One document that covers the EU AI Act Article 27 fundamental rights impact assessment (FRIA), public-sector algorithmic impact assessments, and voluntary best-practice reviews. Screen whether an assessment is required, describe the system and the people it affects, rate the risks, record mitigations, and get sign-off, in a format a GRC team can use as-is.
Some triggers are legal mandates; others are best practice that customers and auditors increasingly expect. One yes is enough to run the assessment.
Timing: following the EU digital omnibus adopted in June 2026, the AI Act's high-risk obligations, including the Article 27 FRIA duty, apply from December 2, 2027 for stand-alone Annex III systems and from August 2, 2028 for AI embedded in regulated products. Several US states moved the other way: Colorado's SB 189 (effective January 1, 2027) dropped impact assessment mandates in favor of transparency duties. Either way, a documented assessment remains your best evidence of reasonable conduct.
A screening questionnaire plus a nine-section assessment form, with worked example rows that show the quality bar for risk descriptions and mitigations.
The impact assessment sits between classification and day-to-day monitoring. Three connections to get right:
You cannot assess the impact of AI you cannot see. Aona discovers every AI tool in use across your organization, maps what data flows into them, and keeps the inventory your impact assessments depend on audit-ready.