Chapter Overview
This chapter provides a comprehensive guide to conducting AI System Impact Assessments as required by Clause 8.4. Impact assessment is unique to ISO 42001 and focuses on how AI affects individuals and society.
Clause 8.4 Requirement
"The organization shall conduct an AI system impact assessment for AI systems, taking into account the potential consequences of the AI system for individuals, groups of individuals, and societies."
Impact Assessment vs Risk Assessment
| Aspect | Risk Assessment (8.2) | Impact Assessment (8.4) |
|---|---|---|
| Focus | Risks to the organization | Impacts on people and society |
| Perspective | Organization-centric | Human-centric |
| Question | What could go wrong for us? | How does this affect people? |
| Scope | All risk types | Human and societal consequences |
| Controls | Annex A controls | Annex A.5 controls specifically |
Impact Assessment Process
Process Overview
| Phase | Activities | Output |
|---|---|---|
| 1. Preparation | Define scope, gather information, form team | Assessment plan |
| 2. System Analysis | Understand AI system functionality and context | System description |
| 3. Stakeholder Identification | Identify affected parties | Stakeholder map |
| 4. Individual Impact Assessment | Assess impacts on individuals | Individual impact analysis |
| 5. Societal Impact Assessment | Assess broader societal impacts | Societal impact analysis |
| 6. Mitigation Planning | Identify measures to address negative impacts | Mitigation plan |
| 7. Documentation | Document assessment and conclusions | Impact assessment report |
| 8. Review and Approval | Review and approve assessment | Approved assessment |
Phase 1: Preparation
Define Scope
- Which AI system is being assessed
- Which use cases are included
- Geographic and demographic scope
- Assessment boundaries
Gather Information
- AI system documentation
- Technical specifications
- Intended use documentation
- User information
- Data processing details
- Previous assessments (if any)
Form Assessment Team
| Role | Contribution |
|---|---|
| Assessment Lead | Coordinate assessment, ensure completeness |
| AI System Expert | Technical understanding of the system |
| Business Owner | Use case and context knowledge |
| Ethics/Compliance | Ethical and regulatory perspective |
| User Representative | User perspective and needs |
| External Stakeholder | Affected party perspective (optional) |
Phase 2: System Analysis
Document AI System
System Description Template
System Identity:
• System name and ID
• Version assessed
• Business owner
• Technical owner
Functionality:
• Purpose and objectives
• AI type (ML, NLP, computer vision, etc.)
• Key capabilities
• Decision types made
Data:
• Input data types
• Personal data processed
• Data sources
• Output data/decisions
Context:
• Deployment environment
• User groups
• Scale of use
• Integration with other systems
Autonomy Assessment
| Level | Description | Impact Consideration |
|---|---|---|
| Advisory | AI provides recommendations, humans decide | Lower direct impact |
| Supported | AI and human collaborate on decisions | Shared impact |
| Automated | AI makes decisions with human oversight | Higher direct impact |
| Autonomous | AI makes decisions independently | Highest direct impact |
Phase 3: Stakeholder Identification
Identify Affected Parties
| Category | Description | Examples |
|---|---|---|
| Direct Users | People who operate the AI system | Employees, operators |
| AI Subjects | People about whom AI makes decisions | Customers, applicants, patients |
| Indirectly Affected | People indirectly impacted | Family members, communities |
| Vulnerable Groups | Groups requiring special consideration | Children, elderly, disabled, minorities |
Stakeholder Impact Map
For each stakeholder group, document:
• Group description
• How they interact with/are affected by AI
• Potential positive impacts
• Potential negative impacts
• Vulnerability factors
• Scale (number of people affected)
Phase 4: Individual Impact Assessment
Impact Categories
| Category | Positive Impacts | Negative Impacts |
|---|---|---|
| Rights & Freedoms | Enhanced access, privacy protection | Privacy violation, discrimination, surveillance |
| Safety & Health | Improved safety, health monitoring | Physical harm, mental health impacts |
| Economic | Better services, opportunities | Job loss, unfair denial, financial harm |
| Autonomy | Empowered decisions, convenience | Manipulation, reduced agency, dependence |
| Dignity | Personalization, accessibility | Dehumanization, profiling, stigmatization |
Assessment Questions
Individual Impact Questions
Rights & Freedoms:
• Does the AI process personal data? How?
