This document provides guidance on how organizations that develop, produce, deploy or use products, systems and services that utilize artificial intelligence (AI) can manage risk specifically related to AI. The guidance also aims to assist organizations to integrate risk management into their AI-related activities and functions. It moreover describes processes for the effective implementation and integration of AI risk management.
The application of this guidance can be customized to any organization and its context.
One of the major issues in the adoption of artificial intelligence systems is the lack of trust in such systems. Objections include the effects of data or algorithmic bias, new security threats such as adversarial inputs, threats to privacy due to leakage of personal data, and also the lack of transparency and accountability. The recently published draft for a Regulation on Artificial Intelligence by the European Commission explicitly requires companies providing AI systems (products or services) to perform effective management of risks for high-risk applications.
Risk management is a concept that has been widely addressed in ISO publications, ranging from the specific domain or application to a sector to generic guidelines. A structured, repeatable risk management process for AI systems directly addresses:
a) engineering pitfalls, and assesses typical associated threats and risks to AI systems with their mitigation techniques and methods, by allowing for identification, classification and treatment of risks to (and from the use of) AI systems;
b) the establishment of trust in AI systems through transparency, verifiability, explainability, controllability, etc., by using a well-understood and documented risk management process;
c) AI systems' robustness, resiliency, reliability, accuracy, safety, security, privacy, etc., by providing transparency on the treatment of risks to the identified stakeholders.
The proposal aims at the (unmodified) adoption of the ISO/IEC JTC 1/SC 42 document ISO/IEC 23894 – Information technology – Artificial intelligence – Guidance on risk management, to make it available to the work programme of CEN-CLC/JTC 21. ISO/IEC 23894 is currently under FDIS ballot and can be expected to be published early 2023.