AIG-006 AI Impact Assessment
Description
Before deploying an AI system that may affect individuals or groups, a documented impact assessment is completed. The assessment evaluates potential harms to individuals (including discrimination, privacy, safety, and economic effects) and societal harms (including systemic bias, labour displacement, and environmental impact). Assessments consider vulnerable groups including minors. Results are retained and reviewed when the system's purpose or data inputs change materially.
Rationale
AI systems can cause population-scale harms invisible in individual-system risk assessments; a dedicated impact assessment surface forces proportionate consideration of downstream effects.
Framework Mappings (9)
| EU-AI-Art.26.8 | Deployer Obligations — GDPR Data Protection Impact Assessment Support | partial |
| EU-AI-Art.9.6 | AI Risk Management System — Vulnerable Groups Consideration | full |
| A.5.2 | AI system impact assessment process | full |
| A.5.3 | Documentation of AI system impact assessments | full |
| A.5.4 | Assessing AI system impact on individuals or groups of individuals | full |
| A.5.5 | Assessing societal impacts of AI systems | full |
| MAP 3.2 | AI Error Costs and Risk Tolerance | full |
| MAP 5.1 | Impact Likelihood and Magnitude Documentation | full |
| MEASURE 2.12 | AI Environmental Impact Assessment | partial |
Evidence (2)
Completed AI impact assessment for each AI system that may affect individuals or groups, covering individual harms (discrimination, privacy, safety, economic), societal harms, and consideration of vulnerable groups.
Example: AI Impact Assessment — Loan Eligibility Model (Confluence), dated 2025-07-20, covering discrimination risk, vulnerable group (minors) analysis, societal bias risk, and retention date
Test: Request impact assessments for all Tier 2+ AI systems affecting individuals. Verify each assessment: (1) covers individual harm categories (discrimination, privacy, safety, economic effects), (2) includes societal harm analysis, (3) explicitly addresses vulnerable group risk, (4) records the outcome and any required mitigations, (5) a re-assessment trigger condition (material change to system purpose or data inputs) is documented.
Bias and fairness evaluation report produced prior to deployment, disaggregated by protected characteristics, demonstrating that potential discriminatory impacts have been quantitatively assessed.
Example: Pre-deployment Fairness Report — Hiring Screen Model v2 (MLflow artefact), showing demographic parity metrics across gender, ethnicity, and age cohorts, with pass/fail against defined thresholds
Test: Request the pre-deployment fairness report for the assessed system. Verify: (1) evaluation is disaggregated by relevant protected characteristics, (2) fairness metric definitions match those in the impact assessment, (3) results are compared to documented thresholds, (4) any threshold failures have a documented remediation decision.
Questions (2)
Does your organisation complete a documented impact assessment before deploying an AI system that may affect individuals or groups?
AI impact assessments must go beyond standard risk assessments to address population-scale harms including discrimination, privacy, economic effects, and societal impacts. The assessment should be retained and revisited when system purpose or data inputs change.
Which of the following harm categories does your AI impact assessment explicitly evaluate?
All six categories should be assessed for systems affecting individuals. Missing vulnerable group analysis or societal harm evaluation are common gaps that create regulatory exposure under the EU AI Act and GDPR.