AI system impact assessment (AISIA / FRIA / DPIA convergence)

Primary statement

AI impact assessment per ISO 42001 Clause 6 (AI risk assessment) + Clause 8 (operational planning) + EU AI Act Art 27 FRIA + DPDPA SDF DPIA + NIST AI RMF MAP + MeitY. Convergent artifact covering AI-specific risks (bias, fairness, robustness, safety) + societal impact + fundamental rights.

Audit-fatigue payoff

A unified AI impact assessment template covering AISIA + FRIA + DPIA satisfies impact assessment for AI across all 5 contributing frameworks.

Strictness matrix

Scope
  Requirement: AI risk assessment considering consequences for the organisation AND individuals AND society. Three-stakeholder scope.
  Ceiling source: iso42001:Cl.6
  Rationale: ISO 42001 Clause 6 three-stakeholder scope is uniquely broad.

Threshold
  Requirement: AI risk assessment triggered at planning + per material change. Three-stakeholder analysis required.
  Ceiling source: iso42001:Cl.6
  Rationale: ISO 42001 Clause 6 trigger is comprehensive.

Method
  Requirement: AI risk assessment per Clause 6 + operational planning per Clause 8 + FRIA fields for EU AI Act Art 27 in-scope deployers + DPIA fields for SDFs (DPDPA Rule 13(2)) + MAP function from NIST AI RMF.
  Ceiling source: iso42001:Cl.6
  Rationale: ISO 42001 Cl.6 + Cl.8 anchored method is the most prescriptive AI-specific method.

Frequency
  Requirement: Per AI system at inception + on material change + annual for SDF DPIA. EU AI Act FRIA at deployment + on material change.
  Ceiling source: dpdpa:DPDP.20
  Rationale: DPDPA annual SDF DPIA is the strictest periodic cadence.

Evidence
  Requirement: AI impact assessment per system + three-stakeholder analysis + FRIA fields where applicable + DPIA fields where applicable + Board reporting of high-risk AI.
  Ceiling source: iso42001:Cl.6
  Rationale: ISO 42001 Clause 6 evidence with three-stakeholder analysis is comprehensive.

Auditor test pattern

Step 1: Inspect the AI impact assessment template.
Step 2: Sample 1 AI system; verify three-stakeholder analysis.
Step 3: For EU-deployed AI, verify FRIA fields.
Step 4: For SDFs, verify annual DPIA.
Step 5: Verify Board reporting of high-risk AI.

Common findings

(1) AI assessment covers organisational risk only, not individual/societal risk.
(2) FRIA fields absent for EU deployers.
(3) Annual SDF DPIA absent.
(4) Board reporting limited to incidents.