Risk Governance
Create an AI risk governance loop with ownership, scoring, approval, and review.
Key takeaways

- Risk governance turns AI uncertainty into decisions about which systems can ship, which controls are mandatory, and which residual risks leadership accepts.
- Maintain governance artifacts: AI system register, risk register, control catalog, approval record, and a review cadence.
- Score risk across data sensitivity, user impact, autonomy, external exposure, and reversibility.
- No high-risk AI feature should ship without a named owner, documented controls, a residual risk decision, a monitoring plan, and an incident contact.
Risk governance turns AI uncertainty into decisions. It gives teams a way to decide which systems can ship, which controls are mandatory, and which residual risks leadership accepts.
Governance Artifacts

| Artifact | Purpose |
|---|---|
| AI system register | Inventory AI features, models, tools, and their owners |
| Risk register | Track each risk with its likelihood, impact, owner, and status |
| Control catalog | Define the controls required for each risk class |
| Approval record | Show who accepted a residual risk and under what conditions |
| Review cadence | Reassess risk after incidents or significant changes, and at least quarterly |
Risk Scoring

| Dimension | Question |
|---|---|
| Data sensitivity | What data can the system access or infer? |
| User impact | Can output affect rights, money, safety, or employment? |
| Autonomy | Can the system take actions without human approval? |
| External exposure | Can untrusted users influence prompts or inputs? |
| Reversibility | Can wrong actions be undone quickly? |
Operating Rule

No high-risk AI feature should ship without a named owner, documented controls, a residual risk decision, a monitoring plan, and an incident contact.