• Could the AI discriminate against protected groups?
• Does the AI affect freedom of expression or movement?
• Are individuals informed about AI use?
Safety & Health:
• Could AI errors cause physical harm?
• Could the AI cause psychological distress?
• Are there safety-critical decisions?
Economic:
• Does the AI affect access to services or opportunities?
• Could the AI cause financial harm?
• Does the AI affect employment?
Autonomy:
• Can individuals understand AI decisions affecting them?
• Can individuals contest or appeal AI decisions?
• Does the AI manipulate or nudge behavior?
Dignity:
• Does the AI treat people as individuals?
• Could the AI be perceived as dehumanizing?
• Are vulnerable groups specially protected?
Phase 5: Societal Impact Assessment
Societal Impact Categories
| Category | Positive Impacts | Negative Impacts |
|---|---|---|
| Social | Connectivity, accessibility | Polarization, inequality, isolation |
| Economic | Productivity, new opportunities | Job displacement, wealth concentration |
| Democratic | Participation, transparency | Manipulation, misinformation |
| Environmental | Efficiency, optimization | Energy consumption, e-waste |
| Cultural | Preservation, access | Homogenization, bias amplification |
Scale Assessment
| Scale Factor | Questions |
|---|---|
| Reach | How many people could be affected? |
| Frequency | How often are decisions made? |
| Cumulative | What is the cumulative effect over time? |
| Systemic | Could this affect entire systems or markets? |
Phase 6: Mitigation Planning
Mitigation Strategies
| Strategy | Description | Examples |
|---|---|---|
| Eliminate | Remove the source of negative impact | Don't use AI for this decision |
| Substitute | Replace with less impactful approach | Use advisory instead of automated |
| Control | Implement safeguards | Human oversight, bias testing |
| Inform | Ensure transparency | Clear disclosure, explanations |
| Empower | Give affected parties recourse | Appeals process, opt-out |
Phase 7: Documentation
Impact Assessment Report Template
Complete Impact Assessment Template
1. EXECUTIVE SUMMARY
• AI system name and purpose
• Assessment date and team
• Key findings summary
• Overall impact rating
• Key recommendations
2. AI SYSTEM DESCRIPTION
• System overview and functionality
• Autonomy level
• Data processed
• Scale and context
3. AFFECTED PARTIES
• Stakeholder map
• Vulnerable groups identified
• Scale of affected population
4. INDIVIDUAL IMPACT ASSESSMENT
For each impact category:
• Potential positive impacts
• Potential negative impacts
• Affected groups
• Likelihood (1-5)
• Severity (1-5)
• Impact score
• Existing mitigations
5. SOCIETAL IMPACT ASSESSMENT
For each societal category:
• Potential positive impacts
• Potential negative impacts
• Scale of impact
• Severity assessment
6. MITIGATION MEASURES
• Recommended mitigations
• Responsible parties
• Implementation timeline
7. CONCLUSIONS
• Overall impact assessment
• Recommendation (proceed/proceed with conditions/do not proceed)
• Conditions for proceeding
• Monitoring requirements
8. APPROVAL
• Assessed by: [Name, Date]
• Reviewed by: [Name, Date]
• Approved by: [Name, Date]
Impact Rating Scale
| Rating | Description | Action |
|---|---|---|
| Minimal | Negligible negative impacts, clear benefits | Proceed with standard monitoring |
| Low | Minor negative impacts, manageable | Proceed with identified mitigations |
| Moderate | Notable impacts requiring attention | Proceed with enhanced controls |
| High | Significant negative impacts | Proceed only with robust mitigations |
| Severe | Serious harm potential | Do not proceed without fundamental changes |
Key Takeaways - Impact Assessment
1. Impact assessment is mandatory (Clause 8.4)
2. Focus is on people and society, not organizational risk
3. Assess both positive AND negative impacts
4. Consider individuals AND society
5. Pay special attention to vulnerable groups
6. Document methodology, findings, and mitigations
7. Obtain appropriate approval before deployment