Assessing AI System Impact on Individuals or Groups of Individuals
Organisations must assess and document the potential impacts of their AI systems on individuals and groups of individuals, and keep that assessment current across the system's life cycle.
Plain language
This control is about working out, and writing down, who an AI system could affect and how, before it goes live and again whenever it changes. If done right, it means your AI won't quietly harm or offend customers or make unlawful decisions, like wrongly denying a service, because those outcomes were identified and mitigated in advance. It helps avoid mistakes and gives you a record showing the AI sticks to the rules.
Framework
ISO/IEC 42001:2023
Control effect
Preventative
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
19 May 2026
Maturity levels
N/A
Official control statement
The organisation shall assess and document the potential impacts of AI systems to individuals or groups of individuals throughout the system's life cycle.
Why it matters
Without a documented impact assessment, AI could make biased or unlawful choices, like denying services to some groups unfairly, and nobody would have spotted the risk, or be able to show regulators and customers that it was considered, before the harm occurred.
Operational notes
Treat the impact assessment as a living record: revisit it whenever the AI system, its training data, its intended use or the legal requirements around it change materially, not only at project start, and record who reviewed it and when so everyone is working from the same version.
Implementation tips
- The AI lead should set up a simple workflow checklist for building AI systems responsibly. This could be a shared document outlining each stage of AI development with clear steps, such as checking data quality and testing the AI output for fairness.
- The data steward should make sure data used for training AI is well-documented in terms of where it came from and how it was collected. A straightforward log or spreadsheet noting details about the data source improves transparency and trust in AI decisions.
- The product owner must involve users and stakeholders in the AI design process to make sure the AI meets real-world needs. Simple surveys or feedback sessions every quarter can help refine AI features and functions effectively.
- Procurement should require that AI service or product suppliers clarify their AI development practices. Adding a paragraph in contracts that asks for a description of their AI development process helps ensure consistency in responsible AI practices.
- The head of risk needs to create a simple impact assessment form to use at the start of every AI project. This form could be a one-page document listing possible risks like privacy breaches or biased outcomes and how they will be mitigated.
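The tips above mention testing AI output for fairness and listing biased outcomes as a risk in the impact assessment. As an added, illustrative example (not code from the control library or from ISO/IEC 42001), the script below runs a simple disparate-impact check over constructed decision records: it computes the favourable-decision rate per group, compares each group to the best-treated group, and emits lines a one-page assessment could record. The decision records, the single group attribute, the binary granted/denied decision and the 0.8 (four-fifths) threshold are all assumptions of this example; the threshold is a common convention, not an ISO requirement.

```python
"""Added example, not from the control library page: a minimal disparate-impact
check over constructed AI decision records, of the kind an impact assessment
could record as evidence that AI output was tested for fairness.

Assumptions (not stated by ISO/IEC 42001): one binary favourable/unfavourable
decision per record, one group attribute, and the four-fifths (0.8) rule as
the flag threshold. The records below are constructed, not real data.
"""
from collections import defaultdict

# Constructed sample: (group, decision) where decision True = service granted.
SAMPLE_DECISIONS = [
    ("A", True), ("A", True), ("A", True), ("A", True), ("A", False),   # A: 4/5 = 0.80
    ("B", True), ("B", True), ("B", False), ("B", False), ("B", False),  # B: 2/5 = 0.40
    ("C", True), ("C", True), ("C", True), ("C", False), ("C", False),   # C: 3/5 = 0.60
]

FOUR_FIFTHS = 0.8  # assumed threshold: a common convention, not an ISO requirement


def selection_rates(decisions):
    """Return {group: rate of favourable decisions} for each group present."""
    totals = defaultdict(int)
    favourable = defaultdict(int)
    for group, granted in decisions:
        totals[group] += 1
        if granted:
            favourable[group] += 1
    return {g: favourable[g] / totals[g] for g in totals}


def disparate_impact(decisions, threshold=FOUR_FIFTHS):
    """Compare each group's rate with the best-treated group's rate.

    Returns {group: (ratio, flagged)}. A group is flagged when its rate is
    below `threshold` times the highest rate. The best-treated group always
    has ratio 1.0 and is never flagged. An empty input yields an empty result,
    and if no group is ever favoured there is no disparity to measure.
    """
    rates = selection_rates(decisions)
    if not rates:
        return {}
    best = max(rates.values())
    if best == 0:
        return {g: (1.0, False) for g in rates}
    return {g: (rates[g] / best, rates[g] / best < threshold) for g in rates}


def impact_assessment_record(decisions, system_name, threshold=FOUR_FIFTHS):
    """Produce the lines a one-page impact assessment could record for this test."""
    results = disparate_impact(decisions, threshold)
    lines = [f"System: {system_name}", f"Threshold: {threshold}"]
    for group in sorted(results):
        ratio, flagged = results[group]
        status = "FLAGGED - document mitigation" if flagged else "ok"
        lines.append(f"group {group}: ratio {ratio:.2f} ({status})")
    return lines


if __name__ == "__main__":
    for line in impact_assessment_record(SAMPLE_DECISIONS, "constructed-eligibility-model"):
        print(line)
```

On the constructed data, group A sets the reference rate, group B is flagged at half that rate and group C is flagged at 0.75, just under the threshold. The point of recording the ratio as well as the flag is that a reviewer revisiting the assessment after a model or data change can see the direction of drift, not only whether a threshold was crossed.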
Audit / evidence tips
- Ask: Request the documented AI development process and the date it was last updated. Good: The document lists detailed steps for responsible AI design, with an update in the last year.
- Ask: Ask for a sample of the training data log. Good: Logs include comprehensive data source and attribute information.
- Ask: Obtain feedback records from stakeholders involved in recent AI projects. Good: Feedback records show regular stakeholder engagement throughout development.
- Ask: Request a copy of recent AI supplier contracts. Good: Supplier contracts include sections outlining responsible AI development details.
- Ask: Check whether there is an AI project risk assessment list. Good: Risk assessments itemise potential risks and corresponding mitigations.
Cross-framework mappings
How Annex A 5.4 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Supports | ISM-0888 | Annex A 5.4 requires continuous life-cycle assessment and documentation of AI impacts on individuals or groups |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
Want to implement this AI control?
Mindset Cyber runs PECB-accredited ISO/IEC 42001 training that maps directly to the AI controls in this library.