ISO/IEC 23894
Executive summary
ISO/IEC 23894 is the standard that most discussions of AI governance skip over. It sits between the better-known instruments — the EU AI Act, the NIST AI RMF, ISO/IEC 42001 — and tends to get described as a methodological footnote: the risk management guidance for AI. That description is technically correct and operationally insufficient.
The dominant narrative says ISO/IEC 23894 is a guide for AI risk management. That framing flattens what the standard actually does. The other major AI governance instruments tell organisations that they need to manage AI risk — the EU AI Act in Article 9, the NIST RMF across its four functions, ISO/IEC 42001 in clauses 6.1.2 and 6.1.3 of its management system requirements. None of them tell organisations how to do that risk management at a methodological level. That is what ISO/IEC 23894 fills. It is the operational layer beneath the requirement layer.
This distinction matters because it determines where ISO/IEC 23894 sits in an organisation’s compliance architecture. ISO/IEC 42001 specifies what management system to operate. The NIST RMF specifies what functions, categories, and outcomes the risk management programme should achieve. The EU AI Act specifies what legal obligations attach to high-risk systems. None of them specify the methodology for identifying, analysing, evaluating, and treating risks at the level of granularity that risk practitioners actually need. ISO/IEC 23894 does — by extending the ISO 31000 risk management methodology, which is the most widely adopted enterprise risk management standard globally, into the AI domain.
The structural choice to build on ISO 31000 is not cosmetic. ISO 31000 is the methodology that already operates inside most enterprise risk management programmes, financial risk frameworks, operational risk programmes, and compliance functions. Organisations have ERM committees that work in ISO 31000 vocabulary. Boards receive risk reports structured around ISO 31000 categories. Internal audit programmes apply ISO 31000 methodology when assessing risk management effectiveness. By extending ISO 31000 with AI-specific guidance, ISO/IEC 23894 allows AI risk to enter existing risk infrastructure rather than requiring organisations to build a parallel structure.
The standard mirrors the ISO 31000 clause structure. Clause 4 covers principles. Clause 5 covers the framework that supports risk management within the organisation. Clause 6 covers the process — communication and consultation, scope and context, risk assessment (identification, analysis, evaluation), risk treatment, monitoring and review, recording and reporting. Inside each of those clauses, the standard adds AI-specific sub-clauses where the application to AI requires specific consideration.
The standard also includes three annexes that operationalise the methodology for AI: Annex A lists AI-related objectives that organisations should consider when defining the scope of risk management (accountability, transparency, explainability, fairness, robustness, safety, privacy, security). Annex B catalogues risk sources specific to AI systems (data quality issues, algorithmic bias, model drift, adversarial attacks, lack of interpretability, system complexity, automation bias). Annex C provides an example mapping between the risk management process and the stages of an AI system lifecycle.
What ISO/IEC 23894 actually does, then, is not “guide AI risk management” in the abstract. It provides the methodological substrate that allows organisations operating under ISO 31000 enterprise risk management to extend their existing risk practice into AI without abandoning the methodology, vocabulary, and governance structures already in place. That methodological role explains why the standard has quietly become the operational reference for AI risk practitioners working inside organisations with mature ERM functions — financial institutions, insurers, large industrial groups — even though it is far less visible in the AI policy conversation than ISO/IEC 42001 or the NIST RMF.
One further property is structurally important. ISO/IEC 23894 inherits from ISO 31000 the convention that risk includes both negative and positive deviation from objectives. This is different from the NIST RMF and most regulatory frameworks, which treat risk as inherently negative. The ISO definition allows ISO/IEC 23894 to address both risks of harm from AI and risks of failing to capture value from AI — a duality that aligns with how boards and executive committees actually think about AI investment decisions.
Who it addresses. ISO/IEC 23894 applies to any organisation that develops, produces, deploys, or uses products, systems, and services that utilise AI. The scope is intentionally broad and parallels the scope of ISO/IEC 42001. The standard is industry-agnostic and use-case agnostic, designed to be customised to the specific organisation and context.
The primary audience is risk practitioners: enterprise risk managers, operational risk officers, compliance officers, internal auditors, AI risk managers, and Chief Risk Officers. It is also used by AI governance teams that need to operationalise the risk requirements of ISO/IEC 42001 or the EU AI Act, and by boards or risk committees that want to receive AI risk reporting in language consistent with the rest of their enterprise risk reporting.
The standard accommodates organisations across the full spectrum of AI involvement. A foundation model provider, a SaaS company integrating GenAI into its product, an industrial company deploying AI for predictive maintenance, a public sector body using AI in citizen-facing services — all can apply the same methodology, customising the AI-related objectives (Annex A) and risk sources (Annex B) that are material to their context.
