How do I conduct an AI system impact assessment under ISO/IEC 42001 Clause 6.1.4?
Under ISO/IEC 42001, Clause 6.1.4 requires the organization to define a process for assessing the potential consequences that the development, provision, or use of an AI system can have for individuals, groups of individuals, and society, and to retain documented information on the results of each assessment. The clause sits in the planning section (Clause 6) of the AI Management System (AIMS), alongside AI risk assessment (6.1.2) and AI risk treatment (6.1.3), and is applied across the AI system's whole lifecycle.
- Establish an AI Impact Assessment Process: Define and document a repeatable process that identifies both the beneficial and the harmful potential impacts of each AI system, including the likelihood and magnitude of each, and records the outcome. This is the subject of Annex A control A.5 (Assessing impacts of AI systems) and aligns with NIST AI RMF MAP 5.1, which calls for the likelihood and magnitude of each identified impact to be identified and documented.
- Integrate into the AI System Lifecycle: Apply the assessment at each stage of the AI system lifecycle (design, development, deployment, operation, and retirement). In practice this means repeating it whenever the system, its intended use, its training data, or its deployment context changes materially, because the impact estimated at design time can differ from the impact observed in production.
- Define Roles and Responsibilities: Assign and resource clear roles, responsibilities, and reporting lines for AI governance, including who performs, who reviews, and who approves an impact assessment and to whom concerns are escalated. This aligns with Annex A control A.3 (Internal organization).
- Document Context and Scope: Before assessing any system, determine the organization's internal and external context (Clause 4.1), identify interested parties and their requirements (Clause 4.2), and define the scope of the AIMS (Clause 4.3). This establishes the environment in which each AI system operates and who can be affected by it, which is the input the impact assessment needs.
- Operationalize the Assessment: Run the impact assessment as part of operational planning and control (Clause 8), so that AI systems are developed and operated under defined controls and the documented results are used as input to AI risk assessment and risk treatment rather than filed and forgotten.
- Continual Improvement: Treat the assessment process itself as part of the AIMS that Clause 10 subjects to continual improvement and corrective action. Findings from internal audits, incidents, and nonconformities should change the process (its criteria, triggers, and templates), not only the individual assessment that surfaced them.
Grounded in
- ISO/IEC 42001
- NIST AI RMF
- Designing Agentic AI Systems with the ORCHIDEAS Framework
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.