ISO/IEC 24028 AI Trustworthiness
Issued by
International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), Joint Technical Committee JTC 1, Subcommittee SC 42 (Artificial Intelligence)
ISO/IEC 24028:2020 provides a comprehensive overview of trustworthiness concepts, characteristics, and threats in AI systems, offering a structured technical and organizational framework for assessing and improving the trustworthiness of AI across the system lifecycle.
Applies To
Overview
ISO/IEC 24028:2020, Information technology, Artificial intelligence, Overview of trustworthiness in artificial intelligence, is a foundational document published by ISO/IEC JTC 1/SC 42 in May 2020. It is issued as a Technical Report (ISO/IEC TR 24028:2020), so it informs rather than imposes requirements. The document defines 'trustworthiness' in the AI context as encompassing a cluster of interrelated properties: reliability, resiliency, availability, accuracy, robustness, safety, security, privacy, and fairness. It does not prescribe specific technical implementations but instead establishes a conceptual and terminological baseline that underpins subsequent SC 42 standards addressing specific dimensions of trustworthy AI.

ISO/IEC 24028 maps the landscape of threats and risks to trustworthiness across the AI system lifecycle, from data acquisition and model training through deployment and ongoing operation, and identifies the organizational, technical, and process-level measures that contribute to trustworthiness. The document addresses both ML-based and non-ML-based AI systems and is intended to serve multiple audiences: technical practitioners designing AI systems, organizations deploying AI, conformity assessment bodies, and policymakers seeking to align regulation with technical standards.

ISO/IEC 24028 is explicitly cross-referenced in the EU AI Act's standardization workplan, in NIST AI RMF documentation, and in the OECD AI Principles implementation guidance, giving it significance beyond purely technical communities. It should be read in conjunction with ISO/IEC 22989 (AI concepts and terminology), ISO/IEC 23894 (AI risk management), and ISO/IEC 42001 (AI management systems) as part of SC 42's integrated standards family.
Key Requirements
- Defines the core trustworthiness properties of AI systems: reliability, resiliency, availability, accuracy, robustness, safety, security, privacy, and fairness, providing a shared definitional basis for enterprise governance.
- Identifies and categorizes threats to AI trustworthiness across the full system lifecycle, including data poisoning, model evasion, distribution shift, and adversarial attacks.
- Describes measures, whether technical, organizational, or process-based, that contribute to each trustworthiness property.
- Provides guidance on documenting trustworthiness-related decisions and trade-offs, supporting auditability and explainability obligations in downstream regulation.
- Establishes a mapping between trustworthiness properties and stakeholder concerns, enabling risk-tiered governance approaches.
- Identifies human oversight and accountability structures as prerequisites for trustworthy AI deployment.
- Addresses the role of transparency and explainability as enabling conditions for trustworthiness, particularly in high-stakes automated decision contexts.
- Provides a reference framework that organizations can use to benchmark internal AI governance programs against internationally recognized trustworthiness criteria.
What Your Organization Must Do
- Map your organization's existing AI governance program against the nine trustworthiness properties defined in ISO/IEC 24028 (reliability, resiliency, availability, accuracy, robustness, safety, security, privacy, and fairness), identifying gaps and assigning remediation owners within the AI governance or risk committee.
- Conduct a lifecycle threat assessment for each deployed AI system using the standard's threat taxonomy (covering data poisoning, model evasion, adversarial attacks, and distribution shift), documenting findings in a risk register reviewed at least annually or upon material system changes.
- Establish a trustworthiness documentation requirement for all AI projects at design stage, requiring technical leads to record property trade-offs (for example, accuracy versus fairness, or performance versus explainability) so that audit trails satisfy downstream regulatory obligations such as the EU AI Act.
- Integrate ISO/IEC 24028 criteria into third-party and vendor AI procurement checklists, requiring suppliers to demonstrate alignment with at least the safety, security, and privacy properties before contract execution.
- Align internal AI governance vocabulary and policy definitions with ISO/IEC 24028 terminology in coordination with ISO/IEC 22989, ensuring consistency across teams and supporting interoperability with conformity assessment bodies or regulators referencing SC 42 standards.
- Assign a standards liaison within the compliance or policy team to track updates from ISO/IEC JTC 1/SC 42 and monitor how references to ISO/IEC 24028 evolve in the EU AI Act standardization workplan and NIST AI RMF documentation, reporting material changes to the board-level AI risk committee at least semi-annually.
Playbook Guidance
Step-by-step implementation guidance for compliance teams.
Frequently Asked Questions
- Is ISO/IEC 24028 a certifiable standard or a guidance document?
- ISO/IEC 24028 is a guidance and reference document, published as a Technical Report (ISO/IEC TR 24028:2020), not a certifiable standard. It establishes a conceptual framework and terminology for AI trustworthiness and contains no requirements against which conformity could be assessed. Certification-level requirements are addressed through related standards such as ISO/IEC 42001, the AI management systems standard.
- How does ISO/IEC 24028 relate to the EU AI Act's conformity requirements?
- The EU AI Act's standardization workplan explicitly cross-references ISO/IEC 24028, meaning harmonized standards developed under that workplan are expected to align with its trustworthiness framework. Organizations demonstrating alignment with ISO/IEC 24028 properties will be better positioned when harmonized technical standards for high-risk AI systems are finalized.
- What are the nine trustworthiness properties defined in ISO/IEC 24028?
- The standard identifies reliability, resiliency, availability, accuracy, robustness, safety, security, privacy, and fairness as the core trustworthiness properties. Each property is defined with associated threats and organizational or technical measures, giving compliance teams a structured checklist for AI system assessment.
- Does ISO/IEC 24028 cover non-machine-learning AI systems?
- Yes. The standard explicitly addresses both ML-based and non-ML-based AI systems, making it applicable across a broader range of deployed technologies than frameworks focused solely on deep learning or statistical models.
- How does ISO/IEC 24028 fit within the broader SC 42 standards family?
- ISO/IEC 24028 functions as a foundational reference document within SC 42's integrated suite. It should be read alongside ISO/IEC 22989 (AI concepts and terminology), ISO/IEC 23894 (AI risk management), and ISO/IEC 42001 (AI management systems), which together form a coherent governance architecture for enterprise AI programs.
- Can organizations use ISO/IEC 24028 in AI vendor procurement and due diligence?
- Yes. The standard's nine trustworthiness properties provide a structured basis for vendor assessment checklists. Procurement and vendor-risk teams can require suppliers to demonstrate alignment with specific properties, particularly safety, security, and privacy, as a pre-contract condition.
