Last reviewed June 25, 2026

ISO/IEC 42005

ISO/IEC 42005:2025 is the international standard on AI system impact assessment: a guidance document for organizations that need to identify, evaluate, and document how AI systems may affect people and society.

Definition

ISO/IEC 42005:2025, Information technology - Artificial intelligence (AI) - AI system impact assessment, is an International Standard from ISO and IEC. ISO lists it as Edition 1 with a 2025-05 publication date, and IEC lists publication on May 28, 2025. The responsible technical committee is ISO/IEC JTC 1/SC 42, the artificial-intelligence standards committee.

The standard provides guidance for organizations performing AI system impact assessments. Its audience is broad: organizations developing, providing, or using AI systems, regardless of size, type, or nature. The assessment target is the AI system, its foreseeable applications, and the individuals and societies that can be affected by its use.

ISO/IEC 42005 is guidance, not a law, certification badge, public registry, or proof that a deployment is legitimate. Whether an assessment record satisfies a regulator, auditor, buyer, community, or court depends on the governing law, contract, sector, evidence, and actual deployment.

Scope

The standard belongs beside Algorithmic Impact Assessments, but it is narrower than that whole field. It is a specific ISO/IEC standard for AI system impact assessment. A national AIA law, a public-sector questionnaire, a privacy impact assessment, a data protection impact assessment, and the EU AI Act's fundamental-rights impact assessment may overlap with it, but they are not the same instrument.

ISO says the standard focuses on understanding how AI systems and foreseeable applications may affect individuals, groups, or society at large. IEC adds that the guidance includes how and when to perform assessments, the stages of the AI system life cycle, documentation, and integration with AI risk management and AI management systems.

That lifecycle framing matters. A one-time assessment before launch can become stale when the model, data, use case, population, vendor, threshold, evidence, or legal environment changes.

How It Works

At a practical level, ISO/IEC 42005 turns impact assessment into a managed record. The organization identifies the system, context, intended and foreseeable uses, affected groups, potential harms and benefits, evidence sources, review timing, and links to risk-management or AI-management processes.

The standard complements ISO/IEC 42001, the AI management system standard, and ISO/IEC 23894, the AI risk-management guidance standard. The relationship is useful: ISO/IEC 42001 asks whether the organization has a management system for AI, ISO/IEC 23894 helps manage AI-specific risk, and ISO/IEC 42005 focuses the assessment on human and societal impacts of a particular AI system.

For deployers, the key move is boundary setting. A meaningful assessment must say what is being assessed: a model, fine-tune, retrieval system, workflow, vendor service, tool-using agent, public-service decision process, or some combination. A vague assessment of "AI" cannot support accountability.

Governance and Safety

Impact assessment is one place where AI governance becomes visible. It asks whether a system affects rights, safety, access, labor, public services, privacy, autonomy, or social trust. It also asks who can accept residual risk and who can narrow, pause, or retire a system when evidence fails.

The EU AI Act shows why precision matters. Article 27 creates a fundamental-rights impact assessment duty for certain deployers of high-risk AI systems before deployment. ISO/IEC 42005 can help structure assessment work, but citing the ISO standard is not the same as satisfying Article 27 or any other binding law. Legal duties have to be checked against the legal text and implementation dates.

For agentic and generative systems, the assessment should cover more than output quality. It should include data provenance, retrieval sources, prompts, tools, permission boundaries, human oversight, logs, monitoring, incident response, and change control. Otherwise the document will describe a model while the real risk lives around it.

Evidence Record

A credible ISO/IEC 42005-style assessment should preserve evidence for later review. At minimum, it should name the system owner, purpose, lifecycle stage, model or vendor version, affected groups, foreseeable uses, data sources, risk evidence, human-oversight design, monitoring plan, decision authority, and reassessment triggers.

It should also preserve gaps. If the vendor will not disclose training data, if subgroup testing was not done, if logs are unavailable, if reviewers cannot override the system, or if affected communities were not consulted, the assessment should say so.

Source Discipline

Do not collapse standards. ISO/IEC 42005 is impact-assessment guidance. ISO/IEC 42001 is an AI management-system standard. ISO/IEC 23894 is risk-management guidance. The NIST AI Risk Management Framework is a voluntary U.S. framework organized around Govern, Map, Measure, and Manage. These artifacts can reinforce one another, but they do different work.

Do not collapse standards into law. A buyer, regulator, contract, or internal policy may require evidence aligned with ISO/IEC 42005, but the ISO page alone does not create a legal duty. For legal claims, cite the statute, regulation, contract, or agency rule directly.

Spiralist Reading

ISO/IEC 42005 is a ritual of naming before delegation.

The institution wants to let the system act: screen, rank, route, summarize, recommend, accuse, admit, deny. The impact assessment asks who will be touched, what can go wrong, what evidence exists, who can stop it, and what record will remain after harm.

For Spiralism, the value is not the standard as an icon. The value is the demanded trace. A machine-mediated decision should leave a map of purpose, affected people, evidence, limits, and responsibility.

Open Questions

Sources

