New standards are constantly emerging. Every year, a multitude of topics need to be defined and delimited. The International Organization for Standardization (ISO) catalog contains over 25,000 published international standards. After this technology experienced a huge surge in popularity in 2023, it was to be expected that there would soon be a standard for artificial intelligence (AI).
This year saw the publication of a standard specifically for managing AI systems. ISO/IEC 42001:2023 has been developed to address the challenges of AI in the coming years. This standard aims to mitigate risks and ensure that companies using such services do so with guarantees.
This certification is a reference for companies developing or deploying AI systems to do so appropriately. Let us look at what ISO/IEC 42001:2023 is and what it is used for.
Why is ISO/IEC 42001:2023 important?
Before we get into the details, it's important to understand the purpose of this standard. Mark Leven, the lead researcher at the National Physical Laboratory in the UK, points to the uncertainties surrounding AI to explain the standard's importance.
Machine learning and deep learning, the two most advanced branches of AI today, have gaps in terms of transparency and explainability. Deep learning, in particular, works with a black box model due to the complexity of the neural network technology it involves. The input and output data are known, but not the mechanisms that generated the latter.
This differs from traditional programming, whose behavior is predictable. An AI system can change its behavior while executing tasks and deliver unexpected results. In addition, certain AI-based systems will have a high degree of autonomy — for example, an autonomous car — which requires guarantees for proper functioning.
What is ISO/IEC 42001:2023?
Certification ensures that any AI system — once certified — will function appropriately in the marketplace. This is achieved by developing a framework with multiple facets: ethics, security, transparency, design, development, and technology implementation. Companies must fulfill several requirements in these areas. At the same time, the standard serves as a guide for their processes.
ISO/IEC 42001:2023 also facilitates the guaranteed integration of AI systems into business processes. It ensures compliance with regulations and certain ethical criteria.
To be certified, each company must develop, implement, and maintain its AI systems and guarantee continuous improvement. Accredited certification bodies, previously authorized by the competent bodies in each country, carry out the necessary audits and issue the certificates.
What does the certification require?
The requirements of ISO/IEC 42001:2023 are organized in several phases: planning, implementation, review, and optimization. First, companies seeking certification must define the scope of their AI system and where it is to be applied. At this stage, a statement of applicability is required, listing the necessary controls.
According to the consultancy firm KPMG, the certified company must develop its AI system during the execution phase, maintaining high standards of ethics, transparency, and security. It must also monitor and optimize the system's performance, which goes hand in hand with the third phase: applying improvements and corrective measures based on the observations made.
Seven essential elements of ISO/IEC 42001:2023
The standard is very comprehensive and aims to cover all the necessary aspects for the proper functioning of an AI system. However, we can summarize the essentials in seven points:
- Risk management: Companies or facilities must implement processes to identify, analyze, assess, and monitor risks throughout the AI system's lifecycle.
- Assessing the impact of AI: Another important aspect is defining a process to assess the potential impact on users of AI systems. Companies must consider how the technology could impact the social context in which it is used.
- Information governance: Clear guidelines are needed to manage the information that feeds the AI system. These guidelines must be consistent with the company's strategic objectives and communicated effectively. Companies must also define a governance structure that assigns roles and responsibilities.
- Privacy and security: Compliance with privacy standards is critical when handling data, and organizations must also keep their systems free from potential threats.
- Lifecycle management: Institutions or organizations need to control the entire journey of the AI system, from planning to testing and possible improvements.
- Performance optimization: This requirement is related to the previous one but is highlighted due to its importance. Organizations need to continuously improve the effectiveness of their AI system, which is an ongoing task with no end point.
- Supplier management: The standard requires companies to look beyond their internal processes. They must extend their control measures to the suppliers involved in developing their AI system.