Chapter Overview
Annex D of ISO/IEC 42001 ("Use of the AI management system across domains or sectors") is an informative annex: it does not add requirements, but it prompts organizations to consider the sector-specific regulations, applications and risk profiles that shape how an AI management system (AIMS) should be implemented.
Annex D Purpose
Annex D helps organizations consider:
• Sector-specific regulatory requirements
• Industry-specific AI applications and risks
• Domain-specific ethical considerations
• Relevant industry standards and frameworks
Healthcare Sector
Key Considerations
| Area | Considerations |
|---|---|
| Regulatory | Medical device regulations (FDA, MDR), HIPAA, clinical trial requirements |
| Safety | Patient safety critical, clinical validation required |
| Privacy | Health data highly sensitive, strict consent requirements |
| Validation | Clinical validation, regulatory approval processes |
| Explainability | Clinicians need to understand AI recommendations |
| Human Oversight | Physician oversight typically required for clinical decisions |
Healthcare AI Applications
| Application | Risk Level | Key Controls |
|---|---|---|
| Diagnostic Support | High | Clinical validation, physician review, explainability |
| Treatment Recommendations | High | Evidence-based validation, human oversight |
| Medical Imaging | High | Regulatory approval, accuracy validation |
| Administrative | Lower | Data protection, accuracy monitoring |
| Drug Discovery | Medium | Scientific validation, documentation |
Healthcare-Specific Standards
• IEC 62304 - Medical device software lifecycle
• ISO 14971 - Medical device risk management
• FDA guidance on AI/ML-based SaMD
• EU MDR/IVDR for medical devices
• HIPAA for health information protection
Financial Services Sector
Key Considerations
| Area | Considerations |
|---|---|
| Regulatory | Financial regulations, fair lending, AML/KYC, model risk management |
| Fairness | Non-discrimination in credit, insurance, employment |
| Explainability | Adverse action explanations required by law |
| Model Risk | SR 11-7 model risk management requirements |
| Audit | Extensive audit and documentation requirements |
| Resilience | Business continuity, operational resilience |
Financial AI Applications
| Application | Risk Level | Key Controls |
|---|---|---|
| Credit Decisions | High | Fair lending compliance, explainability, bias testing |
| Fraud Detection | Medium | Accuracy, false positive management, human review |
| Algorithmic Trading | High | Risk limits, circuit breakers, monitoring |
| Customer Service | Lower | Disclosure, escalation to humans |
| AML/KYC | Medium | Regulatory compliance, audit trails |
Financial Sector Standards
• SR 11-7 - Supervisory guidance on model risk management (US Federal Reserve / OCC)
• EBA guidelines on ML for IRB models
• Fair Credit Reporting Act (FCRA)
• Equal Credit Opportunity Act (ECOA)
• GDPR automated decision-making provisions
Automotive Sector
Key Considerations
| Area | Considerations |
|---|---|
| Safety | Functional safety critical, SOTIF, fail-safe design |
| Regulatory | Type approval, homologation, UN regulations |
| Validation | Extensive testing including edge cases, simulation |
| Reliability | High reliability requirements, redundancy |
| Liability | Product liability considerations for autonomous systems |
Automotive AI Applications
| Application | Risk Level | Key Controls |
|---|---|---|
| Autonomous Driving (L4/5) | Critical | SOTIF, extensive validation, redundancy, monitoring |
| ADAS (L1-3) | High | Functional safety, driver oversight, clear handoff |
| Predictive Maintenance | Medium | Accuracy, safety margin, human verification |
| Infotainment | Lower | Driver distraction prevention, data privacy |
Automotive Sector Standards
• ISO 26262 - Functional safety
• ISO 21448 - SOTIF (Safety of the Intended Functionality)
• UN R155/R156 - Cybersecurity management system and software update management system (type-approval requirements)
• SAE J3016 - Levels of driving automation
• ASPICE - Automotive process maturity
Public Sector
Key Considerations
| Area | Considerations |
|---|---|
| Accountability | Public accountability, transparency requirements |
| Fairness | Equal treatment of citizens, non-discrimination |
| Due Process | Rights to explanation, appeal, human review |
| Procurement | Public procurement rules for AI vendors |
| Data Protection | Government data protection requirements |
Public Sector AI Applications
| Application | Risk Level | Key Controls |
|---|---|---|
| Benefits Decisions | High | Fairness, appeals process, human review, transparency |
| Law Enforcement | High | Bias prevention, oversight, civil liberties |
| Immigration | High | Due process, human review, non-discrimination |
| Administrative | Lower | Efficiency, data protection |
| Public Services | Medium | Accessibility, transparency, feedback |
Other Sectors
Manufacturing
| Consideration | Details |
|---|---|
| Safety | Worker safety, machinery safety, quality control |
| Standards | ISO 13849 (machinery safety), IEC 61508 (functional safety) |
| Applications | Quality inspection, predictive maintenance, robotics |
Retail & E-commerce
| Consideration | Details |
|---|---|
| Privacy | Customer data protection, consent, profiling |
| Fairness | Pricing fairness, recommendation bias |
| Applications | Recommendations, pricing, inventory, customer service |
Energy & Utilities
| Consideration | Details |
|---|---|
| Safety | Critical infrastructure, reliability |
| Regulation | Energy regulations, grid stability |
| Applications | Grid management, demand forecasting, maintenance |
HR & Employment
| Consideration | Details |
|---|---|
| Fairness | Non-discrimination in hiring, promotion |
| Regulation | Employment law, EEOC guidelines, NYC Local Law 144 |
| Applications | Recruitment screening, performance assessment |
Using Annex D
When implementing ISO 42001:
1. Identify the sector(s) your organization operates in (and, for multi-industry organizations, each sector an AI system touches)
2. Review the relevant Annex D guidance
3. Identify the sector-specific regulations that apply to each AI system
4. Feed sector-specific risks into the AI risk assessment and AI system impact assessment
5. Reference the relevant sector standards alongside ISO 42001
6. Tailor the Annex A controls and the Statement of Applicability to sector requirements
Key Takeaways - Annex D
1. Annex D is informative guidance, not mandatory; it adds no certification requirements
2. Different sectors have different AI risk profiles
3. Sector regulations may impose additional requirements
4. Reference sector-specific standards alongside ISO 42001
5. Tailor your AIMS to your sector context
6. Consider cross-sector implications for multi-industry organizations