§12 · Lane 4 — ISO/IEC AI Management System Family

ISO/IEC 23894:2023 (AI Risk Management)

ISO/IEC (2023) · ISO/IEC 23894

Standard · Tier 1 · Lane 4

Bibliographic data

Title: ISO/IEC 23894:2023 — Guidance on AI risk management
Authors / Issuing body: ISO/IEC
Venue / Publisher: ISO/IEC
Year: 2023
Designation: Standard
Licence: Stable URL; refer to the publisher for full licence terms.

How to cite

ISO/IEC (2023). ISO/IEC 23894:2023 — Guidance on AI risk management. ISO/IEC. https://www.iso.org/standard/77304.html.

AI-specific risk management guidance. Operationalises ISO 31000:2018 for AI by mirroring its clause structure (Principles in Clause 4, Framework in Clause 5, Process in Clause 6) and overlaying AI-specific guidance against each ISO 31000 sub-clause.

Why it matters for NETEVO

ISO/IEC 23894:2023 — Guidance on AI risk management is the methodology layer that operationalises the AI risk obligations sitting inside the AI management system. NETEVO cites it as the engineered route from policy to executable risk treatment.

The 42001 risk-clause companion. 23894 operationalises ISO/IEC 42001 Clauses 6.1.2 (AI risk assessment) and 6.1.3 (AI risk treatment). The 42001 Statement of Applicability references 23894 alongside ISO 31000:2018 as the methodology source — meaning the integration the NETEVO Law-to-Code Methodology relies on is already encoded into the standards stack. The guide mirrors ISO 31000:2018's clause structure (Principles in Clause 4, Framework in Clause 5, Process in Clause 6) and overlays AI-specific guidance against each sub-clause, so an organisation already running ISO 31000 extends rather than rebuilds.

The AU regulatory mapping is unusually clean. The 12 objective categories in Annex A and the 8 risk source categories in Annex B map directly onto APRA CPS 234, the Privacy Act 1988, the NSW AI Assurance Framework, the AICD/HTI Director's Guide eight elements, and the proposed AU mandatory guardrails. One control set, multiple AU regulatory hooks — the same multi-regulatory-anchor economics that make integrated management systems tractable for NETEVO clients.

Annex C is the executable spine. The lifecycle matrix maps the five risk-management activities against each AI lifecycle stage — a state machine that drops cleanly into an orchestrated risk-management workflow. The standard defines no terms of its own (terminology is imported from ISO 31000:2018, ISO Guide 73:2009, and ISO/IEC 22989:2022), and approximately 95 "should" obligations carry its normative force. 23894 is the methodology spine for the forthcoming AI-Washing Audit whitepaper, load-bearing for the forthcoming CPS 230 executable-edge-controls insight, and the cross-walking spine for the next revision of AI Governance in ANZ.

Where NETEVO applies this

Related audiences