AI Impact Assessments: What Companies Need to Document Before Deploying AI

Most companies are moving too fast with artificial intelligence.

They are buying AI tools, turning on AI features, connecting models to customer data, using copilots, launching chatbots, automating workflows, ranking applicants, scoring leads, summarizing calls, generating content, analyzing behavior, and letting vendors process sensitive information before anyone has documented the risk.

That is the dangerous part.

The problem is not simply that a company uses AI. The problem is that the company uses AI without a written record showing what the system does, what data it uses, who it affects, what laws apply, what harm could occur, what controls exist, and who approved the risk.

That is where an AI impact assessment becomes essential.

An AI impact assessment is the document and workflow a company uses to evaluate an artificial intelligence system before it is deployed, expanded, materially changed, or used in a higher-risk context. It is the compliance record that connects the AI system to the business process, the data, the people affected, the legal obligations, the vendor controls, the human oversight model, the monitoring plan, and the evidence trail.

Without an AI impact assessment, a company is often left with vague answers:

“The vendor said it was compliant.”

“We only use it internally.”

“A human is still involved.”

“It does not make the final decision.”

“We do not think it uses sensitive data.”

“We are not sure whether the model trains on our data.”

“The team said it was low-risk.”

Those answers do not hold up well when a regulator, customer, plaintiff, auditor, insurer, board member, or enterprise procurement team asks for proof.

A proper AI impact assessment creates that proof.

It shows that the company identified the AI system, reviewed the use case, classified the risk, evaluated privacy and security issues, considered discrimination and bias, reviewed vendor terms, mapped legal obligations, assigned human oversight, documented disclosures, created monitoring controls, and decided whether the system should be approved, restricted, remediated, or rejected.

This is why AI impact assessments are becoming one of the most important parts of a modern AI governance program.

What Is an AI Impact Assessment?

An AI impact assessment is a structured review of an artificial intelligence system and the risks created by its use.

It should answer a simple but serious question:

What could go wrong if this AI system is deployed, and what evidence do we have that the risk is understood and controlled?

An AI impact assessment should evaluate the system’s purpose, data inputs, outputs, affected individuals, decision impact, legal obligations, vendor risks, privacy risks, security risks, bias risks, accuracy risks, explainability limits, human oversight procedures, user disclosures, monitoring requirements, and incident response process.

It is not just a questionnaire.

It is not just a legal memo.

It is not just a privacy review.

It is not just a vendor review.

It is a cross-functional compliance record that brings legal, privacy, security, compliance, procurement, HR, product, engineering, and business ownership into one review process.

An AI impact assessment should document:

• What the AI system does
• Why the company wants to use it
• Who owns it internally
• Who provides it externally
• What data it processes
• Whether personal data is involved
• Whether sensitive data is involved
• Whether the system affects people
• Whether it influences decisions
• Whether it is customer-facing
• Whether it is employee-facing
• Whether it is used in a high-impact area
• Whether the EU AI Act may apply
• Whether NIST AI RMF controls are mapped
• Whether state AI or privacy laws may apply
• Whether disclosures are required
• Whether opt-out or human review rights may apply
• Whether the vendor trains on company or customer data
• Whether the system has been tested
• Whether human oversight is meaningful
• Whether the residual risk is acceptable

The assessment should result in a decision.

Approve the system.

Approve with conditions.

Require remediation.

Limit the use case.

Reject the system.

Escalate to executive review.

A risk assessment that does not lead to a decision is just paperwork.

Why AI Impact Assessments Matter Now

AI impact assessments matter because AI risk is no longer theoretical.

Companies are already using AI in areas that affect real people. They are using AI to screen applicants, score leads, evaluate employees, personalize offers, summarize patient communications, flag fraud, classify users, recommend financial products, support insurance workflows, generate legal or compliance content, and automate customer service.

These uses create risk at multiple levels.

At the legal level, AI may trigger obligations under the EU AI Act, state automated decision-making laws, state privacy laws, employment laws, anti-discrimination laws, consumer protection laws, healthcare rules, financial services rules, insurance regulations, education laws, and contractual commitments.

At the privacy level, AI may process personal data, sensitive data, employee data, applicant data, patient data, student data, children’s data, location data, behavioral data, biometric data, financial data, or data collected through cookies and tracking technologies.

At the security level, AI may expose confidential information, create prompt injection risk, retain prompts and outputs, connect to internal systems, generate code, process production data, or increase the attack surface.

At the discrimination level, AI may create biased outputs, use proxy variables, amplify historical inequities, misclassify people, or create disparate impact in employment, housing, healthcare, credit, insurance, education, or access to services.

At the operational level, AI may produce hallucinations, incorrect outputs, inconsistent recommendations, overconfident answers, or automated actions that employees accept without enough review.

At the evidence level, AI may create decisions the company cannot reconstruct.

That last point is where many companies are exposed.

