AI Impact Assessment Overview

Introduction to AI Impact Assessment

An AI Impact Assessment (AIIA) is a systematic process for identifying, analyzing, and mitigating potential negative impacts of AI systems on individuals, society, and the environment. Under ISO 42001 and the EU AI Act, organizations deploying AI systems must conduct comprehensive impact assessments to ensure responsible and ethical AI deployment.

What is an AI Impact Assessment?

An AI Impact Assessment is a structured evaluation that examines:

Human Rights Impact: Effects on fundamental rights and freedoms
Societal Impact: Broader community and social consequences
Environmental Impact: Carbon footprint and resource consumption
Economic Impact: Employment, market dynamics, and competition
Legal & Compliance Impact: Regulatory obligations and liability risks
Ethical Impact: Fairness, transparency, and accountability concerns

Unlike traditional risk assessments that focus primarily on organizational risks, AIIAs take a broader stakeholder-centered approach that considers impacts on all affected parties.

When is an AIIA Required?

ISO 42001 Requirements (Clause 6.1.2)

Under ISO 42001, organizations must conduct an AI Impact Assessment when:

Deploying New AI Systems: Any new AI system that affects stakeholders
Significant Changes: Major modifications to existing AI systems
High-Risk Applications: Systems with potential for significant harm
Regulatory Requirements: When mandated by applicable laws
Stakeholder Request: When stakeholders express concerns
Periodic Review: Regular reassessment (typically annually)

EU AI Act FRIA Requirements

The EU AI Act mandates Fundamental Rights Impact Assessments (FRIA) for high-risk AI systems before deployment:

High-Risk Categories Requiring FRIA:

Category	Examples	Key Concerns
Biometric Identification	Facial recognition, emotion detection	Privacy, surveillance, discrimination
Critical Infrastructure	Energy grid AI, water management	Safety, service continuity
Education & Vocational Training	Automated grading, admission systems	Equal opportunity, fairness
Employment & HR	Resume screening, performance evaluation	Non-discrimination, worker rights
Essential Services	Credit scoring, benefit eligibility	Access to services, fairness
Law Enforcement	Predictive policing, evidence analysis	Due process, presumption of innocence
Migration & Border Control	Visa processing, asylum decisions	Human dignity, non-refoulement
Justice & Democracy	Case law analysis, voting systems	Fair trial, democratic participation

Risk-Based Approach

Organizations should adopt a risk-based approach to determine AIIA scope and depth:

Risk Level Assessment:

Low Risk (Minimal AIIA):
- Spam filters
- Inventory management
- Simple chatbots
- Recommendation systems (non-sensitive)

Medium Risk (Standard AIIA):
- Customer service automation
- Marketing personalization
- Fraud detection
- Content moderation

High Risk (Comprehensive AIIA):
- Healthcare diagnostics
- Credit decisions
- Employment screening
- Educational assessments

Critical Risk (Extended AIIA + External Review):
- Criminal justice decisions
- Life-critical medical systems
- Mass surveillance systems
- Democratic process systems

AIIA Methodology Overview

Phase 1: Scoping and Planning

Objectives:

Define AI system boundaries and scope
Identify stakeholders and affected parties
Establish assessment team and governance
Determine applicable legal and regulatory requirements

Key Activities:

System Description
- Technical architecture and capabilities
- Input data sources and processing methods
- Output types and decision-making role
- Integration with existing systems
Stakeholder Mapping
- Direct users of the AI system
- Individuals affected by AI decisions
- Communities and groups impacted
- Regulatory bodies and oversight entities
Legal and Regulatory Analysis
- Applicable laws and regulations
- Industry-specific requirements
- Contractual obligations
- International standards compliance

Deliverable: AIIA Project Charter

Phase 2: Impact Identification

Objectives:

Identify potential positive and negative impacts
Categorize impacts by type and severity
Map impacts to affected stakeholders
Document impact pathways and mechanisms

Impact Categories:

Impact Type	Assessment Areas	Key Questions
Individual Rights	Privacy, autonomy, dignity, non-discrimination	Does the AI system respect fundamental rights?
Societal	Social cohesion, employment, democratic processes	What are the broader community effects?
Environmental	Energy use, carbon emissions, e-waste	What is the environmental footprint?
Economic	Market competition, job displacement, wealth distribution	Who benefits and who bears costs?
Health & Safety	Physical safety, mental health, wellbeing	Are there health or safety risks?
Security	Cybersecurity, system resilience, malicious use	How might the system be compromised?

