Subodh KCSubodh KC/systems
let's talk →
AI Governance Resource

AI Risk Register
Template

A structured template for tracking AI system risks, likelihood, impact, controls, and remediation status across your AI portfolio.

July 15, 2026By Subodh KC

Educational notice: This template provides a starting framework for AI risk management. Production deployments should undergo organization-specific risk assessment with qualified security and compliance professionals. Risks and controls should be tailored to your specific architecture, data types, and regulatory environment.

Synopsis

A risk register is the foundation of AI governance. This template covers data and privacy risks, prompt injection vectors, tool and action security, infrastructure and supply chain threats, model behavior and output risks, organizational factors, and compliance gaps — aligned with the NIST AI RMF functions of Govern, Map, Measure, and Manage. Each risk includes likelihood, impact, recommended controls, an owner, and status tracking. Use it alongside the AI Security Tools, the Vendor Due-Diligence Checklist, the Incident Evidence Checklist, and the Streamlit architecture guide.

Risk Prioritization Framework

Not all risks are equal. Use this framework to decide what to fix first.

Fix immediately (Critical impact)

Any risk with Critical impact — regardless of likelihood — deserves immediate attention. A single occurrence could cause irreversible harm: PHI exposure, unauthorized fund transfers, or cross-tenant data breach.Action: Implement controls before the next release. Block deployment if the control is not in place.

Fix this quarter (High likelihood + High impact)

Risks that are both likely and impactful. These are not emergencies but will cause real incidents if left unaddressed. Direct prompt injection (R-04) and excessive tool permissions (R-07) typically fall here.Action: Assign owner, set target date within 90 days, track in weekly review.

Plan and monitor (Medium likelihood + Medium impact)

Risks that are possible but not immediately threatening. Session State misuse (R-12) and missing documentation (R-32) fall here. These can escalate if the architecture changes.Action: Add to roadmap, review quarterly, escalate if likelihood increases.

Accept and document (Low likelihood + Low impact)

Risks that are unlikely and low-impact. Document the decision to accept, the reasoning, and the conditions that would trigger re-evaluation.Action: Document acceptance rationale. Review annually or after architecture changes.

NIST AI RMF Mapping

This risk register aligns with the four functions of the NIST AI Risk Management Framework. Use this mapping to integrate the register into your broader AI governance program.

Govern — Policies, procedures, and accountability

Risks R-32 through R-34 (documentation, incident response, bias in consequential decisions). Establish who owns AI risk decisions, how risks are escalated, and what the organization's risk tolerance is. The risk register itself is a Govern artifact.

Map — Context and risk identification

Risks R-01 through R-03 (data and privacy), R-13 through R-16 (shadow AI), R-30 through R-31 (organizational factors). Understand where AI is used, what data it touches, who uses it, and what could go wrong. The blast radius calculator supports this function.

Measure — Assessment and testing

Risks R-04 through R-09 (prompt injection, tool abuse), R-17 through R-22 (hiring compliance), R-26 through R-27 (hallucination, drift). Quantify and track risks through testing, bias audits, and monitoring. The agent matrix and scenario library support this function.

Manage — Mitigation and response

Risks R-10 through R-12 (supply chain, vendor, session state), R-23 through R-25 (vendor changes), R-28 through R-29 (IP, provider outage). Implement controls, monitor effectiveness, and respond to incidents. The vendor checklist and incident evidence checklist support this function.

Scenario: From Risk Identification to Remediation

A financial services firm builds an internal AI assistant using Streamlit and RAG. The engineering lead runs through the risk register and identifies the following chain:

1
Identify: R-05 (Indirect injection via poisoned RAG documents) — Likelihood: Medium, Impact: Critical. The firm allows analysts to upload research notes to the RAG corpus. A malicious or compromised analyst could inject instructions into a document that the model retrieves and follows.
2
Assess: The blast radius is significant — the RAG corpus is shared across 200+ analysts, and the model has action tools (send email, create trade ticket). An injected instruction could cause the model to email restricted research to an external address.
3
Control: Implement document provenance tracking (each upload is attributed to a named user with timestamp), content scanning for injection patterns before indexing, and mandatory human approval for the send-email tool. Remove automatic execution for all action tools.
4
Verify: Run negative-access tests: upload a document containing hidden instructions and verify the model does not follow them. Confirm the send-email tool requires human approval. Update the risk register status from Open to Mitigated.
5
Monitor: Add alerting on documents matching injection patterns. Review the risk register entry quarterly. Re-assess if the user population expands, new tools are added, or the upload policy changes.