When a company deploys AI without an impact assessment, it often has no clean answer to basic questions:

• Why was this system approved?
• What risks were considered?
• What data was reviewed?
• What vendor materials were collected?
• What laws were mapped?
• Who approved the use case?
• What controls were required?
• What disclosures were provided?
• What human oversight was implemented?
• What monitoring was performed?
• What records were retained?

The result is obvious: the company may be using AI, but it cannot prove it governed AI.

AI Impact Assessment vs. AI Inventory

An AI inventory and an AI impact assessment are related, but they are not the same thing.

An AI inventory identifies the AI systems used across the company. It is the source of truth for what AI exists, who owns it, what data it uses, and what risk level it may create. You can read more about building that foundation in AI Inventory: The First Step in AI Governance.

An AI impact assessment goes deeper.

The inventory tells the company what exists.

The impact assessment explains whether the system should be used, under what conditions, with what controls, and with what evidence.

The inventory is the map.

The impact assessment is the risk file.

A company should not run a full impact assessment for every low-risk AI use case. A basic internal summarization tool may not need the same review as an AI hiring tool or healthcare triage model. But the inventory should trigger an impact assessment when the AI system creates meaningful legal, privacy, security, discrimination, operational, or individual-rights risk.

That trigger is critical.

If the company relies on employees to decide when an AI system is risky enough for review, important systems will be missed. The intake and inventory process should automatically escalate systems that involve sensitive data, high-impact decisions, regulated industries, consumer-facing use, automated decision-making, profiling, employee data, or vulnerable populations.

When Is an AI Impact Assessment Required?

A company should require an AI impact assessment before deploying or materially changing AI systems that create elevated risk.

An assessment should be triggered when an AI system:

• Processes personal data
• Processes sensitive data
• Processes employee or applicant data
• Processes patient, student, financial, insurance, or children’s data
• Uses biometric data
• Uses behavioral data, location data, or tracking data
• Uses customer data for training, fine-tuning, or model improvement
• Is customer-facing
• Is employee-facing in a monitoring or evaluation context
• Generates recommendations used by employees
• Makes, supports, or materially influences decisions about people
• Ranks, scores, classifies, profiles, prioritizes, approves, denies, flags, or restricts individuals
• Is used in hiring, promotion, termination, compensation, lending, credit, insurance, housing, healthcare, education, legal services, fraud, safety, or access to essential services
• May produce legal or similarly significant effects
• May create discrimination or disparate impact risk
• May create consumer deception risk
• May require AI disclosure
• May require opt-out, appeal, correction, or human review rights
• Connects to production systems
• Can take automated action
• Uses autonomous agents or tool-calling workflows
• Is deployed in the EU or affects EU individuals
• Is deployed in states with automated decision-making or profiling requirements

The purpose is not to make every AI use impossible.

The purpose is to separate low-risk productivity uses from AI systems that can create real compliance exposure.

What an AI Impact Assessment Should Include

A strong AI impact assessment should be detailed enough to support governance, legal review, privacy compliance, security review, vendor management, and audit readiness.

At minimum, it should include the following sections.

System Overview

The assessment should start with a plain-English description of the AI system.

This should include:

• System name
• Vendor or provider
• Internal owner
• Department
• Business purpose
• Use case
• System type
• Whether it is internally built or third-party
• Whether it is embedded in existing software
• Whether it uses generative AI, predictive AI, scoring, ranking, classification, recommendation, biometric analysis, or automated decision-making
• Whether it is a pilot, production system, or planned deployment

The description should be specific.

Weak description:

“AI tool used by HR.”

Stronger description:

“Third-party recruiting platform feature used by HR to summarize resumes and rank applicants for recruiter review before first-round interviews.”

The second version immediately reveals the risk.

It involves applicants. It may influence hiring. It may create bias risk. It may trigger employment AI obligations. It may require notice. It may require vendor documentation. It may require human oversight.

That is the level of clarity an impact assessment needs.

Business Purpose and Necessity

The assessment should explain why the company wants to use the AI system.

This section should answer:

• What business problem is the system solving?
• Why is AI needed?
• What process will the system improve?
• What manual process is being replaced, accelerated, or supported?
• What are the expected benefits?
• Are there less risky alternatives?
• Could the same goal be achieved without AI?
• Is the AI system proportionate to the business purpose?

This section matters because many AI projects are adopted because they are new, fast, or impressive, not because they are necessary.

A company should be able to explain why the AI system is appropriate for the task.

Use Case and Context

AI risk depends heavily on context.

The same tool can be low-risk in one use case and high-risk in another.

An AI summarization tool used to summarize internal meeting notes is different from an AI summarization tool used to summarize medical records, legal files, employee complaints, or customer disputes.

A chatbot used to answer basic product questions is different from a chatbot used to provide healthcare, financial, legal, or insurance guidance.

A scoring model used to prioritize internal sales leads is different from a scoring model used to determine loan eligibility, insurance pricing, or job applicant advancement.

The assessment should document:

• How the system will be used
• Who will use it
• Who will be affected by it
• What process it supports
• Whether the system is advisory or decision-making
• Whether the output is internal or external
• Whether the output is reviewed before use
• Whether the output could affect rights, access, eligibility, pricing, treatment, employment, or services

The context section is where AI governance becomes practical.

