Annex A Controls: Assessing Impacts of AI Systems (A.5)
Detailed guidance on implementing Annex A controls for AI impact assessment (A.5), covering individual and societal impacts with 4 controls.
Chapter Overview
This chapter covers the Assessing Impacts of AI Systems domain (A.5), which ensures organizations evaluate how AI systems affect individuals and society. This domain contains 4 controls and directly supports Clause 8.4 (AI System Impact Assessment).
A.5 Assessing Impacts of AI Systems
This domain requires systematic assessment of AI impacts on individuals and society.
A.5.2 Assessing Impacts on Individuals
| Attribute | Details |
|---|---|
| Control | Potential positive and negative impacts of AI systems on individuals shall be assessed and documented. |
| Purpose | Understand and manage how AI affects people |
| Related Clause | 8.4 (AI system impact assessment) |
Implementation Guidance
- Identify individuals affected by each AI system
- Assess both positive and negative impacts
- Consider direct and indirect impacts
- Evaluate impacts across different user groups
- Pay special attention to vulnerable populations
- Document assessment methodology and results
Individual Impact Categories
| Category | Positive Impacts | Negative Impacts |
|---|---|---|
| Rights & Freedoms | Enhanced access to services | Privacy violations, discrimination |
| Safety & Health | Improved safety predictions | Physical harm, mental health impacts |
| Economic | Better financial decisions | Job displacement, unfair denial of services |
| Autonomy | Augmented decision-making | Reduced agency, manipulation |
| Dignity | Personalized experiences | Dehumanization, unfair profiling |
| Access | Improved service access | Digital exclusion, accessibility barriers |
Vulnerable Groups Consideration
Pay special attention to impacts on:
• Children and elderly
• People with disabilities
• Minority groups
• Economically disadvantaged
• Those with limited digital literacy
• People in dependent relationships (employees, patients, students)
• How do you assess impacts on individuals?
• Show me an impact assessment for [specific AI system]
• How do you identify affected individuals?
• How do you consider vulnerable groups?
• What positive impacts have you identified?
• What negative impacts have you identified and how are they mitigated?
A.5.3 Assessing Societal Impacts
| Attribute | Details |
|---|---|
| Control | Potential positive and negative societal impacts shall be assessed and documented. |
| Purpose | Understand and manage broader societal effects of AI |
| Related Clause | 8.4 (AI system impact assessment) |
Implementation Guidance
- Consider impacts beyond direct users
- Assess effects on communities and society
- Evaluate economic and labor market impacts
- Consider environmental implications
- Assess democratic and cultural impacts
- Document methodology and findings
Societal Impact Categories
| Category | Positive Impacts | Negative Impacts |
|---|---|---|
| Social Cohesion | Improved connectivity | Polarization, filter bubbles |
| Economic | Productivity gains | Wealth concentration, job displacement |
| Democratic | Enhanced civic participation | Misinformation, manipulation |
| Environmental | Efficiency improvements | Energy consumption, e-waste |
| Cultural | Preservation, accessibility | Homogenization, bias amplification |
| Security | Threat detection | Surveillance, weapons |
Consider these questions:
• What happens if this AI system is widely adopted?
• Could this AI system be misused at scale?
• Does this AI system affect labor markets?
• What are the environmental implications?
• Could this AI system affect democratic processes?
• Does this AI system concentrate power or resources?
• How do you assess societal impacts?
• What societal impacts have you identified?
• How do you consider environmental impacts?
• How do you evaluate impacts on employment?
• Show me documentation of societal impact assessment
A.5.4 Assessment Documentation
| Attribute | Details |
|---|---|
| Control | Results of AI system impact assessments shall be documented, including the methodology used. |
| Purpose | Ensure assessments are traceable and reviewable |
| Related Clause | 7.5 (Documented information) |
Implementation Guidance
- Define standard assessment methodology
- Create assessment templates
- Document assessment scope and context
- Record all identified impacts
- Document mitigation measures
- Maintain assessment version history
- Make assessments accessible for review
Documentation Requirements
| Element | Content |
|---|---|
| Methodology | Assessment approach, criteria, scales used |
| Scope | AI system, affected parties, boundaries |
| Context | Use case, deployment environment |
| Findings | Identified impacts (positive and negative) |
| Analysis | Likelihood, severity, affected groups |
| Mitigations | Measures to address negative impacts |
| Conclusions | Overall assessment, recommendations |
| Approvals | Reviewer and approver signatures |
• What is your impact assessment methodology?
• Show me a completed impact assessment document
• How do you ensure consistency across assessments?
• Who reviews and approves assessments?
• How do you maintain assessment records?
A.5.5 AI System Impact Assessment Status
| Attribute | Details |
|---|---|
| Control | The status of AI system impact assessments shall be tracked. |
| Purpose | Ensure assessments are complete and current |
| Related Clause | 9.1 (Monitoring, measurement, analysis and evaluation) |
Implementation Guidance
- Maintain register of all AI systems requiring assessment
- Track assessment completion status
- Define reassessment triggers and schedules
- Monitor for changes requiring reassessment
- Report status to management
- Escalate overdue assessments
Assessment Status Tracking
| Status | Description |
|---|---|
| Not Started | Assessment required but not initiated |
| In Progress | Assessment underway |
| Under Review | Assessment complete, awaiting approval |
| Approved | Assessment approved, valid |
| Reassessment Due | Scheduled reassessment approaching |
| Expired | Assessment no longer valid, reassessment required |
Track for each AI system:
• AI System ID and name
• Assessment requirement (required/not required)
• Current assessment status
• Assessment date
• Assessor name
• Approver name
• Next reassessment date
• Reassessment triggers
• Link to assessment document
• How do you track impact assessment status?
• Show me your assessment status register
• Are any assessments overdue?
• What triggers reassessment?
• How often are assessments reviewed?
Control Implementation Summary
| Control | Key Evidence | Common Gaps |
|---|---|---|
| A.5.2 Individual Impacts | Impact assessments with individual impact analysis | Only negative impacts considered |
| A.5.3 Societal Impacts | Societal impact sections in assessments | Societal impacts overlooked |
| A.5.4 Documentation | Complete assessments with methodology | Inconsistent documentation |
| A.5.5 Status Tracking | Assessment register, status reports | No tracking mechanism |
1. Impact assessment must cover BOTH individuals AND society
2. Both positive AND negative impacts must be assessed
3. Vulnerable groups require special consideration
4. Documentation must include methodology used
5. Assessment status must be tracked for all AI systems
6. Regular reassessment is required when changes occur