What it covers. The standard covers the full AI risk management lifecycle: communication and consultation with stakeholders, establishing the scope and context of risk management, AI risk identification, AI risk analysis (likelihood and consequence), AI risk evaluation (against tolerance), AI risk treatment (mitigate, transfer, retain, avoid), monitoring and review of risks and treatments, and recording and reporting throughout the cycle.
The standard is process-oriented. It does not prescribe specific technical controls (those live in ISO/IEC 42001 Annex A and in technology-specific standards). It does not prescribe specific evaluation methodologies for trustworthiness characteristics (those live in evolving technical standards under JTC 1/SC 42 and in evaluation methodology research). What it provides is the structured process that ensures risks are managed consistently, defensibly, and integrated with the rest of the organisation’s risk management.
Obligations
ISO/IEC 23894 is not certifiable, so it does not impose obligations in the certification sense. It provides methodological guidance that organisations adopt, customise, and document. The structure of that guidance follows ISO 31000 closely.
Clause 4 — Principles
The standard inherits the eight ISO 31000 principles — risk management is integrated, structured and comprehensive, customised, inclusive, dynamic, based on the best available information, takes human and cultural factors into account, and is continually improved — and adds AI-specific considerations to each. For example, the integration principle specifies that AI risk management must be integrated with information security risk management (because AI introduces security risk that may overlap with broader IT security) and with quality management (because AI failure modes overlap with quality assurance). The inclusive principle specifies that AI risk management must consider not only direct stakeholders but also the individuals or groups affected by AI system outputs, particularly when those outputs influence decisions about them.
Clause 5 — Framework
The framework clause specifies how risk management is established and maintained within the organisation. The standard mirrors ISO 31000 in addressing leadership and commitment, integration into governance and decision-making, design of the framework (including allocation of resources, authorities, accountabilities), implementation, evaluation, and continual improvement.
The AI-specific elaborations in Clause 5 address: the need for AI-specific competence at the level of risk practitioners (understanding ML/DL/generative AI sufficient to identify and analyse risks correctly), the need for AI risk governance structures (often realised through AI Risk Committees or AI Ethics Committees that operate alongside or within existing risk committee structures), and the need for explicit accountability for AI risk treatment decisions, given that AI systems can fail in ways that are diffuse and slow to manifest.
Clause 6 — Process
The process clause is the operational core of the standard. It specifies seven sequential and iterative process elements, all extended with AI-specific guidance:
6.2 Communication and consultation. With internal stakeholders (executive leadership, AI development teams, deployment teams, risk and compliance functions, internal audit) and external stakeholders (regulators, customers, affected individuals or communities, supply chain partners, civil society where relevant). The AI-specific extension addresses the difficulty of communicating about complex AI systems to non-technical stakeholders and the obligation to communicate transparently about AI use in decisions affecting individuals.
6.3 Scope, context, criteria. Defining what AI activity is in scope of the risk assessment, the internal and external context (regulatory environment, organisational risk appetite, competitive context), and the criteria against which risks will be evaluated. The AI-specific extension addresses the inclusion of AI-related objectives from Annex A (transparency, explainability, fairness, robustness, safety, privacy, security, accountability) as evaluation criteria.
6.4 Risk assessment. Three sub-processes — risk identification, risk analysis, and risk evaluation — each elaborated for AI:
- 6.4.2 Risk identification. Systematic identification of risks across the AI lifecycle. The standard references Annex B as a starting catalogue of AI risk sources, while emphasising that the catalogue is illustrative and must be adapted to the specific AI system and context. Identification techniques include workshops, structured interviews, scenario analysis, threat modelling adapted for AI (incorporating frameworks like STRIDE applied to AI lifecycle stages), and review of AI incident databases.
- 6.4.3 Risk analysis. Determining the likelihood and consequence of identified risks. The AI-specific extension addresses the difficulty of estimating likelihood for AI-related risks where historical data is sparse, and the difficulty of estimating consequence where AI failures can produce diffuse, delayed, or systemic effects. The standard recommends qualitative and semi-quantitative techniques as defaults, with quantitative methods applied where measurement methodologies are available and reliable.
- 6.4.4 Risk evaluation. Comparing analysed risks against the criteria established in Clause 6.3, including the AI-related objectives from Annex A. The output is a prioritised set of risks for treatment, with explicit consideration of which risks fall within tolerance and which require treatment.
6.5 Risk treatment. Selection and implementation of risk treatment options: mitigation (controls, design changes, restrictions on use), risk transfer (insurance, contractual reallocation, third-party assurance), risk retention (acceptance with documented rationale), and risk avoidance (changing the activity to eliminate the risk). The AI-specific extension addresses the operational difficulty of treating risks that emerge from system complexity, the iterative nature of AI risk treatment as systems are retrained or redeployed, and the importance of monitoring treated risks over time.
