AI Governance Institute

Practical Governance for Enterprise AI

ISO/IEC 24029 Robustness of Neural Networks

Issued by

International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), Joint Technical Committee JTC 1, Subcommittee SC 42 (Artificial Intelligence)

live | Effective 2021-08-01 | ISO/IEC 24029 | Verified April 2026

ISO/IEC 24029 is a multi-part international standard providing formal methods and practical assessment approaches for evaluating the robustness of artificial neural networks (ANNs), addressing susceptibility to adversarial inputs, distributional shift, and other failure modes critical to trustworthy AI deployment.

Applies To

  • AI and machine learning engineers developing neural network-based systems for high-stakes or safety-critical applications
  • Enterprise AI governance and compliance teams responsible for technical file preparation and conformity assessment under the EU AI Act or equivalent frameworks
  • Cybersecurity and adversarial ML teams assessing AI system resilience to adversarial attack
  • Vendors and integrators of AI systems subject to third-party conformity assessment or certification
  • Regulated-industry AI deployers in sectors including financial services, healthcare, autonomous vehicles, and critical infrastructure
  • Conformity assessment bodies and notified bodies conducting technical evaluations of high-risk AI systems
  • Procurement and vendor-risk functions acquiring neural network-based AI products or services

Overview

ISO/IEC 24029, Artificial intelligence, Assessment of the robustness of neural networks, is a multi-part standard developed by ISO/IEC JTC 1/SC 42. Part 1 (ISO/IEC 24029-1:2021), published in August 2021, provides an overview of robustness concepts, terminology, and assessment approaches applicable to artificial neural networks. Part 2 (ISO/IEC 24029-2:2023), published in 2023, specifies the use of formal methods for neural network robustness verification, offering rigorous mathematical techniques for proving or bounding robustness properties under defined input perturbation conditions.

The standard series responds to a well-documented failure mode of deep learning systems: their sensitivity to small, adversarially crafted or naturally occurring input perturbations that can cause significant performance degradation or misclassification without any meaningful semantic change in the input. This brittleness has direct safety and security implications in high-stakes deployment contexts including autonomous vehicles, medical image analysis, fraud detection, and critical infrastructure management.

Part 1 establishes a taxonomy of robustness threats (including adversarial examples, distributional shift, data corruption, and model poisoning) and describes categories of robustness assessment methods: empirical testing, formal verification, and statistical assessment. Part 2 operationalizes formal verification methods, detailing satisfiability-based, abstract interpretation, and Lipschitz-bound techniques that can provide provable robustness guarantees within specified input regions. Together, the parts provide a layered assessment toolkit scalable to the risk level and technical constraints of the deployment context.

ISO/IEC 24029 is technically complementary to ISO/IEC 24028 (trustworthiness), ISO/IEC 23894 (risk management), and the safety-specific guidance in ISO/IEC TR 5469 (functional safety and AI systems). It is referenced in the EU AI Act's harmonized standards workplan as a technical instrument supporting conformity assessment for high-risk AI systems.

Key Requirements

  • Part 1 defines robustness in the ANN context as the degree to which a neural network maintains correct and intended behavior when subject to input perturbations, distributional shifts, or adversarial manipulation.
  • Part 1 provides a structured taxonomy of robustness threats, enabling organizations to scope and prioritize robustness assessment activities in proportion to deployment risk.
  • Part 1 describes three categories of robustness assessment methodology—empirical testing, formal/mathematical verification, and statistical approaches—and provides selection criteria based on system criticality and available resources.
  • Part 2 specifies formal verification methods including satisfiability modulo theories (SMT), abstract interpretation, mixed-integer linear programming (MILP), and Lipschitz continuity bounding for neural network robustness proofs.
  • Part 2 defines the scope conditions under which formal robustness guarantees are valid, including input space constraints, network architecture requirements, and property specification formats.
  • Organizations are guided to document robustness assessment scope, methods selected, perturbation budgets, and results in a manner that supports technical file requirements under AI regulations.
  • The standard recommends integration of robustness assessment into the AI system development lifecycle rather than as a post-deployment afterthought.
  • Guidance is provided on interpreting robustness assessment results in terms of operational risk, supporting risk-tiered governance and deployment-decision processes.
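
As an added illustration of the abstract-interpretation approach and the perturbation budgets named in the bullets above (example code written for this page, not taken from the standard): interval bound propagation over a constructed two-class ReLU network, returning a certified lower bound on the class margin for a given L-infinity budget. The weights, the input and all function names are assumptions made for the example.

```python
# Added example: interval bound propagation (IBP), one abstract-interpretation
# technique, on a constructed 2-3-2 ReLU network. All weights are made up.
W1 = [[1.0, -1.0], [0.5, 1.0], [-1.0, 0.5]]
B1 = [0.0, -0.5, 0.25]
W2 = [[1.0, 1.0, -1.0], [-1.0, 0.5, 1.0]]
B2 = [0.5, 0.0]

def forward(x):
    """Concrete forward pass; returns the two output logits."""
    h = [max(0.0, sum(w * v for w, v in zip(r, x)) + b) for r, b in zip(W1, B1)]
    return [sum(w * v for w, v in zip(r, h)) + b for r, b in zip(W2, B2)]

def affine_bounds(W, b, lo, hi):
    """Sound interval image of x -> Wx + b for every x in the box [lo, hi]."""
    out_lo, out_hi = [], []
    for row, bias in zip(W, b):
        low = high = bias
        for w, a, c in zip(row, lo, hi):
            low += w * (a if w >= 0 else c)    # smallest contribution of this input
            high += w * (c if w >= 0 else a)   # largest contribution of this input
        out_lo.append(low)
        out_hi.append(high)
    return out_lo, out_hi

def margin_lower_bound(x, eps, label):
    """Lower bound on logit[label] - logit[other] over the L-inf ball of radius eps."""
    lo, hi = affine_bounds(W1, B1, [v - eps for v in x], [v + eps for v in x])
    lo, hi = [max(0.0, v) for v in lo], [max(0.0, v) for v in hi]  # ReLU is monotone
    other = 1 - label
    # Bound the margin directly as one affine function of the hidden layer.
    dw = [[a - b for a, b in zip(W2[label], W2[other])]]
    m_lo, _ = affine_bounds(dw, [B2[label] - B2[other]], lo, hi)
    return m_lo[0]

def certified(x, eps, label):
    """True only if no point in the ball can change the predicted class."""
    return margin_lower_bound(x, eps, label) > 0.0

def max_certified_eps(x, label, hi=1.0, steps=40):
    """Bisect for the largest perturbation budget IBP can certify (conservative)."""
    lo = 0.0
    for _ in range(steps):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if certified(x, mid, label) else (lo, mid)
    return lo

if __name__ == "__main__":
    x = [1.0, 0.0]  # constructed input, predicted class 0
    print(forward(x), certified(x, 0.5, 0), round(max_certified_eps(x, 0), 4))
```

The certified budget is conservative: a failed proof at a larger eps means only that this method cannot rule out a misclassification there, not that one exists.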

What Your Organization Must Do

  • Assign an AI systems engineer or ML lead to conduct a threat taxonomy review using ISO/IEC 24029-1 for every neural network deployed or under development in high-risk contexts (including fraud detection, medical imaging, and autonomous systems), completing initial scoping within 90 days of deployment or procurement decision.
  • Select and document a robustness assessment methodology (empirical testing, formal verification, or statistical approaches) for each neural network system based on its criticality tier, referencing Part 1 selection criteria; record the rationale in the system's technical file before any conformity assessment submission.
  • Engage ML engineers to apply at least one formal verification technique specified in ISO/IEC 24029-2 (SMT, abstract interpretation, MILP, or Lipschitz bounding) for all neural networks designated as high-risk under the EU AI Act, with results including perturbation budgets and proof scope conditions documented prior to market placement.
  • Integrate robustness assessment checkpoints into the AI development lifecycle by updating existing MLOps or SDLC procedures to require robustness testing at model validation gates, not solely as a post-deployment review.
  • Require third-party AI vendors and integrators to provide robustness assessment evidence aligned with ISO/IEC 24029 as a contractual deliverable during procurement, updating vendor questionnaires and contractual terms within the next procurement cycle.
  • Align ISO/IEC 24029 robustness documentation with the technical file requirements under the EU AI Act harmonized standards workplan, ensuring the compliance team cross-references robustness results against ISO/IEC 23894 risk management outputs and ISO/IEC TR 5469 functional safety guidance for any submission to a notified body.

Playbook Guidance

Step-by-step implementation guidance for compliance teams.

Frequently Asked Questions

Is ISO/IEC 24029 compliance mandatory for EU AI Act high-risk systems?
ISO/IEC 24029 is not directly mandatory, but it is referenced in the EU AI Act harmonized standards workplan as a technical instrument supporting conformity assessment for high-risk AI systems. Aligning with it strengthens a technical file and reduces conformity assessment friction with notified bodies.

What is the difference between ISO/IEC 24029 Part 1 and Part 2?
Part 1 (2021) establishes robustness terminology, threat taxonomy, and a framework for selecting assessment approaches. Part 2 (2023) operationalizes formal mathematical verification methods, including SMT, abstract interpretation, MILP, and Lipschitz bounding, for producing provable robustness guarantees within defined input regions.

Which sectors face the most direct compliance pressure from ISO/IEC 24029?
Healthcare AI (medical imaging), autonomous vehicles, financial services fraud detection, and critical infrastructure operators face the most direct pressure, given that these sectors overlap heavily with the EU AI Act high-risk categories and with regulatory regimes that require documented evidence of system resilience to adversarial inputs.

How does ISO/IEC 24029 relate to ISO/IEC 23894 and ISO/IEC TR 5469?
ISO/IEC 24029 provides the robustness-specific assessment layer within a broader ISO AI governance stack. ISO/IEC 23894 addresses AI risk management more broadly, while ISO/IEC TR 5469 covers functional safety. Robustness assessment outputs from 24029 should feed directly into the risk treatment and safety analyses required by those companion standards.

Can empirical testing alone satisfy ISO/IEC 24029 requirements for a high-risk neural network?
Part 1 permits empirical testing as a valid methodology, but Part 2 and the standard's risk-tiered guidance indicate that formal verification is expected for high-criticality systems where provable guarantees are feasible. Relying solely on empirical testing for a high-risk EU AI Act system is likely to be insufficient for a notified body submission.

What documentation does ISO/IEC 24029 require organizations to produce?
The standard requires documented evidence of the robustness threat scope, the assessment methodology selected and the rationale for that selection, perturbation budgets, proof scope conditions for formal methods, and interpretation of results in terms of operational risk. This documentation is designed to map directly to technical file requirements under AI regulations.