Standards Development

Scope

This document specifies requirements on risk management for AI systems. This document also provides clear and actionable guidance on how risk can be addressed and mitigated throughout the entire lifecycle of the AI system. It applies to risk management for a broad range of products and services which use AI technology, including explicit considerations for vulnerable people. Risks covered include both risks to health and safety and risks to fundamental rights which can arise from AI systems, with impact for individuals, organisations, market and society. This document also defines methods that can be used to determine if a package of risk management measures associated with an AI system will be able to ensure that certain risks arising from that product or system are identified, monitored, and managed, leading to an acceptable level of risk.

This document is intended for use by organizations and individuals providing, using, or being affected by products or services that use AI technology, no matter what their size, nature, or location is. The included requirements and guidance have however been specifically tailored to support organisations and individuals who operate inside of the European Union, as well as organisations and individuals outside of the Union who are active in the European Union market or who intend to enter that market. They have been tailored to support these organisations and individuals in meeting applicable regulatory requirements, with the flexibility to accommodate additional expectations from parties they may interact with.

Purpose

Risk management is a fundamental and practical process, ensuring clear governance for a balanced management, to identify and mitigate, and monitor potentially negative/adverse impacts of Artificial intelligence systems on individuals, groups, and society at large, while benefits provided by AI technologies are enabled.

This NWIP proposes to implement the ‘SR1’ part of the Standardisation Request for the expected future EU AI Act, via the writing of an EN titled ‘AI Risk Management’. The EN will include normative requirements on risk management which will mirror at least Article 9 (titled ‘Risk management system’) of the Act. The EN will support the expected presumption of conformity mechanism as envisaged by Article 40 of the Act. The proposed work will do a gap analysis between the requirements in existing and upcoming standards (e.g. ISO/IEC 42001 and ISO/IEC 23894) and the requirements of Article 9. The EN will fill the gaps identified, by providing the necessary text.

The EN aims to take into account the existing practices of specific vertical industries and AI application areas: it will complement or extend their existing risk management processes and standards. Beyond Article 9, and in coordination with other JTC21 activities, this Proposed Work might also work on additional Articles, or parts of Articles, of the Act.

To further implement the SR, the EN will include ‘check lists for AI risk management’ (CLAIRM) which will, together with referenced existing standards, provide a non-exhaustive overview of the state of the art in AI risk management, at the time when the EN was written. These lists are an informational resource catalogue of AI specific risk sources, harms, and countermeasures (risk management measures) relevant to AI risk management in the sense of Article 9.