ISO/IEC 22989:2022 Artificial intelligence — Concepts and terminology

A foundational standard by ISO and IEC that establishes a common vocabulary for core Artificial Intelligence (AI) concepts. It enables organizations to build a shared understanding for internal governance, supply chain communication, and regulatory alignment, serving as the starting point for AI risk management.

Curated by Winners Consulting Services Co., Ltd.

Questions & Answers

What is ISO/IEC 22989:2022(E)?

ISO/IEC 22989:2022 is a foundational international standard developed by the joint technical committee ISO/IEC JTC 1/SC 42. Its primary purpose is to provide a definitive and harmonized set of concepts and vocabulary for the field of Artificial Intelligence (AI). The standard defines key terms such as 'AI system,' 'machine learning,' 'data,' and 'trustworthiness.' In the context of enterprise risk management, it serves as a 'Rosetta Stone,' creating a common language essential for implementing other critical standards like ISO/IEC 42001 (AI management system) and ISO/IEC 23894 (AI risk management). This alignment is crucial for accurately identifying, assessing, and communicating AI-related risks and ensuring consistency with global regulations like the EU AI Act.

How is ISO/IEC 22989:2022(E) applied in enterprise risk management?

Enterprises can apply ISO/IEC 22989 in risk management through three practical steps:

1. **Establish a Common Lexicon:** Use the standard as the official glossary for internal training across departments such as legal, R&D, and compliance. This ensures a unified understanding of critical risk concepts like 'bias,' 'explainability,' and 'robustness,' preventing risks from being overlooked due to semantic ambiguity.
2. **Refine Risk Identification and Assessment:** Apply the standard's definitions, such as the 'AI system lifecycle,' to scope risk assessments comprehensively from data acquisition to model decommissioning. Differentiating between 'verification' and 'validation' as defined in the standard allows for more rigorous model testing and precise risk quantification.
3. **Standardize Documentation and Communication:** Adopt the standard's terminology in supplier contracts, terms of service, and regulatory filings. This minimizes legal ambiguity and demonstrates a mature AI governance posture to auditors and partners, potentially reducing compliance review cycles by up to 20%.

What challenges do Taiwan enterprises face when implementing ISO/IEC 22989:2022(E)?

Taiwanese enterprises face three main challenges:

1. **Concept-to-Practice Gap:** The standard defines terms but does not prescribe controls, making it difficult for non-technical teams to implement. **Solution:** Pair it with actionable frameworks like the NIST AI Risk Management Framework (RMF) or ISO/IEC 42001. Start with a pilot project to map the standard's terms to concrete risk scenarios and controls.
2. **Interdisciplinary Talent Shortage:** Effective AI governance requires a blend of technical, legal, and ethical expertise, which is rare. **Solution:** Form a cross-functional AI governance committee and invest in targeted training for legal and audit teams, supplemented by external consultants to accelerate knowledge transfer.
3. **Integration with Existing Systems:** Creating a separate AI governance system alongside existing ones like ISO 27001 is inefficient. **Solution:** Leverage the common ISO high-level structure (Annex SL) to extend the existing information security risk assessment process to include AI-specific assets such as models and training data, ensuring seamless integration.

Why choose Winners Consulting for ISO/IEC 22989:2022(E)?

Winners Consulting specializes in ISO/IEC 22989:2022(E) for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact
