ISO 38507

Introduction of ISO/IEC 38507:2022

The integration of artificial intelligence (AI) into everyday operations has transformed how organizations innovate, deliver services and make decisions. With this transformation comes a responsibility to ensure that AI use aligns with ethical values and corporate strategy. As regulators and stakeholders increase scrutiny over AI systems, governance is essential. To support organizations at the highest levels of leadership, ISO/IEC 38507:2022 provides practical guidance for overseeing the responsible use of AI from a boardroom perspective. This standard builds upon ISO/IEC 38500’s governance principles and offers a roadmap for managing AI-related decisions in a structured and accountable manner.

If you need assistance with ISO/IEC 38507, contact us at support@pacificcert.com!

What is ISO/IEC 38507:2022?

ISO/IEC 38507:2022 is an international standard titled "Information Technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations." It was developed to provide board members and executive stakeholders with a framework for evaluating, directing, and monitoring AI usage across the enterprise.


Unlike other AI-specific standards, ISO/IEC 38507 focuses specifically on the governance layer, ensuring that decision-making related to AI aligns with corporate objectives, legal requirements, ethical expectations and societal values.

The purpose of ISO/IEC 38507 is to equip organizations with high-level governance tools to manage the strategic risks and opportunities that come with AI adoption. It helps stakeholders:

  • Understand the enterprise-wide impact of AI
  • Establish clarity over roles and responsibilities for AI-related decisions
  • Develop mechanisms for risk management, performance evaluation, and stakeholder assurance
  • Integrate AI governance into existing corporate governance frameworks

Scope and Applicability of ISO/IEC 38507

ISO/IEC 38507:2022 applies to all organizations that develop or use AI-based systems and solutions, regardless of industry, size, or technical capability. The standard is relevant across the public and private sectors, and is particularly valuable to:

  • Companies deploying AI for automated decision-making
  • Public service agencies integrating AI into critical infrastructure
  • Boards responsible for overseeing AI risk, compliance, and impact
  • Governance, risk, and compliance teams tasked with defining oversight procedures
  • Organizations seeking to align with U.S. or international AI regulations

It complements existing governance models by ensuring that AI-specific risks and obligations are embedded at the strategic level.

Clause-wise Structure of ISO/IEC 38507:2022

| Clause | Title | Summary |
|---|---|---|
| 1 | Scope | Defines the application and boundaries of AI governance responsibilities |
| 2 | Normative References | References ISO/IEC 38500 and related governance standards |
| 3 | Terms and Definitions | Clarifies key AI and governance terminology |
| 4 | Application of ISO/IEC 38500 Principles to AI Governance | Maps ISO 38500 principles to AI-specific contexts |
| 5 | Governance Considerations for AI | Outlines board-level strategic, ethical, and regulatory considerations |
| 6 | Implementation Guidance | Provides structured steps and best practices for integrating AI governance |


What are the requirements of ISO/IEC 38507:2022?

The standard provides guidance rather than prescriptive controls. However, its implementation requires organizations to:

  • Establish board-level accountability for AI outcomes and decisions
  • Integrate AI risk management into existing enterprise risk frameworks
  • Define clear AI governance roles and escalation pathways
  • Ensure transparency and traceability in AI decisions that impact customers, regulators, or society
  • Build multi-disciplinary oversight across legal, technical, and ethical teams
  • Develop internal policies aligned with human-centric and lawful AI use

What is the documentation required for ISO/IEC 38507?

Organizations adopting the standard should maintain structured documentation such as:

  • AI governance policies and board position papers
  • AI-specific risk registers and ethical assessments
  • Board review records and oversight meeting minutes
  • Internal audit and monitoring frameworks for AI systems
  • Stakeholder transparency reports and communications protocols

What are the benefits of ISO/IEC 38507:2022?

  • Aligns AI decisions with strategic direction and ethical mandates
  • Establishes governance controls to manage compliance and liability exposure
  • Demonstrates proactive governance of emerging technology
  • Encourages transparency, explainability, and fairness in automated systems
  • Aligns governance with frameworks like the EU AI Act and U.S. executive orders

The demand for ISO/IEC 38507:2022 in the United States has significantly increased due to mounting regulatory attention and public concern over the ethical use of AI. Government agencies such as the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) have issued guidance on algorithmic fairness, transparency, and non-discrimination, areas squarely addressed by this standard.

Meanwhile, major U.S. corporations are incorporating AI ethics into their ESG frameworks and boardroom discussions, particularly in tech-forward cities like San Francisco, New York, Washington D.C., Boston, and Austin. As states implement their own AI risk management laws, forward-thinking organizations are adopting ISO/IEC 38507 to establish leadership in responsible AI governance.

Who Needs ISO/IEC 38507:2022?

This standard is especially important for organizations in AI-intensive or regulated environments, such as:

  • Healthcare systems and research organizations using AI for diagnostics or treatment support
  • Financial services firms deploying AI for credit scoring or fraud detection
  • Public sector agencies implementing smart city or surveillance technologies
  • Defense contractors and aerospace manufacturers governed by national security frameworks
  • Tech firms and AI startups working on algorithmic solutions with social impact

Even organizations with minimal in-house AI development may face governance challenges when procuring or integrating third-party AI systems—making this standard broadly relevant across industries.

Implementation Timeline

| Stage | Estimated Duration |
|---|---|
| Initial board-level awareness workshop | 1–2 weeks |
| Gap assessment and documentation review | 2–3 weeks |
| Drafting of AI governance policies | 3–4 weeks |
| Integration with ERM and IT governance | 4–6 weeks |
| Ongoing monitoring and periodic review | Continuous (quarterly/annually) |

How Can Pacific Certifications Help?

At Pacific Certifications, we understand the critical importance of strategic governance in the age of AI. For ISO/IEC 38507, our role as an accredited certification body enables us to support your organization in integrating this standard with systems such as ISO 27001, ISO 9001, and ISO/IEC 42001.

We can assist by:

  • Conducting structured governance audits based on ISO/IEC 38507 guidance
  • Identifying integration points with existing management systems (e.g., ISO/IEC 27001, 42001)
  • Reviewing AI governance frameworks to ensure transparency and alignment with international norms
  • Supporting internal compliance assessments for board-level oversight of AI
  • Providing audit documentation for organizational reporting or board-level review

To begin aligning your organization’s AI strategy with global governance principles, contact us at support@pacificcert.com.

FAQs

Is ISO/IEC 38507:2022 certifiable?

No, it is a guidance standard meant to be integrated into broader governance frameworks. However, it can be referenced during ISO audits or internal risk assessments.

Can it be adopted independently?

Yes, organizations can adopt the principles and apply them internally without the need for external certification.

Is it relevant for organizations outside of AI development?

Absolutely. Any organization using or procuring AI systems—whether developed in-house or by third parties—can benefit from this governance framework.

How does this differ from ISO/IEC 42001?

ISO/IEC 42001 focuses on the operational management of AI systems. ISO/IEC 38507 addresses the strategic and governance-level implications of AI use.

Ready to get ISO 38507 certified?

Contact Pacific Certifications to begin your certification journey today!

Suggested Certifications –

  1. ISO 9001:2015
  2. ISO 14001:2015
  3. ISO 45001:2018
  4. ISO 22000:2018
  5. ISO 27001:2022
  6. ISO 13485:2016
  7. ISO 50001:2018

 
