New International Standard for AI Application, Development and Use (ISO/IEC 5339:2024)

England and Wales

Introduction  

The International Organisation for Standardisation (the “ISO”) has recently developed a new standard on AI, ISO/IEC 5339:2024 (“ISO 5339”). ISO 5339 was published in early 2024 and aims to establish a common framework that the relevant stakeholders can use to provide answers to the question: “What are the characteristics and considerations of an AI application?”. ISO 5339 should facilitate consistent stakeholder engagement throughout the AI system life cycle, promoting responsible AI development and implementation.

Understanding a Process Standard

As discussed in our previous Law-Now, ISO standards go through a set development process which usually takes 3 to 5 years. There are different types of standards. These include: 

  • Foundational and terminological standards provide shared vocabularies, terms, descriptions and definitions to build common understanding between stakeholders.
  • Interface and architecture standards define common protocols, formats and interfaces of a system, for example interoperability, infrastructure, architecture and data management standards.
  • Measurement and test methods standards provide methods and metrics for evaluating properties (e.g., security, safety) of AI systems.
  • Product and performance requirements standards set specific criteria and thresholds to ensure that products and services meet defined benchmarks, safeguarding consumers by setting safety and performance requirements.
  • Process, management, and governance standards set out clear processes and approaches for best practice in organisational management, governance and internal controls.

ISO 5339 is a process standard. Process standards do not require certification, but rather provide a common framework for ensuring consistent and responsible AI across different domains and applications.

Importance of the New Standard

ISO 5339 offers guidance on identifying the context, opportunities, and processes involved in developing and implementing AI applications. “AI applications” are defined in the standard as the use of AI with functional characteristics that operates in various stakeholder contexts to deliver an intended result.

ISO 5339 provides a high-level perspective on the AI application context, the roles of stakeholders, their relationship to the system's life cycle, and important characteristics and considerations specific to AI applications. Following the guidance in this document can allow stakeholders to have a common understanding of AI applications, how they operate, and the potential benefits and risks associated with them. This should promote effective communication, engagement, and acceptance among different parties involved in AI applications.

ISO 5339 aims to enhance multi-stakeholder communication and acceptance by offering a framework that includes the “make”, “use”, and “impact” perspectives of AI systems. 

ISO 5339 complements existing ISO standards such as ISO 42001 (see our LawNow article here), ISO 38507 (see our LawNow article here), and ISO 23894 (see our LawNow article here), which address responsible AI use, governance implications, and AI risk management, respectively.

Structure of ISO 5339

ISO 5339 addresses three key topics:

  • an approach to establishing an AI application’s stakeholders, context, functional and nonfunctional characteristics;
  • an AI application framework that can be used to answer the question: “What are the characteristics and considerations of an AI application?”;
  • guidance for AI applications based on the “make”, “use” and “impact” perspectives.

1. AI Application Context and Characteristics

This section provides an overview of the stakeholders, processes, and characteristics of an AI application (see the following paragraphs for how these terms and concepts are described). It focuses on the who (stakeholders), what, when, where, why and how questions within the AI system lifecycle and outlines the various aspects and considerations that impact the quality and trustworthiness of AI systems.

  • Stakeholders: different stakeholders, such as producers, developers, providers, users, customers, regulators, and the community, have distinct roles and responsibilities at different stages of the AI lifecycle (make, use, and impact).
  • Processes: The AI system lifecycle consists of stages such as AI model creation, AI application development, AI services provision, and AI-augmented decision-making.
  • Functional Characteristics: AI applications acquire information, use model output to augment decisions or predictions, and continually improve through interactions.
  • Non-functional Characteristics: These include trustworthiness, ethics, societal concerns, risk management, security, privacy, and explainability. Non-functional characteristics should be addressed, assessed, and mitigated throughout the AI system lifecycle.
  • Risks: AI systems, like traditional software systems, operate within a spectrum of risk, which is determined by the severity of the potential impact of a failure or unexpected behaviour and by the individuals or societies impacted. Risks can be mitigated by risk management practices. The extent of risk management undertaken by an organization depends on its “risk appetite”. It is suggested that ISO 23894 (Guidance on risk management) be used to consider risk and risk management in the AI context.

