “ensure…interpretability and explainability of the results” of AI systems.

Unfortunately this document doesn’t go deep on how to evaluate interpretability and is relatively surface-level.

How I define interpretability for AI

AI interpretability is the degree to which a human can predict, trust, and understand why an AI system produces a given output based on its internal logic, mathematical relationships, or learned patterns. This means the AI system’s outputs are understandable directly from the model itself, rather than requiring additional tools, analysis, or external justifications.

For example:

• A linear regression model is inherently interpretable because its coefficients explicitly show how each input affects the output.

• A decision tree can be understood just by examining its structure. Each decision path is explicitly defined.

• A deep neural network, however, is not inherently interpretable because its decision-making process is distributed across many layers and requires external techniques to approximate why it made a particular decision.

How I advise clients to evaluate and implement interpretability with AI:

• Publish a description of the model type, including whether it is inherently interpretable (e.g., decision trees, linear regression) or requires external interpretability tools (e.g., deep learning models).

• Summarize key architectural choices, including the number of layers, nodes, and activation functions for neural networks, or the number of splits for tree-based models.

• Give stakeholders a simplified, human-readable representation of the model’s decision logic when feasible.

• Ensure feature importance rankings remain stable across subsets of data unless a justifiable - and explicitly declared - reason for change exists.

• Log and make available intermediate decision points for complex models that use multi-step reasoning (e.g., AI agents using retrieval-augmented generation).

Conclusion

AI transparency, explainability, and interpretability get a lot of surface-level discussion. Unfortunately I have seen little concrete guidance on implementing them.

So I made up my own.

This is especially critical for those seeking ISO 42001 certification because auditors are going to ask how you achieve the requirements of the standard. Even if the document doesn’t give you good answers on how to do so!

And if you need help getting ISO 42001-ready, StackAware helps AI-powered companies do just that through our 90-day AI Management System (AIMS) Accelerator offering.

Ready to learn more?

Book a call