Risk Management across ISO 42001, NIST AI RMF and the EU AI Act
// theme · risk-management
Risk Management
Identifying, assessing, treating and monitoring AI risks across the lifecycle.
// Do once → satisfies all three
ONE AI risk register entry per system - likelihood × impact, treatment owner, status - re-run on every significant change.
ISO, NIST and the EU all converge on a continuous, documented risk-management loop. One register that records and re-runs satisfies all three.
ISO 42001
Cl.6.1.1 · Cl.6.1.2 · Cl.8.2
NIST AI RMF
MAP 5.1 · MANAGE 1.1
EU AI Act
Art.9
// Evidence auditors expect
- ✓ AI risk register with likelihood × impact and treatment owner
- ✓ Documented risk-assessment methodology and acceptance criteria
- ✓ Pre-deployment risk review sign-off
- ✓ Link from each risk to a mitigating control or accepted-risk record
// Common pitfalls
- ⚠ Conflating cyber risk with AI-specific risk (bias, drift, misuse, automation bias).
- ⚠ One-off risk assessment with no operational re-run on change (ISO 42001 Cl.8.2 and EU AI Act Art.9 both require continuous re-assessment).
- ⚠ Missing link between risks and concrete mitigating controls in the SoA.
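The register entry described above, with the auditor checks from the evidence and pitfall lists turned into code, as an added example that is not part of this page or any of the three standards. The field names, the 1-5 scales, the acceptance threshold and the control reference are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical register model (added example, not the page's own tooling).
# One entry per AI-system risk: likelihood x impact score, named treatment owner,
# status, and a link to a mitigating control in the SoA or to an accepted-risk
# record. Re-assessment is tied to the date of the last significant change.
@dataclass
class RiskEntry:
    system: str
    risk: str                      # AI-specific: bias, drift, misuse, automation bias...
    likelihood: int                # 1 (rare) .. 5 (almost certain); scale is an assumption
    impact: int                    # 1 (negligible) .. 5 (severe)
    owner: Optional[str]           # treatment owner; None is an audit finding
    status: str                    # "open", "treated" or "accepted"
    control_ref: Optional[str]     # SoA control id or accepted-risk record id
    last_assessed: date
    last_significant_change: date  # retrain, new data source, new use case...

    def score(self) -> int:
        return self.likelihood * self.impact


def audit(entry: RiskEntry, acceptance_threshold: int = 6) -> list[str]:
    """Return the audit findings for one register entry (empty list means clean)."""
    findings = []
    if not (1 <= entry.likelihood <= 5 and 1 <= entry.impact <= 5):
        findings.append("likelihood/impact outside the 1-5 scale")
    if entry.owner is None:
        findings.append("no treatment owner")
    if entry.control_ref is None:
        findings.append("risk not linked to a control or accepted-risk record")
    if entry.last_assessed < entry.last_significant_change:
        findings.append("not re-assessed since last significant change")
    if entry.status == "accepted" and entry.score() > acceptance_threshold:
        findings.append(f"score {entry.score()} above acceptance threshold but marked accepted")
    return findings


# Constructed sample entries for a hypothetical CV-screening model; the control
# reference is a placeholder, not a real Annex A identifier.
SAMPLE = [
    RiskEntry("cv-screener", "bias against protected groups", 4, 5, "HR Analytics Lead",
              "treated", "SoA:control-placeholder", date(2025, 3, 1), date(2025, 1, 15)),
    RiskEntry("cv-screener", "model drift after retrain", 3, 3, None,
              "open", None, date(2024, 11, 1), date(2025, 1, 15)),
]
```

Running `audit` over every entry after each significant change gives the re-run record that the continuous-loop requirement asks for; the second sample entry trips three of the pitfalls listed above.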
ISO 42001
Cl.6.1 splits risk assessment, risk treatment and impact assessment, then re-runs them operationally in Cl.8 with a Statement of Applicability against Annex A.
Clause 4.1
Understanding the organization and its context
Identify internal/external issues relevant to the AI Management System (AIMS) and the intended outcomes.
Clause 6.1.1
Actions to address risks and opportunities
Plan actions to address AI risks and opportunities arising from context.
Clause 6.1.2
AI risk assessment
Define and apply a process to identify, analyse and evaluate AI risks.
Clause 6.1.3
AI risk treatment
Select and apply risk treatments; produce a Statement of Applicability against Annex A.
Clause 6.2
AI objectives and planning
Set measurable AI objectives consistent with the AI policy.
Clause 8.2
AI risk assessment (operational)
Perform risk assessments at planned intervals and on significant change.
Clause 8.3
AI risk treatment (operational)
Implement risk treatment plan and verify it is effective.
NIST AI RMF
MAP identifies context and risks; MEASURE quantifies them; MANAGE decides what to do. The cycle is continuous and risk-tier-agnostic.
GOVERN 1.4
Risk management processes documented
Risk management processes and outcomes are documented and reviewed.
MAP 1.1
Context established and understood
Intended purposes, settings and assumptions about the AI system are documented.
MAP 5.1
Likelihood & magnitude of impacts characterised
Impacts on individuals, groups, communities, society characterised.
MANAGE 1.1
Risks prioritised and acted on
Determined AI risks are managed based on impact and resources.
MANAGE 1.2
Treatment plans defined
Plans to mitigate or transfer AI risks are defined.
MANAGE 1.3
Risk responses documented
Responses to high-priority risks documented.
MANAGE 2.1
Resources to manage risks allocated
Resources allocated to manage identified risks regularly.
EU AI Act
Art.9 requires a documented risk-management system for high-risk AI throughout the lifecycle; Art.27 adds a fundamental-rights impact assessment for deployers.
Article 6
Classification rules for high-risk AI
Defines what counts as high-risk AI (Annex I product safety + Annex III use cases).
Article 8
Compliance with high-risk requirements
High-risk AI must comply with requirements in Section 2 (Art. 9–15).
Article 9
Risk management system
Continuous, iterative risk management process across the AI lifecycle.
Article 51
Classification of GPAI with systemic risk
Defines when a general-purpose AI model has systemic risk (compute threshold etc.).
Article 55
Obligations for GPAI with systemic risk
Model evaluations, systemic risk assessment & mitigation, incident reporting, cybersecurity.