Data Inputs and Data Sources

Data is one of the highest-risk areas in any AI system.

The assessment should document what data the system uses, where that data comes from, and whether the data is appropriate for the intended use.

This section should include:

• Data categories processed
• Data sources
• Personal data status
• Sensitive data status
• Employee or applicant data status
• Customer or consumer data status
• Patient or health data status
• Student data status
• Financial or insurance data status
• Children’s data status
• Biometric data status
• Geolocation data status
• Cookie, pixel, tracking, or behavioral data status
• Third-party data or data broker data status
• Data retention period
• Data minimization controls
• Data quality controls
• Data correction process

The assessment should also evaluate whether the data is complete, accurate, timely, relevant, representative, and appropriate for the use case.

Bad data can create bad AI outputs.

Bad AI outputs can create compliance failures.

Training, Fine-Tuning, and Model Improvement

The assessment should document whether the AI system uses company data, customer data, employee data, prompts, outputs, or usage information to train, fine-tune, improve, evaluate, or retrain models.

This section should ask:

• Does the vendor train models on company data?
• Does the vendor train models on customer data?
• Does the vendor use prompts for model improvement?
• Does the vendor use outputs for model improvement?
• Does the vendor retain prompts?
• Does the vendor retain outputs?
• Can training be disabled?
• Is training disabled by default?
• Does the contract prohibit unauthorized training?
• Does the vendor provide written documentation of training practices?
• Are sensitive data categories excluded from training?
• Can data be deleted from training pipelines?
• Does the vendor use subprocessors or foundation model providers?

This is one of the most important AI vendor questions.

A company should never assume that data entered into an AI tool is used only for the immediate output unless the contract, settings, and vendor documentation confirm that position.

Affected Individuals and Stakeholders

An AI impact assessment should identify who may be affected by the system.

Affected groups may include:

• Consumers
• Customers
• Website visitors
• Employees
• Job applicants
• Contractors
• Patients
• Students
• Parents
• Borrowers
• Insureds
• Tenants
• Members
• Users
• Vulnerable populations
• Children

The assessment should consider whether the system could affect people differently based on protected characteristics or proxy variables.

That includes race, ethnicity, sex, age, disability, religion, national origin, language, location, income, education, employment history, health status, pregnancy, veteran status, or other legally protected or sensitive traits depending on the context.

The point is not to create unnecessary sensitivity around every AI tool.

The point is to identify whether the AI system could create unequal outcomes, hidden discrimination, or a pattern of harm that the company should have anticipated before deployment.

Decision Impact

This is one of the most important sections of the assessment.

The company needs to know whether the AI system makes, supports, recommends, ranks, scores, classifies, prioritizes, flags, denies, approves, escalates, or materially influences decisions.

The assessment should ask:

• Does the system make a decision automatically?
• Does the system recommend a decision?
• Does the system rank people or opportunities?
• Does the system score people?
• Does the system classify people?
• Does the system prioritize people?
• Does the system flag people for review?
• Does the system deny or restrict access?
• Does the system affect price, eligibility, treatment, services, benefits, or opportunities?
• Does a human review the output?
• Can the human override the output?
• Is the human review documented?
• Would the outcome likely be different without the AI output?

Companies often make a dangerous mistake here. They assume a system is not high-risk because a human makes the final decision.

That is not enough.

If the AI output materially influences the human decision, the system may still create automated decision-making, profiling, employment, discrimination, or consumer protection risk.

A rubber-stamp human does not make the AI system safe.

Legal Applicability

An AI impact assessment should map the system to applicable legal and regulatory frameworks.

This may include:

• EU AI Act
• NIST AI RMF
• State automated decision-making laws
• State privacy laws
• Employment laws
• Anti-discrimination laws
• Consumer protection laws
• Biometric laws
• Healthcare privacy laws
• Financial services laws
• Insurance regulations
• Education privacy laws
• Data broker laws
• Contractual AI obligations
• Enterprise customer requirements

The assessment should not simply list laws. It should explain why each law may or may not apply.

For example:

• Does the system fall within the EU AI Act?
• Is the company a provider, deployer, importer, distributor, or product manufacturer?
• Is the system prohibited, high-risk, limited-risk, or lower-risk?
• Does the system trigger transparency obligations?
• Does it require a fundamental rights impact assessment?
• Does it involve automated decision-making technology under state privacy law?
• Does it involve profiling?
• Does it affect a significant or consequential decision?
• Does it trigger notice, opt-out, appeal, access, correction, or human review rights?
• Does it require a bias audit or employment notice?
• Does it require sector-specific review?

This legal mapping should be connected to the company’s broader AI Governance Framework, so the assessment does not sit in isolation from the company’s overall AI compliance program.

EU AI Act Classification

If the system is used in the EU, affects EU individuals, or produces outputs used in the EU, the assessment should include EU AI Act classification.

The assessment should determine whether the system may be:

• A prohibited AI practice
• A high-risk AI system
• A transparency-risk system
• A general-purpose AI-related use
• A lower-risk system

The assessment should also identify the company’s role.

