Module 4: AI Impact Assessment

AI Impact Assessment Template


Introduction to the AIIA Template

This lesson provides a comprehensive AI Impact Assessment (AIIA) template that integrates all dimensions covered in previous lessons:

  • Individual rights impact (Lesson 4.3)
  • Societal impact (Lesson 4.2)
  • Environmental considerations (Lesson 4.4)
  • Risk-based methodology (Lesson 4.1)

The template is designed to be:

  • Comprehensive: Addresses the impact-assessment requirements of ISO 42001 and the EU AI Act
  • Practical: Actionable guidance for each section
  • Flexible: Scalable based on risk level
  • Integrated: Combines DPIA, FRIA, and environmental assessment
  • Auditable: Structured documentation for compliance verification

Use this template as a starting point and adapt it to your specific organizational context, legal jurisdiction, and AI system characteristics.


Template Structure Overview

Complete AIIA Sections

Part 1: Executive Summary
Part 2: System Description and Context
Part 3: Stakeholder Identification and Engagement
Part 4: Rights and Impact Identification (individual rights, societal and environmental impact)
Part 5: Impact Analysis and Risk Assessment
Part 6: Mitigation Measures and Controls (including environmental mitigation)
Part 7: Residual Risk and Approval
Part 8: Monitoring and Review Plan
Part 9: Documentation and Appendices

Estimated Completion Time by Risk Level:

| Risk Level | Completion Time | Review Cycles | Team Size |
|------------|-----------------|---------------|-----------|
| Low | 2-5 days | 1 internal review | 2-3 people |
| Medium | 1-3 weeks | 2 reviews (internal + legal) | 4-6 people |
| High | 1-2 months | 3 reviews (internal + legal + external) | 6-10 people |
| Critical | 2-4 months | 4+ reviews (+ regulatory consultation) | 10+ people |

Part 1: Executive Summary

Purpose: Provide decision-makers with a concise overview of the key findings and recommendations.

Completed: After all other sections are complete.

Length: 2-3 pages maximum.


1.1 AI System Overview

System Name: [Official designation]

Business Owner: [Name, Title, Department]

Assessment Date: [Completion date]

Version: [Assessment version number]

Quick Description: [1-2 sentences describing what the AI system does]

Example:

System Name: SmartHire AI
Business Owner: Jane Smith, VP of Human Resources
Assessment Date: December 1, 2024
Version: 2.1
Description: AI-powered resume screening and candidate ranking system that analyzes
job applications and recommends top candidates for hiring manager review.

1.2 Risk Classification

Overall Risk Level: [Low / Medium / High / Critical]

Regulatory Classification:

  • EU AI Act Category: [Prohibited / High-Risk / Limited Risk / Minimal Risk]
  • GDPR Processing Type: [Standard / High-Risk requiring DPIA]
  • Industry-Specific: [Any sector-specific classifications]

Rationale for Classification: [Brief explanation]

Example:

Overall Risk Level: HIGH

Regulatory Classification:
- EU AI Act: High-Risk AI System (Employment and worker management)
- GDPR: High-risk processing requiring DPIA (automated decision-making)
- EEOC: Subject to employment discrimination regulations

Rationale: System makes employment decisions that significantly affect individuals'
economic opportunities and is subject to non-discrimination requirements.

1.3 Key Impacts Identified

Top 5 Positive Impacts:

  1. [Impact description] - [Affected stakeholders]
  2. [Impact description] - [Affected stakeholders]
  3. [Impact description] - [Affected stakeholders]
  4. [Impact description] - [Affected stakeholders]
  5. [Impact description] - [Affected stakeholders]

Top 5 Negative Impacts / Risks:

| # | Impact | Severity | Likelihood | Risk Score | Affected Groups |
|---|--------|----------|------------|------------|-----------------|
| 1 | | | | | |
| 2 | | | | | |
| 3 | | | | | |
| 4 | | | | | |
| 5 | | | | | |

Example:

Top 5 Negative Impacts:

| # | Impact | Severity | Likelihood | Risk Score | Affected Groups |
|---|--------|----------|------------|------------|-----------------|
| 1 | Discrimination against protected groups | 5 | 4 | 20 | Women, minorities |
| 2 | Privacy violation through excessive data collection | 4 | 3 | 12 | All applicants |
| 3 | Bias perpetuating historical hiring patterns | 4 | 4 | 16 | Underrepresented groups |
| 4 | Lack of meaningful explanation for rejections | 3 | 5 | 15 | Rejected applicants |
| 5 | No effective human oversight | 4 | 3 | 12 | All applicants |

1.4 Mitigation Summary

Primary Mitigation Measures:

  1. [Most critical mitigation] - [Expected risk reduction]
  2. [Second most critical] - [Expected risk reduction]
  3. [Third most critical] - [Expected risk reduction]

Residual Risk Level: [Low / Medium / High] after mitigation

Example:

Primary Mitigation Measures:

1. Fairness testing across all protected groups with demographic parity < 10%
   threshold - Reduces discrimination risk from 20 to 8

2. Human review of all AI recommendations before final decision - Reduces automation
   risk from 12 to 4

3. Explainable AI implementation with candidate feedback mechanism - Reduces
   transparency risk from 15 to 5

Residual Risk Level: MEDIUM after mitigation (reduced from HIGH)

1.5 Recommendation

Assessment Team Recommendation: [Deploy / Deploy with Conditions / Do Not Deploy / Redesign]

Required Approvals:

  • Risk Committee
  • Legal Counsel
  • Data Protection Officer
  • Executive Leadership
  • [Other required approvers]

Conditions for Deployment (if applicable):

  1. [Condition]
  2. [Condition]
  3. [Condition]

Example:

Recommendation: DEPLOY WITH CONDITIONS

Required Approvals:
- ✅ Risk Committee (Approved Dec 5, 2024)
- ✅ Legal Counsel (Approved Dec 6, 2024)
- ✅ Data Protection Officer (Approved Dec 6, 2024)
- ⏳ Chief HR Officer (Pending)
- ⏳ Executive Leadership (Pending)

Conditions for Deployment:
1. Complete 6-month pilot with enhanced monitoring before full rollout
2. Monthly fairness audits for first year
3. Quarterly external audit for first 2 years
4. Mandatory bias training for all hiring managers using the system

Part 2: System Description and Context

Purpose: Provide a comprehensive understanding of the AI system and the context in which it operates.


2.1 Detailed System Description

2.1.1 System Purpose and Objectives

What problem does this AI system solve?

Business Need: [Description]

Intended Benefits:

  • [Benefit 1]
  • [Benefit 2]
  • [Benefit 3]

Success Criteria: [How success will be measured]


2.1.2 Technical Architecture

AI/ML Approach: [e.g., supervised learning, deep learning, natural language processing]

Algorithm Type: [e.g., neural network, random forest, gradient boosting]

Input Data:

| Data Type | Source | Volume | Sensitivity |
|-----------|--------|--------|-------------|
| | | | |

Processing Steps:

Step 1: [Description]
   ↓
Step 2: [Description]
   ↓
Step 3: [Description]
   ↓
Step 4: [Output]

Output Type: [Classification / Ranking / Prediction / Generation / etc.]

Output Format: [How results are presented]


2.1.3 Training Data

Dataset Description:

  • Dataset Name: [Name]
  • Size: [Number of records]
  • Time Period: [Date range]
  • Source: [Origin of data]

Data Quality Assessment:

  • Completeness: [Percentage complete]
  • Accuracy: [Validation results]
  • Representativeness: [How well it represents target population]
  • Known Biases: [Any identified biases]

Data Preprocessing:

  • [Cleaning steps]
  • [Normalization methods]
  • [Feature engineering]
  • [Augmentation techniques]

Labeling Process:

  • Method: [How labels were created]
  • Quality Control: [Validation approach]
  • Inter-rater Agreement: [If multiple labelers]

2.1.4 Model Performance

Performance Metrics:

| Metric | Overall | Group A | Group B | Group C |
|--------|---------|---------|---------|---------|
| Accuracy | | | | |
| Precision | | | | |
| Recall | | | | |
| F1 Score | | | | |
| AUC-ROC | | | | |

Validation Approach:

  • Training Set: [Size and composition]
  • Validation Set: [Size and composition]
  • Test Set: [Size and composition]
  • Cross-Validation: [Method if used]

Known Limitations:

  • [Limitation 1]
  • [Limitation 2]
  • [Limitation 3]

2.1.5 System Integration

Upstream Systems (data sources):

  • [System 1]: [Data provided]
  • [System 2]: [Data provided]

Downstream Systems (consumers of AI output):

  • [System 1]: [How AI output is used]
  • [System 2]: [How AI output is used]

Human-AI Interaction:

  • Human Role: [How humans interact with system]
  • Decision Authority: [Who makes final decisions]
  • Override Capability: [Can humans override AI? How?]

2.1.6 Deployment Context

Geographic Scope: [Where system will be deployed]

User Base:

  • Primary Users: [Who operates the system]
  • Affected Individuals: [Who is subject to AI decisions]
  • Estimated Volume: [Number of users/decisions]

Deployment Timeline:

  • Pilot Phase: [Dates]
  • Staged Rollout: [Dates]
  • Full Production: [Date]

Operational Environment:

  • Infrastructure: [Cloud/On-premise/Hybrid]
  • Availability Requirements: [Uptime SLA]
  • Performance Requirements: [Response time, throughput]

2.2 Legal and Regulatory Context

2.2.1 Applicable Laws and Regulations

| Regulation | Applicability | Key Requirements | Compliance Status |
|------------|---------------|------------------|-------------------|
| EU AI Act | [Yes/No/Partial] | [Summary] | [Status] |
| GDPR | [Yes/No/Partial] | [Summary] | [Status] |
| [Industry Regulation] | [Yes/No/Partial] | [Summary] | [Status] |

2.2.2 Legal Basis for Data Processing (GDPR)

Primary Legal Basis: [Consent / Contract / Legal Obligation / Vital Interests / Public Task / Legitimate Interest]

Justification: [Detailed explanation]

Special Categories of Data (if applicable):

  • Types Processed: [Racial/ethnic, health, etc.]
  • Additional Legal Basis: [Explicit consent / specific legal provision]
  • Justification: [Why necessary]

2.2.3 Contractual and Policy Framework

Internal Policies:

  • [Policy 1]: [How it applies to the AI system]
  • [Policy 2]: [How it applies to the AI system]

Contractual Obligations:

  • [Obligation 1]
  • [Obligation 2]

Industry Standards:

  • [Standard 1]: [Compliance approach]
  • [Standard 2]: [Compliance approach]

2.3 Organizational Context

2.3.1 Governance Structure

System Owner: [Name, Role]

Responsible Team:

  • Product Manager: [Name]
  • Technical Lead: [Name]
  • Legal: [Name]
  • Compliance: [Name]
  • DPO: [Name]

Oversight Bodies:

  • [Committee/Board]: [Role in oversight]
  • [Committee/Board]: [Role in oversight]

2.3.2 Resources and Capabilities

Budget: [Amount allocated]

Team Expertise:

  • AI/ML Capability: [Assessment]
  • Legal Expertise: [Assessment]
  • Domain Knowledge: [Assessment]
  • Ethics Training: [Assessment]

Technology Infrastructure:

  • Existing Systems: [Relevant infrastructure]
  • Gaps: [Any capability gaps]
  • Investments Needed: [Requirements]

2.3.3 Risk Appetite and Values

Organizational Risk Appetite: [Conservative / Moderate / Aggressive]

Relevant Values:

  • [Value 1]: [How it relates to AI system]
  • [Value 2]: [How it relates to AI system]

Ethical Commitments:

  • [Commitment 1]
  • [Commitment 2]

Part 3: Stakeholder Identification and Engagement

Purpose: Identify all affected parties and document their engagement in the assessment.


3.1 Stakeholder Mapping

3.1.1 Primary Stakeholders (directly affected)

| Stakeholder Group | Size | Characteristics | Impact Severity | Vulnerability |
|-------------------|------|-----------------|-----------------|---------------|
| | | | | |

Example:

| Stakeholder Group | Size | Characteristics | Impact Severity | Vulnerability |
|-------------------|------|-----------------|-----------------|---------------|
| Job Applicants | 50,000/year | Diverse demographics | High | Low-Medium |
| Hiring Managers | 200 | Company employees | Medium | Low |
| Current Employees | 5,000 | Internal stakeholders | Low-Medium | Low |
| Rejected Applicants | 45,000/year | May face discrimination | High | High |

3.1.2 Secondary Stakeholders (indirectly affected)

| Stakeholder Group | Relationship to System | Interest | Influence |
|-------------------|------------------------|----------|-----------|
| | | | |

3.1.3 Vulnerable Groups

Identify groups requiring special attention:

| Group | Vulnerability Factors | Special Considerations | Engagement Approach |
|-------|-----------------------|------------------------|---------------------|
| | | | |

Example:

| Group | Vulnerability Factors | Special Considerations | Engagement Approach |
|-------|----------------------|------------------------|---------------------|
| Minority Applicants | Historical discrimination, bias risk | Fairness testing, bias mitigation | Community consultation, advocacy group input |
| Disabled Applicants | Accessibility barriers | ADA compliance, reasonable accommodation | Disability rights organizations |
| Older Workers | Age discrimination risk | Age bias testing | AARP consultation |
| Non-native Speakers | Language barriers | NLP bias for non-standard English | Multilingual review |

3.2 Stakeholder Engagement Process

3.2.1 Engagement Methods

| Method | Stakeholder Groups | Timing | Participants | Format |
|--------|--------------------|--------|--------------|--------|
| | | | | |

Example:

| Method | Stakeholder Groups | Timing | Participants | Format |
|--------|-------------------|--------|--------------|--------|
| Survey | Applicants, Hiring Managers | Month 1 | 500 respondents | Online questionnaire |
| Focus Groups | Rejected applicants, minority communities | Month 2 | 6 groups, 8-10 each | Facilitated discussion |
| Expert Panel | Employment lawyers, ethicists, HR experts | Month 2 | 8 experts | Workshop |
| Public Consultation | General public, advocacy groups | Month 3 | Open participation | Online forum + town hall |
| User Testing | Hiring managers | Month 3 | 20 users | Usability sessions |

3.2.2 Key Concerns Raised

Document primary concerns from each stakeholder group:

Stakeholder Group: [Name]

Top Concerns:

  1. [Concern 1]

    • Frequency Raised: [How many participants]
    • Severity Assessment: [High/Medium/Low]
    • Response: [How addressed in assessment]
  2. [Concern 2]

    • Frequency Raised: [How many participants]
    • Severity Assessment: [High/Medium/Low]
    • Response: [How addressed in assessment]
  3. [Concern 3]

    • Frequency Raised: [How many participants]
    • Severity Assessment: [High/Medium/Low]
    • Response: [How addressed in assessment]

3.2.3 Engagement Outcomes

Key Insights Gained:

  • [Insight 1]: [How it influenced assessment]
  • [Insight 2]: [How it influenced assessment]
  • [Insight 3]: [How it influenced assessment]

Design Changes Made:

  • [Change 1]: [Stakeholder input that led to change]
  • [Change 2]: [Stakeholder input that led to change]

Ongoing Engagement Plans:

  • [Plan for continued stakeholder involvement]

Part 4: Rights and Impact Identification

Purpose: Systematically identify all potential impacts on individuals, society, and environment.


4.1 Individual Rights Impact

4.1.1 Privacy and Data Protection Rights

| Right | Potentially Affected? | How? | Severity |
|-------|-----------------------|------|----------|
| Right to be informed | ☐ Yes ☐ No | | |
| Right of access | ☐ Yes ☐ No | | |
| Right to rectification | ☐ Yes ☐ No | | |
| Right to erasure | ☐ Yes ☐ No | | |
| Right to restrict processing | ☐ Yes ☐ No | | |
| Right to data portability | ☐ Yes ☐ No | | |
| Right to object | ☐ Yes ☐ No | | |
| Rights re automated decisions | ☐ Yes ☐ No | | |

4.1.2 Equality and Non-Discrimination Rights

Protected Characteristics Analysis:

| Characteristic | Relevant? | Discrimination Risk | Testing Approach |
|----------------|-----------|---------------------|------------------|
| Race/Ethnicity | ☐ Yes ☐ No | | |
| Gender | ☐ Yes ☐ No | | |
| Age | ☐ Yes ☐ No | | |
| Disability | ☐ Yes ☐ No | | |
| Religion | ☐ Yes ☐ No | | |
| Sexual Orientation | ☐ Yes ☐ No | | |
| National Origin | ☐ Yes ☐ No | | |
| Pregnancy/Family Status | ☐ Yes ☐ No | | |
| Socioeconomic Status | ☐ Yes ☐ No | | |

Proxy Variable Analysis:

| Variable in Model | Potential Proxy For | Correlation Strength | Mitigation |
|-------------------|---------------------|----------------------|------------|
| | | | |

4.1.3 Other Fundamental Rights

| Right | Potentially Affected? | Description of Impact |
|-------|-----------------------|-----------------------|
| Human dignity | ☐ Yes ☐ No | |
| Freedom of expression | ☐ Yes ☐ No | |
| Freedom of assembly | ☐ Yes ☐ No | |
| Right to work | ☐ Yes ☐ No | |
| Access to justice | ☐ Yes ☐ No | |
| Rights of the child | ☐ Yes ☐ No | |
| [Other relevant rights] | ☐ Yes ☐ No | |

4.2 Societal Impact

4.2.1 Employment and Economic Effects

| Impact Type | Description | Scale | Affected Groups |
|-------------|-------------|-------|-----------------|
| Job Displacement | | | |
| Job Transformation | | | |
| Job Creation | | | |
| Wage Effects | | | |
| Economic Inequality | | | |

Economic Impact Summary:

  • Net Job Impact: [+/- number]
  • Affected Industries: [List]
  • Geographic Concentration: [Regions]
  • Timeline: [When impacts will occur]

4.2.2 Social Cohesion and Community

| Impact Dimension | Effect | Positive/Negative | Mitigation |
|------------------|--------|-------------------|------------|
| Group Division | | ☐ Positive ☐ Negative ☐ Neutral | |
| Trust (interpersonal) | | ☐ Positive ☐ Negative ☐ Neutral | |
| Trust (institutional) | | ☐ Positive ☐ Negative ☐ Neutral | |
| Community Relationships | | ☐ Positive ☐ Negative ☐ Neutral | |
| Public Discourse | | ☐ Positive ☐ Negative ☐ Neutral | |

4.2.3 Democratic Processes

Electoral Systems: ☐ Not Affected ☐ Affected - [Description]

Information Ecosystem: ☐ Not Affected ☐ Affected - [Description]

Civic Participation: ☐ Not Affected ☐ Affected - [Description]

Government Services: ☐ Not Affected ☐ Affected - [Description]


4.2.4 Cultural Impact

Cultural Considerations:

| Culture/Community | Specific Concerns | Adaptation Needed? | Plan |
|-------------------|-------------------|--------------------|------|
| | | ☐ Yes ☐ No | |

4.3 Environmental Impact

4.3.1 Energy and Carbon Footprint

Training Phase:

  • Hardware: [Description]
  • Training Duration: [Time]
  • Energy Consumed: [kWh]
  • Grid Carbon Intensity: [gCO₂/kWh]
  • Training Emissions: [tons CO₂]

Inference Phase (Annual):

  • Expected Query Volume: [Number]
  • Energy per Query: [kWh]
  • Annual Energy: [kWh]
  • Annual Emissions: [tons CO₂]

Infrastructure:

  • Data Center PUE: [Ratio]
  • Renewable Energy %: [Percentage]
  • Infrastructure Emissions: [tons CO₂/year]

Total Annual Carbon Footprint: [tons CO₂/year]

Carbon Equivalents: [Flights, cars, etc.]


4.3.2 Hardware and E-Waste

Hardware Inventory:

| Component | Quantity | Embodied CO₂ | Lifespan | Annual E-Waste |
|-----------|----------|--------------|----------|----------------|
| Servers | | | | |
| GPUs | | | | |
| Storage | | | | |
| Networking | | | | |

E-Waste Management Plan:

  • Recycling Partner: [Name]
  • Certifications: [e-Stewards, R2, etc.]
  • Recycling Rate Target: [Percentage]

4.3.3 Other Environmental Factors

Water Consumption: [Liters/year]

Resource Extraction: [Rare earth materials, etc.]

Indirect Environmental Effects: [Description]


Part 5: Impact Analysis and Risk Assessment

Purpose: Evaluate severity and likelihood of identified impacts, calculate risk scores.


5.1 Impact Scoring Methodology

Severity Scale (1-5):

1 - Negligible: Minimal impact, easily reversible
2 - Minor: Some inconvenience, reversible with effort
3 - Moderate: Significant impact or temporary harm
4 - Major: Substantial harm, difficult to reverse
5 - Severe: Fundamental rights violation, irreversible harm

Likelihood Scale (1-5):

1 - Rare: < 5% probability
2 - Unlikely: 5-25% probability
3 - Possible: 25-50% probability
4 - Likely: 50-75% probability
5 - Almost Certain: > 75% probability

Risk Score: Severity × Likelihood (1-25)

Risk Classification:

  • 1-4: Low
  • 5-9: Medium
  • 10-15: High
  • 16-20: Very High
  • 21-25: Critical

Because both scales are integers from 1 to 5, only the products 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20 and 25 can occur. In practice Very High means a score of 16 or 20, and Critical means 25 (severity 5 and likelihood 5).

5.2 Individual Rights Impact Analysis

| Impact | Affected Right | Severity | Likelihood | Risk Score | Classification | Priority |
|--------|----------------|----------|------------|------------|----------------|----------|
| | | | | | | |

Example:

| Impact | Affected Right | Severity | Likelihood | Risk Score | Classification | Priority |
|--------|---------------|----------|------------|------------|----------------|----------|
| Discrimination in hiring | Equality | 5 | 4 | 20 | Very High | P1 |
| Privacy breach | Data protection | 4 | 3 | 12 | High | P2 |
| No meaningful explanation | Transparency | 3 | 5 | 15 | High | P2 |
| Inadequate human review | Rights re automated decisions | 4 | 3 | 12 | High | P2 |
| Data retention excessive | Privacy | 3 | 4 | 12 | High | P3 |

5.3 Societal Impact Analysis

| Impact | Category | Severity | Likelihood | Risk Score | Classification | Priority |
|--------|----------|----------|------------|------------|----------------|----------|
| | | | | | | |

5.4 Environmental Impact Analysis

| Impact | Category | Severity | Likelihood | Risk Score | Classification | Priority |
|--------|----------|----------|------------|------------|----------------|----------|
| | | | | | | |

5.5 Cumulative and Intersectional Analysis

Cumulative Effects:

[Description of how multiple impacts may compound]

Intersectional Analysis:

[Analysis of how impacts affect individuals with multiple protected characteristics]

Example:

Intersectional Analysis:

Elderly women from minority communities face compounded risk:
- Age bias in resume keywords (severity: 4)
- Gender bias in job requirements (severity: 3)
- Racial bias in name recognition (severity: 4)
- Intersection of all three: Estimated severity increase to 5
- Targeted mitigation required for intersectional fairness

5.6 Overall Risk Summary

Risk Distribution:

| Classification | Number of Risks | Percentage |
|----------------|-----------------|------------|
| Critical (21-25) | | |
| Very High (16-20) | | |
| High (10-15) | | |
| Medium (5-9) | | |
| Low (1-4) | | |
| Total | | 100% |

Risk Heat Map:

Each cell is the 5.1 classification of Severity × Likelihood for that column and row.

Likelihood
    5 |  M  |  H  |  H  |  VH |  C  |
    4 |  L  |  M  |  H  |  VH |  VH |
    3 |  L  |  M  |  M  |  H  |  H  |
    2 |  L  |  L  |  M  |  M  |  H  |
    1 |  L  |  L  |  L  |  L  |  M  |
      +-----+-----+-----+-----+-----+
        1     2     3     4     5   Severity

L = Low, M = Medium, H = High, VH = Very High, C = Critical

Plot each identified risk on this matrix.

Part 6: Mitigation Measures and Controls

Purpose: Define specific measures to prevent, reduce, or manage identified risks.


6.1 Mitigation Strategy

Hierarchy of Controls:

  1. Eliminate: Redesign to prevent the impact
  2. Reduce: Implement technical or procedural controls
  3. Transfer: Share responsibility (insurance, partnerships)
  4. Accept: Document and monitor residual risk

6.2 Technical Mitigation Measures

| Risk # | Impact | Mitigation Measure | Type | Expected Effectiveness | Responsibility | Timeline |
|--------|--------|--------------------|------|------------------------|----------------|----------|
| | | | | | | |

Example:

| Risk # | Impact | Mitigation Measure | Type | Expected Effectiveness | Responsibility | Timeline |
|--------|--------|-------------------|------|------------------------|----------------|----------|
| 1 | Gender discrimination | Fairness constraints in training | Reduce | High (reduces to score 6) | ML Team | Pre-launch |
| 2 | Privacy violation | Differential privacy | Reduce | Medium (reduces to score 6) | Data Team | Pre-launch |
| 3 | Lack of explanation | SHAP explanations | Reduce | High (reduces to score 5) | ML Team | Pre-launch |

6.3 Procedural Mitigation Measures

| Risk # | Impact | Mitigation Measure | Type | Expected Effectiveness | Responsibility | Timeline |
|--------|--------|--------------------|------|------------------------|----------------|----------|
| | | | | | | |

6.4 Governance and Oversight Measures

Human Review Process:

  • Trigger Criteria: [When human review is required]
  • Review Level: [Who conducts review]
  • Decision Authority: [Who has final say]
  • Documentation: [What must be recorded]
  • Timeline: [Response time requirements]

Monitoring and Auditing:

| Metric | Target | Monitoring Frequency | Alert Threshold | Responsible Party |
|--------|--------|----------------------|-----------------|-------------------|
| | | | | |

Example:

| Metric | Target | Monitoring Frequency | Alert Threshold | Responsible Party |
|--------|--------|---------------------|-----------------|-------------------|
| Demographic parity | < 10% difference | Weekly | > 8% | Fairness Team |
| False positive rate | < 5% | Daily | > 4% | Quality Team |
| User complaints | < 10/month | Daily | > 8/month | Support Team |
| Explanation requests | Response in 48h | Daily | > 50% SLA miss | Product Team |

Alert thresholds sit inside the targets so that the responsible party is warned before a target is actually breached.

6.5 Mitigation for Specific Rights

Privacy Protection Measures:

  • Data minimization implemented
  • Purpose limitation enforced
  • Storage limitation defined
  • Privacy-preserving techniques applied
  • Security measures appropriate for risk
  • Data subject rights enabled
  • Privacy notices provided
  • DPO consulted

Non-Discrimination Measures:

  • Fairness metrics defined
  • Bias testing completed
  • Fairness thresholds set
  • Mitigation techniques applied
  • Disaggregated monitoring
  • Regular fairness audits scheduled
  • Complaint mechanism established

Transparency Measures:

  • System notice provided
  • Explanation capability implemented
  • Technical documentation complete
  • User-friendly explanations available
  • Appeal process defined

6.6 Societal Impact Mitigation

Employment Impact Mitigation:

| Measure | Description | Budget | Timeline | Success Metrics |
|---------|-------------|--------|----------|-----------------|
| | | | | |

Social Cohesion Measures:

  • [Specific interventions]

Cultural Adaptation:

  • [Localization and cultural sensitivity measures]

6.7 Environmental Mitigation

Carbon Reduction Measures:

| Measure | Expected Reduction | Cost | Timeline | Responsibility |
|---------|--------------------|------|----------|----------------|
| | | | | |

Example:

| Measure | Expected Reduction | Cost | Timeline | Responsibility |
|---------|-------------------|------|----------|----------------|
| Shift to 100% renewable energy | 95% (190 tons CO₂/year) | $50K/year | 6 months | Infrastructure |
| Model quantization | 40% inference energy | $20K one-time | 3 months | ML Team |
| Hardware lifecycle extension | 30% embodied carbon | -$30K savings | Ongoing | Operations |

Part 7: Residual Risk and Approval

Purpose: Assess remaining risks after mitigation and obtain approval for deployment.


7.1 Residual Risk Assessment

| Original Risk | Risk Score (Before) | Mitigation Applied | Risk Score (After) | Residual Classification |
|---------------|---------------------|--------------------|--------------------|-------------------------|
| | | | | |

Overall Residual Risk Level: [Low / Medium / High / Critical]


7.2 Acceptance Criteria

Risk Acceptance Thresholds:

  • Critical Risks (21-25): [Not acceptable / Board approval required]
  • Very High Risks (16-20): [Executive approval required]
  • High Risks (10-15): [Risk committee approval required]
  • Medium Risks (5-9): [Product owner approval required]
  • Low Risks (1-4): [Acceptable with documentation]

Residual Risks Summary:

Example:

After mitigation:
- Critical: 0
- Very High: 0
- High: 2 (require Risk Committee approval)
- Medium: 8 (documented and monitored)
- Low: 15 (accepted)

Conclusion: Within acceptable risk appetite with appropriate approvals.
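
The 5.1 scoring, the 5.6 heat map and the acceptance thresholds above can be driven from one small risk register instead of being maintained by hand, which keeps the heat map consistent with the band definitions. The following is an added example, not part of the template: it scores each risk as severity × likelihood, assigns the 5.1 band, derives the heat map from those bands, and routes each residual risk to the approval level listed in 7.2. The register entries reuse the scores from the 1.3 and 1.4 examples; the split of each residual score into a severity and a likelihood, and the `REGISTER` structure itself, are assumptions made for the example.

```python
"""Risk register scoring for Parts 5 and 7 of the AIIA.

Added example, not part of the template: scores each risk with the 5.1
method (severity x likelihood), assigns the 5.1 band, derives the 5.6
heat map from those bands instead of drawing it by hand, and routes each
residual risk to the approval level set in 7.2.
"""

# Upper bound (inclusive) of each 5.1 band, in ascending order.
BANDS = [(4, "Low"), (9, "Medium"), (15, "High"), (20, "Very High"), (25, "Critical")]

# Approval level per residual band, from 7.2.
APPROVAL = {
    "Critical": "Not acceptable / Board approval",
    "Very High": "Executive approval",
    "High": "Risk Committee approval",
    "Medium": "Product Owner approval",
    "Low": "Acceptable with documentation",
}

# Constructed register. Before/after scores are the ones in the 1.3 and 1.4
# examples; splitting each residual score into severity x likelihood is an
# assumption made here, since the template only states the score.
REGISTER = [
    {"impact": "Discrimination against protected groups",
     "severity": 5, "likelihood": 4, "residual_severity": 4, "residual_likelihood": 2},
    {"impact": "Privacy violation through excessive data collection",
     "severity": 4, "likelihood": 3, "residual_severity": 3, "residual_likelihood": 2},
    {"impact": "Lack of meaningful explanation for rejections",
     "severity": 3, "likelihood": 5, "residual_severity": 1, "residual_likelihood": 5},
    {"impact": "No effective human oversight",
     "severity": 4, "likelihood": 3, "residual_severity": 2, "residual_likelihood": 2},
]


def risk_score(severity, likelihood):
    """5.1: Severity x Likelihood, both on the 1-5 scales."""
    if not (1 <= severity <= 5 and 1 <= likelihood <= 5):
        raise ValueError("severity and likelihood must be integers 1-5")
    return severity * likelihood


def classify(score):
    """Map a 1-25 score to its 5.1 band."""
    for upper, band in BANDS:
        if score <= upper:
            return band
    raise ValueError(f"score out of range: {score}")


def reachable_scores():
    """Products of two 1-5 integer scales. Only 14 distinct values occur,
    so 21-24 can never be scored and Critical means exactly 5 x 5."""
    return sorted({s * l for s in range(1, 6) for l in range(1, 6)})


def heat_map():
    """5.6 heat map derived from the bands: rows are likelihood 5 down to 1,
    columns severity 1 to 5, cells the band abbreviation."""
    abbrev = {"Low": "L", "Medium": "M", "High": "H", "Very High": "VH", "Critical": "C"}
    return [[abbrev[classify(risk_score(s, l))] for s in range(1, 6)]
            for l in range(5, 0, -1)]


def residual_register(risks):
    """7.1 residual table: before/after score and band plus the 7.2 approval
    level, highest residual first. Rejects a 'mitigation' that raises the score."""
    rows = []
    for r in risks:
        before = risk_score(r["severity"], r["likelihood"])
        after = risk_score(r["residual_severity"], r["residual_likelihood"])
        if after > before:
            raise ValueError(f"{r['impact']}: residual score {after} exceeds original {before}")
        rows.append({
            "impact": r["impact"],
            "before": before, "before_band": classify(before),
            "after": after, "after_band": classify(after),
            "approval": APPROVAL[classify(after)],
        })
    return sorted(rows, key=lambda row: row["after"], reverse=True)


def residual_summary(rows):
    """7.2 count of residual risks per band, with every band listed."""
    summary = {band: 0 for _, band in reversed(BANDS)}
    for row in rows:
        summary[row["after_band"]] += 1
    return summary


if __name__ == "__main__":
    for line in heat_map():
        print("  ".join(f"{cell:>2}" for cell in line))
    rows = residual_register(REGISTER)
    for row in rows:
        print(f"{row['impact']:<55} {row['before']:>2} -> {row['after']:>2}  "
              f"{row['after_band']:<9} {row['approval']}")
    print(residual_summary(rows))
```

Generating the heat map from `BANDS` rather than drawing it means a change to the band edges cannot leave the matrix stale, and `reachable_scores()` makes explicit that a 5 × 5 product scale has gaps, so an acceptance threshold such as "21-25" is reached only by the single 25 cell.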

7.3 Approval and Sign-Off

Approval Workflow:

| Approval Level | Approver | Date | Status | Comments |
|----------------|----------|------|--------|----------|
| Technical Review | | | ☐ Pending ☐ Approved ☐ Rejected | |
| Legal Review | | | ☐ Pending ☐ Approved ☐ Rejected | |
| DPO Review | | | ☐ Pending ☐ Approved ☐ Rejected | |
| Risk Committee | | | ☐ Pending ☐ Approved ☐ Rejected | |
| Executive Leadership | | | ☐ Pending ☐ Approved ☐ Rejected | |
| [Other] | | | ☐ Pending ☐ Approved ☐ Rejected | |

Final Approval Decision: ☐ Approved ☐ Approved with Conditions ☐ Rejected

Conditions (if applicable):

  1. [Condition 1]
  2. [Condition 2]
  3. [Condition 3]

Part 8: Monitoring and Review Plan

Purpose: Define ongoing monitoring to ensure impacts remain within acceptable levels.


8.1 Monitoring Framework

8.1.1 Performance Monitoring

| Metric | Baseline | Target | Alert Threshold | Monitoring Tool | Frequency | Owner |
|--------|----------|--------|-----------------|-----------------|-----------|-------|
| | | | | | | |

8.1.2 Fairness Monitoring

| Fairness Metric | Groups Compared | Target | Alert Threshold | Monitoring Tool | Frequency | Owner |
|-----------------|-----------------|--------|-----------------|-----------------|-----------|-------|
| Demographic Parity | | | | | | |
| Equalized Odds | | | | | | |
| Predictive Parity | | | | | | |
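
The three metrics in this table, and the target / alert-threshold pattern of the 6.4 monitoring example, can be computed directly from the system's decision log. The following is an added example, not part of the AIIA template or of any vendor's tooling: it computes the largest between-group gap for demographic parity (selection rate), equalized odds (true and false positive rates) and predictive parity (precision) over a constructed set of screening decisions, and maps each gap to OK, ALERT or BREACH. The records, the group labels `A` and `B`, the `min_n` cut-off and the reuse of the 6.4 example's 10% / 8% demographic-parity thresholds for all three metrics are assumptions made for the example.

```python
"""Disaggregated fairness monitoring for a binary screening model.

Added example, not part of the AIIA template or any vendor tooling.
It computes the three metrics named in 8.1.2 over constructed decision
records and applies the target / alert-threshold pattern of the 6.4
monitoring example. The records, group labels and thresholds are
constructed for illustration.
"""
from collections import defaultdict

# Constructed records: (group, actual, predicted)
#   actual    = 1 if the applicant met the bar on manual review
#   predicted = 1 if the model recommended the applicant
SAMPLE = [
    # group A: 10 applicants, 6 recommended
    ("A", 1, 1), ("A", 1, 1), ("A", 1, 1), ("A", 1, 1), ("A", 0, 1),
    ("A", 0, 1), ("A", 1, 0), ("A", 0, 0), ("A", 0, 0), ("A", 0, 0),
    # group B: 10 applicants, 3 recommended
    ("B", 1, 1), ("B", 1, 1), ("B", 0, 1), ("B", 1, 0), ("B", 1, 0),
    ("B", 1, 0), ("B", 0, 0), ("B", 0, 0), ("B", 0, 0), ("B", 0, 0),
]


def group_rates(records, min_n=10):
    """Confusion-matrix rates per group.

    Groups with fewer than min_n records are reported as excluded rather
    than scored: with a handful of records one decision moves a rate by
    many points and the comparison would be noise.
    """
    counts = defaultdict(lambda: {"n": 0, "tp": 0, "fp": 0, "fn": 0, "tn": 0})
    cell = {(1, 1): "tp", (0, 1): "fp", (1, 0): "fn", (0, 0): "tn"}
    for group, actual, predicted in records:
        counts[group]["n"] += 1
        counts[group][cell[(actual, predicted)]] += 1

    def ratio(num, den):
        return num / den if den else 0.0

    rates, excluded = {}, []
    for group, c in counts.items():
        if c["n"] < min_n:
            excluded.append(group)
            continue
        rates[group] = {
            "selection_rate": ratio(c["tp"] + c["fp"], c["n"]),  # demographic parity
            "tpr": ratio(c["tp"], c["tp"] + c["fn"]),             # equalized odds
            "fpr": ratio(c["fp"], c["fp"] + c["tn"]),             # equalized odds
            "ppv": ratio(c["tp"], c["tp"] + c["fp"]),             # predictive parity
        }
    return rates, excluded


def fairness_metrics(records, min_n=10):
    """Largest between-group gap for each 8.1.2 metric, plus the excluded
    groups. Returns (None, excluded) if fewer than two groups can be compared."""
    rates, excluded = group_rates(records, min_n)
    if len(rates) < 2:
        return None, excluded

    def gap(key):
        values = [r[key] for r in rates.values()]
        return round(max(values) - min(values), 4)

    metrics = {
        "demographic_parity": gap("selection_rate"),
        "equalized_odds": max(gap("tpr"), gap("fpr")),
        "predictive_parity": gap("ppv"),
    }
    return metrics, excluded


def evaluate(metrics, target=0.10, alert=0.08):
    """OK / ALERT / BREACH per metric. The 10% target and 8% alert are the
    demographic-parity numbers from the 6.4 example; using the same pair
    for all three metrics is an assumption of this example. The alert sits
    inside the target so the team is warned before the target fails."""
    status = {}
    for name, gap in metrics.items():
        if gap >= target:
            status[name] = "BREACH"
        elif gap > alert:
            status[name] = "ALERT"
        else:
            status[name] = "OK"
    return status


if __name__ == "__main__":
    metrics, excluded = fairness_metrics(SAMPLE)
    status = evaluate(metrics)
    for name, gap in metrics.items():
        print(f"{name:<20} gap={gap:6.1%}  {status[name]}")
    if excluded:
        print("excluded (too few records):", ", ".join(excluded))
```

On the constructed records group A is recommended at 60% and group B at 30%, so demographic parity and equalized odds both breach the 10% target while predictive parity is identical across groups; a model can satisfy one fairness definition while failing the others, which is why the table above lists all three. In production the gap is computed per monitoring window (weekly in the 6.4 example) and a BREACH feeds the incident process in 8.2; the `min_n` exclusion keeps small groups from triggering alerts on noise, and excluded groups should be reported rather than silently dropped.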

8.1.3 Rights Protection Monitoring

| Right | Monitoring Indicator | Target | Frequency | Owner |
|-------|----------------------|--------|-----------|-------|
| Privacy | Data subject requests | < X/month | Monthly | DPO |
| Transparency | Explanation requests | Response < 48h | Weekly | Product |
| Appeal | Appeal volume | < X/month | Weekly | Legal |

8.1.4 Environmental Monitoring

| Metric | Baseline | Target (1 year) | Target (3 years) | Frequency | Owner |
|--------|----------|-----------------|------------------|-----------|-------|
| Carbon intensity (gCO₂/query) | | | | Monthly | Infrastructure |
| Energy consumption (kWh/month) | | | | Monthly | Infrastructure |
| Renewable energy % | | | | Quarterly | Sustainability |
| Hardware lifespan | | | | Annual | Operations |

8.2 Incident Response

Incident Classification:

| Severity | Definition | Response Time | Escalation |
|----------|------------|---------------|------------|
| Critical | Fundamental rights violation, major harm | Immediate | Executive + Regulator |
| High | Significant impact on protected group | 4 hours | Management + Legal |
| Medium | Individual complaint or minor issue | 24 hours | Team Lead |
| Low | Performance degradation | 72 hours | Team |

Incident Response Process:

Incident Detected
      ↓
Classify Severity
      ↓
Immediate Actions (stop/contain)
      ↓
Investigation (root cause analysis)
      ↓
Remediation (fix underlying issue)
      ↓
Communication (affected parties)
      ↓
Documentation (lessons learned)
      ↓
Follow-up (prevent recurrence)

8.3 Review and Reassessment Schedule

Regular Reviews:

| Review Type | Frequency | Trigger | Responsible Party | Deliverable |
|-------------|-----------|---------|-------------------|-------------|
| Performance Review | Monthly | Scheduled | Product Team | Performance Report |
| Fairness Audit | Quarterly | Scheduled | Fairness Team | Audit Report |
| Full AIIA Review | Annually | Scheduled | AIIA Team | Updated AIIA |
| Compliance Review | Annually | Scheduled | Legal/Compliance | Compliance Certificate |

Extraordinary Review Triggers:

  • Significant system change or update
  • New use case or deployment context
  • Adverse incident or failure
  • Change in applicable law or regulation
  • Stakeholder request or complaint pattern
  • Performance degradation beyond threshold
  • Fairness metric violation
  • Material change in organizational context

Reassessment Process:

  1. Trigger identified → 2. Scope determination → 3. Assessment update → 4. Stakeholder consultation → 5. Approval → 6. Implementation

Part 9: Documentation and Appendices

Purpose: Organize supporting documentation and evidence.


9.1 Core Documentation

Required Documents:

  • This completed AIIA template
  • Executive Summary (Part 1)
  • Technical Specification
  • Data Protection Impact Assessment (if applicable)
  • Fairness Testing Results
  • Stakeholder Consultation Records
  • Environmental Impact Calculation
  • Mitigation Plan
  • Monitoring Dashboard Design
  • Approval Records

9.2 Technical Appendices

Appendix A: Model Documentation

  • Model architecture diagram
  • Training procedure
  • Hyperparameters
  • Performance validation results
  • Limitation analysis

Appendix B: Data Documentation

  • Data sources and lineage
  • Data quality assessment
  • Preprocessing steps
  • Feature descriptions
  • Known biases

Appendix C: Fairness Analysis

  • Protected group definitions
  • Disaggregated performance metrics
  • Fairness metric calculations
  • Disparity analysis
  • Mitigation technique details

9.3 Stakeholder Engagement Records

Appendix D: Consultation Documentation

  • Stakeholder identification matrix
  • Engagement methods and timeline
  • Consultation materials (surveys, focus group guides)
  • Participation records
  • Summary of feedback received
  • Response to stakeholder concerns

9.4 Environmental Documentation

Appendix E: Carbon Footprint Calculation

  • Energy consumption measurements
  • Carbon intensity data sources
  • Embodied carbon calculations
  • Mitigation measure cost-benefit analysis
  • Monitoring tool configuration

9.5 Legal and Compliance

Appendix F: Legal Analysis

  • Applicable regulations detailed analysis
  • Legal basis justification
  • Contractual obligations review
  • Compliance checklist
  • Legal counsel opinion (if obtained)

9.6 Version Control

Assessment Version History:

| Version | Date | Author | Changes | Approval Status |
|---------|------|--------|---------|-----------------|
| 1.0 | | | Initial assessment | |
| 1.1 | | | [Description] | |
| 2.0 | | | [Major update] | |

Using This Template: Quick Reference

Template Customization Guide

Scaling by Risk Level:

Low Risk Systems:

  • Complete sections 1, 2.1, 2.3, 4, 5 and 6 (abbreviated), plus a short Part 7 and Part 8 recording the approval and the monitoring plan
  • Light stakeholder engagement (surveys, user feedback)
  • Simplified monitoring
  • Internal approval only

Medium Risk Systems:

  • Complete all sections
  • Moderate stakeholder engagement (surveys + focus groups)
  • Standard monitoring framework
  • Risk committee approval

High Risk Systems:

  • Complete all sections in detail
  • Extensive stakeholder engagement (all methods)
  • Comprehensive monitoring
  • External review + executive approval

Critical Risk Systems:

  • Complete all sections with extensive detail
  • Maximum stakeholder engagement + public consultation
  • Real-time monitoring
  • Board approval + regulatory consultation

Section Completion Checklist

Before Starting:

  • Assemble assessment team with appropriate expertise
  • Define scope and boundaries of AI system
  • Identify preliminary risk level
  • Allocate time and resources based on risk level
  • Review applicable legal and regulatory requirements

During Assessment:

  • Complete all relevant sections systematically
  • Engage stakeholders meaningfully
  • Collect evidence and data to support analysis
  • Document assumptions and limitations
  • Consult experts (legal, technical, ethical, domain)
  • Iterate based on feedback

Before Finalization:

  • Peer review by independent experts
  • Legal and compliance review
  • DPO review (if GDPR applies)
  • Stakeholder validation
  • Executive summary accurately reflects findings
  • All appendices complete and referenced
  • Version control and approval tracking current

Key Takeaways

  1. Comprehensive assessment integrates individual rights, societal impacts, and environmental considerations

  2. Risk-based approach scales effort and detail to system risk level

  3. Stakeholder engagement runs throughout the assessment; it is not a one-off consultation step

  4. Quantitative and qualitative analysis are both needed for a robust assessment

  5. Mitigation is mandatory - high risks cannot simply be documented and accepted

  6. Monitoring is ongoing - the AIIA is a continuous process, not a one-time exercise

  7. Documentation supports accountability and regulatory compliance

  8. Approval must be appropriate to risk level and organizational governance


Next Steps

Proceed to Lesson 4.6: Stakeholder Engagement for detailed guidance on conducting meaningful stakeholder consultation throughout the AIIA process.


This template provides structure for comprehensive AI impact assessment aligned with ISO 42001, GDPR, and EU AI Act requirements.