How to use: Copy this structure into a spreadsheet or governance tool. Assign owners, set target dates, and update status as controls are implemented. Review quarterly or after significant architecture changes.

Data & Privacy

IDRiskLikelihoodImpactControlsOwnerStatus
R-01Unauthorized data access through RAG retrieval without RLSMediumHighTenant filters before retrieval, metadata-based access controlData EngineeringOpen
R-02Sensitive data leakage through global cachingMediumHighSession-scoped cache keys, no global cache for sensitive dataPlatform TeamOpen
R-03PHI exposure in model prompts sent to external APILowCriticalDLP scanning, data minimization in prompts, on-premise model optionSecurityOpen

Prompt Injection & Manipulation

IDRiskLikelihoodImpactControlsOwnerStatus
R-04Direct prompt injection overriding system instructionsHighHighServer-side authorization, structured output validation, pattern detectionApplication SecurityOpen
R-05Indirect injection via poisoned RAG documentsMediumCriticalContent sanitization, document provenance, human approval for actionsData EngineeringOpen
R-06Injection via MCP tool descriptionsLowHighTool description review, trusted MCP servers only, tool allow-listPlatform TeamOpen

Tool & Action Security

IDRiskLikelihoodImpactControlsOwnerStatus
R-07Excessive tool permissions (principle of least privilege violation)HighHighTool allow-list per use case, regular permission auditEngineeringOpen
R-08Automatic action execution without human approvalMediumCriticalHuman approval for action/admin tools, server-side approval workflowEngineeringOpen
R-09Model output trusted as authorization decisionMediumCriticalServer-side authorization independent of model, identity provider verificationSecurityOpen

Infrastructure & Supply Chain

IDRiskLikelihoodImpactControlsOwnerStatus
R-10Compromised MCP server exfiltrating dataLowCriticalTrusted publishers, network egress restrictions, sandbox MCP serversSecurityOpen
R-11Model vendor retaining sensitive promptsMediumHighDPA with vendor, DLP scanning, on-premise fallback for sensitive dataLegal & SecurityOpen
R-12Session State used as authoritative storageMediumMediumDurable storage for all consequential state, external database for auditEngineeringOpen

Shadow AI & Unauthorized Usage

IDRiskLikelihoodImpactControlsOwnerStatus
R-13Employees using personal ChatGPT/Claude/Gemini with company confidential dataHighHighAcceptable use policy, DLP on egress traffic, sanctioned AI tool provision, employee training, monitoring for unsanctioned AI usageSecurity & HROpen
R-14Teams adopting unsanctioned SaaS AI tools without security or legal reviewHighMediumProcurement policy requiring security review for AI tools, SaaS discovery scanning, quarterly AI tool inventory audit, credit card expense review for AI subscriptionsIT & SecurityOpen
R-15Employees pasting source code, financial data, or PII into public AI chatbotsHighCriticalData classification policy, DLP scanning for AI chatbot domains, employee training with real examples, sanctioned enterprise AI with no-training-on-data clauseSecurityOpen
R-16Shadow AI usage creating undocumented data flows to unvetted third partiesMediumHighNetwork egress monitoring for AI API endpoints, data flow mapping, vendor due diligence on discovered tools, remediation plan for unauthorized toolsSecurityOpen