A company may be a provider if it develops, places on the market, or puts into service an AI system under its name or trademark. A company may be a deployer if it uses an AI system under its authority. Other roles may apply depending on distribution, import, integration, or product context.

This role classification matters because obligations differ.

For high-risk systems, the assessment should address documentation, instructions for use, human oversight, input data controls, logging, monitoring, accuracy, robustness, cybersecurity, and fundamental rights impact assessment issues where applicable.

Companies should not assume the vendor has handled everything.

A deployer may still have obligations based on how the system is used.

NIST AI RMF Mapping

The assessment should map the AI system to NIST AI RMF concepts.

NIST AI RMF is useful because it gives organizations a practical risk-management structure even where legal obligations vary by jurisdiction.

The assessment should organize controls around:

• Govern
• Map
• Measure
• Manage

Under Govern, the assessment should document ownership, policies, approval authority, roles, accountability, training, and escalation paths.

Under Map, the assessment should document the AI system’s context, business purpose, affected individuals, data flows, decision impact, legal context, and risk sources.

Under Measure, the assessment should document how the company evaluates accuracy, reliability, bias, privacy, security, explainability, robustness, and output quality.

Under Manage, the assessment should document controls, mitigation steps, monitoring, risk acceptance, remediation, incident response, and continuous improvement.

This makes the assessment operational instead of theoretical.

Privacy Review

AI systems often process personal data. That means the AI impact assessment should include privacy review.

The privacy section should ask:

• What personal data is processed?
• What sensitive data is processed?
• What is the purpose of processing?
• Is the use compatible with the original collection purpose?
• Is the data minimized?
• Is the data retained longer than necessary?
• Is the data used for training or model improvement?
• Is the data shared with vendors?
• Are subprocessors involved?
• Are privacy notices accurate?
• Are consent or opt-out rights triggered?
• Are DSAR workflows affected?
• Can individuals access, correct, delete, or opt out where required?
• Does profiling occur?
• Does automated decision-making occur?
• Does the use require a data protection assessment?

If an AI system processes personal data, the company should not treat the AI assessment as separate from privacy compliance. The AI assessment should connect to privacy notices, data mapping, DSAR workflows, vendor contracts, retention schedules, consent controls, and data governance.

Security Review

AI systems create security risks that traditional software reviews may not fully capture.

The assessment should evaluate:

• Access controls
• Authentication
• API security
• Encryption
• Prompt logging
• Output logging
• Data retention
• Secrets exposure
• Source code exposure
• Prompt injection
• Data exfiltration
• Model manipulation
• Adversarial inputs
• Unauthorized tool use
• Agentic workflow risk
• Third-party model dependencies
• Vendor security documentation
• Incident notification terms

Security review is especially important for AI systems connected to internal tools, customer databases, CRM systems, HR platforms, ticketing systems, payment systems, health records, cloud environments, code repositories, or production workflows.

An AI chatbot that only answers static FAQs is one thing.

An AI agent that can retrieve records, update tickets, email customers, call APIs, or trigger workflows is something very different.

Bias, Fairness, and Discrimination Review

Bias and discrimination review is one of the most important sections for high-impact AI systems.

The assessment should consider whether the system could produce unequal outcomes based on protected characteristics or proxy variables.

This review should ask:

• Could the system affect employment, housing, credit, insurance, healthcare, education, legal services, or access to essential services?
• Does the system rank, score, classify, or prioritize people?
• Does the system use historical data that may reflect past discrimination?
• Does the system use proxy variables?
• Does the vendor test for bias?
• Has the company reviewed the vendor’s testing?
• Has the company conducted its own testing?
• Are outputs monitored for disparate impact?
• Are complaints tracked?
• Can humans override the system?
• Can affected individuals appeal or challenge the result?

Companies should pay close attention to variables that may look neutral but operate as proxies.

Examples include zip code, school, employment gaps, income, language, device type, location, browsing behavior, purchase history, social signals, name, schedule availability, commute distance, response time, or customer service history.

A system does not need to use protected-class data explicitly to create discrimination risk.

Accuracy and Reliability Review

AI systems can be wrong with confidence.

That is a serious governance issue.

The assessment should document how accuracy and reliability are evaluated.

Questions should include:

• What does accuracy mean for this use case?
• How was the system tested?
• What benchmark or validation data was used?
• What error rate is acceptable?
• What happens when the system is wrong?
• Who reviews uncertain outputs?
• How are hallucinations identified?
• How are false positives handled?
• How are false negatives handled?
• How is model drift monitored?
• How are vendor model updates reviewed?
• How are user complaints incorporated?

The more consequential the use case, the more important accuracy becomes.

A wrong AI-generated marketing headline may be embarrassing.

A wrong AI-generated employment recommendation, insurance classification, healthcare prioritization, fraud flag, loan recommendation, or legal answer can create legal and operational harm.

Explainability and Transparency Review

An AI impact assessment should document whether the company can explain the system’s role and output in a way that is meaningful for the context.

