An AI Impact Audit is an independent, systematic, and evidence-based evaluation of an AI system’s design, development, deployment, or outcomes, conducted to assess its actual or potential effects on individuals, society, and fundamental rights, and to verify its alignment with legal, ethical, and organizational standards.

This process moves beyond internal self-assessment to provide an objective, external validation of an organization's AI governance claims. Unlike a pre-deployment Algorithmic Impact Assessment (AIA), an impact audit is typically conducted ex-post, examining a system already in use to see if its real-world impacts match its intended design and compliance assertions. It scrutinizes the entire AI lifecycle, from data provenance and model training to deployment practices and outcome monitoring, offering a holistic verdict on the system's fairness, transparency, safety, and accountability. Audits can be conducted by internal audit teams with sufficient independence, specialized consultancies, or civil society organizations.

A comprehensive AI impact audit generally examines several interconnected layers:

Process Audit: Reviewing the adequacy and implementation of the organization’s AI governance policies, risk management procedures, documentation practices, and oversight mechanisms (the "AI Management System").

Technical/Algorithmic Audit: Analyzing the system's code, training data, model architecture, and performance metrics to detect biases, assess robustness, and evaluate explainability.

Impact & Outcome Audit: Empirically investigating the system's real-world effects by analyzing output data across demographic groups, reviewing incident logs, and gathering feedback from affected stakeholders to identify disparate impacts or harms.

Legal & Compliance Audit: Verifying conformity with specific regulatory frameworks like the EU AI Act and GDPR, including checking for proper conformity assessment, CE marking, and adherence to data governance mandates.

Regulatory Context: While not universally mandated by law, the concept of AI auditing is strongly encouraged by the EU AI Act's emphasis on market surveillance and conformity assessment. The Act's requirement for notified bodies to assess high-risk systems is a form of regulatory audit. Furthermore, the Act's call for codes of conduct (Article 95) suggests voluntary, independent auditing as a means of verification. Standards like ISO/IEC 42001 also include audit requirements for an AI Management System.

Accountability & Legitimacy Mechanism: Commissioning a credible impact audit is a powerful demonstration of accountability and transparency. It provides assurance to regulators, builds public and customer trust, and offers invaluable insights for internal improvement. As litigation and regulatory scrutiny around AI increase, audit reports will likely become critical evidence in demonstrating due diligence.