ISO/IEC 38507
ISO/IEC 38507 is the International Standard for the governance implications of using artificial intelligence inside organizations.
Definition
ISO/IEC 38507:2022 is titled Information technology - Governance of IT - Governance implications of the use of artificial intelligence by organizations. ISO lists it as reference number ISO/IEC 38507:2022, Edition 1, a 28-page International Standard published in April 2022.
The standard is addressed first to members of a governing body. Its public abstract says it provides guidance so an organization can enable and govern the use of AI in an effective, efficient, and acceptable way. ISO also lists executive managers, legal or accounting specialists, professional bodies, public authorities, policymakers, service providers, assessors, and auditors among the wider audience.
Status
As reviewed on July 10, 2026, ISO lists ISO/IEC 38507:2022 as published, with publication stage 60.60. The lifecycle record shows a new project approved on November 28, 2018, Draft International Standard ballot activity in 2021, final approval activity in early 2022, and International Standard publication on April 8, 2022.
ISO lists ISO/IEC JTC 1/SC 42 as the technical committee, and the SC 42 committee page describes that subcommittee's scope as standardization in artificial intelligence. The ISO page also classifies the standard under ICS 35.020, the broad information-technology classification.
Governance Surface
The key move in ISO/IEC 38507 is that it puts AI use before the governing body, not only before developers, product managers, compliance staff, or procurement teams. The standard's public scope covers current and future uses of AI, the implications of those uses for the organization itself, and organizations of any size, including public, private, government, and not-for-profit bodies.
That framing fits the way AI changes organizational power. A model can alter hiring, pricing, fraud review, customer service, education, healthcare triage, software delivery, media production, surveillance, and resource allocation without appearing as a single board-level project. The governance surface is therefore not "the model." It is the chain of authorization, delegation, accountability, monitoring, and correction that lets an organization use AI in its own name.
Board Use
For a board or equivalent governing body, ISO/IEC 38507 is useful as a question engine. What AI uses exist or are planned? Which ones change the organization's obligations to workers, customers, affected communities, partners, regulators, or shareholders? Who is accountable for use of AI when the system is purchased, embedded in a vendor service, tuned internally, or used informally by staff?
The standard should not be read as a declaration that governance is solved by adopting a policy. A governing body needs enough visibility to direct, evaluate, and monitor AI use. That means it needs inventories, decision rights, risk appetite, exception handling, escalation paths, and evidence that management is not turning AI governance into a slide deck detached from operational systems.
Evidence Record
An ISO/IEC 38507-informed governance record should identify the governing body or delegated committee, the AI uses under review, the organizational purpose each use is meant to serve, accountable owners, affected stakeholder groups, risk appetite, decision criteria, management controls, oversight cadence, reporting routes, and review triggers. It should also record where AI is developed, acquired, embedded in third-party services, or used through general-purpose tools.
The record should preserve decisions, not just systems. A board-level AI governance file should show why a use was authorized, constrained, paused, escalated, or retired. It should make visible the difference between management preference and governing-body direction. Without that distinction, accountability dissolves into an operational fog where everyone "uses AI" but no one can say who accepted the institutional consequences.
Boundary With Other Standards
ISO/IEC 38507 is not an AI management-system standard, a risk-management standard, an impact-assessment standard, or a technical model-evaluation method. It sits above those practices as governance guidance for the organization. ISO/IEC 42001 covers AI management systems, ISO/IEC 23894 covers AI risk-management guidance, and AI audits and assurance turn claims into reviewable evidence.
Source Discipline
Use the official ISO standard page for the title, reference number, status, publication date, stage, edition, page count, technical committee, ICS classification, public abstract, and lifecycle dates. Use the ISO/IEC JTC 1/SC 42 page for committee scope. Do not cite training vendors, compliance software, or consulting pages for the standard's formal status. Do not treat ISO/IEC 38507 as a certification mark, model approval, legal safe harbor, or substitute for sector law.
Spiralist Reading
Spiralism reads ISO/IEC 38507 as a check against the familiar ritual in which an institution treats AI as both inevitable and ownerless. The standard's public scope insists that organizational use of AI has governance implications. That is a sober claim, but it cuts deeply: if AI is used to pursue organizational objectives, then the organization cannot hide behind the tool, the vendor, the model, or the user prompt.
The danger is governance theater. Boards may request an AI policy, accept a dashboard, and call the matter supervised while the actual systems spread through procurement, workplace tools, customer funnels, and informal automation. The stricter reading is that every material AI use should have a named governance path: who authorized it, which purpose it serves, which stakeholders it affects, what evidence is reviewed, and what event reopens the decision.
Open Questions
- Which AI uses are material enough to require direct governing-body review rather than management-only approval?
- How should boards distinguish experimentation, informal staff use, vendor-embedded AI, and production AI systems?
- What evidence should be shareable with workers, customers, regulators, or communities affected by an organization's AI use?
Related Pages
- AI Governance
- ISO/IEC 42001
- ISO/IEC 23894
- AI Audits and Assurance
- AI System Inventory
- Human Oversight of AI Systems
- Algorithmic Impact Assessments
- AI Procurement
Sources
- ISO, ISO/IEC 38507:2022 standard page, title, status, scope, lifecycle, committee, ICS code, and page count, reviewed July 10, 2026.
- ISO, ISO/IEC JTC 1/SC 42 committee page, artificial-intelligence committee scope and structure, reviewed July 10, 2026.