Navigating AI standards: a practical guide for people professionals

International standards offer practical frameworks, shared language, and structured processes to support effective and ethical use of AI in organisations. Each of these standards is developed through expert panels and help promote trustworthy and safe AI systems across sectors and jurisdictions:  

• BS EN ISO/IEC 22989:2023 AI Concepts and Terminology. This standard helps people use the same definitions when talking about AI systems. 
• BS ISO/IEC 42001:2023 Artificial Intelligence Management System. This certifiable standard provides a structured framework for organisations to develop, use and govern AI systems responsibly.  
• BS EN ISO/IEC 23894:2024 AI Risk Management. This standard provides a structured approach for identifying, assessing and mitigating AI-related risks. 
• BS ISO/IEC 38507:2022 Governance of IT and AI. This standard provides guidance on how to oversee the use of AI across an organisation.  
• BS ISO/IEC 5338:2023 AI System Lifecycle Processes.  This standard defines concepts and AI-specific processes in an AI system’s lifecycle. 
• BS ISO/IEC 42005 AI System Impact Assessment. This standard provides a framework to assess the impact of an AI system on individuals, organisations and society. 

When exploring the standards, it’s important to note that the full standards are behind the British Standards Institution’s paywall. The acronyms in the standard names indicate whether the British Standards (BS) are adoptions of international (ISO or IEC) and/or European (EN) standards.  

While compliance is normally voluntary unless required by law, international standards are widely recognised as credible references for good practice. As the landscape evolves, ongoing learning, collaboration and review will remain essential and this guide serves as a valuable foundation for that journey. 

Further guidance is available from BSI’s Little Book of AI resource. To explore a wider range of standards on emerging digital technologies visit BSI Knowledge. 

Here we look at four AI risk management frameworks to help you choose according to your organisation’s needs and budget: 

• For quick and low-cost compliance focusing on just security: choose the NCSC AI Cyber Security Code of Practice. It has 13 principles across five stages of lifecycle. 
• For formal certification and client trust: choose to invest in the AI Management System standard and budget for audits. 
• For risk-focused governance without certification costs: choose the AI Risk Management standard and NCSC AI Cyber Security Code of Practice. 
• For regulated sectors: consider investing in the AI Management System standard for certification and governance. 
• For small enterprises: consider starting with the NCSC AI Cyber Security Code of Practice as a security baseline and the NIST AI Risk Management Framework for ensuring trustworthiness. 
• For medium or large enterprises: consider investing in the AI Management System standard for certification and governance.

For people professionals accessing these standards for the first time, the standard BS EN ISO/IEC 22989:2023 (behind paywall) defines essential AI concepts and terminology. This covers systems, algorithms, datasets, lifecycle stages and roles such as human in the loop as well as AI principles like transparency, explainability, robustness and bias management.  

Having a shared understanding when talking about AI with colleagues, vendors and other stakeholders helps to avoid misunderstandings. Using the same definitions helps ensure compliance with regulations.  

People professionals can use this standard to:  

• Create an organisation-wide AI vocabulary to communicate with internal and external stakeholders. It helps frame the language used in AI policy documents, training materials, compliance reports and vendor requests for proposals (RFPs). 
• Map AI features in people systems against the AI lifecycle model within the standard. This includes capturing business goals during the inception stage, defining roles and datasets during the design stage, and running bias and explainability tests during the validation stage. Followed by monitoring system performance during the deployment stage and documenting results during the retirement stage. 
• Embed transparency and fairness by using the key concepts from this standard to shape people processes and systems. For example, ensuring the people team and system users such as employees and job applicants understand the outputs.

BS ISO/IEC 42001:2023 (behind paywall) is a certifiable international standard for managing AI systems. It provides a structured framework for organisations to develop, use, and govern AI systems responsibly. It focuses on risk management, accountability, ethics and continual improvement.  

This standard integrates AI governance with existing management system standards such as ISO 9001 Quality Management System, ISO/IEC 27001 Information Security Management System and ISO/IEC 27701 Privacy Information Management System. 

Despite the varied approaches to AI regulation that are emerging globally, some AI principles consistently stand out. These include:  

• Safeguarding human decision-making and oversight. 
• Establishing clear accountability controls and guardrails for use.  
• Embedding proactive risk mitigation throughout the organisation. 

