What is ISO 42005?

ISO 42005 is a part of the International Organization for Standardization (ISO) framework designed to provide standards for AI systems and their implementation within various industries. While the specifics of ISO 42005 are still under development, it is expected to serve as a global benchmark for organizations striving to establish trustworthy, safe, and legally compliant AI systems.

This standard, once fully released, will provide essential guidelines that include AI system impact assessment practices, the scope of the AI system impact assessment, AI system information, data information and quality, algorithms and model information, deployment environment, relevant interested parties, actual and potential impacts, and measures to address harms and benefits. ISO 42005 will likely complement existing regulatory efforts such as the EU Artificial Intelligence Act (the EU Act) and be harmonized with other ISO standards, including ISO 42001, which focuses on AI risk management.

Why ISO 42005 matters

ISO 42005 will help bridge the gap between fast-paced AI innovation and the regulatory measures required to ensure responsible AI use. By establishing a universal framework, businesses can standardize their approach to AI impact assessment across different markets, ensuring compliance while remaining competitive. The importance of ISO 42005 can be broken down into the following two key areas:

1. Implementing an AI system impact assessment process: Organizations should have a structured, consistent approach to performing and documenting AI system impact assessments. The process can vary depending on the context, including an organization's business, strategy, culture, legal requirements, and risk appetite.

2. Documenting the AI system impact assessment: Guidance must be included in AI system impact assessments. In this sense, an organization must determine its needs based on its context, and not all of the guidance is applicable to every organization.

ISO 42005 and ISO 42001: Complementary standards

ISO 42005 should be viewed alongside ISO 42001, which focuses on AI management systems. ISO 42001 provides a broader organizational framework, detailing how businesses can manage AI operations within their existing corporate structures. ISO 42005, on the other hand, provides guidance for an organization on how to both implement a process for completing assessments on how AI systems have the potential to significantly impact (both positively and negatively) individuals, groups of individuals, and society as a whole, as well as promote a common understanding of the components necessary to produce an effective assessment.

Together, these standards will offer businesses a comprehensive framework for AI governance, helping them not only manage AI systems effectively but also ensure their compliance with regulatory requirements and alignment with ethical standards.

How ISO 42005 aligns with the EU AI Act

One of the most significant pieces of legislation affecting AI deployment in Europe is the EU AI Act. ISO 42005 is expected to align closely with this regulation, helping businesses understand the requirements imposed by the EU and other jurisdictions. The EU AI Act classifies AI systems into four risk categories - minimal, limited, high-risk, and prohibited - and ISO 42005 will likely provide businesses with tools to ensure they meet the necessary compliance requirements for their specific AI applications.

For example, high-risk AI systems under the EU AI Act, such as biometric identification systems, will require robust oversight and accountability measures, which ISO 42005 will address. This alignment will help businesses operating within the EU, or with ties to the EU market, mitigate risks and ensure compliance with both the EU AI Act and ISO 42005.

Practical steps for businesses to implement ISO 42005

As businesses prepare for the full release of ISO 42005, there are several steps they can take to start aligning their AI strategies with the upcoming standard:

• Conduct an AI system impact assessment: Businesses should start by identifying potential impacts caused by their AI systems. This includes considerations for how and when to perform such assessments and at what stages of the AI system life cycle, as well as guidance for AI system impact assessment documentation. Conducting a comprehensive AI impact assessment will allow businesses to undertake a formal, documented process to evidence how the impacts on individuals, groups of individuals, and societies are considered.

• Establish an AI governance structure: Organizations should create a governance framework that oversees the development and deployment of AI systems. This structure should include clear roles and responsibilities for different stakeholders, including AI developers, legal teams, and risk managers.
• Train employees on AI system impacts: To ensure that AI systems are developed and deployed ethically, businesses must train employees on the potential benefits and harms that a relevant party can expect as a direct or indirect result of interacting with the AI system. This includes understanding the potential harms and benefits arising from various objectives, such as accountability, transparency, fairness and discrimination, privacy, reliability, safety, explainability, and environmental impact.
• Align with existing regulations: Businesses operating in regulated industries, such as healthcare or finance, should start aligning their AI systems with existing regulations, such as the General Data Protection Regulation (GDPR) or the EU AI Act. By doing so, they will be better prepared to adopt ISO 42005 when it is fully released.
• Prepare for certification: Once ISO 42005 is finalized, businesses will be able to pursue certification, demonstrating their compliance with the standard. Preparing for certification involves aligning existing processes with the framework provided by ISO 42005 and ensuring that AI systems are audited regularly for compliance.

The competitive advantage of ISO 42005 compliance

Adopting ISO 42005 offers businesses more than just compliance with regulations - it can also serve as a competitive differentiator. Companies that can demonstrate adherence to global AI standards can gain a reputation for trustworthiness, transparency, and ethical practices. As consumers and businesses become more conscious of the ethical implications of AI, organizations that comply with ISO 42005 will stand out in a crowded marketplace.

Moreover, compliance with ISO 42005 can help businesses secure partnerships and contracts with governments, multinational corporations, and other entities that prioritize ethical AI governance. This can open up new business opportunities and help organizations grow their market share in an increasingly AI-driven world.

Conclusion

ISO 42005 is set to become a critical standard for businesses leveraging AI technologies. By focusing on impact assessment, and the measures to address harms and benefits, ISO 42005 will provide a comprehensive framework for organizations to build trustworthy AI systems. While the final version of the standard is still under development, businesses can take proactive steps now to prepare for its release by conducting AI system impact assessments, establishing AI governance structures, and training employees on AI systems.

By staying ahead of ISO 42005 and integrating it into their operations, businesses can mitigate risks, enhance operational efficiency, and gain a competitive advantage in the global market.

Sean Musch CEO
[email protected]
AI & Partners, Amsterdam

Charles Kerrigan Partner
[email protected]
CMS Cameron McKenna Nabarro Olswang LLP, London