Module 3: Governance & Risk Management · BoK III.A
AI impact assessments and ISO 42005
The AI impact assessment (AIIA) is the severity lens → it gauges how bad mapped risks are, while a risk assessment flags which systems need extra governance. ISO/IEC 42005:2025 gives structured guidance for running one.
Why conduct an AIIA:
- Identify risks early in design and mitigate or eliminate them
- Protect fundamental human rights, particularly for vulnerable or underrepresented groups → privacy, fairness, equality
- Align with standards and laws → may be mandated for high-risk applications
- Build trust and accountability with customers, users, regulators
- Inform responsible development → may guide the go or no-go decision
Areas an AIIA covers:
- Privacy risks → how personal data is collected, processed, protected
- Bias and discrimination
- Transparency and explainability → decisions understandable to users and auditors
- Accountability for outcomes and errors
- Security risks that could cause harm or misuse
- Broad impacts → economic structures, cultural norms, political stability, environment
ISO/IEC 42005:2025
International standard giving structured guidance for conducting AI system impact assessments → supports transparency, accountability and trust by helping organisations identify, evaluate and document potential impacts across the AI life cycle. High-level understanding is enough for the exam.
Key terms - quick answers
What is “AI impact assessment (AIIA)”?
The severity lens, gauging how bad mapped risks are and potentially guiding the go/no-go decision.
What is “ISO/IEC 42005:2025”?
Standard giving structured guidance for conducting AI system impact assessments across the life cycle.