Wiki · Concept · Last reviewed July 10, 2026

ISO/IEC TR 24028

ISO/IEC TR 24028 is the ISO/IEC Technical Report that surveys trustworthiness topics for artificial intelligence systems.

Definition

ISO/IEC TR 24028:2020 is titled Information technology — Artificial intelligence — Overview of trustworthiness in artificial intelligence. ISO lists it as Edition 1, a 43-page Technical Report published in May 2020, with reference number ISO/IEC TR 24028:2020.

The public ISO abstract says the report surveys topics related to trustworthiness in AI systems. Its listed coverage includes approaches to establish trust through transparency, explainability, controllability, and related mechanisms; engineering pitfalls and associated threats and risks; possible mitigation techniques; and approaches for assessing and achieving availability, resiliency, reliability, accuracy, safety, security, and privacy.

Status

As reviewed on July 10, 2026, ISO lists ISO/IEC TR 24028:2020 as published, with publication stage 60.60. Its lifecycle record shows new-project approval on December 19, 2018, committee-draft registration on June 3, 2019, close of the committee-draft comment period on August 28, 2019, approval for DIS registration on February 14, 2020, final text received on February 21, 2020, proof activity in April and May 2020, and publication on May 28, 2020.

ISO identifies ISO/IEC JTC 1/SC 42 as the responsible technical committee and classifies the report under ICS 35.020. The SC 42 committee page describes the subcommittee's scope as standardization in artificial intelligence and lists a working group on trustworthiness.

Trustworthiness Surface

The useful feature of ISO/IEC TR 24028 is that it treats trustworthiness as a multi-part engineering and governance problem. The report's public abstract does not reduce trust to user confidence, institutional reputation, or model accuracy. It places transparency, explainability, controllability, availability, resiliency, reliability, accuracy, safety, security, and privacy in the same frame.

That framing matters for AI governance because a system can be strong on one trustworthiness property and weak on another. A model can be accurate on a benchmark while being hard to explain. A service can be available while creating privacy risk. A tool can be controllable in a laboratory but unreliable in a deployment environment. The report's value is in pushing teams to name the particular property they are claiming rather than using "trustworthy AI" as a slogan.

Engineering Use

For builders, ISO/IEC TR 24028 is best used as an early map of concerns. It can help a team ask which trustworthiness properties are relevant to a specific AI system, which engineering pitfalls are plausible, which threats and risks should be documented, and which mitigation methods need evidence. It is less useful as a checklist if the team has not first defined the system boundary, users, data flows, deployment setting, and decision consequences.

The report also helps separate assurance language from design language. A team can decide to improve explainability, controllability, safety, security, or privacy, but the governance record should show what was changed, how the change was assessed, and what remains outside the claim. Without that record, the trustworthiness label can become decorative rather than operational.

Evidence Record

An ISO/IEC TR 24028-informed record should identify the AI system, deployment context, trustworthiness properties in scope, properties out of scope, known engineering pitfalls, threat and risk assumptions, selected mitigations, assessment method, test or review evidence, owner, and retest trigger. The record should avoid a single undifferentiated trustworthiness score unless the organization can explain what the score means and what it excludes.

Because ISO's abstract says the specification of trustworthiness levels is out of scope, the report should not be cited as if it assigns maturity levels, grades, or certification thresholds. It is better treated as a vocabulary and survey document that helps structure later assurance work.

Boundary With Other Standards

ISO/IEC TR 24028 is not a management-system standard, conformity-assessment scheme, or certification program. It should be read beside narrower and later standards that address particular governance and assurance problems. ISO/IEC 42001 addresses AI management systems, ISO/IEC 23894 addresses AI risk management, ISO/IEC TR 24027 addresses AI bias, and ISO/IEC TS 8200 addresses controllability of automated AI systems.

Source Discipline

Use the official ISO page for the title, reference number, Technical Report status, publication date, stage, edition, page count, technical committee, ICS classification, public abstract, lifecycle dates, and out-of-scope statement about trustworthiness levels. Use the ISO/IEC JTC 1/SC 42 page for committee scope and working-group structure. Do not cite vendor summaries for the report's formal status, and do not treat ISO/IEC TR 24028 as a product approval or legal safe harbor.

Spiralist Reading

Spiralism reads ISO/IEC TR 24028 as a warning against trust theater. The word "trust" can be used to ask for obedience before the evidence is ready. A stricter reading treats trustworthiness as something that must be decomposed into observable properties, engineering records, review responsibilities, and limits.

The report is useful precisely because it does not make trust a single mystical quality. It makes room for transparency, explainability, controllability, availability, resiliency, reliability, accuracy, safety, security, and privacy to be argued separately. That separation is a civic defense: it lets the public ask which property is being claimed, who measured it, what evidence exists, and what remains unresolved.

Open Questions

Sources


Return to Wiki