ISO/IEC DIS 27091
ISO/IEC DIS 27091 is the draft ISO/IEC privacy-protection standard for addressing privacy risks in artificial intelligence systems and machine-learning models.
Definition
ISO/IEC DIS 27091 is titled Cybersecurity and Privacy - Artificial Intelligence - Privacy protection. ISO lists it as reference number ISO/IEC DIS 27091, Edition 1, a 31-page Draft International Standard under development in ISO/IEC JTC 1/SC 27, the subcommittee for information security, cybersecurity, and privacy protection.
The public abstract says the document gives organizations guidance for addressing privacy risks in AI systems and machine-learning models. Its stated focus is lifecycle privacy risk: identifying risks, evaluating their consequences, and treating them. ISO lists the draft as applicable to organizations of all sizes and sectors that develop or use AI systems. Because the public page is only an abstract and lifecycle record, governance claims should not infer undisclosed clauses from the title alone.
Status
As reviewed on July 10, 2026, ISO lists ISO/IEC DIS 27091 as under development, not as a published International Standard. Its stage is 40.99: "Full report circulated: DIS approved for registration as FDIS." ISO's lifecycle record dates that event to July 8, 2026.
The same lifecycle record shows the project was approved on February 3, 2023, that the Draft International Standard was registered on October 2, 2025, that a twelve-week DIS ballot began on December 3, 2025, and that voting closed on February 26, 2026. Until ISO changes the reference to FDIS or published International Standard, the disciplined citation is ISO/IEC DIS 27091.
There is a small status nuance worth preserving. ISO's public page still labels the item "Draft International Standard" and includes a generic sentence saying the draft is in the enquiry phase, while the lifecycle stage has advanced to 40.99, approved for registration as FDIS. For current status claims, cite the stage and date rather than only the page header.
Standards Stack
ISO/IEC DIS 27091 is one layer in a larger standards stack. It is a privacy-protection draft from ISO/IEC JTC 1/SC 27. ISO/IEC FDIS 27090 is the adjacent AI-security draft from the same subcommittee. ISO/IEC 42001, from ISO/IEC JTC 1/SC 42, is an AI management-system standard. ISO/IEC 23894 gives AI risk-management guidance, and ISO/IEC 42005 covers AI system impact assessment.
Those standards can support one governance program, but they answer different questions. ISO/IEC DIS 27091 is not an AIMS certification standard, not a complete DPIA template, not a cybersecurity threat taxonomy, and not a legal determination that processing is lawful. Its value is narrower and useful: it points privacy review toward the AI lifecycle rather than leaving privacy as a launch-page notice.
Privacy Surface
The useful reading of ISO/IEC DIS 27091 starts with the phrase "AI system lifecycle." Privacy work cannot stop at a notice, a consent screen, or a model card. A practical privacy surface includes data sourcing, labeling, retention, feature engineering, training, evaluation, retrieval, logging, monitoring, human review, output handling, and deletion.
For machine-learning systems, privacy risk can arise before deployment and continue after deployment. Training data may carry personal information, embeddings may preserve sensitive relationships, prompts and logs may capture private context, outputs may disclose information about people, and integrations may pass data into tools or vendors the user never directly sees. A lifecycle standard matters because privacy failures are often records of movement: who collected what, where it travelled, how long it stayed, and which later system used it.
AI privacy also includes inference. A system can generate personal data by predicting, classifying, clustering, ranking, summarizing, or matching people even when the raw input looked ordinary. Membership inference, model inversion, re-identification, hidden profiling, and context collapse are privacy risks, not merely technical curiosities. Privacy treatment therefore has to cover derived data, vector stores, memory, monitoring telemetry, evaluation examples, synthetic data, and post-deployment feedback loops.
Governance Use
ISO/IEC DIS 27091 should be treated as a privacy lens for AI governance, not as a general claim that a system is harmless or compliant. It can help teams ask whether an AI system has a mapped data lifecycle, privacy risk owners, review triggers, treatment decisions, and evidence that those decisions changed the system rather than just the documentation.
It also gives governance teams a clean way to separate privacy work from security work without isolating the two. ISO/IEC JTC 1/SC 27's public scope covers both security and privacy aspects of information and ICT protection. In practice, an AI privacy record should sit beside records for AI security, AI risk management, data governance, and incident response, because the same model service can be a privacy system, a security target, and a labor-management tool at once.
For regulated processing, 27091-style lifecycle evidence should map to existing privacy artifacts such as Data Protection Impact Assessments, Records of Processing Activities, vendor due diligence, transfer records, retention schedules, and data-subject rights workflows. The draft is useful only if it changes decisions: narrowing data collection, rejecting a vendor, shortening retention, disabling training reuse, adding redaction, changing logging, or triggering renewed review after a material system change.