This does not mean every system needs full technical explainability. But the company should understand enough to support disclosures, human review, audits, and disputes.

The assessment should ask:

• Can the company explain what the system does?
• Can it explain what data categories are used?
• Can it explain the main factors influencing the output?
• Can it explain the system’s limitations?
• Can it explain the role of human review?
• Can it explain why a person received a particular result where required?
• Can it provide meaningful information to consumers, applicants, employees, or customers where required?
• Can it support regulator or customer questions?

Explainability requirements should be proportional to risk.

Low-risk internal drafting tools may need basic documentation. High-impact decision systems may need much stronger explanation, appeal, and review procedures.

Human Oversight Review

Human oversight is one of the most abused phrases in AI governance.

Many companies claim human oversight exists because a person sees the AI output.

That is not enough.

Meaningful human oversight requires:

• A trained reviewer
• Authority to override the system
• Access to relevant information
• Understanding of system limitations
• Clear review criteria
• Documented review actions
• Escalation paths
• Time to review
• Protection against automation bias

The assessment should ask:

• Who reviews the AI output?
• When does review occur?
• What information does the reviewer receive?
• Can the reviewer override the output?
• Is override documented?
• Is review required for all outputs or only exceptions?
• What training does the reviewer receive?
• How is reviewer performance monitored?
• What happens if the reviewer disagrees with the AI?
• Can affected individuals request human review?

A rubber-stamp human is not a control.

It is a liability.

Disclosure and Notice Review

The assessment should identify whether the company must disclose AI use to users, consumers, applicants, employees, patients, students, customers, or other affected individuals.

Disclosure may be needed when:

• A person interacts with a chatbot
• AI generates content
• AI materially influences a decision
• AI is used in employment
• AI is used for profiling
• AI is used for automated decision-making
• AI affects access, eligibility, pricing, benefits, or opportunities
• AI uses personal data in a way that triggers privacy-law notice obligations
• AI creates synthetic media
• AI is used in a regulated service context

The assessment should document:

• Whether notice is required
• Where the notice appears
• Who receives the notice
• What the notice says
• Whether the notice is clear and conspicuous
• Whether opt-out rights apply
• Whether human review rights apply
• Whether appeal rights apply
• Whether privacy notices need to be updated

Disclosure should not be buried in vague language.

Weak disclosure:

“We may use technology to improve our services.”

Stronger disclosure:

“We use automated decision-making technology to help evaluate applications. The system may analyze information you submit and recommend whether your application should move to the next stage. A trained reviewer evaluates the result before a final decision is made.”

The right disclosure depends on the use case, law, and risk level.

Vendor Review

Most companies use third-party AI systems. That makes vendor review a core part of the AI impact assessment.

The vendor section should document:

• Vendor name
• System provider
• Foundation model provider where known
• Subprocessors
• Hosting location
• Security certifications
• Privacy documentation
• AI documentation
• Model documentation
• Intended use
• Prohibited use
• Data retention terms
• Training-data terms
• Prompt and output handling
• Bias testing
• Accuracy testing
• Security testing
• Human oversight features
• Audit logging
• Model change notices
• Incident notification terms
• Indemnity
• Termination and deletion rights

Vendor promises should be supported by documentation.

If the vendor cannot explain how its AI system works, what data it uses, whether it trains on customer data, how outputs are monitored, or how high-impact risks are controlled, the company should not blindly deploy it in a sensitive use case.

Contract Review

AI impact assessments should include contract review because vendor terms often determine whether the company has enough control.

AI contract review should address:

• Permitted data use
• Prohibition on unauthorized model training
• Customer data ownership
• Prompt and output retention
• Subprocessor restrictions
• Security commitments
• Confidentiality
• Audit rights
• AI documentation obligations
• Model change notification
• Regulatory cooperation
• Data subject rights support
• Deletion obligations
• Incident notification
• Indemnity
• Limitation of liability
• Termination rights

Contracts should match the risk of the use case.

A low-risk internal drafting tool may not require the same contract controls as an AI system used for underwriting, hiring, healthcare triage, fraud restrictions, or eligibility decisions.

Monitoring Plan

AI systems need monitoring after deployment.

The assessment should document how the company will monitor the system over time.

The monitoring plan should address:

• Output quality
• Accuracy
• Bias
• Complaints
• Appeals
• Human overrides
• False positives
• False negatives
• Model drift
• Vendor updates
• Security incidents
• Privacy incidents
• Disclosure accuracy
• Legal changes
• Use-case changes

Monitoring cadence should be based on risk.

Low-risk systems may be reviewed annually.

Customer-facing systems may need quarterly review.

High-impact systems may need ongoing monitoring, documented control testing, complaint review, and periodic reassessment.

Incident Response Plan

The assessment should identify what happens if the AI system fails.

