ISO/IEC 38507:2022 - Governance implications of the use of artificial intelligence by organizations

ISO

ISO/IEC 38507:2022 - AI Governance for Organizations

Summary

ISO/IEC 38507:2022 is the first international standard specifically addressing how organizations should govern their use of artificial intelligence systems. Unlike technical AI standards that focus on algorithms or data, this standard tackles the strategic governance challenges that emerge when AI becomes part of business operations. It provides a framework for boards and senior executives to understand their responsibilities, establish appropriate oversight mechanisms, and ensure AI initiatives align with organizational objectives while managing associated risks.

The governance gap this standard fills

Many organizations rush into AI implementation without considering the fundamental governance questions: Who's accountable when an AI system makes a decision? How do we ensure AI projects deliver value? What oversight is needed for autonomous systems? ISO/IEC 38507 addresses this gap by extending traditional IT governance principles to the unique challenges of AI, including issues of transparency, accountability, and ethical decision-making that don't exist with conventional software systems.

Core governance principles covered

The standard establishes six key governance principles specifically for AI systems:

  • Responsibility: Clear accountability chains for AI decisions and outcomes
  • Strategy: Alignment of AI initiatives with business objectives and risk appetite
  • Acquisition: Governance of AI procurement, development, and deployment decisions
  • Performance: Monitoring and measurement of AI system effectiveness and impact
  • Conformance: Ensuring AI systems comply with applicable laws, regulations, and standards
  • Human behaviour: Managing the human factors in AI governance, including skills, culture, and change management

Each principle includes specific guidance on what governing bodies need to consider and implement.

What sets this apart from other AI governance resources

Unlike regulatory frameworks or technical guidelines, ISO/IEC 38507 is designed specifically for organizational governance structures. It doesn't prescribe technical solutions but instead provides a governance layer that sits above technical implementations. The standard is also jurisdiction-agnostic, making it valuable for multinational organizations that need consistent governance approaches across different regulatory environments.

The standard explicitly builds on ISO/IEC 38500 (IT Governance) while addressing AI-specific challenges like algorithmic bias, explainability requirements, and the governance of systems that learn and adapt over time.

Who this resource is for

  • Board members and directors who need to understand their governance responsibilities for AI initiatives
  • C-suite executives implementing AI strategies and needing governance frameworks
  • Chief Risk Officers and compliance teams establishing AI risk management processes
  • IT governance professionals extending existing governance frameworks to cover AI systems
  • Internal auditors developing audit approaches for AI governance
  • Consultants and advisors helping organizations establish AI governance capabilities
  • Standards and certification bodies developing AI governance assessment criteria

Getting started with implementation

The standard emphasizes that AI governance isn't a separate discipline but an extension of existing governance practices. Organizations should begin by assessing their current governance maturity and identifying where AI introduces new considerations. The standard provides evaluation questions for each governance principle, making it practical for self-assessment.

Key implementation steps include establishing AI-specific governance policies, defining roles and responsibilities for AI decisions, implementing monitoring mechanisms for AI system performance, and ensuring appropriate skills and knowledge exist at governance levels.

Relationship to certification and compliance

ISO/IEC 38507 is a guidance standard rather than a certification standard. However, it provides the governance foundation that supports other AI-related standards and regulations. Organizations using this standard will be better positioned for compliance with emerging AI regulations and for potential future AI management system certifications.

The standard also references other relevant ISO standards, creating a coherent framework when used alongside standards like ISO/IEC 23053 (AI risk management) and ISO/IEC 23894 (AI risk management techniques).

Tags

AI governance, organizational governance, IT governance, artificial intelligence, compliance, international standards

At a glance

Published

2022

Jurisdiction

Global

Category

Standards and certifications

Access

Paid access