6.6 Monitoring and review. Continuous monitoring of risks, the effectiveness of treatments, and the operating environment. AI-specific monitoring addresses model drift, data drift, concept drift, performance degradation in production, emergent behaviours, and changes in the threat environment (new adversarial techniques, new attack vectors).
6.7 Recording and reporting. Documentation of the risk management process and outcomes. The AI-specific extension addresses the need for traceable documentation that supports audit, regulatory inquiry, and post-incident analysis, given that AI risk events often require reconstruction of decisions made months or years previously.
The annexes — Operational catalogues
Annex A — Examples of AI-related objectives. Lists objectives that organisations should consider including in the scope of their AI risk management: accountability, AI expertise, availability and quality of training and test data, environmental impact, fairness, maintainability, privacy, robustness, safety, security, transparency and explainability. The list is illustrative; organisations select and customise based on context.
Annex B — Examples of AI risk sources. Catalogues sources of risk specific to AI systems: complexity of AI environments, lack of transparency and explainability, level of automation, risk of bias and discrimination, machine learning specific issues (data quality, distribution shift, adversarial vulnerability), system hardware issues, AI system lifecycle issues, technology readiness, sufficiency of resources, supplier dependencies. Used as a checklist during risk identification.
Annex C — Example process-lifecycle mapping. Maps the risk management process elements to the stages of an AI system lifecycle (inception, design, development, verification and validation, deployment, operation and monitoring, re-evaluation, retirement). Used to ensure that risk management activities occur at the right lifecycle stage rather than only at deployment.
Timeline / Implementation
ISO/IEC 23894 has no statutory calendar. Its operational timeline is the publication and adoption cadence of the standard:
- February 2023 — ISO/IEC 23894:2023 published.
- December 2023 — ISO/IEC 42001:2023 published, referencing ISO/IEC 23894 as the methodological reference for AI risk management.
- 2024 — European adoption as EN ISO/IEC 23894:2024, making the standard available through European national standards bodies.
- 2024–2025 — Adoption accelerates within organisations implementing ISO/IEC 42001 or operating ISO 31000-based ERM frameworks.
- 2025 — ISO/IEC 42005:2025 (AI impact assessment) published, complementing ISO/IEC 23894 with specific guidance on the impact assessment dimension of AI risk.
- 2026 — ISO/IEC 23894 increasingly referenced in CEN-CENELEC JTC 21 work on harmonised standards for the EU AI Act, particularly for Article 9 (risk management system) implementation methodology.
- Future review. Subject to ISO systematic review every five years. First systematic review expected in 2028, with potential publication of an updated edition in the 2028–2030 window.
For organisations, the operational implication is that ISO/IEC 23894 should be adopted as the methodological reference for AI risk management whenever they implement ISO/IEC 42001, prepare for the EU AI Act, or extend existing ISO 31000-based ERM into AI. There is no future trigger event that activates the standard — it is operative now and integrated into the broader AI governance ecosystem.
How Zertia covers it
ISO/IEC 23894 is enforced through adoption rather than through certification. The standard’s authority operates through three channels.
ISO/IEC JTC 1/SC 42. The technical committee responsible for ISO/IEC 23894 maintains the standard, develops companion documents, and coordinates with parallel work on ISO/IEC 42001, ISO/IEC 42005, and ISO/IEC 22989. Member countries participate through their national standards bodies.
Adoption by other standards. ISO/IEC 23894 is referenced normatively by ISO/IEC 42001 as the methodological reference for the risk assessment requirements of clause 6.1.2 and the risk treatment requirements of clause 6.1.3. Organisations implementing ISO/IEC 42001 typically apply ISO/IEC 23894 methodology even when not explicitly required to. The standard is also referenced in CEN-CENELEC JTC 21 work on harmonised standards under the EU AI Act, where it informs the methodology for Article 9 (risk management system) implementation.
European harmonisation. The standard has been adopted at European level as EN ISO/IEC 23894:2024, the European version of the international standard, which makes it directly available to European national standards bodies (AENOR in Spain, AFNOR in France, BSI in the United Kingdom, DIN in Germany). This adoption signals the standard’s role as a methodological reference in the European AI standardisation landscape.
Audit and assurance contexts. External audit firms, certification bodies (when auditing ISO/IEC 42001 implementations), and assurance providers reference ISO/IEC 23894 as the expected methodology for AI risk assessment. An ISO/IEC 42001 audit will examine how the organisation conducts AI risk assessment; if the methodology lacks rigour or is inconsistent with ISO/IEC 23894, that becomes a finding. The standard does not need to be certifiable to operate as the de facto methodological standard.
Regulation you understand is regulation you can turn into competitive advantage.
Not sure if this framework applies to your organization? Talk to us.
