ISO/IEC 23894:2023 – Guidance on Risk Management for AI
94% of organizations report that artificial intelligence (AI) is increasing their insider risk exposure, with 74% describing that increase as moderate or significant. As AI systems become more complex, humans are less able to fully understand, predict, or control them. This inability to understand, at a fundamental level, where AI models are heading makes it more difficult for organizations deploying AI to anticipate risks and apply guardrails. It is therefore crucial for organizations to manage the risks associated with AI systems by adopting a risk management framework, and ISO/IEC 23894:2023—Information technology – Artificial intelligence – Guidance on risk management details the guidelines for doing so.
What Are the Risks of AI?
AI risks are dynamic and can materialize at any point in the system lifecycle—from design and training to deployment and maintenance. They encompass a wide range of dangers, including biased decision-making, data privacy breaches, cybersecurity threats (e.g., model poisoning), and the spread of misinformation. Other risks include environmental damage from high energy consumption, job displacement, autonomous weapon systems, and the loss of human accountability.
- Rapid Rise in Incidents: AI-related incidents increased by 56.4% in 2024, with 233 documented cases spanning privacy violations, bias, and security breaches.
- Job Displacement: Goldman Sachs estimates that AI automation could affect or replace 300 million full-time jobs. You can learn more about how AI is impacting jobs in our blog post, The Future of Jobs: How AI is Reshaping Work as We Know It.
- Cybersecurity Attacks: In 2025, 93% of security leaders anticipated daily AI-powered attacks by 2025.
- Deepfake Proliferation: Deepfake incidents (i.e., AI-generated, hyper-realistic videos, audio, or images designed to impersonate individuals for malicious purposes) were projected to increase by 50%–60% in 2024, with roughly 140,000 to 150,000 global incidents.
- Environmental Impact: Training a single large language model can emit over 600,000 pounds of CO2, five times the lifetime emissions of an average car. Data centers for AI could consume up to 5 million gallons of water per day. You can learn more about AI sustainability in our blog post: The Sustainability Trade-Offs of Generative AI Technology.
- Misinformation: 66% of US adults are highly worried about AI generating inaccurate information.
- Bias: 55% of both AI experts and the public are highly concerned about AI perpetuating societal biases.
- Environmental Cost: By 2030, AI growth could produce 24 to 44 million metric tons of CO2 annually. These emissions are equivalent to adding 5 to 10 million cars to U.S. roadways.
These dangers emphasize the need for robust regulation, safety measures, and ethical guidelines to assure that AI development benefits society rather than harming it.
What Is AI Risk Management?
AI risk management is the systematic process of identifying, assessing, and mitigating potential risks associated with artificial intelligence technologies to minimize negative impacts (like bias, privacy issues, or security breaches) while maximizing benefits. Integrating frameworks such as ISO/IEC 23894:2023 into a risk management program helps assure AI is deployed in a trustworthy, secure, and ethical manner.
What Is ISO/IEC 23894:2023?
ISO/IEC 23894:2023 provides guidance on how organizations that develop, produce, deploy, or use products, systems, and services that utilize artificial intelligence (AI) can manage risk specifically related to AI. The guidance also aims to assist organizations in integrating risk management into their AI-related activities and functions. ISO/IEC 23894:2023 moreover describes processes for the effective implementation and integration of AI risk management.
ISO/IEC 23894:2023 is intended to be used in connection with ISO 31000:2018, which covers guidelines for risk management.
Identifying Risks of AI Systems
Identifying the risks of artificial intelligence (AI) systems involves a multifaceted approach to understanding the potential negative impacts on security, safety, ethics, and society. ISO/IEC 23894:2023 breaks down how to identify the risks of AI systems by examining AI-related objectives as well as risk sources.
AI-Related Objectives
ISO/IEC 23894:2023 notes that various AI-related objectives should be taken into account, including:
- Accountability
- AI expertise
- Availability and quality of training and test data
- Environmental impact
- Fairness
- Maintainability
- Privacy
- Robustness
- Safety
- Security
- Transparency and explainability
Risk Sources
ISO/IEC 23894:2023 details various risk sources that should be taken into account, including:
- Complexity of environment
- Lack of transparency and explainability
- Level of automation
- Risk sources related to machine learning
- System hardware issues
- System life cycle issues
- Technology readiness
Why Adopt AI Risk Management?
Adopting AI risk management is essential to safely leverage AI technologies while mitigating critical threats like data breaches, regulatory non-compliance, and reputational damage. AI risk management assures ethical, unbiased, and transparent AI operations, preventing costly security incidents while building trust with stakeholders and enabling responsible, faster innovation.
Where to Find ISO/IEC 23894:2023
Managing AI risks requires a comprehensive approach focusing on governance, data integrity, security, and ethical oversight throughout the AI lifecycle. Key strategies include adopting frameworks like ISO/IEC 23894:2023.
ISO/IEC 23894:2023—Information technology – Artificial intelligence – Guidance on risk management is available on the ANSI Webstore and in the following Standards Packages:
- ISO/IEC 42001 / ISO/IEC 38507 / ISO/IEC 23894 – Artificial Intelligence Risk and Governance Package
- ISO/IEC 42001 / ISO/IEC 22989 / ISO/IEC 23894 – Artificial Intelligence Package
- ISO/IEC 42001 / ISO/IEC 23894 – Artificial Intelligence Set
- ISO/IEC 42001 / ISO/IEC 23894 / ISO/IEC 42006 – Artificial Intelligence Package