Impact Identification Methods:

Literature Review: Research similar AI systems and documented impacts
Expert Consultation: Engage domain experts and ethicists
Stakeholder Interviews: Gather perspectives from affected parties
Scenario Analysis: Explore potential use cases and edge cases
Historical Analysis: Review past incidents and failures
Red Team Testing: Adversarial testing for vulnerabilities

Deliverable: Impact Register (comprehensive list of identified impacts)

Phase 3: Impact Analysis and Evaluation

Objectives:

Assess likelihood and severity of each impact
Evaluate cumulative and intersectional effects
Prioritize impacts for mitigation
Determine risk levels and acceptability

Impact Scoring Matrix:

Severity Levels:
1 - Negligible: Minimal inconvenience, easily reversible
2 - Minor: Some inconvenience, reversible with effort
3 - Moderate: Significant inconvenience or temporary harm
4 - Major: Substantial harm, difficult to reverse
5 - Severe: Fundamental rights violation, irreversible harm

Likelihood Levels:
1 - Rare: < 5% probability
2 - Unlikely: 5-25% probability
3 - Possible: 25-50% probability
4 - Likely: 50-75% probability
5 - Almost Certain: > 75% probability

Risk Score = Severity × Likelihood

Risk Classification:

Risk Score	Classification	Required Action
1-4	Low	Monitor, standard controls
5-9	Medium	Additional controls, regular review
10-15	High	Significant mitigation, management approval
16-20	Very High	Extensive mitigation, executive approval
21-25	Critical	Consider not deploying, board-level decision

Intersectional Analysis:

Consider how impacts may compound for vulnerable groups:

Multiple Protected Characteristics: Individuals with intersecting identities (e.g., elderly women from minority communities)
Cumulative Effects: Combined impact of multiple AI systems
Power Imbalances: Disproportionate effects on marginalized groups
Access Barriers: Digital divide and accessibility challenges

Deliverable: Impact Analysis Report with risk scores and prioritization

Phase 4: Mitigation and Controls

Objectives:

Design controls to prevent or reduce negative impacts
Implement safeguards and protective measures
Establish monitoring and evaluation mechanisms
Document residual risks and acceptance criteria

Mitigation Hierarchy:

Eliminate: Remove or redesign to prevent the impact
Reduce: Implement technical or procedural controls
Transfer: Share responsibility (insurance, partnerships)
Accept: Document and monitor residual risk

Mitigation Strategies by Impact Type:

Individual Rights Protection:

Privacy-preserving techniques (differential privacy, federated learning)
Fairness-enhancing interventions (bias testing, fairness constraints)
Transparency mechanisms (explainable AI, decision explanations)
Human oversight and appeal processes
Data minimization and purpose limitation

Societal Impact Mitigation:

Community engagement and consultation
Job transition programs and reskilling
Accessibility features and digital inclusion
Cultural sensitivity and localization
Public awareness and education programs

Environmental Impact Reduction:

Energy-efficient model architectures
Carbon-aware training schedules
Hardware lifecycle management
Renewable energy sourcing
Model optimization and compression

Deliverable: Mitigation Plan with specific controls and responsibilities

Phase 5: Documentation and Approval

Objectives:

Document all assessment findings and decisions
Obtain necessary approvals and sign-offs
Create audit trail for compliance
Communicate results to stakeholders

Required Documentation:

Executive Summary
- AI system overview
- Key findings and risk levels
- Mitigation approach
- Approval recommendation
Detailed Assessment Report
- Complete methodology description
- Stakeholder engagement summary
- Impact register and analysis
- Mitigation plans and controls
- Residual risk assessment
Technical Appendices
- System architecture documentation
- Data flow diagrams
- Algorithm specifications
- Testing and validation results
Approval Records
- Sign-off by risk committee
- Executive approval
- Legal review confirmation
- Stakeholder consultation records

