AI Risk Management, Impact Assessment and DPIA Explained
How to assess AI risks systematically (ISO 23894), how an AI impact assessment differs from classic risk management, and when it merges with the GDPR DPIA.
In short
Classic risk management (deepened by ISO/IEC 23894) asks what could harm your organization. An AI system impact assessment (guidance: ISO/IEC 42005) asks the opposite: what effects the AI has on individuals and society. If the AI processes personal data at high risk, the GDPR (Art. 35) additionally requires a data protection impact assessment (DPIA), which overlaps heavily with the impact assessment.
AI without risk consideration is like machinery without guards. That is why ISO/IEC 42001 requires organizations to assess and treat the risks of their AI systematically. Three terms get mixed up in the process, and it pays to keep them apart.
Classic risk management: risk TO the organization
Familiar risk management asks: what could harm my organization? With AI, that includes things like faulty model decisions, poor data quality, outages, or dependence on suppliers. ISO/IEC 23894 gives this approach depth and ties into the general risk standard ISO 31000: identify, analyze, evaluate, treat, monitor.
- Treatment options: avoid, reduce, transfer, or knowingly accept the risk.
- AI-typical risk sources: bias, lack of robustness, drift in operation, missing transparency.
- Important: risks are documented and their treatment is tracked, not assessed once and forgotten.
Impact assessment: risk FROM the AI to others
This is where the decisive difference with AI lies. An AI system impact assessment (guidance: ISO/IEC 42005) does not ask what harms the organization, but what effects the AI has on affected people and society, for example on applicants, customers, or patients. Classic risk management does not capture this outward perspective in the same way, and it is exactly what responsible use of AI demands.
DPIA: the data protection impact assessment
If the AI processes personal data that is likely to result in a high risk, the GDPR (Art. 35) requires a data protection impact assessment (DPIA). In substance it overlaps heavily with the AI impact assessment, since both ask about the consequences for people.
Where AI processes personal data, it pays to combine the AI impact assessment and the DPIA into one consolidated document instead of two separate compliance exercises.
Why these belong together
ISO/IEC 42001 forces you to take both viewpoints: the risk to the organization and the effect on the outside world. It is precisely this dual perspective that turns "we use AI" into a responsible, auditable practice, and it incidentally produces the evidence that the EU AI Act requires for high-risk systems.
Frequently asked questions
What is the difference between risk management and an impact assessment?
Risk management looks at risks to the organization. An impact assessment looks at the effects of the AI on affected people and society, the outward perspective.
Do I need the AI impact assessment and the DPIA separately?
When AI processes personal data at high risk, both can sensibly be merged into one consolidated document, because their content overlaps substantially.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)
Last updated: 26 May 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.