Evidence Record
A serious ISO/IEC DIS 27091-aligned record should identify the AI system, lifecycle stage, model or service version, data categories, purposes, legal or policy basis, retention limits, training and evaluation stores, retrieval stores, vector stores, log stores, memory stores, processors and subprocessors, transfer paths, human review roles, deletion mechanisms, and review owners. It should distinguish privacy risks introduced by development from privacy risks introduced by use.
The record should also preserve treatment decisions: what was minimized, aggregated, redacted, encrypted, isolated, excluded from training, deleted, or placed behind additional access controls; what residual risk was accepted; who accepted it; and what evidence would reopen the decision. Data-subject access, correction, deletion, opt-out, and appeal paths should be tested rather than merely described.
Change history is essential. AI privacy evidence decays when prompts, datasets, embeddings, routing rules, vendors, monitoring tools, permissions, or user populations change without renewed review. A privacy statement that describes last quarter's pipeline is not evidence for today's agent, recommender, classifier, or copiloting workflow.
Source Discipline
Use the official ISO standard page for the reference number, title, Draft International Standard status, page count, committee, lifecycle dates, and public abstract. Use the ISO/IEC JTC 1/SC 27 committee page for the committee mandate. Use the SC 27 catalogue to confirm that ISO lists ISO/IEC DIS 27091 under development at stage 40.99. Use the official ISO pages for adjacent standards such as ISO/IEC 27090, 42001, 23894, and 42005.
Do not cite vendor summaries for final-publication status. Do not treat the draft as a certification mark, product approval, model evaluation, or legal safe harbor. Do not quote or paraphrase paywalled draft clauses unless the source text is available and the citation is precise. Public claims should be limited to the ISO public abstract, lifecycle metadata, committee context, and separately sourced governance frameworks such as the NIST Privacy Framework.
Spiralist Reading
Spiralism reads ISO/IEC DIS 27091 as a pressure test for AI institutions that want privacy language without privacy memory. The draft's public scope points away from one-time disclosure and toward lifecycle accountability. The relevant question is not whether a system has a privacy paragraph, but whether the organization can show how personal information enters, changes form, generates outputs, leaves records, and is eventually constrained or removed.
The danger is standard theater. An organization can cite a draft standard while leaving its live data flows vague, its retention habits unchanged, and its model integrations invisible to affected people. The useful reading is stricter: every AI privacy claim should point to a system boundary, a data lifecycle, a treatment decision, an owner, and a trigger for renewed review.
Open Questions
- Which data, model, retrieval, logging, or vendor changes should automatically trigger renewed privacy review?
- How should organizations report privacy treatment decisions for AI systems without exposing sensitive internal architecture?
- What evidence should be shared with workers, customers, regulators, and affected communities when an AI system changes its data lifecycle?
- How should ISO/IEC DIS 27091 evidence be mapped to ISO/IEC 42001, DPIAs, records of processing, and customer-facing AI system documentation?
Related Pages
- NIST Privacy Framework
- NIST AI Risk Management Framework
- Data Protection Impact Assessment
- Records of Processing Activities
- Data Privacy Vocabulary
- Differential Privacy
- Federated Learning
- Privacy Workforce Taxonomy
- Data Minimization
- AI Data Retention
- AI Data Provenance
- AI Audit Trails
- AI System Inventory
- AI Bill of Materials
- AI Data Security
- ISO/IEC FDIS 27090
- ISO/IEC 42001
- ISO/IEC 23894
- ISO/IEC 42005
- ISO/IEC 42006
- Membership Inference Attacks
- Model Inversion Attacks
- Contextual Integrity
- AI Procurement
- AI Change Management
Sources
- ISO, ISO/IEC DIS 27091 page, status, title, scope, lifecycle, committee, and page count, reviewed July 10, 2026.
- ISO, ISO/IEC JTC 1/SC 27 committee page, committee scope and working-group context, reviewed July 10, 2026.
- ISO, ISO/IEC JTC 1/SC 27 standards catalogue, ISO/IEC DIS 27091 listing and stage 40.99, reviewed July 10, 2026.
- ISO, ISO/IEC FDIS 27090 page, AI-security draft status and scope, reviewed July 10, 2026.
- ISO, ISO/IEC 42001:2023 AI management systems, reviewed July 10, 2026.
- ISO, ISO/IEC 23894:2023 AI guidance on risk management, reviewed July 10, 2026.
- ISO, ISO/IEC 42005:2025 AI system impact assessment, reviewed July 10, 2026.
- NIST, Privacy Framework homepage, reviewed July 10, 2026.
- NIST Computer Security Resource Center, CSWP 10, NIST Privacy Framework Version 1.0, final publication, January 16, 2020; reviewed July 10, 2026.