30 November 2022 is widely regarded as a landmark date in digital technology: it is the day OpenAI launched ChatGPT, a free chatbot that put a conversational form of artificial intelligence in the hands of the general public.
The ability to easily interact with large language models has upended corporate strategies — introducing new business models and threatening existing ones — and has had a profound impact on jobs, entertainment, cybersecurity, and many other sectors of society.
The mix of opportunities and threats has, predictably, triggered a range of reactions as people wonder whether generative AI will take over the world. The EU AI Act is one such reaction: governments are seeking to regulate the technology in order to:
Standards bodies have not been left behind either. In December 2023 the first AI management system standard was published: ISO/IEC 42001.
The ISO/IEC 42001:2023 international standard specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organizations.
The goal is to balance innovation with AI governance by ensuring that organizations which create or use AI-based products or services do so responsibly, while addressing the unique challenges AI poses, such as:
In the following sections, we will first look at the standard itself — what’s included — and then we’ll explore the benefits it offers for organizations that adopt its guidance.
ISO 42001 follows the Annex SL structure, the high-level structure ISO introduced in 2012 for all of its management system standards so that multiple standards align and can be integrated without duplication.
The structure has ten clauses. The auditable requirements sit in clauses 4 to 10, and clause 8 (Operation) is where the AI-specific requirements, such as AI risk assessment and AI risk treatment, differ most from other management system standards.
ISO 42001 Standard Structure (Annex SL)
The key areas covered in the requirements are as follows:
Clause 4 (Context of the organization): the organization needs to identify:
It must also document the scope of the AIMS, then establish, implement and maintain the AIMS.
Clause 5 (Leadership): the organization's top management will need to:
Clause 6 (Planning): the organization itself will:
Any changes to the AIMS must be planned and carried out in a controlled manner.
Clause 7 (Support): the organization will:
Clause 8 (Operation): the organization will:
(Related reading: how to perform a business impact analysis.)
Clause 9 (Performance evaluation): the organization will:
Clause 10 (Improvement): the organization will need to:
Four annexes follow the clauses of ISO 42001: Annexes A, B, C and D.
Annex A is a normative annex listing reference control objectives and controls that organizations may use to manage AI system risks and achieve business objectives. Examples of these controls include:
Annex A supports clause 8.3 on AI risk treatment. Organizations may design their own controls in addition to this list, and any listed control that is not applied must have a documented justification for its exclusion (the Statement of Applicability).
Annex B is a normative annex providing implementation guidance for the controls in Annex A. The organization may choose to:
Annex C is an informative annex listing possible AI-related objectives and risk sources that organizations can consider when conducting AI risk assessments; it supports clauses 6.2 and 8.2 of the standard.
More detailed guidance on managing AI risk is given in ISO/IEC 23894:2023 (Artificial intelligence: Guidance on risk management).
(Related reading: AI risk management.)
Annex D is an informative annex that provides guidance on integrating the AIMS with other management system standards such as ISO 9001:2015 (quality management) and ISO/IEC 27001:2022 (information security management).
The fears associated with AI are not unfounded, according to Neuroscience News. Human beings thrive on a sense of control, value and privacy, and it is reasonable to be unsettled by the rapid advances generative AI is making, especially where job security and human relationships are concerned.
Enterprises, too, worry about the erosion of their intellectual property and other information assets, since generative AI vendors have used web scraping to train their models without permission.
Addressing these fears requires organizations to apply governance measures across every part of their AI business model. By adopting ISO 42001, an enterprise can demonstrate to its stakeholders that it manages AI in a way that addresses the risks behind those fears.
Some of the benefits that organizations can gain from complying with the requirements of the ISO/IEC 42001:2023 standard include:
Building trust in their AI products, confidence among stakeholders and controls for associated risks such as bias are strategic imperatives for any enterprise that develops or uses AI systems.
Simply put, think of ISO 42001 as an umbrella covering the key areas an organization should address on its AI implementation journey.
This posting does not necessarily represent Splunk's position, strategies or opinion.