AI incidents may include:

• Discriminatory output
• Incorrect denial
• Incorrect eligibility decision
• Harmful recommendation
• Privacy leak
• Sensitive data exposure
• Unauthorized use of customer data
• Prompt injection attack
• Hallucination used in production
• Chatbot providing prohibited advice
• AI-generated fraud
• Impersonation
• Unexpected automated action
• Vendor model failure
• Security vulnerability
• Regulatory complaint
• Consumer complaint
• Employee complaint

The assessment should document:

• How incidents are reported
• Who investigates
• Who owns legal review
• Who owns privacy review
• Who owns security review
• Who owns vendor escalation
• How severity is determined
• When the system is paused
• When users are notified
• When customers are notified
• When regulators are notified
• How logs are preserved
• How root cause is documented
• How remediation is tracked

Companies should not wait for an AI incident to decide who owns AI incident response.

Residual Risk and Approval Decision

Every AI impact assessment should end with a clear decision.

The decision should say whether the system is:

• Approved
• Approved with conditions
• Approved only for limited use
• Rejected
• Paused pending remediation
• Escalated for executive approval

The decision should also document residual risk.

Residual risk is the risk that remains after controls are applied.

If the residual risk is high, the assessment should explain why the risk is acceptable or what additional controls are required before deployment.

This is one of the most important parts of the assessment because it creates accountability.

Someone should own the decision.

Someone should own the risk.

AI Impact Assessments and the EU AI Act

The EU AI Act makes impact assessment concepts especially important for high-risk AI systems.

For certain deployers and certain high-risk AI systems, the EU AI Act requires a fundamental rights impact assessment before deployment. That assessment includes elements such as the deployer’s process, the frequency and duration of use, affected categories of people, specific risks of harm, human oversight measures, and measures to address risks if they materialize.

Even where a formal EU AI Act fundamental rights impact assessment is not required, companies with EU exposure should still consider an AI impact assessment as a practical governance control.

The assessment helps answer:

• Does the AI Act apply?
• What role does the company play?
• Is the system high-risk?
• Does the system require transparency?
• Does the system require human oversight?
• Does the system require logging?
• Does the system require monitoring?
• Does the company need provider documentation?
• Does the company need to update the assessment when the system changes?

The mistake companies make is assuming EU AI Act compliance is only a provider issue.

Deployers can also have obligations.

If a company uses an AI system under its authority, especially in a high-risk context, it needs to understand its own responsibilities and keep records showing how those responsibilities were handled.

AI Impact Assessments and NIST AI RMF

NIST AI RMF provides a practical structure for AI impact assessments because it focuses on risk management rather than one specific law.

An AI impact assessment can use NIST as the operating model:

• Govern: Who owns the AI system and what governance process applies?
• Map: What is the context, use case, data, affected population, and legal environment?
• Measure: How are accuracy, bias, privacy, security, reliability, and output quality evaluated?
• Manage: What controls, mitigation steps, monitoring, incident procedures, and approval decisions apply?

This is useful because many AI systems are subject to overlapping expectations.

A single AI system may raise EU AI Act questions, state privacy issues, employment-law risk, vendor risk, consumer disclosure concerns, and security risk. NIST gives the company a way to structure that review without creating a separate assessment for every legal framework.

The company can then map specific legal requirements into the assessment.

That is the practical approach.

One AI impact assessment process.

Multiple legal and risk mappings.

One evidence trail.

AI Impact Assessments and State Automated Decision-Making Laws

State laws are increasingly focused on automated decision-making, profiling, consequential decisions, significant decisions, consumer rights, notices, opt-outs, access rights, human review, and algorithmic discrimination.

This means the AI impact assessment should identify whether the system:

• Uses automated decision-making technology
• Processes personal data
• Profiles individuals
• Substantially replaces human decision-making
• Materially influences a consequential decision
• Affects employment, credit, lending, insurance, housing, healthcare, education, or access to services
• Triggers consumer notice
• Triggers opt-out rights
• Triggers access rights
• Triggers correction rights
• Triggers appeal or human review rights
• Creates algorithmic discrimination risk

California and Colorado are especially important examples because both point companies toward more formal documentation around automated decision-making and consequential or significant decisions.

The practical takeaway is that companies need a pre-deployment record.

If a system is used to influence a significant or consequential decision, the company should not wait until someone challenges the outcome to figure out how the system works.

AI Impact Assessments and Employment AI

Employment is one of the highest-risk AI categories.

Companies should require an AI impact assessment before using AI for:

• Resume screening
• Candidate ranking
• Interview analysis
• Video interview scoring
• Job matching
• Promotion recommendations
• Performance evaluation
• Compensation analysis
• Productivity monitoring
• Discipline recommendations
• Termination risk scoring
• Scheduling decisions

Employment AI assessments should evaluate:

• Whether the system influences an employment decision
• Whether notice is required
• Whether a bias audit is required
• Whether the vendor has tested for disparate impact
• Whether the company has reviewed the testing
• Whether the system uses protected-class proxies
• Whether human review is meaningful
• Whether applicants or employees can request review
• Whether decisions are documented
• Whether the system is job-related and consistent with business necessity
• Whether the system creates employee surveillance risk

The company should assume that employment AI will be scrutinized.

