AI System Impact Assessment Process
Organisations need a process to assess AI's impact on people and society throughout its lifecycle.
Plain language
AI can affect your customers and your business. Imagine your AI takes bad loan decisions, causing financial harm to your clients or even excluding people unfairly. It's crucial to continuously assess how your AI impacts people throughout its use to prevent these issues.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
The organisation shall establish a process to assess the potential consequences for individuals or groups of individuals, or both, and societies that can result from the AI system throughout its life cycle.
Why it matters
If AI causes harm, like denying loans unfairly, it can ruin reputations and trust. Assessing impact avoids these issues.
Operational notes
Don't wait for yearly reviews. Check AI impacts whenever major updates or changes to training data occur.
Implementation tips
- The person responsible for AI (AI lead) should work with the IT team to map out each step where AI affects people. For example, make a simple chart showing where your chatbot talks to customers and what decisions it makes.
- The head of risk should identify scenarios where the AI could potentially harm people. They might brainstorm with the team to list out what could go wrong, such as biased hiring decisions, and plan how to avoid these.
- The product owner should regularly update the list of scenarios and impacts whenever there's a change in the AI's model or data. Record what version is being used and when changes are made, perhaps using a shared document.
- Ensure the data steward checks where the data originates and how it can affect people negatively. They could keep a note of data sources and the kinds of bias that could be present.
- Board members should meet quarterly to review AI impact assessments prepared by the AI lead. They should check for consistent improvements and necessary changes in the AI's operation.
Audit / evidence tips
- Ask: Request the latest AI impact assessment report. Good: The impact assessment report details potential effects on people at all stages of the AI's lifecycle.
- Ask: Ask to see a list of identified AI risks. Good: The list clearly identifies potential risks and scenarios where the AI may negatively impact individuals.
- Ask: Ask the data steward about data provenance. Good: The data steward explains how data origins are tracked and updated regularly.
- Ask: Request records of meetings where AI impacts were discussed. Good: Regular meetings are documented with clear discussions of AI impacts on people.
- Ask: Request evidence of changes made following impact assessments. Good: There is a trackable record of adjustments made to AI systems, showing responsiveness to impact assessments.
Cross-framework mappings
How Annex A 5.2 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.34 | ISO/IEC 42001:2023 Annex A 5.2 requires assessing potential consequences of an AI system for individuals/groups and society throughout th... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Supports (2) | | |
| ISM-0009 | ISO/IEC 42001:2023 Annex A 5.2 requires the organisation to run an AI system impact assessment process to evaluate consequences for indiv... | |
| ISM-0041 | ISO/IEC 42001:2023 Annex A 5.2 requires an AI system impact assessment process across the AI system lifecycle | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.