30 Days Gen AI Risk Trial -Start Now
Book a demo
Free Template · Risk & Assessment

AI Impact Assessment TemplateKnow Who Your AI Affects Before You Deploy It

One document that covers the EU AI Act Article 27 fundamental rights impact assessment (FRIA), public-sector algorithmic impact assessments, and voluntary best-practice reviews. Screen whether an assessment is required, describe the system and the people it affects, rate the risks, record mitigations, and get sign-off, in a format a GRC team can use as-is.

When You Need an AI Impact Assessment

Some triggers are legal mandates; others are best practice that customers and auditors increasingly expect. One yes is enough to run the assessment.

Mandatory
Public bodies deploying high-risk AI (EU AI Act Art. 27)
Bodies governed by public law, and private entities providing public services, must complete a fundamental rights impact assessment before first use of most Annex III high-risk systems.
Mandatory
Credit scoring and life or health insurance pricing
Any deployer, including banks and insurers, using high-risk AI to evaluate creditworthiness or to assess risk and set prices in life and health insurance must complete a FRIA.
Mandatory
High-risk personal data processing (GDPR Art. 35)
Large-scale profiling or automated decisions with legal or similar effects require a DPIA. The FRIA complements it; this template covers the AI-specific ground alongside it.
Mandatory
Public-sector directives and procurement rules
Canada's Directive on Automated Decision-Making requires algorithmic impact assessments for federal automated decision systems, and procurement rules increasingly demand them from vendors.
Best practice
Consequential decisions about people
Hiring, lending, housing, healthcare, education, benefits: if the system makes or materially informs these decisions, assess it even where no law requires you to.
Best practice
Certification and framework alignment
ISO/IEC 42001 expects AI system impact assessments as part of the management system, and the NIST AI RMF places impact identification in its Map function.

Timing: following the EU digital omnibus adopted in June 2026, the AI Act's high-risk obligations, including the Article 27 FRIA duty, apply from December 2, 2027 for stand-alone Annex III systems and from August 2, 2028 for AI embedded in regulated products. Several US states moved the other way: Colorado's SB 189 (effective January 1, 2027) dropped impact assessment mandates in favor of transparency duties. Either way, a documented assessment remains your best evidence of reasonable conduct.

What the Template Covers

A screening questionnaire plus a nine-section assessment form, with worked example rows that show the quality bar for risk descriptions and mitigations.

1
Screening questionnaire
Six questions that tell you whether an assessment is legally required, contractually required, or recommended, with a screening outcome record.
2
System description and intended use
Provider, model version, actual use case, the business processes the system operates in, and how often it runs.
3
Affected persons and groups
Every group the system touches, how they are affected, at what scale, and which vulnerability factors apply.
4
Data and model inputs
Data categories, sensitive attributes, provenance, representativeness gaps, and proxies for protected attributes.
5
Risk register with ratings
Risks to fundamental rights and individuals: discrimination, privacy, economic harm, and procedural fairness, each rated for likelihood and severity.
6
Human oversight measures
Oversight model, who reviews which outputs, override authority, automation bias controls, and the kill switch.
7
Mitigation and residual risk
Mitigations with owners and due dates, re-rated residual risk, and complaint and redress arrangements.
8
Consultation record
Who you consulted, what they told you, and what changed in the deployment as a result.
9
Review triggers
The events that reopen the assessment, from model changes to drift, complaints, and regulatory change.
10
Approval sign-off
An explicit deploy, conditional, or stop decision with a sign-off table and the Article 27 notification record.

How It Fits Your Governance Stack

The impact assessment sits between classification and day-to-day monitoring. Three connections to get right:

Classify first
Run the EU AI Act risk classification first: the tier you land on determines whether Article 27 applies and how deep the assessment needs to go.
Pair with your DPIA
Under the AI Act, a FRIA complements a data protection impact assessment rather than replacing it. Run them together and cross-reference instead of duplicating.
Feed your risk register
Residual risks, review triggers, and sign-off conditions belong in your live risk register and incident response process, not in a drawer.
Get started

Know every AI system before you assess it

You cannot assess the impact of AI you cannot see. Aona discovers every AI tool in use across your organization, maps what data flows into them, and keeps the inventory your impact assessments depend on audit-ready.