“The vendor handled it” is not a strong defense if the employer cannot explain how the system was used in its own hiring or employment process.

AI Impact Assessments and Healthcare AI

Healthcare AI should almost always receive deeper review.

Healthcare AI may involve patient data, sensitive health information, care prioritization, claims, billing, scheduling, triage, treatment support, clinical documentation, medical coding, patient communications, and provider recommendations.

An AI impact assessment for healthcare should evaluate:

• Patient privacy
• HIPAA or other health privacy obligations
• Business associate relationships where applicable
• Clinical oversight
• Patient safety
• Accuracy
• Bias
• Access disparities
• Human review
• Patient disclosures
• Vendor training practices
• Data retention
• Incident response
• Medical device or regulated product issues where applicable

A healthcare AI error can create privacy exposure, clinical risk, reimbursement issues, discrimination risk, patient harm, and reputational damage.

That is not the kind of system to approve through informal email.

AI Impact Assessments and Financial Services, Lending, and Insurance

AI used in financial services, lending, credit, insurance, claims, underwriting, fraud, collections, or account access can create serious compliance exposure.

Assessments should evaluate:

• Fair lending risk
• Unfair discrimination risk
• Adverse action explanation issues
• Consumer reporting issues
• Data accuracy
• Protected-class proxies
• Explainability
• Model validation
• Human review
• Appeal process
• Vendor documentation
• Regulator examination readiness
• Audit trails

AI systems in financial services often fail governance review when the company cannot explain why a person was denied, flagged, priced differently, prioritized, or restricted.

If the decision matters, the record matters.

AI Impact Assessments and Marketing AI

Marketing AI can look low-risk because it often sits outside legal, HR, healthcare, or financial workflows.

That assumption can be wrong.

Marketing AI may involve profiling, behavioral tracking, cookies, pixels, device data, data brokers, audience segmentation, lead scoring, personalization, targeted advertising, and automated outreach.

An AI impact assessment for marketing should evaluate:

• What data feeds the AI system
• Whether cookie, pixel, or tracking data is used
• Whether consent is required
• Whether opt-out rights apply
• Whether targeted advertising rules apply
• Whether profiling occurs
• Whether sensitive data is inferred
• Whether data broker data is used
• Whether the system affects pricing or offers
• Whether the system creates discriminatory targeting risk
• Whether AI-generated content is deceptive
• Whether vendor contracts restrict downstream data use

Marketing teams are often among the fastest adopters of AI.

That makes marketing one of the first places to look for uncontrolled AI risk.

AI Impact Assessments and Customer-Facing Chatbots

Customer-facing chatbots are one of the most common AI deployments.

They are also one of the easiest ways to create visible risk.

An AI chatbot assessment should ask:

• Are users told they are interacting with AI?
• What data does the chatbot collect?
• Can users enter sensitive data?
• Are transcripts retained?
• Are transcripts used for training?
• Does the chatbot provide advice?
• Can the chatbot make promises?
• Can it quote prices, policies, legal terms, eligibility, or benefits?
• Can it escalate to a human?
• Does it handle complaints?
• Does it handle children or vulnerable users?
• Can it hallucinate harmful information?
• How are responses monitored?
• How are incidents handled?

A chatbot should not be treated as a harmless website widget if it collects personal data, answers regulated questions, or influences customer decisions.

AI Impact Assessment Questions Every Company Should Ask

A strong AI impact assessment should include practical questions that force the company to document risk clearly.

System Questions

• What is the AI system?
• Who owns it?
• Who provides it?
• What does it do?
• Why is it needed?
• Is it internally built or vendor-provided?
• Is it embedded in existing software?
• Is it a pilot or production system?
• Is it customer-facing?
• Is it employee-facing?

Data Questions

• What data does the system process?
• Does it process personal data?
• Does it process sensitive data?
• Does it process customer data?
• Does it process employee or applicant data?
• Does it process patient, student, financial, insurance, or children’s data?
• Where does the data come from?
• Is the data accurate and appropriate?
• Is the data minimized?
• How long is the data retained?
• Is data used for training or model improvement?

Decision Questions

• Does the system make decisions?
• Does it recommend decisions?
• Does it rank, score, classify, or prioritize people?
• Does it affect access, eligibility, pricing, treatment, benefits, employment, or services?
• Does a human review the output?
• Can the human override the output?
• Is review documented?
• Can affected individuals appeal?

Legal Questions

• Does the EU AI Act apply?
• Is the system high-risk?
• Does the system trigger transparency obligations?
• Does the system involve automated decision-making technology?
• Does it involve profiling?
• Does a state privacy law apply?
• Does an employment AI law apply?
• Does a bias audit requirement apply?
• Does a sector-specific law apply?
• Does the privacy notice need updating?

Vendor Questions

• Does the vendor train on company or customer data?
• Can training be disabled?
• Are prompts retained?
• Are outputs retained?
• Does the vendor provide AI documentation?
• Does the vendor provide bias or accuracy testing?
• Does the vendor notify customers of model changes?
• Does the vendor support deletion and data rights?
• Does the contract restrict AI data use?
• Does the vendor support audit and regulatory inquiries?

