What is ISO/IEC 23894 and how does it guide AI risk management?
ISO/IEC 23894 is not mentioned in the provided sources. The sources discuss ISO/IEC 42001, which guides AI risk management by establishing requirements for an AI Management System (AIMS).
ISO/IEC 42001 provides a structured approach to managing AI risks through its Plan-Do-Check-Act framework, encompassing clauses 4-10, and includes AI-specific controls in Annex A. Key aspects of this guidance include:
- Context and Leadership: Organizations must determine the internal and external context of their AIMS, identify interested parties, and define the scope. Top management is responsible for demonstrating leadership by establishing an AI policy, a documented AIMS, and assigning roles, responsibilities, and authorities for AI governance. (ISO/IEC 42001 Cl.4 Context, Cl.5 Leadership)
- Planning and Support: The standard requires addressing risks and opportunities, establishing processes for AI risk assessment and AI impact assessment, and setting AI objectives. Adequate resources, competence, awareness, communication, and control of documented information are necessary to operate the AIMS. (ISO/IEC 42001 Cl.6 Planning, Cl.7 Support)
- Operation: Operational planning and control involve implementing AI risk and impact assessments and operating AI systems under defined controls. (ISO/IEC 42001 Cl.8 Operation)
- Performance Evaluation and Improvement: The AIMS must be subject to monitoring, measurement, analysis, and evaluation, including internal audits and management reviews. Continual improvement and corrective actions are required to address nonconformities and enhance the AIMS over time. (ISO/IEC 42001 Cl.9 Performance evaluation, Cl.10 Improvement)
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.