Enforcing these principles requires visible commitment from senior leadership, organisation-wide education and capability building regardless of whether roles directly interface with AI. Furthermore, there must be clearly delineated individual accountabilities so that AI systems remain robust, stable, and are subject to prompt correction if an error occurs. 

Following the AI Management System Standard shows compliance and readiness for internal and external audits.  

This standard is certifiable and provides a demonstrable proof of compliance with safe and responsible practice in the deployment of AI. By engaging with this standard, people professionals can uphold fairness and foster trust in AI-driven processes. It empowers people professionals to collaborate with colleagues (eg in IT, legal, procurement) to ensure that AI systems align with organisational goals, legal requirements and stakeholder expectations. This standard provides guidelines for identifying and managing AI risks holistically.  

People professionals can use it:  

• To identify and procure systems from technology vendors that comply with the AI Management System standard, as this is a certifiable standard. 
• To build governance and risk controls into AI systems and processes owned by the people team. This includes defining roles and responsibilities, assessing risk at all stages of the AI lifecycle and maintaining an audit log of decisions made and updates to both the data and the system. 
• To help align AI practices with organisational governance structures when working with the governance and compliance teams. 
• As a reference to develop a framework for embedding ethical principles into AI policies and practices across the organisation. 
• For guidance on assessing how an AI system may impact the people who use them, such as employees and job applicants. 

Explore this illustrative example of how a people team might use the AI Management System standard.   

Situation 

The people team is looking at buying a popular AI recruitment system to help them source high quality candidates. The system screens applicant CVs against the job description, automatically ranks and shortlists candidates. The software can also source candidates based on its assessment of their professional histories in the public domain and invite them to apply. 

The board has decided to use the AI Management System standard as a framework for considering new AI systems. The chief people officer is asked to run an AI impact assessment with the IT and legal teams.  

Concerns 

Among the many benefits identified, two key concerns were investigated through this exercise. 

• Concern 1: reliability and compliance. How did the vendor obtain the data that has been used to train the AI? How can the vendor demonstrate that the data is representative, for example in terms of gender, ethnicity, social mobility? Does the vendor continue to audit the data being used by the system for learned bias? 
• Concern 2: decision-making process. When evaluating and ranking CVs, how does the software demonstrate its decisions are unbiased? What candidate data does the system include in its decisions? What does it ignore? What is it unaware of?  
   

Solutions 

The team decided to evaluate the supplier’s own controls to see if there is information to address their concerns. Following the impact assessment two changes were made.  

Firstly, the people team created a policy and process to support meaningful human oversight in line with the responsible guidelines within the AI Management System standard. The policy confirmed that only human recruiters could shortlist candidates and AI can only recommend. The people team will regularly do random checks on candidate profiles (that the system rejected and shortlisted) and flag any biased decisions.  

Secondly the team decided to restrict the system to source candidates from only one popular professional networking site, where candidates have indicated that they’re ‘open to work’. This is to limit the risk of being accused of unsolicited contact even if it benefits the person concerned. 

As a result of these two changes, the organisation delivered a strengthened solution at the outset and avoided costly errors later. The other benefit was the learning and decision process the team went through as they considered new software. 

BS EN ISO/IEC 23894:2024 (behind paywall) is a standard that provides a structured approach to manage risks associated with AI. This standard draws on the ISO 31000 Risk Management Guidelines standard, which sets out risk management principles that apply to all kinds of business risk.  

One of the core responsibilities of the people team is to manage people risks. This includes the risks of AI on people. Many AI risks stem not from the technology alone but from how people design, deploy, use and oversee the system.  

This standard provides a structured approach to proactively examine and respond to AI risks such as:  

• Fairness. The risk of designing, deploying, using and overseeing AI in a way that unfairly affects people including those from underrepresented groups. 
• Privacy and data protection. The risk of personal data being shared or used without the individual’s consent. 
• Transparency and explainability. The risk of users not being aware that AI is used to make decisions. If users are aware, there’s a risk that they might not understand why or how AI decided on something or might always accept AI’s outputs at face value. 
• Security vulnerabilities. The risk of AI being compromised by cyber threats such as attackers stealing data (data breach) and inserting bad data (data poisoning). 
• Performance over time. The risk of AI learning bias from the input it receives or becoming less accurate where it does encounter a particular experience over time. As AI is used, the new data it receives may impact the quality of its decisions. 

