Human Resources
Organisations must assess AI systems' societal impacts at all stages of their life cycles.
Plain language
This control is about thinking ahead to how your AI might affect society, like if a chatbot misleads a customer or an AI tool discriminates unfairly. By considering these impacts upfront, you can make sure your AI helps people more than it harms them.
Framework
ISO/IEC 42001:2023
Control effect
Proactive
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
As part of resource identification, the organisation shall document information about the human resources and their competences utilised for the development, deployment, operation, change management, maintenance, transfer and decommissioning, as well as verification and integration of the AI system.
Why it matters
If you don't assess societal impacts, your AI could unknowingly harm people, like making biased decisions or breaching privacy, leading to public backlash or legal issues.
Operational notes
Whenever you upgrade your AI system or use new training data, re-evaluate its societal impacts to catch any new issues that may arise.
Implementation tips
- The AI lead should put together a small team to brainstorm all the ways the AI could affect society, good and bad. Start with obvious things, like privacy concerns or job displacement, and write them down.
- Product owners should create a simple checklist for evaluating societal impacts each time they plan a change to an AI system. This can be a one-page form asking questions like 'Could this change harm any group of people?'
- The head of risk should integrate societal impact as a topic in quarterly risk reviews. Use discussions to update your list of potential impacts as real-world experiences provide new insights.
- The data steward can help by providing data on past issues or complaints related to AI systems. Compile these into a report that highlights recurring concerns and hand it to the AI lead before they brainstorm impacts.
- Board members should be briefed annually on the societal impacts of the organisation's AI systems. Request a clear summary report highlighting any significant risks or issues that were identified.
Audit / evidence tips
- Ask: Ask for the report detailing identified societal impacts of the AI systems. Good: The report lists both positive and negative impacts and shows a date of recent review.
- Ask: Check the checklist used for evaluating AI system changes. Good: The checklist includes comprehensive questions about potential societal impacts and is regularly updated.
- Ask: Request records from the last risk review meeting. Good: Societal impacts were discussed in the last risk review and are documented in the minutes.
- Ask: View the complaint logs related to AI systems. Good: Complaint logs have been analysed for recurring societal concerns, and findings are documented.
- Ask: Ask for evidence of board member briefings on AI societal impacts. Good: Board minutes show annual discussions of AI societal impacts with clear action points for mitigation.
Cross-framework mappings
How Annex A 4.6 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.2 | Annex A 4.6 (ISO/IEC 42001:2023) requires documenting AI system human resources and their competencies across lifecycle activities such a... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| ISM-2020 | Annex A 4.6 (ISO/IEC 42001:2023) requires the organisation to document the human resources and competencies used across the AI system lif... | |
| ISM-2035 | Annex A 4.6 (ISO/IEC 42001:2023) requires documenting human resources and competencies used throughout the AI system lifecycle, including... | |
| ISM-2038 | Annex A 4.6 (ISO/IEC 42001:2023) requires the organisation to document AI-related human resources and their competencies across developme... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.