2. Stakeholders' Perspectives and AI Application Framework

This section brings together the component concepts into a framework that illustrates how each stakeholder interacts with an AI application. It provides a macro-level view based on the perspectives of “make”, “use”, and “impact” and aims to answer the question: “What are the characteristics and considerations of an AI application?”

This is illustrated in Figure 2 of ISO 5339. In a series of tables, the standard emphasises the different aspects of an AI application that each type of stakeholder must consider and sets out the stages at which they will need to consider their role in the AI application.

The "make" perspective stems from AI producers, developers, and data providers who are involved in the creation of the AI application. The AI provider can also share this perspective as they may be engaged in both the production and deployment processes. On the other hand, the "use" perspective is held by the AI customer and AI user, as they are the ones utilising the AI application to enhance their decision-making. The community's perspective revolves around how the deployment of the AI application affects them. The regulator's perspective focuses on ensuring compliance with legal requirements set forth by policy makers, particularly regarding the impact of non-compliance on the product or service within the jurisdiction.

Some stakeholders have a role in all stages, while others are more limited. For instance, AI producers must consider AI application characteristics at all stages, while AI application providers and regulators can focus on deployment, operation and monitoring of AI.

3. Guidance for AI Applications (Clause 7)

This section offers specific recommendations and best practices for stakeholders based on their perspectives and roles in the AI application context. It presents minimum sets of questions for stakeholders to address (based on the perspectives identified in Figure 2 of ISO 5339), some of which are common across stakeholders, while others are specific to certain types.

By way of example, the AI producer should address at least the following questions:

  • Who are the AI customers and AI users?
  • Who are the AI developers? Are they qualified and skilled employees or contractors?
  • Who are the AI application providers and their relationship with the AI producer?
  • Who are the stakeholders in each stage of the AI system life cycle?
  • What is the AI system and its capabilities? What algorithm is the AI model based on?
  • What are the AI characteristics of the AI application?
  • What data are used to create the AI model? What is the source of these data? Who are the data providers and their partners?
  • What are the trustworthiness and risk concerns of the AI application? What is being done to assess and mitigate these concerns? Is a risk management system in place for the organization?
  • What are the ethics, societal concerns, security, confidentiality, privacy and other legal requirement considerations in producing and deploying the AI application? How are they being addressed?
  • What is the technological ecosystem for the accessible deployment of the AI application?
  • What is the overall quality of the AI system?
  • How is the AI application built, applied and updated? How is the AI model trained or programmed?
  • Where is the AI application to be deployed, on-premise or as a cloud service? Where will the AI application be developed? Where are the AI developers located? Where are the data sources located?

The standard also contains a helpful list of questions to be considered from the point of view of data providers, AI developers, AI application providers, AI customers and users, policy makers and regulators. Stakeholders should analyse these questions within the context of the AI application framework.

ISO 5339 encourages stakeholders to explore the applicability of other ISO standards to their AI applications and consider the questions set for other stakeholders to develop AI applications that all stakeholders can accept. For instance, AI developers may benefit from considering the regulator questions internally. The answers could guide the development of AI applications which are less likely to cause concerns from a regulatory perspective.

Conclusion

ISO 5339 provides a comprehensive process framework for AI stakeholders involved in the development, deployment, operation, and monitoring of AI applications. By considering the various aspects outlined in the standard, such as purpose, characteristics, performance, risks, and benefits, stakeholders can ensure ethical, legal, and social compliance. The standard promotes alignment with existing best practices and principles, including other ISO standards, and helps companies to identify areas for improvement by posing a series of questions for various stakeholders to consider.

While ISO 5339 does not specifically address generative AI, the process, concepts, and framework are technology-agnostic and could be applied to generative AI applications and contexts.

The authors would like to thank Tycho Orton, associate, for his help in writing this article.