There are ways in which people professionals can use and customise the standard according to their organisational needs: 

• Create a risk register for AI in people systems, which defines people-specific objectives of the system and the risk criteria. When using AI in recruitment, this could be to assess the risks of unlawful discrimination (both direct and indirect). In AI-driven performance analytics, this could be to monitor for biased assessments and unintended consequences. Where an AI system is used to collect employee personal data, this involves assessing privacy risks and compliance with data protection laws. 
• Establish escalation protocols for AI-related incidents in people systems or play a supporting role in other AI systems that carry people risks (such as AI fraud detection). 
• Document decisions for transparency and accountability because risk requires regular monitoring, evaluation and process improvement.   
• Train the people team on AI governance and ethics and how to raise concerns. 
• Integrate the risk management principles into communications and consultations with employees.  

Explore this illustrative example of how a people team might use the AI Risk Management standard. 

Situation 

The people team would like to replace its in-house helpdesk with an AI people assistant, a chatbot that answers employee questions and points to sources for further advice. The IT team decided to refer to the AI Risk Management standard for guidelines on risk assessment and involves the people and legal teams in this. 

Concerns 

The IT, legal and people teams created a risk register to record the different types of risks. For example, what questions could employees ask the assistant and what’s the risk of the assistant giving wrong answers? What’s the risk of an employee receiving an answer they don’t understand, and if this is the case how do they escalate their question to a human?  

Following the risk assessment, it was decided that the assistant was not yet providing robust answers to all employee questions for the people team, so this risk was flagged in the risk register. The assistant sometimes used words (eg ‘should’ instead of ‘must’) that completely changed the legal and policy position of a response. While some AI processes can resolve this common problem with assistants that use large language models (LLMs), it created significant risks that can’t be defended easily.  

Solutions 

To mitigate the risk of giving wrong answers, the assistant was restricted to answering simpler questions, such as providing leave balance or referencing a section in a policy. Complex questions were still escalated to the people team. The assistant would not try to answer complex questions that needed human judgment and nuanced interpretation of employees’ terms and conditions, organisation’s policies or the law.  

Having evaluated the trade-offs, the people team decided that the assistant wouldn’t replace the helpdesk, but it would free up some time for the people team to work on other tasks. A side benefit of the assistant is employees have an assistant they can access at all times instead of trawling through policies and procedures to find an answer. Over time the organisation will continue to train the assistant to answer more employee questions and improve its answers whilst maintaining an acceptable risk profile for the solution. 

The value of this exercise was to find a solution that met the organisation’s needs without exposing it to costly risk. In this illustrative example, the organisation decided to rollout a more basic AI people assistant instead of taking the risk and finding problems during testing or live use. A different organisation might decide not to implement an AI people assistant at all and instead focus on simplifying their policies and procedures for employees.  

An organisation selling AI solutions might have felt it necessary to make improvements and implement a more sophisticated assistant in their people team to demonstrate the value to their customers. In other words, the outcome of a risk assessment would vary depending on the organisation’s circumstances. 

BS ISO/IEC 38507:2022 (behind paywall) explains governance implications of using AI in an organisation and how to control its use. This standard is aimed at governing bodies such as board of directors and senior leadership teams as well as technical specialists and auditors who support the governance process. 

This standard is useful for people professionals because it highlights controls that need to exist for an organisation to respond meaningfully and systematically to AI risks and opportunities. It helps you understand how to align AI use with organisational values, legal obligations and ethical practice. 

Should AI risks such as those raised in the AI Risk Management standard happen, following this standard ensures the right people in the organisation are aware of and responsible for resolving them. For the most serious challenges, it ensures the channels exist for senior leadership to get involved. 

People professionals can use this standard as a guide for setting and maintaining the governance of the AI systems used by the people team as well as supporting the governance of other systems. For example, you might help the board assess the organisation’s use of AI by gathering employee feedback through surveys and focus groups. You might be in an AI ethics committee or a review panel to assess whether the use of an AI system aligns with employment law and ethical people practice. 

