What is AI auditing?

At a glance

• One audit checks several things at once: does it work, stay reliable under stress, treat groups fairly, explain its decisions, and protect personal data^[1].
• It can be internal (your own team) or external (an independent firm); some laws require the audit to be independent.
• For many uses it is now legally required, not just good practice.
• The business case: catch bias or harm before it reaches a customer or a regulator.

What it checks

An auditor examines the whole lifecycle, the training data, the model, and the real-world outputs^[2]. A weakness in any one, fairness, accuracy, reliability, explainability, or privacy, can become a customer-trust or legal problem.

Internal vs. independent, and the law

Internal audits are cheaper and good for ongoing monitoring; independent ones carry more weight with regulators and the public. NYC’s Local Law 144 requires an annual independent bias audit for AI hiring tools, with a published summary and applicant notice^[5], and the vendor’s own assurances do not count^[3]. The EU AI Act adds binding duties for high-risk uses like hiring and lending^[4].

Frameworks to know

The EU AI Act (binding law), ISO/IEC 42001 (a certifiable standard on a three-year cycle), and the NIST AI RMF (a voluntary U.S. risk guide). They overlap heavily, so one solid audit program covers much of all three^[4].

Bottom line

An AI audit is a health check for software that makes decisions about people, increasingly mandatory, and one solid effort satisfies most frameworks at once.