ISO IEC 38507-2022 PDF
Name in English:
St ISO IEC 38507-2022
Name in Russian:
Ст ISO IEC 38507-2022
Full title and description
ISO/IEC 38507:2022 — Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations. Guidance aimed at members of governing bodies (and related stakeholders) to help them enable, oversee and govern the effective, efficient and acceptable use of AI across any type or size of organization.
Abstract
This international standard provides high-level guidance for governing bodies, executive management and other stakeholders on the governance implications arising from the use of artificial intelligence. It describes responsibilities, oversight considerations and governance behaviours needed to manage benefits, risks and obligations associated with AI adoption and use, and links governance of AI to existing IT and data governance practices.
General information
- Status: Published
- Publication date: April 2022
- Publisher: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) — joint publication (JTC 1 / SC 42)
- ICS / categories: 35.020 (Information technology)
- Edition / version: Edition 1 (2022)
- Number of pages: 28
Scope
ISO/IEC 38507:2022 applies to governance of current and future uses of AI and to the implications those uses create for organizations. It is intended for governing bodies but also addresses executive managers, technical and legal specialists, service providers, auditors, public authorities and policymakers. The standard is descriptive and advisory — it sets out governance objectives, oversight questions and outcomes rather than prescriptive technical requirements.
Key topics and requirements
- Roles and accountability: clarifies governing body responsibilities for AI-related strategy, oversight and assurance.
- Risk and value balancing: guidance to assess AI benefits against risks and to align AI use with organizational risk appetite and objectives.
- Transparency and explainability: governance expectations for understandable decision-making, documentation and stakeholder disclosure where appropriate.
- Human oversight and control: requirements for appropriate human-in-the-loop or human-on-the-loop arrangements and escalation mechanisms.
- Data and lifecycle considerations: links to data governance and AI system lifecycle oversight (design, deployment, monitoring, decommissioning).
- Ethics, legality and conformity: ensuring AI use respects legal, regulatory and ethical obligations and organizational values.
- Competence and resourcing: expectations for organizational capability, training and access to external expertise where needed.
- Monitoring and assurance: establishing indicators, reporting and independent review to detect and respond to harms, drift and non-conformance.
Typical use and users
Primary users are boards, members of governing bodies and senior executives who set strategy and oversight for AI use. Secondary users include CIOs, risk and compliance officers, data and AI governance teams, external auditors, consultants, procurement and legal advisors, and public-sector policymakers who need a governance framework to inform policy or regulation.
Related standards
ISO/IEC 38507:2022 sits within the ISO/IEC governance of IT family and complements standards such as ISO/IEC 38500 (governance of IT), the ISO/IEC 38505 series (governance of data), ISO/IEC 38506 (IT‑enabled investments guidance), and the broader ISO AI series including ISO/IEC 22989 (AI concepts & terminology), ISO/IEC 23894 (AI risk management) and ISO/IEC 42001 (AI management systems). It is intended to be used alongside other industry and sector-specific guidance.
Keywords
AI governance, governance of IT, board oversight, accountability, explainability, human oversight, risk management, data governance, transparency, JTC 1/SC 42.
FAQ
Q: What is this standard?
A: An international guidance standard (ISO/IEC 38507:2022) that explains governance implications for the use of artificial intelligence and provides high-level guidance for governing bodies and related stakeholders.
Q: What does it cover?
A: It covers governance responsibilities, oversight considerations, risk/value trade-offs, transparency and explainability expectations, human oversight, data and lifecycle governance links, and monitoring/assurance approaches for organizational uses of AI.
Q: Who typically uses it?
A: Governing bodies and boards, senior executives, CIOs, risk/compliance officers, data/AI governance teams, auditors, consultants and policymakers — essentially anyone responsible for or advising on governance of AI within organizations.
Q: Is it current or superseded?
A: ISO/IEC 38507 was published in April 2022 and is current. It remains a valid, published guidance standard as of March 2, 2026 (check national/ISO catalogs for any later amendments or revisions).
Q: Is it part of a series?
A: Yes — it is part of the ISO/IEC governance of IT family (the 38500/38505/38506 series and related technical reports) and is linked to ISO/IEC AI standards developed by JTC 1/SC 42.
Q: What are the keywords?
A: AI governance, governance of IT, accountability, explainability, human oversight, risk management, data governance, transparency, ISO/IEC 38507:2022.