MISSION KI
Quality Standard for Low-Risk AI

The AI system is described precisely: What purpose does it fulfill? In which context is it deployed? Which technical components are part of it, and which are not? Specifically: application context, limits of the application domain, output format, mode of operation (local/cloud).

This description defines what the entire assessment refers to – and ensures that the quality statement is clearly bound to a defined area of application.

Not every quality criterion is equally important for every AI system. The protection needs analysis evaluates: What concrete harms could arise if requirements are not met? (e.g., health risks, discrimination, data protection breaches).

Result: Each criterion is classified as low, moderate, high – or as not applicable. This makes it clear where especially thorough assessment is required and where basic requirements are sufficient.

Which quality measures has the company actually implemented? The assessment follows the VCIO system, a four-level hierarchy from top (abstract) to bottom (concretely measurable):

• Quality dimensions (e.g., “Reliability,” “Transparency”)

• Criteria (e.g., “Performance and robustness”)

• Indicators (concrete actions: analyses, measures, evaluations)

• Observables (measurable evidence with assessment)

The classification: For each relevant indicator, it is determined which observable level the AI system meets:

A = best practice
B = advanced
C = basic
D = not fulfilled.

The principle is: The higher the protection need from Step 2, the higher the requirements. The selected classification must be supported by evidence – this takes place in Step 4

The selected classifications must be systematically substantiated. Depending on the level of protection need, different requirements apply:

• Level C (low): Basic documentation + test results

• Level B (moderate): Detailed documentation + tests with metadata (e.g., dataset versions, configurations)

• Level A (high): Reproducible tests + audit trail + full traceability

Possible evidence includes: Risk analyses, test reports, process descriptions, existing certifications (ISO 27001, GDPR).

The classifications and evidence are systematically reviewed. The requirements for the reviewing persons increase with the level of protection need:

• Low: Self-validation by the responsible team

• Moderate: Review by uninvolved internal experts

• High: Validation according to the four-eyes principle by internal reviewers who are hierarchically independent

Optional: External assessment bodies may be involved.
Objective: To ensure that the documented measures actually exist and are plausible.

Have the requirements been met? The achieved quality levels are summarized for each criterion and compared against the identified level of protection need.

The rule:

• High protection need → at least Level A required

• Moderate protection need → at least Level B required

• Low protection need → at least Level C required

Passed? Yes, if all relevant criteria reach the minimum level. Over-fulfillment is documented.

The assessment report summarizes:

• System information: application context, components, data use

• Protection needs: which criteria were critical, which were not applicable?

• Quality levels: achieved levels vs. required levels per criterion

• Measures & tests: which quality safeguards were implemented?

• Validation: which level of review was carried out?

• Statement: which criteria were met / not met / exceeded

The report follows a standard template and is signed by the responsible parties, with a formal declaration of correctness.

The assessment is point-in-time based: the quality statement applies only to the evaluated system version.

Validity ends when there is:

• A change in the intended purpose

• Significant technical changes (software/hardware)

• External changes (e.g., concept drift, data drift: changes in the input data)

Validity remains in case of: Organizational adjustments (e.g., new responsibilities), hardware updates without functional impact.

Objective: To ensure, through regular monitoring, that the quality statement remains up to date.

The assessment is done voluntarily and primarily driven by economic motivation. The EU AI Act primarily regulates high-risk AI — for most other AI applications, there are no comparable quality requirements. However, customers, investors, and partners increasingly expect resilient evidence of quality, safety, and fairness. The standard enables you to proactively build trust and differentiate yourself through demonstrable quality — especially valuable in tenders and investor pitches.

The standard was specifically designed for use in organizations with limited assessment resources, particularly start-ups and SMEs. The use-case-specific protection needs analysis focuses assessment efforts on truly critical areas. The digital assessment portal automates routine steps and provides context-specific guidance. This results in structured proof of quality with a reasonable level of effort. At the same time, the standard builds on established approaches such as VDE SPEC 90012 and the Fraunhofer IAIS Assessment Catalogue.

The standard was deliberately developed to be compatible with key regulations and standards. The six quality dimensions are based on the EU Ethics Guidelines for Trustworthy AI and are harmonized with the high-risk requirements of the EU AI Act. The processes and documentation produced as part of the assessment — for example on protection needs analysis, data quality, robustness, or human oversight and control — support you in preparing for regulatory requirements. Existing evidence from ISO 27001, GDPR compliance, or other standards is recognized and can be integrated.

Resilient proof of quality requires objective criteria and traceable procedures. The standard uses a four-level assessment system that defines clear requirements for each quality aspect — from minimum standard to best practice. Technical test methods are documented with reproducible parameters so that results remain verifiable. The test depth can be scaled: from self-assessment to internal validation according to the four-eyes principle, up to the optional involvement of external assessment bodies. The assessment report transparently documents which quality measures were implemented and to what extent.

The standard creates comparability through uniform assessment criteria. All assessments follow the same system: six quality dimensions are translated into concrete criteria and measurable requirements. The protection needs analysis ensures that different use contexts are taken into account — while the evaluation logic remains comparable. For procurement authorities, customers, and investors, this means that AI offerings can be assessed and compared in a structured way — regardless of industry, AI provider, or system type.

The standard was deliberately designed to have a low entry barrier in order to make it easier for start-ups and SMEs to get started with systematic AI quality management. The assessment portal guides users step by step through the evaluation process, integrated templates reduce documentation effort, and the Test Method Catalogue provides directly applicable procedures with concrete instructions. Assessment results are communicated in an understandable form — for internal governance as well as for customers, partners, and investors. This makes professional quality management possible even without a dedicated compliance department.