Glossary · AI governance

What is AI Impact Assessment?

Also known as: AI system impact assessment, Algorithmic impact assessment

An AI impact assessment is a structured evaluation of how an AI system affects individuals, groups, and society, including risks to rights, fairness, safety, and wellbeing. It is a core requirement of ISO 42001 and supports conformity efforts under regulations such as the EU AI Act.

Key takeaways

  • An AI impact assessment evaluates an AI system's effects on people and society.
  • It examines risks to rights, fairness, safety, privacy, and wellbeing.
  • It is a required activity within ISO 42001 AI management systems.
  • It supports conformity and risk obligations under the EU AI Act.

What is an AI impact assessment for?

An AI impact assessment exists to surface and address the consequences of deploying an AI system before and during its use, particularly its effects on the people and communities it touches. Unlike a purely technical risk review focused on the organization's own losses, an impact assessment deliberately looks outward at potential harms to individuals, groups, and broader society.

It typically considers questions such as who could be affected, how the system could produce unfair or harmful outcomes, what is at stake for those affected, and what measures will reduce those risks. The goal is to make potential harms visible early so they can be mitigated or avoided rather than discovered after deployment.

How does it relate to ISO 42001 and the EU AI Act?

Impact assessment is woven directly into modern AI governance frameworks. ISO 42001, the international standard for AI management systems, requires organizations to assess the impacts of their AI systems on individuals and society as part of governing AI responsibly.

Assessing impact also supports obligations under the EU AI Act, which takes a risk-based approach and places stronger requirements on higher-risk AI systems. Documented impact analysis helps demonstrate that an organization understands and is managing the risks its systems pose, feeding into broader conformity efforts.

What does a good impact assessment include?

  • A clear description of the AI system, its purpose, and its context of use.
  • Identification of affected individuals, groups, and stakeholders.
  • Analysis of potential harms to rights, fairness, safety, and privacy.
  • Assessment of likelihood and severity of those impacts.
  • Mitigations, controls, and ongoing monitoring to manage the identified risks.

An impact assessment is most valuable when it is a living artifact, revisited as the system and its use evolve. It operationalizes responsible AI by turning principles into a documented, repeatable practice tied to your AI management system.

Frequently asked questions

How is an AI impact assessment different from a data protection impact assessment?
A data protection impact assessment focuses specifically on privacy and personal data risks. An AI impact assessment is broader, examining effects on rights, fairness, safety, and society as a whole, though the two can overlap and complement each other.
When should an AI impact assessment be performed?
Ideally before a system is deployed, so risks can be addressed early, and then revisited whenever the system, its data, or its context of use changes materially. Treating it as a living document keeps it relevant.
Is an AI impact assessment mandatory?
It is a required activity under ISO 42001 and supports obligations under regulations like the EU AI Act, particularly for higher-risk systems. Even where not strictly mandated, it is widely regarded as good governance practice.

Authoritative sources

← Back to the glossary