ISO/IEC 23893 — AI Risk Management Vocabulary

This topic is part of the SG Systems Global regulatory & operations glossary.

Updated November 2025 • ISO/IEC 23894, ISO/IEC 42001, ISO/IEC 23053, ISO/IEC TR 24028 • Governance, Risk, Quality, IT, Manufacturing

ISO/IEC 23893 provides the standardized vocabulary for AI risk management—defining the terms, concepts and relationships that underpin how organizations identify, analyse, treat and monitor risks in artificial intelligence. It acts as the companion glossary for ISO/IEC 23894, ensuring that all stakeholders—leadership, quality, IT, data science, legal, operations and regulators—use the same language when describing hazards, controls, probabilities, impacts, uncertainties and decision criteria. In regulated manufacturing, inconsistent terminology creates audit exposure, misaligned expectations and gaps in lifecycle control. ISO/IEC 23893 removes that ambiguity and makes AI risk management interoperable across teams and documents.

“Risk management collapses when teams don’t speak the same language. ISO/IEC 23893 provides that shared vocabulary.”

1) Purpose & Intent of ISO/IEC 23893

ISO/IEC 23893 defines the terminology needed to perform AI risk management effectively. Without a shared vocabulary, organizations risk misclassification of hazards, inconsistent definitions of severity or likelihood, and confusion between controls, mitigations, constraints and safeguards. The standard’s intent is to standardize communication across functions so that AI risk management becomes a systematic, repeatable and evidence-based discipline. This is particularly important in regulated manufacturing, where risk terminology intersects with GxP concepts, deviation handling, CAPA, validation, and product-quality impact assessments. ISO/IEC 23893 ensures everyone—from data scientists to QA managers—talks about AI risks with compatible definitions.

2) Relationship to 23894, 42001, 23053, 24028 & 22989

ISO/IEC 23893 is part of the AI risk-management ecosystem. ISO/IEC 23894 provides the methodology; ISO/IEC 23893 provides the vocabulary needed to apply it consistently. ISO/IEC 42001 requires organizations to manage AI risks within their governance system, relying on the terms defined in 23893. ISO/IEC 23053 requires risk concepts to appear across the lifecycle; those concepts are defined here. ISO/IEC TR 24028 uses 23893 terminology to describe trustworthiness properties such as robustness, fairness, security and reliability. And ISO/IEC 22989 supplies adjacent AI vocabulary that complements the risk-focused terms in 23893. Together these standards create a complete language and structure for AI governance and risk control.

3) Why Vocabulary Matters for AI Risk Management

AI risk management often fails not because risks are unknown but because different stakeholders use the same words differently. For instance, “bias,” “drift,” “uncertainty,” “validation,” “hazard,” “control,” “mitigation,” “severity,” “impact” and “consequence” can all mean different things to different teams. ISO/IEC 23893 establishes single-source definitions to prevent ambiguity. This allows risk assessments to be reviewed, audited and repeated without confusion. In regulated industries, vocabulary alignment becomes part of compliance: regulators expect clarity about how risks are identified, evaluated and treated. ISO/IEC 23893 standardizes how organizations communicate risks both internally and externally, reducing audit findings and improving cross-team collaboration.

4) Core Concepts Defined in ISO/IEC 23893

The standard defines key terms that appear throughout AI risk management. These include: AI system risk (risk associated with AI outputs or decisions), hazard (potential cause of harm), harm (negative impact on individuals, processes or organizations), risk source (origin of a risk), uncertainty (incomplete knowledge), likelihood (chance a risk event occurs), impact (severity of harm), risk criteria (rules used to evaluate risk), risk control (measure implemented to reduce risk), risk treatment (action taken to modify risk), risk acceptance (decision to accept residual risk), risk appetite (tolerance for risk), drift (deviation in model behaviour over time) and residual risk (remaining risk after controls). These terms ensure that risk processes built on ISO/IEC 23894 and lifecycle processes from 23053 have a stable foundation.

5) Vocabulary for Data, Drift, Bias & Uncertainty

AI risk arises heavily from data characteristics. ISO/IEC 23893 defines terms such as data quality, representativeness, imbalance, sampling bias, measurement bias, annotation bias, uncertainty and distribution shift. It clarifies how bias differs from randomness or noise, and how uncertainty differs from risk. Drift terms—data drift, concept drift and model drift—are defined to support monitoring expectations under 23053. By standardizing data-related vocabulary, the standard ensures risk assessments identify the correct causes and contexts for potential harm rather than relying on vague descriptions or misunderstood concepts.

6) Vocabulary for Controls, Safeguards & Mitigation

ISO/IEC 23893 distinguishes between control, safeguard, constraint, mitigation and compensating measure. This prevents teams from assuming that any action taken reduces risk. A control is a specific, effective risk-reduction measure; a safeguard prevents hazard exposure; a constraint limits system behaviour; a mitigation reduces severity after a risk event occurs; a compensating measure provides alternative protection. These distinctions matter in GxP environments because regulators require clarity about how risks are prevented, detected, corrected and mitigated. ISO/IEC 23893 clarifies these relationships so risk registers and validation documents can distinguish between preventive and reactive measures.

7) Vocabulary for Impact, Harm & Consequence

Many AI risks involve indirect or multi-party harm. ISO/IEC 23893 defines harm broadly—covering individuals, organizations, the environment, regulatory outcomes and societal welfare. Impact is the magnitude of that harm. Consequence is the result of a risk event. These distinctions are important in regulated industries where product quality, patient safety, brand reputation and compliance exposure all intersect. ISO/IEC 23893 allows risk-assessment teams to categorize harms clearly: physical, economic, ethical, organisational, environmental or informational. This vocabulary supports risk prioritization under ISO/IEC 23894.