When setting up governance controls, take the following actions:  

• Differentiate where and how AI is used to assist or make automated decisions. Keep an AI risk register to keep the board or governing body informed of any implications of AI on people. 
• Be aware that the governing body needs to assign clear roles and responsibilities for AI-assisted decision making. For example, it could help you set up human-led processes for critical people decisions such as hiring, appraisal and disciplinary actions. 
• Set accountability and oversight in the use of AI. The organisation’s leadership must be able to explain, justify and account for AI-supported decisions. In turn, the people team can apply these organisational goals and objectives by setting and managing appropriate policies and decision boundaries. 

Explore this illustrative example of how a people team might use the Governance of IT and AI standard.  

Situation 

The people team would like to set up the necessary governance controls of a new AI-driven talent management system. The system identifies high-potential leaders from performance review data.  

With help from two senior IT and compliance colleagues, several members of the people team including the head of talent and CPO set out to propose governance controls for the system.  

Concerns

Following the guidance in the Governance and IT standard, they considered the system’s operating context. That is, the business pressures and needs, stakeholder expectations and regulatory obligations. 

Solutions 

Having considered the system’s operating context, they identified the sources of authority they could call on for direction on strategy and policy as well as expertise for monitoring the system’s performance. 

In this illustrative example, the following governance controls were set: 

• The organisation’s AI ethics committee was named as the accountable executive body responsible for ensuring the talent team had set the right guardrails for automated decisions made by this system.  
• The AI ethics committee would be responsible for ensuring the talent team set out how to deal with employee complaints and other problems from the system.  
• The AI ethics committee would assure the board who have oversight of the organisation’s corporate governance.  
• The AI ethics committee accepted the head of talent’s proposal for a new organisational policy for responsible AI in talent management.  
• The policy stated that AI can only nominate candidates and the selection of high-potential leaders must be done by a diverse panel of senior leaders, with justifications for selection documented.  
• The AI ethics committee agreed that the CPO would present the system decisions to them annually, including evidence on whether the system showed signs of bias and how these were addressed.  

The standard BS ISO/IEC 5338:2023 (behind paywall) defines concepts and AI-specific processes in an AI system’s lifecycle. It builds on the standard ISO/IEC 12207 Software Lifecycle Processes. The AI System Lifecycle Processes standard helps integrate AI governance into existing software engineering practices. 

It’s useful for people professionals who are curious to know more about AI system concepts and the processes to control, manage, execute and improve it. Being aware of these helps you make smart choices about AI systems, and have informed discussions with IT colleagues and technology vendors when developing or buying an AI system. 

For example, this standard defines two types of AI systems: heuristic and machine learning. In practice, most AI systems are a hybrid of machine learning and heuristic models. 

A heuristic model is a model or program that relies on predefined rules. The candidate shortlisting rule below is heuristic because the rule is predefined. The model does not need to be trained on data, and the outcomes follow clear decision logic, such as:‘If a candidate has one of the project management certifications in our list AND at least 5 years’ experience then shortlist. Otherwise, don’t shortlist.’ 

A machine learning model (or program) relies on finding patterns from large datasets. A key point to note is a machine learning model is inherently probabilistic, which means it cannot always be guaranteed to be correct. Ensuring sufficient and representative data is important for machine learning models, in case there are hidden societal biases in the data. For instance, jobs traditionally being done by one gender, or non-native English speakers using non-typical words to describe their experience. 

Applying this standard embeds transparency and accountability in the organisation through documentation of, for example, decisions, test results and compliance reports. 

It also helps embed risk management and ethical principles into processes in an AI system’s lifecycle. This includes agreement processes and organisational project-enabling processes. Technical management processes such as risk management and quality assurance. As well as technical processes covering a system’s lifecycle such as design and development, verification and validation, and deployment.  

People professionals can use this standard to: 

• Learn more about technical AI concepts and processes to help make smart choices and have more informed conversations on AI systems. 
• Foster a culture of accountability underpinned by clear policies and processes. Like other IT systems, an AI system also requires security management and other general IT controls.

