Key Definitions
| Term | Definition |
|---|---|
| Fundamental Rights Impact Assessment (FRIA) | A systematic assessment of the impact of an AI system on fundamental rights of individuals, required under EU AI Act Art.27 for certain deployers of high-risk AI systems |
| Data Protection Impact Assessment (DPIA) | An assessment required under GDPR Art.35 when processing is likely to result in a high risk to the rights and freedoms of natural persons |
| Algorithmic Impact Assessment (AIA) | A structured process to evaluate the potential effects of an automated decision system, as mandated by Canada's Directive on Automated Decision-Making |
| Societal Impact Assessment | A broader evaluation of AI system effects on communities, economic structures, democratic processes, and social cohesion |
| Affected Persons | Individuals or groups whose rights, interests, or well-being may be impacted by the deployment and use of an AI system |
| High-Risk AI System | An AI system classified under EU AI Act Annex III that is subject to enhanced requirements including impact assessment obligations |
| Proportionality | The principle that restrictions on rights must be suitable, necessary, and balanced against the objectives pursued |
| Mitigation Measure | A safeguard, technical or organizational, designed to reduce identified risks to acceptable levels |
| Residual Risk | The remaining risk after all identified mitigation measures have been applied |
| Stakeholder Consultation | The process of engaging with affected parties and relevant stakeholders during the impact assessment process |
| Human Oversight | Mechanisms enabling human beings to oversee and intervene in the functioning of an AI system (EU AI Act Art.14) |
| Risk Appetite | The level and type of risk an organization is prepared to accept in pursuit of its objectives |
Chapter 1: Introduction to AI Impact Assessment
AI Impact Assessment is the systematic process of identifying, evaluating, and mitigating the potential adverse effects of AI systems on individuals, communities, and society. Unlike purely technical evaluations that focus on model performance, impact assessments examine the real-world consequences of AI deployment — from fundamental rights implications to broader societal effects. The EU AI Act has made this a legal obligation for many deployers of high-risk AI systems, elevating impact assessment from best practice to regulatory requirement.
1.1 The Imperative for AI Impact Assessment
Artificial intelligence systems possess unique characteristics that make impact assessment essential:
Scalability of Impact
AI systems can make thousands or millions of decisions per second, meaning that a biased or flawed system can cause harm at a scale and speed impossible for human decision-making. A discriminatory hiring algorithm, for example, could systematically exclude qualified candidates across an entire industry before the pattern is detected.
Opacity of Decision-Making
Many AI systems operate as "black boxes" where the relationship between inputs and outputs is not easily interpretable. This opacity creates challenges for accountability, redress, and the ability of affected individuals to understand and challenge decisions that affect them.
Emergent Behavior
AI systems, particularly those based on machine learning, can exhibit behaviors not explicitly programmed or anticipated by their developers. These emergent properties can have unforeseen consequences that only become apparent through systematic impact analysis.
Feedback Loops
AI systems that influence their own training data or operating environment can create self-reinforcing cycles. Predictive policing systems that direct more patrols to certain neighborhoods generate more arrest data from those neighborhoods, which in turn reinforces the prediction — regardless of actual crime distribution.
Power Asymmetries
AI systems are typically deployed by organizations with significant resources, while affected individuals often have limited ability to understand, challenge, or opt out of AI-driven decisions. Impact assessment serves as a balancing mechanism.
1.2 Legal Framework for AI Impact Assessment
Multiple legal instruments now require or encourage AI impact assessment:
| Instrument | Requirement | Scope |
|---|---|---|
| EU AI Act Art.27 | Fundamental Rights Impact Assessment | Deployers of high-risk AI systems (public bodies and certain private entities) |
| GDPR Art.35 | Data Protection Impact Assessment | Controllers processing likely to result in high risk |
| GDPR Art.36 | Prior consultation with supervisory authority | When DPIA indicates high risk that cannot be mitigated |
| Canada AIA Directive | Algorithmic Impact Assessment | Federal government automated decision systems |
| UNESCO AI Recommendation | Ethical impact assessment | Voluntary framework for member states |
| Council of Europe AI Convention | Human rights impact assessment | Signatory states (binding when ratified) |
| US Executive Order 14110 | AI risk assessment guidance | Federal agencies and government contractors |
| Brazil AI Framework (PL 2338) | Risk assessment for high-risk AI | When enacted, high-risk AI deployers |
1.3 Types of AI Impact Assessment
| Assessment Type | Focus | Legal Driver | When Conducted |
|---|---|---|---|
| Fundamental Rights Impact Assessment (FRIA) | Impact on EU Charter rights | EU AI Act Art.27 | Before first use of high-risk AI system |
| Data Protection Impact Assessment (DPIA) | Privacy and data protection risks | GDPR Art.35 | Before processing begins |
| Algorithmic Impact Assessment (AIA) | Automated decision-making effects | Canada AIA Directive | Before deployment |
| Equality Impact Assessment (EqIA) | Discrimination and equality effects | National equality legislation | Before deployment |
| Human Rights Impact Assessment (HRIA) | Broad human rights implications | UN Guiding Principles | Ongoing throughout lifecycle |
| Societal Impact Assessment (SIA) | Community and societal effects | Voluntary/emerging regulation | Ongoing throughout lifecycle |
| Environmental Impact Assessment | Environmental effects of AI | EU sustainability regulations | During design and operation |
1.4 Impact Assessment in the AI Lifecycle
Impact assessment is not a one-time activity but should be integrated throughout the AI system lifecycle:
Design Phase:
- Initial impact screening to identify potential issues
- Preliminary FRIA/DPIA to inform design decisions
- Stakeholder engagement to understand affected community concerns
Development Phase:
- Detailed impact assessment as system capabilities become clearer
- Bias testing and fairness evaluation of training data and model outputs
- Privacy-by-design and rights-by-design implementation
Pre-Deployment Phase:
- Comprehensive FRIA (Art.27 for high-risk systems)
- DPIA (if not already completed)
- Final risk-benefit analysis and deployment decision
Operational Phase:
- Ongoing monitoring of actual impacts against predicted impacts
- Periodic reassessment triggered by changes or new information
- Incident-driven impact review
Decommissioning Phase:
- Assessment of impacts related to system withdrawal
- Transition planning for affected individuals and processes