ISO/IEC 23894:2023
AI risk management guidance from ISO. Companion to the general ISO 31000 risk-management standard, applied to the AI lifecycle.
What it is #
ISO/IEC 23894:2023 is a guidance standard (not certifiable) for AI risk management. It applies ISO 31000’s general risk-management framework to the AI lifecycle — from design through deployment to decommissioning.
The standard is short and reads as a checklist of risk-management activities to perform at each lifecycle stage. It is usually adopted alongside ISO/IEC 42001 (which is certifiable and broader): 42001 requires an AI risk assessment and treatment process, and 23894 supplies the guidance on how to run it, so it serves as the risk-management input to the wider management system.
How Regulus maps to it #
The standard's guidance, grouped here by lifecycle stage, maps to Regulus controls as follows:
- Design-time risks (model selection, training-data bias) — not runtime risks, so Regulus does not address them; cover them with your model-procurement and dataset processes.
- Operational risks (drift, misuse, security) — Regulus model-risk plugin (drift detection on outcomes), policy plugin (misuse prevention), kill switch (security incident response).
- Monitoring risks (visibility, evidence) — Regulus audit chain is the substrate.
- Decommissioning risks (data retention, model retirement) — the retention-event compactor handles the data-retention side; model retirement is captured in the model registry's review-due and retirement events.
Citation identifiers take the form iso-23894:<category>.<control>, for example iso-23894:operational.monitoring.
Activating #

```yaml
regulus:
  frameworks:
    - iso-23894
```
Best used in combination with ISO/IEC 42001 (which provides the wider management system) and ISO/IEC 23053 (which provides the conceptual model of an ML-based AI system and its lifecycle that 23894's guidance assumes).