AI Regulation Reference

ISO/IEC 23894 AI Risk Management

Jurisdiction:
OECD
 voluntary
Effective:
Feb 6, 2023
Authority:
International Organization for Standardization
 Official text Verified Mar 26, 2026

Obligations Covered

Risk Assessment

Provisions (1)

AI-Specific Risk Management Guidance #

Obligation:
Risk Assessment
 enforcing
Effective:
Feb 1, 2023
Risk tier:
all
Scope:
providers, deployers
 cross-domain
ISO/IEC 23894 is the specialist AI risk guidance standard that extends the ISO 31000 risk management framework for AI-specific risks (bias, robustness, explainability failures). Regulators cite it as a reference for "state of the art" risk management when defining what compliant AI risk governance looks like.

Requirements

RequirementDetails
AI risk principlesApply AI-specific risk management principles adapted from ISO 31000 Clause 4
Risk identificationIdentify AI-specific risk sources including bias, robustness failures, explainability gaps, and misuse
Risk assessmentAssess likelihood and consequence of identified AI risks throughout the lifecycle
Risk treatmentSelect and implement risk treatment options proportionate to identified risks
Monitoring and reviewContinuously monitor AI risk posture and review risk management effectiveness
Recording and reportingDocument risk management activities, decisions, and outcomes
Lifecycle mappingApply risk management across the full AI system lifecycle per Annex C

Penalties

ViolationFine
Non-complianceVoluntary — no binding enforcement mechanism