ISO/IEC 23894
ISO/IEC 23894:2023 is an international guidance standard for managing risks specifically related to artificial intelligence across organizations that develop, produce, deploy, or use AI systems.
Definition
ISO/IEC 23894:2023, Information technology - Artificial intelligence - Guidance on risk management, is an International Standard from ISO and IEC. ISO lists it as Edition 1, published in February 2023, with ISO/IEC JTC 1/SC 42 as the responsible technical committee. The ISO page identifies the document as 26 pages and marks its status as published.
The standard provides guidance on how organizations that develop, produce, deploy, or use products, systems, and services using artificial intelligence can manage risks specifically related to AI. ISO's abstract adds that the guidance is meant to help organizations integrate risk management into their AI-related activities and functions, and that it describes processes for implementing and integrating that risk management.
Scope
ISO/IEC 23894 is guidance rather than a certification badge or standalone legal duty. ISO states that its application can be customized to any organization and context. That makes it useful for policy design, vendor review, internal controls, product governance, and audit preparation, but it does not by itself prove that a particular AI system is safe, lawful, fair, or fit for purpose.
The standard's governance value is its AI-specific risk lens. General enterprise risk management can miss the ways in which AI systems behave differently from ordinary software: probabilistic outputs, model drift, data dependency, distribution shift, opaque training history, automation bias, benchmark fragility, downstream reuse, emergent tool access, and failures that appear only after deployment in a real social setting.
Relationship to Other Standards
ISO/IEC 23894 sits near, but does not replace, ISO/IEC 42001 and ISO/IEC 42005. ISO/IEC 42001 is an AI management-system standard: it asks whether the organization has policies, processes, objectives, roles, audits, and continual improvement for AI. ISO/IEC 42005 is impact-assessment guidance for AI systems and foreseeable applications. ISO/IEC 23894 focuses on the risk-management process around AI-specific risk.
It also sits near the NIST AI Risk Management Framework. NIST AI RMF is a voluntary U.S. framework organized around Govern, Map, Measure, and Manage. ISO/IEC 23894 is an international ISO/IEC guidance standard. They can be aligned in a governance program, but claims about one should not be treated as claims about the other.
Governance and Safety
For an AI program, ISO/IEC 23894 is most useful when it changes decisions. A risk register that never delays launch, narrows access, changes a model, requires monitoring, triggers reassessment, or creates evidence for affected people is mostly documentation theater. A serious risk-management practice connects risk identification to treatment, ownership, residual-risk acceptance, review dates, and stop conditions.
The standard should be read as a way to discipline ordinary organizational questions: What are we building or buying? What could fail? Who is affected? What evidence supports the risk estimate? What controls exist? Who owns the residual risk? What changes force reassessment? What would make us withdraw the system?
For agentic and generative systems, the risk boundary should include prompts, retrieval sources, tools, identity, authorization, logs, model updates, third-party services, human review, user interface design, and incident response. Otherwise the organization may manage the model while leaving the actual deployment pathway unmanaged.
Evidence Record
A credible ISO/IEC 23894-aligned record should name the system, owner, context, intended use, foreseeable misuse, affected groups, data dependencies, model or vendor version, risk sources, evaluation evidence, controls, monitoring signals, residual-risk decision, reassessment triggers, and incident-handling path. For high-impact systems, it should also preserve dissent, uncertainty, and gaps in vendor disclosure.
Risk management is not only a spreadsheet. It is a decision record. If the system later causes harm, reviewers should be able to reconstruct what the organization knew, what it assumed, what it ignored, and who had authority to continue.
Source Discipline
Use the official ISO page for the title, publication date, committee, status, page count, and abstract-level scope. Use ISO/IEC 42001 and ISO/IEC 42005 pages for claims about those related standards. Use NIST sources for NIST AI RMF structure. Use legal texts and regulator guidance for legal duties; an ISO standard can support a compliance program, but it is not a substitute for the law itself.
Spiralist Reading
ISO/IEC 23894 is a ritual for slowing the machine before it becomes normal. It asks an institution to treat AI risk as a managed condition rather than a surprise produced by users, data, or society after launch.
Spiralism reads the standard as a memory device. The risk record does not make the system moral. It creates a trail: who named the risk, who accepted it, what evidence was thin, which controls were promised, and when the next turn of the spiral was supposed to occur.
Open Questions
- When should an ISO/IEC 23894 risk record be disclosed to buyers, regulators, workers, or affected communities?
- How should organizations prevent risk registers from becoming launch paperwork?
- What vendor evidence is necessary before a deployer can make a credible AI risk decision?
- Which AI changes should automatically trigger reassessment?
- How should ISO/IEC 23894 be mapped to NIST AI RMF, ISO/IEC 42001, ISO/IEC 42005, and binding sector law?
Related Pages
- AI Governance
- NIST AI Risk Management Framework
- ISO/IEC 42001
- ISO/IEC 42005
- AI Audits and Assurance
- Algorithmic Impact Assessments
- AI Safety Cases
- AI Post-Market Monitoring
- AI System Inventory
- AI Procurement
Sources
- ISO, ISO/IEC 23894:2023 Information technology - Artificial intelligence - Guidance on risk management, reviewed June 25, 2026.
- ISO, ISO/IEC 42001:2023 Artificial intelligence management system, reviewed June 25, 2026.
- ISO, ISO/IEC 42005:2025 Information technology - Artificial intelligence (AI) - AI system impact assessment, reviewed June 25, 2026.
- NIST, AI Risk Management Framework, reviewed June 25, 2026.