
AI Risk Assessment Must Be Structured, Traceable, and Decision-Oriented
Effective AI risk management requires a structured model that connects:
Resource → Risk Scenario → Controls → Evaluation → Residual Risk → Decision → Evidence
Without this linkage:
- Risks remain theoretical
- Controls are not measurable
- Governance decisions lack basis
- Audit readiness is not achieved
End-to-End AI Risk Assessment Model
1. Resource Identification
Define all components of the AI system:
- Data (training, inference, RAG sources)
- Models (ML, GenAI, APIs)
- Retrieval layer
- Orchestration and prompt logic
- Tools and action interfaces
- Vendor and external dependencies
- Monitoring and runtime environment
Each resource must be:
- Clearly defined
- Uniquely identifiable
- Mapped to system architecture
2. Standardised Risk Scenario Library
For each resource, map predefined risk scenarios such as:
- Data leakage
- Model hallucination
- Prompt injection and jailbreak
- RAG poisoning
- Unauthorized tool execution
- Model drift
- Vendor transparency limitations
Each scenario must include:
- Scenario ID (e.g., SCN-001)
- Risk category (data, model, retrieval, orchestration, etc.)
- Applicable architecture (ML, RAG, GenAI, Agentic)
3. Control Mapping Framework
Each scenario must map to four categories of controls:
Preventive Controls
- Access control
- Data validation
- Prompt filtering
- Retrieval constraints
Detective Controls
- Monitoring and logging
- Drift detection
- Output validation
- Anomaly detection
Corrective Controls
- Rollback mechanisms
- Incident response
- Model retraining
- Process correction
Governance Controls (Critical)
- Risk acceptance criteria
- Human oversight requirements
- Escalation thresholds
- AI use-case approval
- Control ownership definition
- Periodic review and revalidation
Each control must include:
- Control ID (e.g., CTRL-001)
- Control type (Preventive / Detective / Corrective / Governance)
- Control owner (Enterprise / Vendor / Shared)
- Evidence requirement
4. AISIA Evaluation Model
Each scenario is evaluated using:
- Severity – impact on individuals, organisation, operations
- Scale – number of users or processes affected
- Reversibility – ability to recover from impact
This enables:
- Structured impact scoring
- Consistent and comparable prioritisation
5. Control Effectiveness and Residual Risk
Risk assessment must evaluate:
- Control implementation vs effectiveness
- Residual risk after control application
This ensures:
- Realistic risk visibility
- Identification of control gaps
- Alignment between risk and actual system behaviour
6. Decision Framework
Each scenario must result in a clear governance decision:
- Approve – risk acceptable with existing controls
- Conditional – additional controls required
- Restrict / Pause – unacceptable risk
- Escalate – requires senior governance review
This converts assessment into actionable outcomes.
7. Evidence and Traceability Layer
For each scenario, maintain:
- Input → processing → output trace
- Logs and monitoring data
- Guardrail testing and red teaming results
- Validation and review evidence
This ensures:
- Audit readiness
- Regulatory defensibility
- Verification of control effectiveness
Illustrative Integrated Structure
| Resource | Scenario ID | Risk | Control ID | Control Type | AISIA Score | Residual Risk | Decision | Evidence |
|---|---|---|---|---|---|---|---|---|
| Retrieval | SCN-003 | RAG poisoning | CTRL-010 | Preventive | High | Medium | Escalate | Logs, test results |
| Model | SCN-004 | Hallucination | CTRL-015 | Detective | Medium | Low | Conditional | Output validation |
| Tool | SCN-005 | Unauthorized action | CTRL-020 | Governance | High | High | Restrict | Execution logs |
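The following Python script is a worked example added here to show the whole chain (Resource → Risk Scenario → Controls → Evaluation → Residual Risk → Decision → Evidence) as data and functions that a governance team could actually run; it is not part of the model above or of any tool the text refers to. The additive 1..3 scoring over Severity, Scale and Reversibility, the High/Medium/Low bands, the residual-risk formula (inherent score scaled by the strongest implemented control) and the decision rule are all assumptions made for the example, and the three scenarios are constructed to mirror the rows of the illustrative table.

```python
"""Worked example of the Resource -> Scenario -> Control -> Evaluation ->
Residual Risk -> Decision -> Evidence chain. The scoring formula, residual
formula and decision rule are ASSUMPTIONS for this example, not part of the
model in the text; the scenarios below are constructed sample data."""
from dataclasses import dataclass, field
from enum import Enum
import math


class ControlType(Enum):
    PREVENTIVE = "Preventive"
    DETECTIVE = "Detective"
    CORRECTIVE = "Corrective"
    GOVERNANCE = "Governance"


class Decision(Enum):
    APPROVE = "Approve"
    CONDITIONAL = "Conditional"
    RESTRICT = "Restrict / Pause"
    ESCALATE = "Escalate"


@dataclass
class Control:
    control_id: str            # e.g. CTRL-010
    control_type: ControlType
    owner: str                 # Enterprise / Vendor / Shared
    evidence_required: str     # what must exist to prove the control works
    implemented: bool          # defined on paper is not the same as in place
    effectiveness: float       # ASSUMED share (0.0-1.0) of impact removed when implemented
    evidence_collected: list = field(default_factory=list)


@dataclass
class Scenario:
    scenario_id: str           # e.g. SCN-003
    resource: str              # the resource the scenario is attached to
    risk: str
    category: str              # data / model / retrieval / orchestration / tool
    architectures: tuple       # ML / RAG / GenAI / Agentic
    severity: int              # AISIA dimensions, each 1 (low) .. 3 (high)
    scale: int
    reversibility: int         # 3 = hardest to recover from
    controls: list = field(default_factory=list)


def aisia_score(s: Scenario) -> int:
    """ASSUMPTION: additive impact score (3..9) over the three dimensions."""
    for v in (s.severity, s.scale, s.reversibility):
        if not 1 <= v <= 3:
            raise ValueError(f"{s.scenario_id}: dimension values must be 1..3")
    return s.severity + s.scale + s.reversibility


def band(score: int) -> str:
    """ASSUMPTION: 8-9 High, 5-7 Medium, below 5 Low."""
    return "High" if score >= 8 else "Medium" if score >= 5 else "Low"


def residual_score(s: Scenario) -> int:
    """Implementation vs effectiveness: an unimplemented control reduces
    nothing. ASSUMPTION: the strongest implemented control scales the
    inherent score down; the result is rounded up (conservative)."""
    applied = [c.effectiveness for c in s.controls if c.implemented]
    return math.ceil(aisia_score(s) * (1 - max(applied, default=0.0)))


def decide(s: Scenario) -> Decision:
    """ASSUMED decision rule: High residual is unacceptable, Medium goes to
    senior review, Low is approved only once every implemented control has
    its required evidence on file; otherwise further work is required."""
    rb = band(residual_score(s))
    if rb == "High":
        return Decision.RESTRICT
    if rb == "Medium":
        return Decision.ESCALATE
    evidenced = all(c.evidence_collected for c in s.controls if c.implemented)
    return Decision.APPROVE if evidenced else Decision.CONDITIONAL


def trace_row(s: Scenario) -> dict:
    """One row of the integrated structure: the decision stays traceable to
    its scenario, controls, scores and evidence (pending evidence is flagged)."""
    evidence = [e for c in s.controls
                for e in (c.evidence_collected or [f"{c.evidence_required} (pending)"])]
    return {"Resource": s.resource, "Scenario ID": s.scenario_id, "Risk": s.risk,
            "Control ID": ", ".join(c.control_id for c in s.controls),
            "Control Type": ", ".join(c.control_type.value for c in s.controls),
            "AISIA Score": band(aisia_score(s)), "Residual Risk": band(residual_score(s)),
            "Decision": decide(s).value, "Evidence": ", ".join(evidence)}


def check_traceability(scenarios: list) -> list:
    """Gaps that break the chain: duplicate scenario IDs, scenarios with no
    mapped control, controls without an owner or an evidence requirement."""
    gaps, seen = [], set()
    for s in scenarios:
        if s.scenario_id in seen:
            gaps.append(f"duplicate scenario id {s.scenario_id}")
        seen.add(s.scenario_id)
        if not s.controls:
            gaps.append(f"{s.scenario_id}: no control mapped")
        for c in s.controls:
            if not c.owner or not c.evidence_required:
                gaps.append(f"{c.control_id}: missing owner or evidence requirement")
    return gaps


# Constructed sample data mirroring the illustrative table above.
SCENARIOS = [
    Scenario("SCN-003", "Retrieval", "RAG poisoning", "retrieval", ("RAG",), 3, 3, 2,
             [Control("CTRL-010", ControlType.PREVENTIVE, "Enterprise", "Logs, test results",
                      True, 0.4, ["Logs", "Test results"])]),
    Scenario("SCN-004", "Model", "Hallucination", "model", ("GenAI", "RAG"), 2, 3, 1,
             [Control("CTRL-015", ControlType.DETECTIVE, "Shared", "Output validation",
                      True, 0.5)]),                      # evidence not yet collected
    Scenario("SCN-005", "Tool", "Unauthorized action", "tool", ("Agentic",), 3, 2, 3,
             [Control("CTRL-020", ControlType.GOVERNANCE, "Enterprise", "Execution logs",
                      False, 0.7)]),                     # approval gate defined, not enforced
]


def assessment_table(scenarios: list = SCENARIOS) -> list:
    """Build the integrated structure for a set of scenarios."""
    return [trace_row(s) for s in scenarios]


if __name__ == "__main__":
    for gap in check_traceability(SCENARIOS):
        print("GAP:", gap)
    for row in assessment_table():
        print(row)
```

Running the script prints the three table rows with the same Residual Risk and Decision values as the table, derived rather than typed in: SCN-003 drops from High to Medium and escalates, SCN-004 drops to Low but stays Conditional because its output-validation evidence is still pending, and SCN-005 keeps its High inherent score because the governance control is defined but not implemented. The `check_traceability` function is the audit-readiness check: it reports any scenario that has no control and any control that lacks an owner or an evidence requirement before a decision is recorded.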
Key Design Principles
- Risk must be resource-specific, not generic
- Scenarios must be standardised and reusable
- Controls must be mapped, owned, and testable
- Governance controls must drive decision-making
- Evidence must support audit and assurance
Outcome
This model enables:
- Consistent AI risk assessment across systems
- Clear linkage between risks, controls, and decisions
- Measurable control effectiveness
- Audit-ready governance aligned to ISO/IEC 42001