axigetik: AI System Impact Assessment

An artificial intelligence system impact assessment, or AI impact assessment (AIIA) is by far the most substantial piece of work that you will undertake in the development and implementation of an ISO/IEC 42001:2023 conformant artificial intelligence management system (AIMS).

ISO/IEC 42005:2025 provides guidance on how and when to perform AIIAs. An AIIA must be completed at the very beginning of the AI lifecycle, prior to inception or use of the AI technology, and must also be regularly updated and maintained throughout the system’s lifecycle / whilst the system is in use.

But whether you are chasing ISO/IEC 42001:2023 or another AI certification, or simply investing in an structured approach to inventory and analysis of AI in-use in your organization, an AI System Impact Assessment can provide significant value.

We can help with:

There is some flexibility around how AIIAs are conducted; the best approach will depend on the specifics of your organisation.

The basic approach to conducting an AIIA is similar to an data systems inventory and audit – we need to gather and document information in line with each section of the assessment. Unlike an audit, there is no need to gather evidence to support the assessment, which makes process slightly easier and more efficient.

How we can help ...

• Confirming your position with regard to AI systems - are you a developer/producer or a user/consumer or both ?
• Determining the most relevant and useful approach to grouping or splitting AI system impact assessments
• Identifying the most useful template for AI system impact assessments (there are a number of commonly used variations - ISO/IEC 42001:2023 isn't prescriptive, but ISO/IEC42001:2025 is a good default)
• Facilitating the gathering of information to complete the AI system impact assessment
• Developing the draft AI system impact assessment itself - typically a very substantial document

However, it is important to remember that if you are using AI systems for different outcomes and with different associated risks, you may need to conduct multiple separate assessments of those systems.

We can also work with you to review and update existing AI system impact assessments, including using historical and overlapping documentation to make the end-to-end process more time and cost efficient, and cross-validate the documentation against systems in use using our extensive engineering knowledge.

We usually suggest a bi-annual / 6 monthly review of AIIAs, owing to the speed at which AI systems are incrementally changed and improved.

Specific AWS Services Addressed

An AI System Impact Assessment AI is not AWS specific and will capture a wide range of information across any/all cloud and on-prem AI services and providers. If you have a significant AWS footprint, including AI services on Sagemaker (including Studio, Custom Models, Hyperpod, Inference, MLflow), Bedrock (including Nova & Agentcore - Runtime, Gateway, Memory, Browser Tool, Code Interpreter, Identity, Observability), open source agent frameworks (eg Strands, LangGraph, CrewAI), other foundation model providers accessed via Bedrock (eg OpenAI, Google Gemini, Anthropic Claude, Meta Llama, Mistral, Cohere) or older AI services such as Comprehend, Kendra, Lex, Personalize, Polly, Rekognition, Textract, Transcribe, Translate we have specific expertise and experience in designing, implementing and operating and documenting these solutions and the wider AWS security and compliance services wrapepd around them (such as Organizations, Identity & Access Management, Config, CloudFormation, Control Tower, Security Hub) to ensure you gain maximum leverage in documenting your AI System Impact Assessment.