ISO/IEC 26136:2023 — Artificial Intelligence — AI System Life Cycle Processes

ISO/IEC 26136:2023 defines a comprehensive set of life cycle processes for AI systems, providing a structured framework that spans from concept inception through retirement. In the same way that ISO/IEC 12207 defines software life cycle processes and ISO/IEC 15288 defines system life cycle processes, this standard adapts and extends those established frameworks to address the unique characteristics of AI systems — including data-centric development, model training and evaluation, continuous learning, and the particular challenges of AI system validation, deployment, and monitoring. The standard recognizes that AI systems have distinct life cycle phases not present in traditional software, such as data collection and preparation, model training, and model validation.

The AI life cycle is not linear but inherently iterative. Data preparation influences model design, which in turn reveals data quality issues requiring re-preparation. Plan your processes to accommodate multiple feedback loops between phases.
Unlike traditional software, AI systems can degrade in performance without any code changes — through data distribution shift. Your life cycle processes must include monitoring for this unique failure mode.
The standard identifies the ‘retirement’ phase as particularly important for AI systems because models continue to influence decisions even after deployment ceases. Proper retirement includes managing the downstream effects of model outputs on dependent systems.
Consider the AI life cycle in the context of MLOps practices. The standard’s process structure maps naturally to CI/CD/CT pipelines for ML, where ‘CT’ (continuous training) is a uniquely AI addition to traditional DevOps.

1. Life Cycle Process Categories

The standard organizes AI system life cycle processes into four categories: agreement processes (acquisition and supply), organizational project-enabling processes (life cycle model management, infrastructure management, portfolio management, human resource management, quality management, knowledge management), technical management processes (project planning, project assessment and control, decision management, risk management, configuration management, information management, quality assurance, measurement), and technical processes (stakeholder needs definition, requirements analysis, architecture definition, design definition, system analysis, implementation, integration, verification, transition, validation, operation, maintenance, disposal). Each process includes purpose, outcomes, and activities with explicit tailoring guidance for AI-specific aspects.

Pay special attention to the ‘stakeholder needs definition’ process for AI systems. Non-technical stakeholders often have unrealistic expectations about AI capabilities. The standard provides guidance on managing these expectations through iterative needs refinement.
The ‘verification’ process in AI differs from traditional software because model behavior cannot be fully specified in advance. The standard addresses this through data verification, model verification, and behavioral verification activities.
‘Configuration management’ for AI systems must track not only code but also data versions, model versions, hyperparameters, training configurations, and evaluation results. The standard recommends treating ML models as configuration items.
The ‘maintenance’ process includes model retraining and fine-tuning, which have no direct analog in traditional software maintenance. The standard prescribes specific activities for model performance monitoring and trigger-based retraining.
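
One way to treat a trained model as a configuration item, as the configuration management point above describes. This is an added example, not text or code from the standard; the use of SHA-256 digests, the manifest layout, and the names `build_manifest` and `changed_parts` are assumptions made for illustration.

```python
import hashlib
import json

PARTS = ("code", "dataset", "model", "hyperparameters",
         "training_config", "evaluation")

def _digest(value):
    """SHA-256 of raw bytes, or of canonical JSON for structured values."""
    if not isinstance(value, bytes):
        # Sorted keys and fixed separators: equal settings hash identically.
        value = json.dumps(value, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(value).hexdigest()

def build_manifest(**artifacts):
    """Describe one trained model as a single configuration item."""
    missing = [p for p in PARTS if p not in artifacts]
    if missing:
        raise ValueError(f"incomplete configuration item, missing: {missing}")
    items = {p: _digest(artifacts[p]) for p in PARTS}
    # The item ID covers every part, so changing any one part changes the ID.
    return {"id": _digest(items), "items": items}

def changed_parts(manifest, **artifacts):
    """Names of parts whose current content no longer matches the manifest."""
    current = build_manifest(**artifacts)["items"]
    return [p for p in PARTS if current[p] != manifest["items"][p]]

# Constructed sample artifacts (stand-ins for real files and result records).
RELEASE = {
    "code": b"def train(): ...",
    "dataset": b"id,label\n1,0\n2,1\n",
    "model": b"\x00constructed-weights\x01",
    "hyperparameters": {"learning_rate": 0.001, "epochs": 20},
    "training_config": {"seed": 7, "framework": "example"},
    "evaluation": {"accuracy": 0.93, "dataset_split": "holdout"},
}
MANIFEST = build_manifest(**RELEASE)
```

Re-running `changed_parts` against the files actually being deployed shows whether the dataset, weights, or recorded evaluation differ from what was reviewed, which is also how a silently relabeled training set would surface.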

2. Key Technical Processes for AI Systems

Several technical processes in ISO/IEC 26136 are particularly relevant to AI system engineering. The implementation process encompasses data engineering (collection, preparation, labeling, augmentation), model engineering (algorithm selection, architecture design, hyperparameter optimization), and model training (training execution, checkpointing, convergence verification). The integration process addresses the unique challenge of integrating trained models into larger software systems, including model serving infrastructure, inference APIs, pre- and post-processing pipelines, and human-AI interaction interfaces. The validation process goes beyond traditional acceptance testing to include dataset validation, model performance validation against multiple metrics, bias and fairness assessment, robustness testing, and explainability verification.

| Technical Process | AI-Specific Activities | Traditional Analog | Key Difference |
|---|---|---|---|
| Implementation | Data engineering, model training, hyperparameter tuning | Software coding | Data-centric, non-deterministic outcomes |
| Integration | Model serving, inference API, preprocessing pipeline | Component integration | Model versioning, latency constraints |
| Validation | Dataset validation, bias audit, robustness testing | Acceptance testing | Statistical performance, multiple metrics |
| Operation | Model monitoring, drift detection, trigger-based retraining | System operation | Performance degradation without code change |
| Maintenance | Model retraining, fine-tuning, transfer learning | Software maintenance | Data-dependent, continuous learning |
| Disposal | Model retirement, data governance, downstream impact | System decommissioning | Model influence persistence, data lineage |
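
A sketch of the drift detection and trigger-based retraining listed under Operation, which is also the distribution-shift monitoring called for in the introduction. This is an added example, not a method taken from the standard: the choice of the Population Stability Index, the 0.2 threshold, the two-window rule, and all names are assumptions.

```python
import math

def psi(baseline, window, edges):
    """Population Stability Index of `window` against `baseline`."""
    def shares(sample):
        counts = [0] * (len(edges) + 1)
        for x in sample:
            counts[sum(x >= e for e in edges)] += 1  # index of x's bin
        # Floor each share so an empty bin cannot produce log(0).
        return [max(c / len(sample), 1e-6) for c in counts]
    p, q = shares(baseline), shares(window)
    return sum((qi - pi) * math.log(qi / pi) for pi, qi in zip(p, q))

def retraining_triggers(baseline, windows, edges, threshold=0.2, consecutive=2):
    """Indexes of windows at which a retraining trigger fires.

    A trigger fires when PSI has exceeded `threshold` for `consecutive`
    windows in a row, so one noisy batch does not start a retraining run.
    Both values are assumed policy settings, not taken from the standard.
    """
    fired, streak = [], 0
    for i, window in enumerate(windows):
        streak = streak + 1 if psi(baseline, window, edges) > threshold else 0
        if streak == consecutive:
            fired.append(i)
    return fired

# Constructed data: one numeric feature, training values 0..99.
BASELINE = list(range(100))
EDGES = [25, 50, 75]  # four bins, each holding 25% of the baseline

def shifted(offset):
    return [x + offset for x in BASELINE]

# Production windows: stable, mild shift, strong shift, recovery, then a
# sustained strong shift across two windows.
WINDOWS = [shifted(0), shifted(10), shifted(30), shifted(0),
           shifted(30), shifted(30)]
```

The isolated strong shift in the third window does not fire because the next window recovers; only the sustained shift at the end does.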

The standard also introduces processes that are unique to AI or have significantly different emphasis. The data management process covers data governance, data quality management, data versioning, data provenance, and data rights management — reflecting the central role of data in AI systems. The AI-specific risk management process integrates with ISO/IEC 26135 to address model-specific risks including adversarial vulnerability, data poisoning, and feedback loop effects. The standard explicitly addresses the human-AI interaction design process, covering topics such as appropriate levels of automation, human oversight mechanisms, user interface design for AI systems, and user training requirements.

Success: Organizations that implement ISO/IEC 26136 report significant improvements in AI system quality, predictability of development timelines, and stakeholder satisfaction. The structured life cycle approach reduces rework by catching data and model issues early, provides clear governance checkpoints, and facilitates communication between technical and non-technical stakeholders through defined process milestones.

3. Implementation Guidance and Tailoring

The standard recognizes that one size does not fit all AI systems and provides extensive tailoring guidance. For low-risk AI systems (e.g., internal analytics tools), a minimal set of processes may be sufficient, focusing on implementation, basic validation, and operation. For high-risk AI systems (e.g., medical devices, autonomous vehicles), the full set of processes with rigorous verification and validation activities is required. The tailoring guidance considers factors such as system criticality, organizational maturity, project scale, regulatory requirements, and technology maturity. The standard also provides mapping guidance to other relevant standards including ISO/IEC 12207 (software life cycle), ISO/IEC 15288 (system life cycle), ISO/IEC 33001 (process assessment), and ISO/IEC 26135 (AI risk management).

Start with a minimum viable process set and expand as needed. Trying to implement all processes at once is overwhelming and counterproductive. The standard’s tailoring guidance provides a pragmatic starting point based on your AI system’s risk classification.
Process measurement is essential for improvement. Define process metrics (e.g., cycle time per iteration, model validation pass rate, data quality scores) and use them to drive continuous process improvement.
Invest in tooling infrastructure early. Data version control, experiment tracking, model registry, and monitoring platforms are not optional luxuries — they are essential infrastructure for implementing the processes defined in this standard.
Train your teams on the AI life cycle processes. Engineers accustomed to traditional software development need to understand the unique aspects of AI development, particularly the experimental and data-centric nature of AI work.

Frequently Asked Questions

Q: How does ISO/IEC 26136 relate to ISO/IEC 12207 (software life cycle processes)?
A: ISO/IEC 26136 extends and adapts ISO/IEC 12207 for AI systems. Organizations already using 12207 will find a familiar process structure with additional AI-specific activities and outcomes. The two standards are designed to be used together, with 26136 providing the AI-specific supplements to the generic software life cycle framework.
Q: What is the difference between ISO/IEC 26136 and ISO/IEC 26137 (validation)?
A: ISO/IEC 26136 defines the overall life cycle framework including all processes from concept to retirement. ISO/IEC 26137 focuses specifically on the validation process — its methods, metrics, and acceptance criteria. 26136 references 26137 for detailed validation requirements within the broader life cycle context.
Q: Does this standard apply to AI components within larger non-AI systems?
A: Yes. The standard provides guidance on applying its processes to AI components within mixed systems. The tailoring guidance includes considerations for the interface between AI-specific processes and the host system’s life cycle processes.
Q: How does the standard address continuous learning systems?
A: The standard explicitly addresses systems that learn continuously after deployment. It defines additional monitoring, data management, and model update processes required for these systems, including safeguards against catastrophic forgetting and distribution shift.
Q: What process maturity model applies to this standard?
A: The standard aligns with the ISO/IEC 33001 (process assessment) framework. Organizations can use the process outcomes defined in 26136 as the basis for process capability assessment and improvement using the ISO/IEC 330xx series of standards.
Q: Is the standard applicable to organizations using AutoML or AI platform services?
A: Yes. The tailoring guidance includes provisions for reduced process sets when using automated ML platforms, but emphasizes that oversight and validation responsibilities cannot be fully delegated to automation tools.
