What is ISO/IEC 23894?
ISO/IEC 23894 is an international guidance standard for AI risk management. Published in February 2023, it explains how organisations that develop, buy, deploy or use AI can adapt general risk management practice to AI-specific issues such as human oversight, stakeholder effects, monitoring, documentation and repeated review. It is not a law and it is not the whole AI governance framework. It is best understood as the risk management layer within the wider ISO/IEC AI standards family.
What this means
ISO/IEC 23894 is the ISO and IEC guide for handling AI risk in a structured way. If your organisation already knows how to manage security, safety, legal or operational risk, this standard helps you carry that discipline into AI work, where models, data, automation and changing use can create extra uncertainty.
It sits between broad principles and daily operating practice. Rather than telling a board how to govern everything, or giving a regulator's legal checklist, it helps teams define context, assess risks, choose controls, record decisions and revisit the same system as conditions change.
That is why the standard is useful to founders, buyers, compliance leads, product teams and public bodies alike. It is designed for organisations that develop, produce, deploy or use AI-enabled products, systems and services, and it can be tailored to different contexts.
Why it matters
AI governance often fails in the gap between principle and practice. Senior leaders may agree that systems should be safe, fair, documented and subject to human oversight, but teams still need a repeatable method for asking what can go wrong, who could be affected, what evidence must be kept and when the risk picture has changed enough to trigger another review.
ISO/IEC 23894 matters because it gives that method an internationally recognised shape. It can support internal governance, supplier due diligence, procurement, assurance work and conversations with regulators or customers. It also helps organisations avoid a common mistake in AI governance, which is treating risk as a one-off check before launch rather than an ongoing process that must be integrated into design, deployment, monitoring and reporting.
For organisations working across borders, the standard also offers a common vocabulary and a common process. That does not remove the need to comply with sector rules or AI laws, but it can reduce friction between legal, technical and operational teams by giving them a shared risk discipline.
How it works
What the standard is
ISO/IEC 23894 is a published International Standard from ISO and IEC, first issued on 6 February 2023 as edition 1. It was developed within ISO/IEC JTC 1/SC 42, the joint technical subcommittee responsible for AI standardisation. Public ISO and IEC summaries describe it as guidance on how organisations that develop, produce, deploy or use AI can manage risk specifically related to AI, and as a document that helps integrate AI risk management into organisational activities and functions.
How it sits in the standards system
This is a voluntary consensus standard, not legislation. ISO states that its International Standards do not replace national law and that national law takes priority. ISO also explains that national standards bodies participate in the drafting and voting process, then sell and adopt ISO standards nationally. In practice, that means ISO/IEC 23894 reaches markets through national or regional adoption, contracts, procurement terms, assurance programmes and regulatory references, rather than by becoming automatically binding.
How the risk method works
ISO/IEC 23894 is best read as an AI-specific layer built on top of the general ISO 31000 risk management model. OECD interoperability work notes that it uses the same top-level framework as ISO 31000, then adds AI-specific detail. That extra detail includes governance considerations around developing, purchasing and using AI, stakeholder engagement to improve human oversight, tracking and record keeping of risk information, monitoring over time and repeated re-assessment as systems or context change.
In practical terms, that means an organisation should not only ask whether a model performs well at launch. It should define the use case and risk criteria, decide who is accountable, examine technical and non-technical risks, choose treatment measures, document the reasoning, monitor the system in use and revisit the decision when the model, data, users, suppliers or regulatory context changes.
What evidence it tends to create
Used properly, ISO/IEC 23894 creates governance evidence rather than a single pass or fail score. The evidence usually takes the form of documented scope and risk criteria, named responsibilities, records of assessment and treatment decisions, monitoring notes, review records and reporting trails. That is valuable because buyers, auditors, investors and regulators often want proof that an organisation had a structured process, not just a claim that the system was handled carefully.
How it differs from broader governance frameworks
ISO/IEC 23894 is not the whole governance architecture. ISO/IEC 42001 is the broader AI management system standard. It sets requirements and guidance for establishing, implementing, maintaining and continually improving an AI management system across the organisation. ISO/IEC 23894, by contrast, is the risk management guidance that can feed into that wider system.
It is also different from ISO/IEC 42005, which is about AI system impact assessment. Impact assessment asks how a particular AI system and its foreseeable uses may affect individuals, groups or society. ISO/IEC 23894 is the wider organisational risk discipline that helps decide how to identify, assess, treat, monitor and report AI-related risk over time. Many organisations will need both.
How it connects to law and regulation
Using ISO/IEC 23894 does not in itself prove legal compliance. The standard is voluntary, and laws still apply on their own terms. That said, it can be highly relevant to compliance work because regulators and public authorities increasingly rely on standards as a way to translate legal duties into practical methods.
The European Commission's AI Act standardisation guidance is a good example. The Commission says harmonised standards can provide legal certainty and, once referenced in the Official Journal of the European Union, can create a presumption of conformity for covered AI Act requirements. The same guidance also says European work should rely on international standards where possible, but new standards will be developed where existing ISO material does not align closely enough with the AI Act. So ISO/IEC 23894 can be a useful building block for AI Act readiness, but it is not itself an EU compliance safe harbour.
