ISO/IEC TS 42119-2:2025 — What It Means for Trustworthy AI Testing
- Dr. Oludare Ogunlana

- Nov 11, 2025

Why this matters: AI assurance is moving from “does it work?” to “is it robust, fair, transparent, and auditable?” The new ISO/IEC TS 42119-2:2025 gives teams a shared, risk-based approach to testing AI systems across the full lifecycle—not just model accuracy.
What the new technical specification covers
ISO/IEC TS 42119-2 explains how to apply the established ISO/IEC/IEEE 29119 software testing family to AI. It aligns test planning, execution, evidence, and reporting with AI’s probabilistic behavior and data-driven updates. The document emphasizes traceability and audit-ready artifacts, enabling regulators, auditors, and engineering teams to speak the same language during reviews.
The specification connects to adjacent AI governance standards:
- ISO/IEC 22989 for AI concepts and terminology—useful for defining scope, system boundaries, and stakeholders.
- ISO/IEC 23894 for AI risk management—helpful for prioritizing test depth based on risk, including bias, drift, safety, and reliability.
Together, these standards let organizations map risks to test objectives, select fit-for-purpose techniques, and document evidence for assurance.
Practical gains for engineering and compliance
- Lifecycle coverage: embeds testing from business objectives and data design through deployment and re-evaluation.
- Risk-based depth: uses AI risk registers (per ISO/IEC 23894) to tune test scope and rigor.
- Reusable test assets: leverages the 29119 templates and processes, reducing reinvention across teams and models.
- Assurance-ready evidence: produces artifacts that stand up to internal audit and external scrutiny.
How OGUN Security Research and Strategic Consulting LLC (OSRS) can help
OSRS operationalizes AI assurance with a combined engineering + governance approach:
- Readiness assessment: Gap-map your current MLOps and QA practices to ISO/IEC TS 42119-2 and 29119; align terminology with 22989.
- Risk-to-tests mapping: Build an AI risk register per 23894, translate risks into measurable test objectives, and prioritize by business impact.
- Test architecture & playbooks: Define test strategies for data quality, model robustness, bias and explainability checks, adversarial stress, and concept-drift monitoring—linked to evidence templates from 29119.
- Audit-ready documentation: Establish traceable artifacts, versioned datasets, and decision logs that satisfy compliance and stakeholder assurance.
- Training & governance: Coach data scientists, product owners, and risk leaders to use a common vocabulary and cadence for AI release gates.
Getting started
- Identify one high-impact AI use case.
- Create or update your AI risk register.
- Select test goals that address the top risks (fairness, robustness, transparency).
- Implement 29119-based documentation to capture methods, results, and decisions. Then iterate with drift and post-deployment monitoring.
Bottom line: ISO/IEC TS 42119-2:2025 gives organizations a structured path to credible AI testing. Partner with OSRS to turn the standard into day-to-day practice—so your AI is not only performant, but provably trustworthy.