Approval Workflow:

Step 1: AIIA Team Completion → Internal Review
Step 2: Legal & Compliance Review → Recommendations
Step 3: Risk Committee Review → Risk Acceptance
Step 4: Executive Approval → Deployment Authorization
Step 5: Stakeholder Communication → Public Disclosure (if required)

Deliverable: Complete AIIA Documentation Package

Phase 6: Monitoring and Review

Objectives:

Implement ongoing monitoring of AI system impacts
Track effectiveness of mitigation measures
Identify emerging impacts or risks
Conduct periodic reassessment

Monitoring Framework:

Metric Type	Examples	Frequency
Performance Metrics	Accuracy, precision, recall by demographic group	Continuous
Fairness Metrics	Demographic parity, equalized odds, calibration	Weekly
Impact Indicators	User complaints, appeal rates, adverse outcomes	Daily
Environmental Metrics	Energy consumption, carbon emissions	Monthly
Compliance Metrics	Regulatory violations, audit findings	Quarterly

Review Triggers:

Conduct a full AIIA review when:

Scheduled Review: Annual or as defined in AIIA
Significant Change: Major system updates or new use cases
Incident Occurrence: Adverse impacts or failures
Regulatory Change: New laws or requirements
Stakeholder Request: Concerns from affected parties
Performance Degradation: Declining fairness or accuracy metrics

Deliverable: Monitoring Dashboard and Review Schedule

ISO 42001 Specific Requirements

Clause 6.1.2: AI Impact Assessment

ISO 42001 requires organizations to:

a) Identify AI-related impacts:

Establish criteria for determining when AIIA is required
Consider impacts on all stakeholders (not just the organization)
Include both beneficial and adverse impacts
Address short-term and long-term consequences

b) Determine stakeholders affected by impacts:

Map all stakeholder groups
Prioritize vulnerable and marginalized groups
Consider indirect and cumulative effects
Document stakeholder characteristics and sensitivities

c) Assess the significance of impacts:

Use consistent evaluation criteria
Consider severity, likelihood, and reversibility
Apply risk-based approach
Document assessment methodology

d) Determine actions to address impacts:

Prioritize elimination of high-severity impacts
Implement appropriate controls and safeguards
Establish monitoring and review processes
Document residual risks and acceptance

e) Document and retain information:

Maintain AIIA records for audit purposes
Update documentation when circumstances change
Ensure accessibility for authorized parties
Protect confidential information appropriately

Integration with Other ISO 42001 Clauses

The AIIA process integrates with:

Clause 4.1 (Context): Understanding organizational context informs AIIA scope
Clause 4.2 (Stakeholders): Stakeholder needs feed into impact assessment
Clause 6.1.1 (Risk Assessment): AIIA complements organizational risk assessment
Clause 6.2 (Objectives): Impact mitigation objectives guide system design
Clause 8.2 (AI System Development): AIIA findings inform development decisions
Clause 9.1 (Monitoring): Impact monitoring supports performance evaluation
Clause 10.2 (Nonconformity): Impact incidents trigger corrective action

EU AI Act FRIA Requirements

Article 27: Fundamental Rights Impact Assessment

High-risk AI system providers must conduct FRIA before deployment:

Required Assessment Elements:

Description of deployment process
- Intended purpose and use cases
- Geographic and temporal scope
- Target users and affected populations
- Integration with existing systems
Description of relevant fundamental rights
- Rights potentially affected (privacy, non-discrimination, etc.)
- Legal basis and protection frameworks
- Special considerations for vulnerable groups
Detailed description of risks to fundamental rights
- Nature and likelihood of potential harms
- Severity and scope of impacts
- Affected groups and vulnerabilities
- Mitigation measures and residual risks
Assessment of risks identified
- Risk evaluation methodology
- Quantitative and qualitative analysis
- Cumulative and intersectional effects
- Comparison with alternative approaches
Description of mitigation measures
- Technical safeguards implemented
- Organizational controls and governance
- Human oversight arrangements
- Monitoring and review processes

FRIA Update Requirements:

At least annually
When substantial modification occurs
When new risks are identified
When requested by market surveillance authority

Alignment with Data Protection Impact Assessment (DPIA)

When AI systems process personal data, FRIA should be integrated with GDPR DPIA:

Aspect	DPIA (GDPR)	FRIA (AI Act)	Integrated Approach
Trigger	High risk to rights/freedoms	High-risk AI system	Conduct both when applicable
Focus	Data processing risks	Broader fundamental rights	Holistic rights assessment
Scope	Personal data protection	All AI system impacts	Combined assessment
Consultation	DPO, data subjects	Affected stakeholders	Unified stakeholder engagement
Documentation	DPIA report	FRIA report	Single comprehensive report

Stakeholder Involvement

Why Stakeholder Engagement Matters

Effective stakeholder involvement in AIIA:

Identifies Blind Spots: Uncover impacts that internal teams might miss
Builds Trust: Demonstrates commitment to responsible AI
Improves Outcomes: Diverse perspectives lead to better solutions
Ensures Legitimacy: Participatory approach enhances social license
Meets Requirements: Fulfills regulatory consultation obligations

Stakeholder Identification

Primary Stakeholders (Directly Affected):

End users of the AI system
Individuals subject to AI decisions
Employees working with AI
Customers and service recipients

Secondary Stakeholders (Indirectly Affected):

Communities where AI is deployed
Competitors and market participants
Civil society organizations
Advocacy groups and NGOs

Regulatory Stakeholders:

Data protection authorities
Sector-specific regulators
Standards bodies
Law enforcement agencies

Vulnerable Groups Requiring Special Attention:

Children and minors
Elderly individuals
People with disabilities
Minority and marginalized communities
Refugees and migrants
Low-income populations

Engagement Methods

Early Stage Engagement:

Method	Purpose	Participants	Format
Public Consultation	Gather broad input	General public	Online survey, town halls
Focus Groups	Deep dive on specific issues	Representative sample	Facilitated discussion
Expert Panels	Technical and ethical review	Subject matter experts	Structured dialogue
Community Workshops	Co-design and feedback	Affected communities	Interactive sessions

Ongoing Engagement:

User feedback mechanisms
Regular stakeholder forums
Advisory committees
Grievance and redress channels
Public reporting and transparency

Documentation of Engagement

Record all stakeholder engagement activities:

Participants and their affiliations
Engagement methods and materials
Key concerns and suggestions raised
How feedback influenced AIIA
Responses to unaddressed concerns

AIIA Governance and Accountability

AIIA Team Composition

An effective AIIA requires diverse expertise:

Core Team Members:

AIIA Lead: Overall coordination and methodology
AI/ML Engineer: Technical system understanding
Legal Counsel: Regulatory compliance and liability
Ethicist: Ethical principles and values alignment
Domain Expert: Sector-specific knowledge
Human Rights Specialist: Rights-based impact analysis

Extended Team:

Data protection officer
Security specialist
Environmental sustainability expert
Communications/stakeholder engagement lead
External auditor or independent reviewer

Approval Authority

Define clear approval authority based on risk level:

Risk Level	Approval Authority	Additional Requirements
Low	Product Manager	Documented self-assessment
Medium	Risk Committee	Standard AIIA review
High	Executive Leadership	External expert review
Critical	Board of Directors	Public consultation, regulatory pre-clearance

Quality Assurance

Ensure AIIA quality through:

Peer Review: Internal review by independent experts
External Audit: Third-party validation for high-risk systems
Stakeholder Validation: Confirmation that concerns are addressed
Regulatory Review: Pre-submission to relevant authorities
Continuous Improvement: Lessons learned from previous AIIAs

Common Challenges and Solutions

Challenge 1: Identifying All Impacts

Problem: Complex AI systems have numerous direct and indirect impacts that are difficult to anticipate.

Solutions:

Use structured frameworks and checklists
Engage diverse stakeholders with different perspectives
Review case studies and incident reports from similar systems
Conduct scenario planning and red team exercises
Allow sufficient time for thorough analysis

Challenge 2: Quantifying Intangible Impacts

Problem: Some impacts (dignity, autonomy, social cohesion) are difficult to measure.