Control Questions

• What controls are required before deployment?
• Who approves the system?
• What disclosures are required?
• What human oversight is required?
• What monitoring is required?
• What logs are retained?
• What incident response process applies?
• What residual risk remains?
• Who accepts the residual risk?
• When will the system be reviewed again?

Why AI Impact Assessment Software Matters

AI impact assessments become difficult to manage through spreadsheets, documents, and email threads.

That approach breaks down when the company has multiple departments, many vendors, changing laws, high-risk use cases, customer questionnaires, audit requests, and ongoing monitoring needs.

AI impact assessment software should support:

• AI intake workflows
• AI inventory integration
• Risk scoring
• Legal applicability mapping
• EU AI Act classification
• NIST AI RMF mapping
• State law mapping
• Privacy review
• Security review
• Vendor review
• Human oversight documentation
• Disclosure tracking
• Approval workflows
• Evidence storage
• Version control
• Review reminders
• Monitoring records
• Audit exports
• Executive reporting

The point of software is not to make AI governance more complicated.

The point is to make it repeatable.

A company should not need to recreate the assessment process from scratch every time a team wants to use AI.

The workflow should be structured, automated where possible, and flexible enough to route high-risk systems to the right reviewers.

Common AI Impact Assessment Mistakes

Companies often make the same mistakes when assessing AI risk.

Mistake One: Waiting Until After Deployment

An impact assessment should happen before deployment, not after the system is already live and embedded in business operations.

Mistake Two: Treating Vendor Answers as the Whole Assessment

Vendor documentation is important, but the company still needs to assess its own use case, data, affected individuals, legal obligations, and controls.

Mistake Three: Ignoring Human Behavior

Employees may overtrust AI outputs. The assessment should account for automation bias and whether human review is meaningful.

Mistake Four: Ignoring Personal Data

If the system processes personal data, the assessment should connect to privacy notices, DSAR workflows, consent, opt-outs, retention, vendor contracts, and data governance.

Mistake Five: Underestimating Employment AI

Employment AI is a high-risk category. Resume screening, candidate ranking, interview analysis, performance review support, and productivity monitoring should not be casually approved.

Mistake Six: Forgetting About Marketing AI

Marketing AI may involve profiling, cookies, tracking, data brokers, targeted advertising, personalization, and sensitive inferences.

Mistake Seven: Assuming Low-Risk Because a Human Clicks Final Approval

If the AI output materially influences the human decision, the system can still create significant risk.

Mistake Eight: Not Updating the Assessment

Assessments should be updated when the use case, model, vendor, data, jurisdiction, legal obligations, or risk profile changes.

Mistake Nine: Failing to Document Residual Risk

A company should document what risk remains after controls are applied and who accepted that risk.

Mistake Ten: Keeping Assessments Outside the Governance System

If assessments are scattered across documents, emails, and folders, the company will struggle to produce evidence under pressure.

The AI Impact Assessment Checklist

Before deploying a meaningful AI system, companies should be able to answer yes to these questions:

• Has the AI system been added to the inventory?
• Has an internal owner been assigned?
• Has the business purpose been documented?
• Has the use case been described clearly?
• Has the system type been identified?
• Has the vendor been reviewed?
• Have data categories been documented?
• Has personal data use been reviewed?
• Has sensitive data use been reviewed?
• Has training and model-improvement use been reviewed?
• Have affected individuals been identified?
• Has decision impact been assessed?
• Has EU AI Act applicability been reviewed?
• Has NIST AI RMF mapping been completed?
• Has state AI or privacy law applicability been reviewed?
• Has privacy notice impact been reviewed?
• Have DSAR, opt-out, correction, appeal, or human review rights been reviewed?
• Has security risk been reviewed?
• Has bias and discrimination risk been reviewed?
• Has accuracy and reliability been reviewed?
• Has explainability been reviewed?
• Has human oversight been documented?
• Have disclosures been drafted where needed?
• Has a monitoring plan been created?
• Has incident response been addressed?
• Has residual risk been documented?
• Has approval been recorded?
• Has a review date been set?

If a company cannot answer these questions, it is not ready to deploy high-impact AI.

Final Takeaway

AI impact assessments are becoming a core requirement of serious AI governance.

The companies most exposed are not always the ones building advanced models. They are the ones deploying AI systems without documenting what the system does, what data it uses, who it affects, what decisions it influences, what laws apply, and what controls exist.

That gap is dangerous.

An AI impact assessment creates the record the company needs before the system goes live. It connects the AI inventory to legal review, privacy review, security review, vendor due diligence, bias testing, human oversight, disclosure, monitoring, and approval.

It also forces the company to make a decision.

Approve the system.

Approve it with controls.

Limit the use case.

Fix the risk.

Reject the system.

Escalate the decision.

That is governance.

Without an AI impact assessment, the company may still use AI.

But it will be using AI without the record it needs when someone asks the hard questions.

And with AI, those questions are coming.