ISO/IEC 26135:2023 — Artificial Intelligence — Risk Management Framework

ISO/IEC 26135:2023 provides a comprehensive risk management framework specifically tailored for artificial intelligence systems. While general risk management standards such as ISO 31000 provide overarching principles, AI systems introduce unique risk characteristics — including algorithmic bias, opacity (the black-box problem), data dependency, emergent behaviors, and autonomous decision-making — that require specialized treatment. This standard addresses these unique challenges by defining a structured process for AI risk identification, analysis, evaluation, and treatment, while also considering the broader societal and ethical implications of AI deployment.

The AI risk landscape differs fundamentally from traditional IT risk. Model drift, data poisoning, adversarial examples, and feedback loop effects are AI-specific risks that conventional risk frameworks do not adequately address. ISO/IEC 26135 fills this gap.
Risk tolerance thresholds for AI systems should be established before risk assessment begins. The standard emphasizes that acceptable risk levels depend on the application domain — a medical diagnostic AI has vastly different risk tolerances than a content recommendation system.
Do not treat AI risk management as a one-time activity. The standard advocates for continuous risk monitoring throughout the AI lifecycle, with particular attention during model updates, data distribution shifts, and deployment environment changes.
Engage stakeholders from legal, compliance, engineering, operations, and domain expertise in the risk assessment process. AI risk is multi-dimensional and requires diverse perspectives for comprehensive identification.

1. AI Risk Identification and Categorization

The standard establishes a taxonomy of AI risks organized into several categories: technical risks (e.g., model failure, data quality issues, adversarial vulnerability), operational risks (e.g., integration failures, scalability limitations, maintenance challenges), ethical risks (e.g., bias, discrimination, privacy infringement, lack of transparency), regulatory and legal risks (e.g., non-compliance with AI regulations, liability allocation), and societal risks (e.g., job displacement, environmental impact, erosion of social trust). For each risk category, the standard provides guidance on identification techniques, including structured brainstorming, scenario analysis, checklist-based reviews, and historical incident analysis.

Adversarial examples are a uniquely AI-specific risk: an image classifier can be made to output the wrong class by pixel perturbations too small for a human to notice, and the same property holds for text, audio and tabular models. The standard recommends adversarial robustness testing as part of the risk assessment for any AI system with security implications, which in practice means any system whose inputs an attacker can influence.
Data quality risk deserves special attention — garbage-in-garbage-out applies with amplified consequences in AI. The standard recommends systematic data quality assessment including completeness, consistency, accuracy, timeliness, and representativeness.
Feedback loop risks occur when AI system outputs influence future inputs, potentially causing runaway effects. Recommendation systems and algorithmic trading are classic examples. The standard requires specific analysis of closed-loop dynamics.
Ethical risk identification should not be an afterthought. The standard recommends conducting ethical risk assessment during the design phase, not post-deployment. This is particularly critical for high-risk AI applications.
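What an adversarial robustness test looks like in the smallest case, as an added example that is not code from the standard or from the page: a linear classifier with constructed weights and six constructed labelled points, an L-infinity bounded attack (the fast-gradient-sign step, which is the exact worst case for a linear score), and the matching certified radius margin / ||w||_1 below which a point can provably be flipped. The audit reports clean accuracy, accuracy under attack, and the fraction of points that are certified safe at the chosen budget; the model, data and budgets are all assumptions.

```python
"""Adversarial robustness check for a linear classifier under an L-infinity budget.

Added example (not from the standard or the page). The weights W, bias B and
the six labelled points in DATA are constructed; replace them with your own
model and held-out data.
"""
from typing import Dict, List, Sequence, Tuple

Vector = Sequence[float]


def dot(a: Vector, b: Vector) -> float:
    return sum(x * y for x, y in zip(a, b))


def sign(v: float) -> float:
    return 1.0 if v > 0 else (-1.0 if v < 0 else 0.0)


def predict(w: Vector, b: float, x: Vector) -> int:
    """Class label (+1 / -1) from the linear score w.x + b."""
    return 1 if dot(w, x) + b >= 0 else -1


def linf_attack(w: Vector, b: float, x: Vector, y: int, eps: float) -> List[float]:
    """Worst-case perturbation with ||delta||_inf <= eps against a linear model.

    Each coordinate moves by eps in the direction -y*sign(w_i), which lowers the
    true-class margin y*(w.x + b) by exactly eps*||w||_1. This is the
    fast-gradient-sign step; for a linear score it is the optimal attack.
    """
    return [xi - y * eps * sign(wi) for xi, wi in zip(x, w)]


def certified_radius(w: Vector, b: float, x: Vector, y: int) -> float:
    """Largest L-inf perturbation that provably cannot flip the label of x.

    For a linear model this is margin / ||w||_1; it is negative when x is
    already misclassified.
    """
    margin = y * (dot(w, x) + b)
    l1 = sum(abs(wi) for wi in w)
    return margin / l1 if l1 else float("inf")


def robustness_audit(w: Vector, b: float, data: Sequence[Tuple[Vector, int]],
                     eps: float) -> Dict[str, float]:
    """Clean accuracy, accuracy under an eps-bounded attack, and the fraction of
    points certified safe; also checks that no certified point was flipped."""
    n = len(data)
    clean = sum(predict(w, b, x) == y for x, y in data)
    robust = 0
    certified = 0
    for x, y in data:
        radius = certified_radius(w, b, x, y)
        attacked_ok = predict(w, b, linf_attack(w, b, x, y, eps)) == y
        robust += attacked_ok
        if radius > eps:
            certified += 1
            if not attacked_ok:
                raise RuntimeError("certified point was flipped: bound is wrong")
    return {
        "clean_accuracy": clean / n,
        "robust_accuracy": robust / n,
        "certified_fraction": certified / n,
    }


# Constructed model and data (assumption: a 2-feature linear classifier, ||W||_1 = 3).
W = [2.0, -1.0]
B = 0.0
DATA = [
    ([1.0, 0.0], 1),    # margin 2.0, radius 0.667
    ([0.2, 0.0], 1),    # margin 0.4, radius 0.133 (fragile)
    ([-1.0, 0.5], -1),  # margin 2.5, radius 0.833
    ([0.0, 0.3], -1),   # margin 0.3, radius 0.100 (fragile)
    ([0.5, 0.5], 1),    # margin 0.5, radius 0.167
    ([-0.1, 0.0], 1),   # misclassified even without an attack
]

if __name__ == "__main__":
    for eps in (0.05, 0.15, 0.5, 1.0):
        print(f"eps={eps}: {robustness_audit(W, B, DATA, eps)}")
```

The useful output for a risk register is not the clean accuracy but the gap between it and the robust accuracy at the perturbation budget the threat model allows; a budget at which the certified fraction collapses is the point where the input-validation or human-review controls have to carry the risk instead of the model.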

2. Risk Analysis and Evaluation Methodology

ISO/IEC 26135 prescribes a semi-quantitative risk analysis methodology that considers both the likelihood and the severity of potential harm from AI system failures. It uses the ISO 31000 notion of a “risk source”: an element which, alone or in combination, has the potential to give rise to risk. For AI systems, risk sources include training data, model architecture, learning algorithm, deployment environment, and human-AI interaction design. The evaluation phase determines whether the residual risk (the risk remaining after existing controls are applied) is acceptable against predetermined risk criteria, which should be aligned with organizational risk appetite and regulatory requirements.

Risk Category | Risk Source Examples                                     | Potential Harm                           | Typical Controls
------------- | -------------------------------------------------------- | ---------------------------------------- | -----------------------------------------------
Technical     | Model architecture, training data, hyperparameters       | Incorrect outputs, system failure        | Validation testing, monitoring, fallback
Operational   | Deployment environment, API dependencies, scaling        | Service degradation, downtime            | Redundancy, load testing, rollback plan
Ethical       | Biased training data, unfair feature selection           | Discrimination, reputational damage      | Bias audit, fairness constraints, transparency
Regulatory    | Non-compliant data processing, inadequate documentation  | Fines, legal action, forced shutdown     | Compliance review, audit trail, legal oversight
Societal      | Automation of critical decisions, job impact             | Public backlash, regulatory intervention | Stakeholder engagement, impact assessment

The standard provides detailed guidance on risk estimation techniques appropriate for AI systems, including quantitative methods (e.g., probabilistic modeling, Monte Carlo simulation), qualitative methods (e.g., risk matrices, expert judgment), and emerging AI-specific techniques (e.g., model uncertainty quantification, distribution shift detection). The choice of method should be proportionate to the complexity of the AI system and the criticality of the application domain. For high-risk AI systems, the standard recommends using multiple complementary estimation techniques.
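A worked instance of the quantitative route, added here as an example and not taken from the standard or the page: a Monte Carlo estimate of annual harm from an AI decision system that carries the uncertainty about the model's failure rate through to a distribution of outcomes, re-runs the estimate with a human-review control in place, and evaluates the residual risk against two domain-dependent tolerances. Every scenario number (decision volume, failure-rate range, harm-per-failure range, reviewer catch rate, tolerances) is a constructed assumption; the risk criterion used (95th percentile of annual harm within tolerance) is likewise an assumption, not a rule from the standard.

```python
"""Monte Carlo estimate of annual harm from an AI decision system, with and
without a human-review control, evaluated against a domain risk tolerance.

Added example, not from the standard or the page. All scenario numbers are
constructed assumptions; replace them with estimates from incident data and
expert elicitation.
"""
import math
import random
from typing import Dict, List


def approx_binomial(n: int, p: float, rng: random.Random) -> int:
    """Binomial(n, p) via the normal approximation (adequate when n*p is not
    tiny; avoids random.binomialvariate, which needs Python 3.12)."""
    mean = n * p
    std = math.sqrt(n * p * (1 - p))
    return max(0, int(round(rng.gauss(mean, std))))


def simulate_annual_harm(scenario: Dict[str, float], n_runs: int = 5000,
                         seed: int = 1, catch_rate: float = 0.0) -> List[float]:
    """One run = one possible year.

    1. Draw the per-decision failure rate from the expert-elicited range
       (epistemic uncertainty about how often the model is harmfully wrong).
    2. Draw the number of failures for the year (aleatory variation).
    3. Thin the failures by the human-review catch rate, if a control is modelled.
    4. Draw the average harm per escaped failure from a triangular distribution.
    """
    rng = random.Random(seed)
    harms = []
    for _ in range(n_runs):
        p_fail = rng.uniform(scenario["fail_rate_low"], scenario["fail_rate_high"])
        failures = approx_binomial(int(scenario["decisions_per_year"]), p_fail, rng)
        escaped = approx_binomial(failures, 1.0 - catch_rate, rng)
        harm_each = rng.triangular(low=scenario["harm_low"],
                                   high=scenario["harm_high"],
                                   mode=scenario["harm_mode"])
        harms.append(escaped * harm_each)
    return harms


def summarize(samples: List[float]) -> Dict[str, float]:
    s = sorted(samples)
    n = len(s)
    return {"mean": sum(s) / n, "p50": s[n // 2], "p95": s[int(0.95 * (n - 1))], "max": s[-1]}


def evaluate(summary: Dict[str, float], tolerance: float) -> str:
    """Risk criterion (assumption): the 95th percentile of annual harm, not just
    the mean, must stay within the domain's tolerance."""
    return "acceptable" if summary["p95"] <= tolerance else "unacceptable"


# Constructed scenario (assumptions).
SCENARIO = {
    "decisions_per_year": 50_000,
    "fail_rate_low": 0.002,   # expert range for the harmful-error rate
    "fail_rate_high": 0.010,
    "harm_low": 100.0,        # cost units per escaped failure
    "harm_mode": 500.0,
    "harm_high": 5000.0,
}

# Same model, different application domains (assumed tolerances).
TOLERANCES = {"medical_triage": 50_000.0, "content_recommendation": 5_000_000.0}

if __name__ == "__main__":
    for catch in (0.0, 0.8):
        summary = summarize(simulate_annual_harm(SCENARIO, catch_rate=catch))
        for domain, tol in TOLERANCES.items():
            print(f"catch_rate={catch:.1f} {domain}: p95={summary['p95']:,.0f} "
                  f"-> {evaluate(summary, tol)}")
```

The point of carrying the full distribution rather than a single expected value is visible in the output: the same model is acceptable for the recommendation use and unacceptable for triage even after an 80% human catch rate, because the tolerance, not the model, decides the verdict. A catch rate is itself an estimate that vigilance decrement and automation bias erode over time, so it belongs in the register as a monitored assumption.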

Danger: Do not deploy an AI system that makes autonomous decisions affecting human welfare without a documented risk assessment following a recognised process such as ISO/IEC 26135. Emerging AI regulations increasingly require evidence of such a process for high-risk systems, so its absence creates legal liability exposure in addition to reputational damage that is difficult to recover from.

3. Risk Treatment and Continuous Monitoring

The standard identifies four primary risk treatment options: risk avoidance (discontinuing the AI system or feature), risk reduction (implementing additional controls such as human oversight, model constraints, or validation gates), risk transfer (shifting risk through insurance or contractual arrangements), and risk retention (accepting residual risk after informed decision-making). For AI systems, risk reduction through human-in-the-loop (HITL) or human-on-the-loop (HOTL) oversight is a particularly important treatment strategy. The standard requires that risk treatment plans be documented, implemented, and periodically reviewed for effectiveness. Continuous monitoring is mandated, with triggers for reassessment including significant model updates, data distribution shifts, new regulatory requirements, and incident occurrence.

Human oversight is a critical risk treatment for AI systems but it is not a silver bullet. Humans monitoring AI outputs can experience vigilance decrement, automation bias, and fatigue. Design oversight mechanisms that account for these human factors.
Consider a layered risk treatment strategy: preventive controls (e.g., input validation, model constraints), detective controls (e.g., monitoring, alerting), and corrective controls (e.g., rollback, override). No single layer is sufficient.
The standard recommends documenting risk decisions with sufficient detail to enable audit and regulatory review. This includes who made the decision, what information was considered, what alternatives were evaluated, and the rationale for the chosen treatment.
Post-deployment monitoring is not optional. The standard requires systematic monitoring for risk indicators including performance degradation, data distribution shift, drift in explainability metrics, and emergence of novel failure modes.
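The distribution-shift indicator this paragraph calls for, and the representativeness check listed under data quality in section 1, can both be implemented with the same statistic. The following is an added example, not code from the standard or the page: a Population Stability Index (PSI) monitor that bins numeric features on reference-data quantiles, treats string features as categorical (so a category never seen in training produces a large term), and raises a reassessment trigger. The training reference and the two production batches are constructed; the 0.10 / 0.25 cut-offs are the commonly used rule-of-thumb values and should be tuned per feature.

```python
"""Post-deployment distribution-shift monitor using the Population Stability
Index (PSI), with a reassessment trigger.

Added example, not part of the standard or the page. REFERENCE, BATCH_STABLE
and BATCH_SHIFTED are constructed; PSI_WARN / PSI_REASSESS are rule-of-thumb
assumptions.
"""
import math
from bisect import bisect_right
from collections import Counter
from typing import Dict, List, Sequence, Tuple

PSI_WARN = 0.10      # assumption: moderate shift, investigate
PSI_REASSESS = 0.25  # assumption: major shift, trigger risk reassessment


def quantile_edges(reference: Sequence[float], n_bins: int) -> List[float]:
    """Bin edges from reference quantiles, so each bin holds ~1/n_bins of training data."""
    s = sorted(reference)
    return [s[(i * len(s)) // n_bins] for i in range(1, n_bins)]


def numeric_distribution(values: Sequence[float], edges: List[float]) -> List[float]:
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[bisect_right(edges, v)] += 1
    return [c / len(values) for c in counts]


def categorical_distributions(reference: Sequence[str],
                              current: Sequence[str]) -> Tuple[List[float], List[float]]:
    """Aligned frequency vectors over the union of categories; a category unseen
    in training gets reference frequency 0 and therefore a large PSI term."""
    cats = sorted(set(reference) | set(current))
    ref_c, cur_c = Counter(reference), Counter(current)
    return ([ref_c[c] / len(reference) for c in cats],
            [cur_c[c] / len(current) for c in cats])


def psi(ref_dist: Sequence[float], cur_dist: Sequence[float], smoothing: float = 1e-6) -> float:
    """PSI = sum (cur - ref) * ln(cur / ref); smoothing avoids log(0) on empty bins."""
    return sum((c - r) * math.log((c + smoothing) / (r + smoothing))
               for r, c in zip(ref_dist, cur_dist))


def classify(value: float) -> str:
    if value >= PSI_REASSESS:
        return "reassess"
    if value >= PSI_WARN:
        return "warn"
    return "stable"


def drift_report(reference: Dict[str, Sequence], current: Dict[str, Sequence],
                 n_bins: int = 10) -> Dict[str, dict]:
    """Per-feature PSI and status. Numeric features are binned on reference
    quantiles; string-valued features are treated as categorical."""
    report = {}
    for name, ref_values in reference.items():
        cur_values = current[name]
        if all(isinstance(v, str) for v in ref_values):
            ref_d, cur_d = categorical_distributions(ref_values, cur_values)
        else:
            edges = quantile_edges(ref_values, n_bins)
            ref_d = numeric_distribution(ref_values, edges)
            cur_d = numeric_distribution(cur_values, edges)
        value = psi(ref_d, cur_d)
        report[name] = {"psi": round(value, 4), "status": classify(value)}
    return report


def needs_reassessment(report: Dict[str, dict]) -> bool:
    return any(f["status"] == "reassess" for f in report.values())


# Constructed data: training reference vs. two production batches.
REFERENCE = {
    "score": [i / 100 for i in range(100)],                  # uniform on [0, 1)
    "channel": ["web"] * 60 + ["mobile"] * 40,
}
BATCH_STABLE = {
    "score": [(i + 0.5) / 100 for i in range(100)],
    "channel": ["web"] * 58 + ["mobile"] * 42,
}
BATCH_SHIFTED = {
    "score": [0.7 + 0.3 * i / 100 for i in range(100)],     # mass moved to the top bins
    "channel": ["web"] * 30 + ["mobile"] * 40 + ["api"] * 30,  # "api" unseen in training
}

if __name__ == "__main__":
    for label, batch in (("stable", BATCH_STABLE), ("shifted", BATCH_SHIFTED)):
        rep = drift_report(REFERENCE, batch)
        print(label, rep, "reassess:", needs_reassessment(rep))
```

Two design choices matter for the monitoring role described above: the bin edges come from the reference data only, so the statistic measures movement away from what the model was validated on rather than drifting along with production; and the comparison runs per feature, so the report names which input moved, which is what a reassessment actually needs. The same function applied to the training sample versus a sample of the intended target population is the representativeness check from section 1.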

Frequently Asked Questions

Q: How does ISO/IEC 26135 relate to the EU AI Act risk classification?
A: The EU AI Act classifies AI systems into unacceptable risk, high-risk, limited risk, and minimal risk categories. ISO/IEC 26135 provides the operational risk management process that can be used to demonstrate compliance with the Act’s requirements for high-risk systems. The two frameworks are complementary.
Q: Is ISO/IEC 26135 aligned with ISO 31000?
A: Yes. ISO/IEC 26135 follows the principles and framework of ISO 31000 while adding AI-specific risk considerations. Organizations already using ISO 31000 will find the process structure familiar, with additional AI-specific risk identification and analysis techniques.
Q: What is the difference between ISO/IEC 26135 and NIST AI Risk Management Framework?
A: Both aim to manage AI risks but have different structures. ISO/IEC 26135 follows the traditional ISO risk management process (identification, analysis, evaluation, treatment) while NIST AI RMF is organized around four functions: Govern, Map, Measure, Manage. Organizations may choose to implement one or both depending on their regulatory exposure and operational context.
Q: Can this standard be applied to generative AI systems?
A: Yes. Although the standard was published in 2023, its risk management framework is broad enough to cover generative AI risks, including hallucination, harmful content generation, and intellectual property concerns. Organizations working with generative AI may still need to supplement it with guidance specific to large language models.
Q: Does the standard require third-party risk assessment?
A: For high-risk AI applications, the standard strongly recommends independent validation and verification by qualified third parties. Internal assessments are acceptable for lower-risk applications but should still follow the prescribed methodology and be subject to internal audit.