Solutions:

Combine quantitative and qualitative assessment methods
Use proxy indicators where direct measurement is impossible
Employ expert judgment and stakeholder input
Document assessment limitations transparently
Focus on relative comparison rather than absolute scores

Challenge 3: Balancing Competing Interests

Problem: Different stakeholders may have conflicting priorities and values.

Solutions:

Make trade-offs explicit and transparent
Apply ethical frameworks consistently
Prioritize fundamental rights and vulnerable groups
Document rationale for difficult decisions
Provide channels for dissenting views

Challenge 4: Keeping Assessment Current

Problem: AI systems evolve rapidly, and impacts change over time.

Solutions:

Implement continuous monitoring systems
Define clear triggers for reassessment
Maintain living documentation that can be updated
Build reassessment into development lifecycle
Allocate resources for ongoing AIIA maintenance

Challenge 5: Resource Constraints

Problem: Comprehensive AIIA requires significant time and expertise.

Solutions:

Apply risk-based approach to scale effort appropriately
Leverage templates and standardized methodologies
Build internal AIIA capability over time
Use automated tools for data collection and analysis
Collaborate with industry peers on common challenges

AIIA Best Practices

1. Start Early

Begin AIIA during AI system design phase
Integrate impact assessment into development lifecycle
Address issues before they become embedded in system

2. Be Comprehensive

Consider all types of impacts (not just most obvious)
Include positive and negative impacts
Address direct and indirect effects
Evaluate short-term and long-term consequences

3. Engage Meaningfully

Involve stakeholders at all stages
Create accessible engagement opportunities
Respond substantively to feedback
Demonstrate how input influenced decisions

4. Document Thoroughly

Maintain clear audit trail
Record assumptions and limitations
Explain assessment methodology
Document decisions and rationale

5. Focus on Action

Translate findings into concrete mitigation measures
Assign clear responsibilities and timelines
Implement monitoring to verify effectiveness
Close the loop with stakeholders on outcomes

6. Ensure Independence

Include external perspectives in assessment
Separate assessment from development team
Use independent review for high-risk systems
Avoid conflicts of interest

7. Iterate and Improve

Treat AIIA as living document
Update based on monitoring findings
Learn from incidents and near-misses
Refine methodology based on experience

8. Integrate with Existing Processes

Align with organizational risk management
Coordinate with DPIA for data protection
Connect to product development lifecycle
Link to audit and compliance programs

Key Takeaways

AIIA is Essential: Mandatory for high-risk AI systems under ISO 42001 and EU AI Act
Stakeholder-Centered: Focus on impacts to people and society, not just organizational risks
Systematic Approach: Follow structured methodology across six phases
Risk-Based: Scale assessment effort to risk level and system criticality
Actionable: Must result in concrete mitigation measures and controls
Living Process: Requires ongoing monitoring and periodic reassessment
Multidisciplinary: Needs diverse expertise and perspectives
Transparent: Document decisions and engage stakeholders openly

Next Steps

In the following lessons, we will dive deeper into specific aspects of AI impact assessment:

Lesson 4.2: Societal Impact Analysis
Lesson 4.3: Individual Rights Impact
Lesson 4.4: Environmental Considerations
Lesson 4.5: AI Impact Assessment Template
Lesson 4.6: Stakeholder Engagement

Each lesson will provide practical tools and templates to support your AIIA implementation.

References and Resources

Standards and Regulations:

ISO/IEC 42001:2023 - AI Management System
EU Artificial Intelligence Act (2024)
ISO/IEC 23894:2023 - AI Risk Management
OECD AI Principles

Guidance Documents:

European Commission FRIA Guidelines
UK ICO AI Auditing Framework
Canadian Algorithmic Impact Assessment
IEEE 7000 Series on AI Ethics

Tools and Templates:

Algorithm Impact Assessment Tool (Government of Canada)
Microsoft AI Fairness Checklist
Google PAIR (People + AI Research) Guidebook
AI Now Institute Resources

This lesson provides the foundation for conducting comprehensive AI impact assessments. Master these concepts before proceeding to specialized impact analysis topics.