ISO/IEC 23894 AI Risk Management

Jurisdiction: OECD (voluntary)
Effective: Feb 6, 2023
Authority: International Organization for Standardization
Official text: verified Mar 26, 2026

Obligations Covered

Risk Assessment

Regulatory Crosswalk

Binding regulations that require the same obligations this standard addresses. Implementing this standard can help satisfy these regulatory requirements.

Regulation | Jurisdiction | Shared Obligations
Work Health and Safety Amendment (Digital Work Systems) Act 2026 | New South Wales | 1
Privacy Act 1988 — Automated Decision-Making Reforms | Australia | 1
Brazil AI Bill (PL 2338/2023) | Brazil | 1
California CCPA ADMT Regulations | California | 1
Provisions on the Management of Algorithmic Recommendations | China | 1
Interim Measures for Generative AI Services | China | 1
Framework Convention on AI, Human Rights, Democracy and Rule of Law (CETS 225) | Council of Europe | 1
Colorado Privacy Act Rules (4 CCR 904-3) | Colorado | 1
Colorado Protecting Consumers from Unfair Discrimination in Insurance Practices | Colorado | 1
EU AI Act | European Union | 1
Digital Operational Resilience Act (DORA) | European Union | 1
AI Promotion Act | Japan | 1
AI Basic Act | South Korea | 1
Law on Artificial Intelligence | Kazakhstan | 1
Artificial Intelligence Regulations 2025 | Malta | 1
New York RAISE Act | New York | 1
QCB Artificial Intelligence Guideline | Qatar | 1
Law for the Promotion of Artificial Intelligence and Technologies | El Salvador | 1
Artificial Intelligence Basic Act | Taiwan | 1
UK Online Safety Act 2023 | United Kingdom | 1
EO 14319 — Preventing Woke AI in the Federal Government | United States | 1
Executive Order on AI State Law Preemption | United States | 1
Law on Artificial Intelligence | Vietnam | 1

Provisions (1)

AI-Specific Risk Management Guidance

Obligation: Risk Assessment (enforcing)
Effective: Feb 1, 2023
Risk tier: all
Scope: providers, deployers (cross-domain)
ISO/IEC 23894 is the specialist AI risk guidance standard that extends the ISO 31000 risk management framework for AI-specific risks (bias, robustness, explainability failures). Regulators cite it as a reference for "state of the art" risk management when defining what compliant AI risk governance looks like.

Requirements

Requirement | Details
AI risk principles | Apply AI-specific risk management principles adapted from ISO 31000 Clause 4
Risk identification | Identify AI-specific risk sources including bias, robustness failures, explainability gaps, and misuse
Risk assessment | Assess likelihood and consequence of identified AI risks throughout the lifecycle
Risk treatment | Select and implement risk treatment options proportionate to identified risks
Monitoring and review | Continuously monitor AI risk posture and review risk management effectiveness
Recording and reporting | Document risk management activities, decisions, and outcomes
Lifecycle mapping | Apply risk management across the full AI system lifecycle per Annex C

Penalties

Violation | Fine
Non-compliance | Voluntary — no binding enforcement mechanism