The standard BS ISO/IEC 42005 (behind paywall) details how to perform AI impact assessments effectively and can form part of compliance with the AI Management System standard. This standard can be tailored to fit with the organisation’s policies and procedures, risk levels and intended use of the AI system. Where major changes arise, repeating the impact assessment is recommended.  

The AI impact assessment is a live document that can support board-level decisions and risk management. It can inform internal procedural guidance on AI as well as training resources on working with the AI system.  

This standard provides a systematic approach for reviewing people, ethical and operational consequences of an AI system in an organisation. The impact assessment can include, for example, how people from different cultures (and ethical values and norms) might interact with the AI system. It can also cover the AI system’s external impact on society and environment. This standard looks at all forms of AI impact, not just technical and legal impacts.  

A key feature of this standard is its emphasis on stakeholder engagement, which could help with any wider consultation on an AI system.  Employee representatives should be involved in the procurement and implementation of AI in people systems. And where AI systems are implemented more widely employees should be consulted about any potential impact on their role. Encouraging two-way dialogue for employees to safely voice opinions and ideas supports CIPD’s viewpoint on employee voice. 

People professionals can use it as a guide to systematically assess the impact of an AI system on people. To begin with, choose which aspect of the AI system needs to be examined for the impact assessment. This could be all AI systems owned by the people team or focus on just one AI feature in a system. Once the scope of the impact assessment is defined, responsibilities for conducting the assessment can be assigned accordingly.  

Then, systematically evaluate potential consequences of the AI system (or feature) in each stage of its lifecycle (eg procurement, deployment). This can cover potential impacts on: 

• Fairness. Could automated decisions disadvantage certain groups or individuals? Could the AI system design negatively affect terms and conditions set out in employment contracts or collective agreements? Could it, for example, influence promotions or enforce disciplinary measures in problematic ways? 
• Privacy. Is the collection and use of personal employee data proportionate and transparently communicated? 

Based on these considerations, the people team can develop a scale to measure risk levels (eg red, amber, green) and agree the level of risk the organisation is comfortable with. Then define escalation thresholds to determine when additional review, mitigation or remediation is needed. 

If new concerns surface, this should be recorded and monitored through ongoing reviews. 

The outcome of an AI impact assessment can be linked with the organisation’s various governance controls. In the case of the people team’s AI system, details of the risks can be integrated with the team’s existing risk and compliance framework and aligned with the data protection impact assessments. This may include integrating risks that have been identified from an impact assessment of non-AI people systems or from a data protection impact assessment on the processing of employee data.  

Here’s an illustrative example of how a people team might use the AI impact assessment standard. 

Situation 

A regional people leader in a global organisation piloted an AI-driven employee listening system and shared their early success with the CPO. The system analysed employee messages and other communications to gauge employee morale in different groups. Insights from the system helped them implement targeted low-cost initiatives that improved employee wellbeing and reduced unwanted employee turnover. For example, the insights enabled the people team to identify employees at risk of leaving because of burnout and prompted line managers to check-in with team members. The regional people leader confirmed the system complies with local laws. Employees were supportive and no concerns were raised.  

The regional people leader proposed that the system is rolled out across the whole organisation to support proactive employee listening and response. 

As part of the AI Management System standard, a manager from the global people team was appointed to work with the regional people leader, IT, risk and legal teams to conduct an AI impact assessment.  

A small, carefully managed employee consultation exercise was conducted in several regions.  

Concerns 

Risks were uncovered that had not emerged in the region that piloted the system. For example, employees in the other regions were concerned about privacy. Some employees questioned whether the system would recognise cultural nuances, sarcasm or emojis. 

The AI impact assessment team were unsure whether this meant employees in the pilot region had a different attitude to privacy, were unwilling to express concerns to management, or felt privacy was a worthwhile price for the gains they received. The team also concluded that while the piloted system appeared to comply with the law, this use of AI hadn’t yet been tested in the courts in that jurisdiction. The system breached privacy laws in several other regions, but there were ways to comply. For example, the impact assessment suggested limiting the channels that were monitored, being transparent with employees on what communications the system monitored and why, and give employees the right to opt out. 

Solutions 

In this illustrative example, it was decided that the AI-enabled employee listening system would be scaled back to summarising employee feedback in pulse surveys and tickets raised through the people team helpdesk in a global deployment.