Assess and Document AI Societal Impacts Across the Life Cycle
Your organisation must assess and write down how each artificial intelligence (AI) system could affect society at every stage of its life.
Plain language
This control asks your organisation to think about how your artificial intelligence (AI) systems could affect people and society more broadly, not just your own business. Before you build or buy an AI system, while you run it, and right through to when you retire it, you need to consider questions like: could this system treat some groups of people unfairly, mislead the public, affect jobs, raise safety concerns, or harm vulnerable communities? You then have to write down what you found and the decisions you made about it. The key phrase is "throughout their life cycle", meaning this is not a one-off check at the start. As an AI system changes, as it is used in new ways, or as its effects on the world become clearer, you revisit the assessment and keep your records up to date. The point is to spot potential harm to society early so you can prevent it, rather than discovering it after damage is done. Having this written down also shows regulators, customers and your board that you took the wider consequences of your AI seriously.
Framework
ISO/IEC 42001:2023
Control effect
Proactive
Classifications
N/A
Official last update
01 Dec 2023
Control Stack last updated
18 June 2026
Maturity levels
N/A
Official control statement
The organisation shall assess and document the potential societal impacts of their AI systems throughout their life cycle.
Why it matters
Skipping societal impact checks risks unfair or harmful AI outcomes that damage public trust, attract regulators and expose your organisation to legal claims.
Operational notes
Treat the assessment as living: revisit it whenever an AI system changes, is reused for a new purpose, or is retired, and keep the register current.
Implementation tips
- The AI management system (AIMS) owner should create a standard societal impact assessment template that asks set questions about effects on fairness, safety, employment, the environment, vulnerable groups and the wider public, so every AI system is reviewed consistently.
- Project leads should complete this assessment before an AI system is approved for build or purchase, recording who could be affected, what harm could occur and how likely and serious it is.
- The risk or compliance manager should schedule the assessment to be repeated at set points across the life cycle, for example when the system changes significantly, when it is used for a new purpose, and before it is retired.
- Business and product teams should consult affected or external groups where impacts could be serious, such as community representatives or domain experts, and record their input in the assessment.
- The AIMS owner should store every completed and updated assessment in a central register, link each one to the relevant AI system, and report significant findings to senior management for a documented decision.
Audit / evidence tips
- Ask: the documented societal impact assessment for a sample of AI systems, and check that one exists for each system in use
- Look at: whether each assessment covers genuine societal effects, such as fairness, safety, jobs, the environment and impacts on vulnerable people, rather than only technical or commercial risks
- Ask: evidence that assessments are revisited across the life cycle, and look at dates and version history to confirm they were updated when systems changed or were retired
- Look at: whether serious potential impacts were escalated to senior management and whether a documented decision or mitigation followed
- Good: a complete, dated register of societal impact assessments tied to each AI system, refreshed at key life cycle stages, with clear evidence that findings influenced real decisions
Cross-framework mappings
How Annex A 5.5 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (3) | | |
| Annex A 5.5 | ISO/IEC 42001:2023 Annex A 5.5 requires the organisation to assess and document potential societal impacts of AI systems across the full ... | |
| Annex A 5.8 | ISO/IEC 42001:2023 Annex A 5.5 requires the organisation to assess and document AI societal impacts across design, development, deploymen... | |
| Annex A 5.31 | ISO/IEC 42001:2023 Annex A 5.5 requires documented assessment of AI societal impacts throughout the AI life cycle | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| ISM-1203 | ISO/IEC 42001:2023 Annex A 5.5 requires assessment and documentation of potential societal impacts of AI systems throughout their life cycle | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.