What is an AI impact assessment?

The ISO 42001 standard says it is a way to

determine the potential consequences an AI system’s deployment, intended use[,] and foreseeable misuse has on individuals or groups of individuals, or both, and societies. (Clause 6.1.4)

Compare this to an AI risk assessment, the way to

assess the potential consequences to the organization, individuals and societies that would result if the identified risks were to materialize. (Clause 6.1.2)

Combined with the fact that organizations “shall consider the results of the AI system impact assessment in the risk assessment,” (Clause 6.1.4) I found it quite difficult to separate the two concepts.

To deal with this challenge, StackAware assesses AI at three levels:

1. Organization - risk assessment only

2. Individual(s) - risk and impact assessments

3. Society(ies) - risk and impact assessments

ISO 23894, which gives additional guidance on AI risk management, mirrors this three-level structure (while using the term “communities” along with “societies”). And the StackAware AI risk assessment application program interface (API) breaks them out in this way too.

How should I do an AI impact assessment?

Thankfully Annex B of ISO 42001 gives some guidance, which I have consolidated into this checklist:

1. Determine if an impact assessment is appropriate based on the:

   1. criticality of the intended purpose and context in which the AI system is used

   2. complexity and level of automation of the AI system

   3. sensitivity of data processed by the AI system

2. If proceeding with the assessment, evaluate:

   1. the System’s:

      1. applicable jurisdictions

      2. technical and societal context where deployed

      3. intended use and foreseeable misuse

      4. predictable failures, their potential impacts, and measures taken to mitigate them

      5. complexity

      6. fairness

      7. accountability

      8. transparency and explainability

      9. security and privacy

      10. accessibility

      11. operating organization’s employment and staff skilling

   2. how the AI system affects individuals, specifically their:

      1. relevant demographic groups

      2. legal position

      3. life opportunities

      4. safety and physical well-being

      5. psychological safety and well-being

      6. health

      7. finances

      8. human rights

      9. specific protection needs such as for:

         1. children

         2. impaired persons

         3. elderly persons

         4. workers

   3. how the AI system affects communities, societies, and universal human rights, specifically as it relates to:

      1. environmental sustainability, including the impacts on:

         1. natural resources

         2. greenhouse gas emissions

      2. economics, including:

         1. access to financial services

         2. employment opportunities

         3. taxes

         4. trade

         5. commerce

      3. government, including:

         1. legislative processes

         2. misinformation for political gain

         3. national security and criminal justice systems

      4. health and safety, including:

         1. access to healthcare

         2. medical diagnosis and treatment

         3. potential physical and psychological harms

      5. norms, traditions, culture and values, including misinformation that leads to biases or harms to individuals or groups of individuals, or both, and societies.

Does that seem like an in-depth process, but still want to get ISO 42001 certified?

Through the AI Management System (AIMS) Accelerator, StackAware helps AI-powered companies in:

• Financial services

• Healthcare

• B2B SaaS

get ISO 42001-ready in 90 days.

Ready to get started?

Book a call