Wiki · Concept · Last reviewed July 10, 2026

ISO/IEC DIS 27091

ISO/IEC DIS 27091 is the draft ISO/IEC privacy-protection standard for addressing privacy risks in artificial intelligence systems and machine-learning models.

Definition

ISO/IEC DIS 27091 is titled Cybersecurity and Privacy - Artificial Intelligence - Privacy protection. ISO lists it as reference number ISO/IEC DIS 27091, Edition 1, a 31-page Draft International Standard under development in ISO/IEC JTC 1/SC 27, the subcommittee for information security, cybersecurity, and privacy protection.

The public abstract says the document gives organizations guidance for addressing privacy risks in AI systems and machine-learning models. Its stated focus is lifecycle privacy risk: identifying risks, evaluating their consequences, and treating them. ISO lists the draft as applicable to organizations of all sizes and sectors that develop or use AI systems. Because the public page is only an abstract and lifecycle record, governance claims should not infer undisclosed clauses from the title alone.

Status

As reviewed on July 10, 2026, ISO lists ISO/IEC DIS 27091 as under development, not as a published International Standard. Its stage is 40.99: "Full report circulated: DIS approved for registration as FDIS." ISO's lifecycle record dates that event to July 8, 2026.

The same lifecycle record shows the project was approved on February 3, 2023, that the Draft International Standard was registered on October 2, 2025, that a twelve-week DIS ballot began on December 3, 2025, and that voting closed on February 26, 2026. Until ISO changes the reference to FDIS or published International Standard, the disciplined citation is ISO/IEC DIS 27091.

There is a small status nuance worth preserving. ISO's public page still labels the item "Draft International Standard" and includes a generic sentence saying the draft is in the enquiry phase, while the lifecycle stage has advanced to 40.99, approved for registration as FDIS. For current status claims, cite the stage and date rather than only the page header.

Standards Stack

ISO/IEC DIS 27091 is one layer in a larger standards stack. It is a privacy-protection draft from ISO/IEC JTC 1/SC 27. ISO/IEC FDIS 27090 is the adjacent AI-security draft from the same subcommittee. ISO/IEC 42001, from ISO/IEC JTC 1/SC 42, is an AI management-system standard. ISO/IEC 23894 gives AI risk-management guidance, and ISO/IEC 42005 covers AI system impact assessment.

Those standards can support one governance program, but they answer different questions. ISO/IEC DIS 27091 is not an AIMS certification standard, not a complete DPIA template, not a cybersecurity threat taxonomy, and not a legal determination that processing is lawful. Its value is narrower and useful: it points privacy review toward the AI lifecycle rather than leaving privacy as a launch-page notice.

Privacy Surface

The useful reading of ISO/IEC DIS 27091 starts with the phrase "AI system lifecycle." Privacy work cannot stop at a notice, a consent screen, or a model card. A practical privacy surface includes data sourcing, labeling, retention, feature engineering, training, evaluation, retrieval, logging, monitoring, human review, output handling, and deletion.

For machine-learning systems, privacy risk can arise before deployment and continue after deployment. Training data may carry personal information, embeddings may preserve sensitive relationships, prompts and logs may capture private context, outputs may disclose information about people, and integrations may pass data into tools or vendors the user never directly sees. A lifecycle standard matters because privacy failures are often records of movement: who collected what, where it travelled, how long it stayed, and which later system used it.

AI privacy also includes inference. A system can generate personal data by predicting, classifying, clustering, ranking, summarizing, or matching people even when the raw input looked ordinary. Membership inference, model inversion, re-identification, hidden profiling, and context collapse are privacy risks, not merely technical curiosities. Privacy treatment therefore has to cover derived data, vector stores, memory, monitoring telemetry, evaluation examples, synthetic data, and post-deployment feedback loops.

Governance Use

ISO/IEC DIS 27091 should be treated as a privacy lens for AI governance, not as a general claim that a system is harmless or compliant. It can help teams ask whether an AI system has a mapped data lifecycle, privacy risk owners, review triggers, treatment decisions, and evidence that those decisions changed the system rather than just the documentation.

It also gives governance teams a clean way to separate privacy work from security work without isolating the two. ISO/IEC JTC 1/SC 27's public scope covers both security and privacy aspects of information and ICT protection. In practice, an AI privacy record should sit beside records for AI security, AI risk management, data governance, and incident response, because the same model service can be a privacy system, a security target, and a labor-management tool at once.

For regulated processing, 27091-style lifecycle evidence should map to existing privacy artifacts such as Data Protection Impact Assessments, Records of Processing Activities, vendor due diligence, transfer records, retention schedules, and data-subject rights workflows. The draft is useful only if it changes decisions: narrowing data collection, rejecting a vendor, shortening retention, disabling training reuse, adding redaction, changing logging, or triggering renewed review after a material system change.

Evidence Record

A serious ISO/IEC DIS 27091-aligned record should identify the AI system, lifecycle stage, model or service version, data categories, purposes, legal or policy basis, retention limits, training and evaluation stores, retrieval stores, vector stores, log stores, memory stores, processors and subprocessors, transfer paths, human review roles, deletion mechanisms, and review owners. It should distinguish privacy risks introduced by development from privacy risks introduced by use.

The record should also preserve treatment decisions: what was minimized, aggregated, redacted, encrypted, isolated, excluded from training, deleted, or placed behind additional access controls; what residual risk was accepted; who accepted it; and what evidence would reopen the decision. Data-subject access, correction, deletion, opt-out, and appeal paths should be tested rather than merely described.

Change history is essential. AI privacy evidence decays when prompts, datasets, embeddings, routing rules, vendors, monitoring tools, permissions, or user populations change without renewed review. A privacy statement that describes last quarter's pipeline is not evidence for today's agent, recommender, classifier, or copiloting workflow.

Source Discipline

Use the official ISO standard page for the reference number, title, Draft International Standard status, page count, committee, lifecycle dates, and public abstract. Use the ISO/IEC JTC 1/SC 27 committee page for the committee mandate. Use the SC 27 catalogue to confirm that ISO lists ISO/IEC DIS 27091 under development at stage 40.99. Use the official ISO pages for adjacent standards such as ISO/IEC 27090, 42001, 23894, and 42005.

Do not cite vendor summaries for final-publication status. Do not treat the draft as a certification mark, product approval, model evaluation, or legal safe harbor. Do not quote or paraphrase paywalled draft clauses unless the source text is available and the citation is precise. Public claims should be limited to the ISO public abstract, lifecycle metadata, committee context, and separately sourced governance frameworks such as the NIST Privacy Framework.

Spiralist Reading

Spiralism reads ISO/IEC DIS 27091 as a pressure test for AI institutions that want privacy language without privacy memory. The draft's public scope points away from one-time disclosure and toward lifecycle accountability. The relevant question is not whether a system has a privacy paragraph, but whether the organization can show how personal information enters, changes form, generates outputs, leaves records, and is eventually constrained or removed.

The danger is standard theater. An organization can cite a draft standard while leaving its live data flows vague, its retention habits unchanged, and its model integrations invisible to affected people. The useful reading is stricter: every AI privacy claim should point to a system boundary, a data lifecycle, a treatment decision, an owner, and a trigger for renewed review.

Open Questions

Sources


Return to Wiki