
The difference between AI impact and risk assessments?

Here's what ISO 42001 says -

An AI impact assessment is a way to:

"determine the potential consequences an AI system’s deployment, intended use[,] and foreseeable misuse has on individuals or groups of individuals, or both, and societies." (Clause 6.1.4)

Compare this to an AI risk assessment, which ISO 42001 says is how you:

"assess the potential consequences to the organization, individuals and societies that would result if the identified risks were to materialize." (Clause 6.1.2)

Because of these similar definitions, and the fact that organizations must "consider the results of the AI system impact assessment in the risk assessment," I originally found it difficult to separate the two concepts.

To deal with this - and avoid unnecessary paperwork - StackAware assesses AI at three levels:

1. Organization - risk assessment only

2. Individual(s) - risk and impact assessments

3. Society(ies) - risk and impact assessments

ISO 23894, which gives additional guidance on AI risk management, mirrors this three-level structure (while using the term “communities” along with “societies”).

So that's one more point of reference.

But ISO 42001 has more to say. Per Annex B, your procedures should specify "circumstances under which an AI system impact assessment should be performed."

So you don't NEED to do impact assessments for every AI system (unlike risk assessments), but can consider:

-> criticality of the intended purpose and context

-> complexity and level of automation

-> sensitivity of data processed

To avoid gray areas, I recommend either:

1. just doing impact assessments for every system.

OR

2. setting a clear trigger, e.g. processing protected health information (PHI) for a healthcare company.

Unfortunately, ISO 42005 (the formal guidance on AI system impact assessments) is still in draft, so there isn't yet a "final word."

And there probably never will be: ISO keeps it high-level.

But I can tell you this: StackAware has gotten multiple AI Management Systems (including ours) through ISO 42001 certification.

So I'm confident in the approach I laid out.

But how are you distinguishing AI impact assessments from risk assessments for ISO 42001?

Apr 8, 2025 at 11:37 AM