8) Vocabulary for Stakeholders & Responsibilities

The standard provides explicit terms for actors in the AI ecosystem: provider, deployer, user, operator, auditor, stakeholder, impacted party and decision maker. This vocabulary aligns with role models defined in ISO/IEC 22989 and governance responsibilities defined in ISO/IEC 38507. In regulated manufacturing, these terms help distinguish between system owners, QA reviewers, trained operators, engineering teams and vendors—avoiding gaps in accountability or unclear ownership in risk registers, validation plans or deviation investigations.

9) Vocabulary for Validation, Verification & Evidence

ISO/IEC 23893 clarifies the relationship between verification, validation, evaluation and evidence. Verification confirms the system was built correctly. Validation confirms it is fit for intended purpose. Evaluation includes broader technical and non-technical assessments. Evidence consists of documented proof of conformance. These definitions integrate directly with CSV expectations and lifecycle controls in 23053. Using consistent validation vocabulary ensures that AI validation aligns with regulated validation expectations for other computerized systems—avoiding discrepancies in audit narratives.

10) Vocabulary for Monitoring, Drift Detection & Review

ISO/IEC 23893 includes terms for ongoing oversight: monitoring, review, trigger, indicator, drift, recalibration, retraining, degradation, incident and non-conformance. These support operational monitoring requirements from ISO/IEC 42001 and lifecycle monitoring from 23053. In manufacturing, these terms map directly to deviation handling, CAPA workflows and periodic review cycles—ensuring AI-specific issues fit seamlessly into the QMS rather than forming parallel or informal processes.

11) Role of Vocabulary in Regulatory Alignment

Regulatory agencies increasingly expect AI systems to be governed with the same clarity as validated software or analytical methods. ISO/IEC 23893 supports this by providing consistent definitions for risk-related language used in documentation submitted to regulators or reviewed during inspections. Clear vocabulary reduces the chance of misinterpretation of risk registers, validation plans, monitoring reports or incident logs. It also strengthens communication with vendors and auditors, ensuring that contractual documents, supplier assessments and audits use shared terminology. By standardizing terms such as “risk control,” “constraint,” “residual risk,” “hazard” and “mitigation,” the standard reduces ambiguity that could otherwise lead to audit findings.

12) Impact on Cross-Functional Collaboration

AI risk management involves diverse stakeholders—quality, operations, data science, IT, legal, regulatory and leadership. ISO/IEC 23893 helps these groups collaborate by ensuring they use the same definitions. When teams speak different technical languages, misunderstandings delay projects, distort risk priorities or generate conflicting documentation. A unified vocabulary avoids these breakdowns. For example, when QA asks about “mitigations,” data scientists may think of algorithmic adjustments, while QA expects procedural controls. ISO/IEC 23893 resolves these discrepancies by defining each term precisely. This improves risk workshops, validation planning, documentation drafting and governance reviews—giving AI projects smoother execution and fewer late surprises.

13) Integration with Lifecycle, Governance & Risk Systems

ISO/IEC 23893 becomes most powerful when integrated into the broader AI ecosystem. Vocabulary from this standard feeds directly into risk-assessment templates based on ISO/IEC 23894, lifecycle documentation from ISO/IEC 23053, governance processes from ISO/IEC 42001 and trustworthiness criteria from ISO/IEC TR 24028. These standards form an integrated system: ISO/IEC 23893 ensures every risk concept has a standard meaning; 23894 structures the risk process; 23053 determines where risks appear; 42001 governs how risks are escalated and reviewed. For regulated industries, this alignment reduces redundancy, inconsistency and confusion, making AI risk management fit naturally into existing QMS and IT-governance structures.

14) Benefits for Regulated Manufacturing & Quality Systems

Standardized vocabulary is a core asset for GxP organizations. ISO/IEC 23893 ensures that documentation supporting CSV, deviations, CAPA, change control, risk files, supplier qualification, audit responses and regulatory submissions uses the same definitions consistently. This reduces regulatory risk and ensures AI fits smoothly into established workflows rather than being treated as a mysterious exception. For AI systems that influence regulated records—e.g., sampling recommendations, batch-release insights, QC alerts, training verification or anomaly scoring—clear vocabulary allows inspectors to understand how risk was evaluated and controlled. ISO/IEC 23893 therefore becomes foundational for inspection readiness.

15) FAQ

Q1. Does ISO/IEC 23893 replace ISO/IEC 23894?
No. ISO/IEC 23893 provides the vocabulary; ISO/IEC 23894 provides the methodology. They must be used together for consistent AI risk management.

Q2. Is ISO/IEC 23893 only for technical teams?
No. It is intended for any stakeholder who participates in AI risk discussions—quality, governance, operations, compliance, legal and leadership—not just engineers or data scientists.

Q3. Does ISO/IEC 23893 include lifecycle terms?
It includes many risk-related lifecycle terms, but lifecycle structure comes from ISO/IEC 23053. Together they form a unified terminology set.

Q4. How does ISO/IEC 23893 support regulatory compliance?
By ensuring consistent, unambiguous terminology in documentation used for audits, validation, deviations, CAPA and supplier oversight. Regulators value clarity and consistency.

Q5. What is a practical first step?
Align your existing AI-related templates—risk assessments, validation plans, governance forms, SOPs and monitoring logs—to ISO/IEC 23893 vocabulary. This gives teams an immediate and practical benefit.

Related Reading
• AI Risk & Governance: ISO/IEC 23894 | ISO/IEC 42001 | ISO/IEC 38507 | ISO/IEC TR 24028
• Core AI Standards: ISO/IEC 22989 | ISO/IEC 23053 | ISO/IEC 24027 | ISO/IEC 24030
• Quality & Compliance: CSV | ISO 9001 | ISO 13485