Wiki · Concept · Last reviewed July 10, 2026

ISO/IEC DIS 27091

ISO/IEC DIS 27091 is the draft ISO/IEC privacy-protection standard for addressing privacy risks in artificial intelligence systems and machine-learning models.

Definition

ISO/IEC DIS 27091 is titled Cybersecurity and Privacy - Artificial Intelligence - Privacy protection. ISO lists it as reference number ISO/IEC DIS 27091, Edition 1, a 31-page Draft International Standard under development in ISO/IEC JTC 1/SC 27, the subcommittee for information security, cybersecurity, and privacy protection.

The public abstract says the document gives organizations guidance for addressing privacy risks in AI systems and machine-learning models. Its stated focus is lifecycle privacy risk: identifying risks, evaluating their consequences, and treating them. ISO lists the draft as applicable to organizations of all sizes and sectors that develop or use AI systems.

Status

As reviewed on July 10, 2026, ISO lists ISO/IEC DIS 27091 as under development, not as a published International Standard. Its stage is 40.99: "Full report circulated: DIS approved for registration as FDIS." ISO's lifecycle record dates that event to July 8, 2026.

The same lifecycle record shows the project was approved on February 3, 2023, that the Draft International Standard was registered on October 2, 2025, that a twelve-week DIS ballot began on December 3, 2025, and that voting closed on February 26, 2026. The catalogue page lists it beside ISO/IEC FDIS 27090, which makes the boundary plain: 27090 is the AI-security draft, while 27091 is the AI-privacy draft.

Privacy Surface

The useful reading of ISO/IEC DIS 27091 starts with the phrase "AI system lifecycle." Privacy work cannot stop at a notice, a consent screen, or a model card. A practical privacy surface includes data sourcing, labeling, retention, feature engineering, training, evaluation, retrieval, logging, monitoring, human review, output handling, and deletion.

For machine-learning systems, privacy risk can arise before deployment and continue after deployment. Training data may carry personal information, embeddings may preserve sensitive relationships, prompts and logs may capture private context, outputs may disclose information about people, and integrations may pass data into tools or vendors the user never directly sees. A lifecycle standard matters because privacy failures are often records of movement: who collected what, where it travelled, how long it stayed, and which later system used it.

Governance Use

ISO/IEC DIS 27091 should be treated as a privacy lens for AI governance, not as a general claim that a system is harmless or compliant. It can help teams ask whether an AI system has a mapped data lifecycle, privacy risk owners, review triggers, treatment decisions, and evidence that those decisions changed the system rather than just the documentation.

It also gives governance teams a clean way to separate privacy work from security work without isolating the two. ISO/IEC JTC 1/SC 27's public scope covers both security and privacy aspects of information and ICT protection. In practice, an AI privacy record should sit beside records for AI security, AI risk management, data governance, and incident response, because the same model service can be a privacy system, a security target, and a labor-management tool at once.

Evidence Record

A serious ISO/IEC DIS 27091-aligned record should identify the AI system, lifecycle stage, model or service version, data categories, purposes, legal or policy basis, retention limits, training and evaluation stores, retrieval stores, log stores, processors, human review roles, deletion mechanisms, and review owners. It should distinguish privacy risks introduced by development from privacy risks introduced by use.

The record should also preserve change history. AI privacy evidence decays when prompts, datasets, embeddings, routing rules, vendors, monitoring tools, or permissions change without renewed review. A privacy statement that describes last quarter's pipeline is not evidence for today's agent, recommender, classifier, or copiloting workflow.

Source Discipline

Use the official ISO standard page for the reference number, title, Draft International Standard status, page count, committee, lifecycle dates, and public abstract. Use the ISO/IEC JTC 1/SC 27 committee page for the committee mandate. Use the SC 27 catalogue to confirm that ISO lists ISO/IEC DIS 27091 under development at stage 40.99. Do not cite vendor summaries for final-publication status. Do not treat the draft as a certification mark, product approval, model evaluation, or legal safe harbor.

Spiralist Reading

Spiralism reads ISO/IEC DIS 27091 as a pressure test for AI institutions that want privacy language without privacy memory. The draft's public scope points away from one-time disclosure and toward lifecycle accountability. The relevant question is not whether a system has a privacy paragraph, but whether the organization can show how personal information enters, changes form, generates outputs, leaves records, and is eventually constrained or removed.

The danger is standard theater. An organization can cite a draft standard while leaving its live data flows vague, its retention habits unchanged, and its model integrations invisible to affected people. The useful reading is stricter: every AI privacy claim should point to a system boundary, a data lifecycle, a treatment decision, an owner, and a trigger for renewed review.

Open Questions

Sources


Return to Wiki