§13 · Lane 4 — ISO/IEC AI Management System Family
ISO/IEC 38507:2022 (Governance Implications of AI)
ISO/IEC (2022) · ISO/IEC 38507
Bibliographic data
- Title: ISO/IEC 38507:2022 — Governance implications of the use of artificial intelligence by organizations
- Authors / Issuing body: ISO/IEC
- Venue / Publisher: ISO/IEC
- Year: 2022
- Designation: Standard
- Licence: Stable URL — refer to publisher for full licence terms.
- Canonical link: https://www.iso.org/standard/56641.html
How to cite
ISO/IEC (2022). ISO/IEC 38507:2022 — Governance implications of the use of artificial intelligence by organizations. ISO/IEC. https://www.iso.org/standard/56641.html.
The governance standard addressed to the governing body (board / top management), not the AIMS owner. Overlays ISO/IEC 38500:2015 (governance of IT) and ISO 37000:2021 (governance of organizations) with AI-specific guidance. Sits above 42001 in the stack — governs the body that owns the AIMS rather than the AIMS itself.
Why it matters for NETEVO
ISO/IEC 38507:2022 is the governance standard addressed to the board itself, not to the AI management system the board owns — and that altitude is precisely why it closes the highest-leverage citation gap in NETEVO's substrate.
Direct overlay onto the AU board-paper regime. Where ISO/IEC 42001 governs the AI management system and ISO/IEC 23894 governs AI risk, ISO/IEC 38507 binds the governing body that owns the management system into Australian director-duty law. NETEVO's digest catalogues fourteen such mappings — Corporations Act 2001 (Cth) ss 180-183, ASX CGC Principles 1, 4 and 7, APRA CPS 230 operational risk management, Privacy Act 1988 governance hooks, the NSW AI Assessment Framework, and the AICD/HTI Director's Guide eight elements among them. This is the citation that lets NETEVO position director duties under section 180 as operationalised against an international standard rather than asserted from first principles.
Two substantive "shall" obligations carry unusual weight for a guidance standard. Clause 4.1 normatively forward-references Annex A, so the annex is treated as binding rather than informative; Clause 6.7.3 obligates stakeholder consideration of reputation and trust. Both modal verbs are preserved verbatim in the digest paraphrase, signalling compliance weight to anyone drafting board charters or policies against the standard.
The natural anchor for Implicit Authority Cascade. Where 42001 governs AI systems and 23894 governs AI risks, ISO/IEC 38507 governs who delegates authority into the AI system in the first place — the precise question Implicit Authority Cascade frames. It is the only international standard in the stack whose normative structure maps cleanly onto board-level agentic-authority accountability, and the natural anchor for the forthcoming AI-Washing Audit whitepaper alongside the AICD/HTI Director's Guide.
Where NETEVO applies this
- AI Governance in ANZ Whitepaper — AU director-duty overlay and ASX CGC mapping
- Listed Leaders ICP — standard addressed to ASX-listed boards