Examples
The UK government's AI assurance guide gives a simple example of an online education platform exploring AI personalisation for video content. The workflow starts with workshops and questionnaires to capture possible risks, followed by internal audit review and an internal report for decision makers. That is the sort of operating rhythm ISO/IEC 23894 is built to support: define context, identify risk, assess it, decide treatment and keep a record that can be reviewed later.
The same guide uses a recruitment screening scenario to explain bias audit. A third-party auditor agrees the scope, gets access to company data and systems, and tests whether the sifting model shows unfair bias. The guide names ISO/IEC 23894 as a relevant process and governance standard for this kind of work. In other words, technical testing for bias is only part of the job. Organisations also need governance, escalation, mitigation and review disciplines around the test itself.
A third useful workflow is the impact assessment route. The UK guide describes a waste sorting company assessing a proposed AI system before deployment, using a questionnaire-based toolkit to map environmental, fairness, transparency and inclusivity concerns, then publishing a report with mitigations and reflections. That example shows where ISO/IEC 42005 and ISO/IEC 23894 meet. The assessment examines the likely effects of one system; the risk management standard helps the organisation fold those findings into ongoing governance, review and treatment decisions.
Common misunderstandings
A common misunderstanding is that ISO/IEC 23894 is an AI law. It is not. It is a voluntary international standard that can support compliance work, but legal duties come from statutes, regulations, sector rules and contracts.
Another misunderstanding is that it only matters to model developers. The published scope is broader than that. It is meant for organisations that develop, produce, deploy or use AI, which includes buyers, deployers and operators.
People also confuse it with ISO/IEC 42001. They are related, but not interchangeable. ISO/IEC 42001 is the organisation-wide management system standard. ISO/IEC 23894 is the AI risk management guidance that can sit inside that wider system.
It is also wrong to treat ISO/IEC 23894 as a one-time pre-launch checklist. The public summaries and related interoperability work emphasise monitoring, record keeping and repeated review, which means risk management continues after deployment.
Risks and boundaries
ISO/IEC 23894 is deliberately high level. That makes it adaptable, but it also means it will not answer every domain question for you. A bank, hospital, HR platform and transport operator may all use the same risk structure while still needing very different controls, technical tests and legal analysis.
It should not be misapplied as proof that a system is safe or lawful simply because a document exists. Weak documentation, shallow stakeholder engagement or narrow testing can still leave serious gaps. The standard is most useful when it is connected to actual product design, procurement checks, human oversight arrangements, incident handling, logging, data governance and sector-specific assurance work.
There is also a regulatory boundary to keep in view. International standards can inform domestic or regional compliance, but they do not automatically become the benchmark that a regulator will accept. In the EU, for example, presumption of conformity comes from harmonised standards that have been formally referenced in the Official Journal. The Commission also says new European standards may be needed where existing international texts do not align sufficiently with AI Act requirements.
Finally, ISO/IEC 23894 is not the complete answer to board governance, nor is it the same thing as an AI impact assessment. If leaders need a formal AI management system standard, they should look at ISO/IEC 42001. If they need a structured way to assess how one system may affect people or society, they should also look at ISO/IEC 42005.
What to do next
Start by deciding what problem you are trying to solve. If the immediate need is a disciplined way to identify, assess, treat and review AI-related risk across projects, ISO/IEC 23894 is a strong operating guide. If the need is an organisation-wide management system with formal requirements, it should be paired with, or in some cases give way to, ISO/IEC 42001.
Then map your existing enterprise risk process against the AI lifecycle. Check whether you have clear risk owners, escalation routes, stakeholder engagement steps, review triggers after deployment and documented reporting lines. Most organisations already have some risk process, but AI often exposes missing links between product, legal, procurement, security, data and compliance teams.
Finally, use the standard as a joining mechanism, not a badge. Build it into procurement questions, model approval gates, change control, incident review and management reporting. Then test the method against the laws and sector rules that actually apply in your market. That is where ISO/IEC 23894 is most useful, as a durable structure for practical governance work rather than a substitute for judgement.
FAQs
Is ISO/IEC 23894 mandatory?
No. It is a voluntary international standard. It can still matter in practice because contracts, procurement rules, assurance programmes or regulators may expect a structured risk management method, but the standard itself is not legislation.
Who should use ISO/IEC 23894?
Organisations that develop, produce, deploy or use AI. That includes vendors, in-house builders, buyers, public authorities and operators that rely on third-party AI.
Is ISO/IEC 23894 the same as ISO/IEC 42001?
No. ISO/IEC 42001 is the broader AI management system standard. ISO/IEC 23894 is the companion guidance focused on AI risk management.
Does ISO/IEC 23894 replace an AI impact assessment?
No. Impact assessment and risk management are related but different. Impact assessment looks closely at how a specific AI system may affect people or society. ISO/IEC 23894 helps the organisation manage AI-related risk more broadly and on an ongoing basis.
Can ISO/IEC 23894 help with AI Act readiness?
Yes, but indirectly. It can help structure your risk process and documentation. It does not by itself create compliance or presumption of conformity under the EU AI Act.
Does the standard apply only before deployment?
No. Public summaries and cross-framework analysis both point to monitoring, recording, reporting and repeated review. The discipline continues after launch.
Is ISO/IEC 23894 mainly for technical teams?
No. Effective use usually needs product, data, security, legal, compliance, procurement and senior leadership involvement, because many important AI risks are organisational as well as technical.