AI in Hiring & Employment Decisions

IDRiskLikelihoodImpactControlsOwnerStatus
R-17AI hiring tool used without independent bias audit (NYC LL 144 violation)MediumCriticalAnnual independent bias audit by qualified third party, public posting of audit summary, candidate notice 10 business days before use, audit retention per NYC DCWP requirementsHR & LegalOpen
R-18Candidates not notified of AI use in hiring decisions (multi-state violation)MediumHighCandidate notification template covering NYC LL 144, Illinois AIVIA, California FEHA, Colorado SB 189, EU AI Act Article 50; notification in job posting and before assessment; consent for video interview AI analysisHR & LegalOpen
R-19Algorithmic discrimination through biased training data or model behaviorMediumCriticalDisparate impact testing (four-fifths rule), demographic data collection where legally permitted, human review for all adverse decisions, appeal process for rejected candidates, California FEHA 4-year record retentionHR & ComplianceOpen
R-20Unauthorized biometric analysis (facial expression, voice emotion) in video interviewsLowCriticalProhibit emotion recognition AI in hiring (EU AI Act Article 5 ban), verify vendor does not use biometric categorization, Illinois BIPA compliance, Maryland HB 1202 consent requirements, documented vendor attestationHR & LegalOpen
R-21AI employment decisions made without human oversight or appeal mechanismMediumHighHuman-in-the-loop for all hiring decisions, documented override authority, candidate appeal process, EU AI Act Article 26-27 compliance (human oversight + fundamental rights impact assessment), GDPR Article 22 right to human reviewHR & LegalOpen
R-22AI vendor changes model or training data without bias re-audit notificationMediumHighContract clause requiring vendor notification on model updates, right to re-audit on model change, version pinning where possible, annual re-evaluation regardless of vendor notificationsHR & ProcurementOpen

Model Behavior & Output Risks

IDRiskLikelihoodImpactControlsOwnerStatus
R-26AI hallucination causing real-world harm (fabricated citations, invented medical advice, false financial data)MediumHighOutput validation against source data, grounding requirements, human review for consequential outputs, citation verification, disclaimer on AI-generated content, user training on hallucination risksEngineering & LegalOpen
R-27Model drift or performance degradation over time without detectionMediumMediumContinuous model performance monitoring, drift detection alerts, scheduled re-evaluation, vendor notification on model updates, A/B testing against baseline outputsEngineeringOpen
R-28AI-generated content infringing third-party copyright or IPMediumHighOutput similarity scanning, vendor indemnification for IP claims, training data provenance disclosure, opt-out from training on copyrighted data, content attribution where possibleLegal & EngineeringOpen
R-29Third-party model provider outage or degradation with no fallbackLowHighMulti-provider architecture, cached response capability, degraded mode operation, SLA with provider, incident response playbook for provider outageEngineeringOpen

Organizational & Human Factors

IDRiskLikelihoodImpactControlsOwnerStatus
R-30Lack of AI literacy and training for end users (blind trust in AI outputs)HighMediumMandatory AI literacy training, documented AI limitations, output review checkpoints, feedback mechanism for incorrect outputs, role-based training on when to trust vs. verify AI outputsHR & SecurityOpen
R-31Cross-jurisdictional regulatory misalignment (compliant in one state/country but non-compliant in another)MediumHighJurisdictional compliance matrix, multi-state regulatory tracking, per-jurisdiction notification templates, legal review for cross-border deployments, modular compliance controls by regionLegal & ComplianceOpen

Compliance & Governance

IDRiskLikelihoodImpactControlsOwnerStatus
R-32Missing AI system documentation for regulatory disclosureMediumHighAI system registry, disclosure review process, automated documentationComplianceOpen
R-33No incident response plan for AI security eventsMediumHighAI incident response playbook, evidence preservation checklist, tabletop exercisesSecurityOpen
R-34Bias or discrimination in consequential AI decisions (non-hiring: lending, insurance, healthcare)LowHighBias testing, human review for consequential decisions, appeal process, NIST AI RMF alignment, ECOA/Regulation B compliance for lending, CFPB guidance adherenceComplianceOpen

Download the AI Risk Register Spreadsheet

Get the complete risk register as a structured spreadsheet with formulas, dropdowns, and conditional formatting — ready to import into your governance tool.

No spam. Unsubscribe anytime.

FAQ

How is an AI risk register different from a traditional IT risk register?

Traditional IT risk registers focus on infrastructure, access control, and data breaches. An AI risk register must additionally cover prompt injection (where the attack vector is natural language), RAG poisoning (where the data source itself is the attack vector), tool abuse (where the model is manipulated into taking actions), model-driven authorization bypass (where the application trusts model output for access decisions), and supply-chain risks from MCP servers and model vendors. These risks do not exist in traditional software.

Should every AI application have its own risk register?

Small, low-risk applications (e.g., a single-user summarization tool with no sensitive data) can share a portfolio-level register. Any application with access to confidential data, more than 10 users, or action/admin tools should have its own register entry with application-specific risks, controls, and owners.

How do I know when to add a new risk to the register?

Add a new risk whenever: (1) a new data source is connected, (2) a new tool or MCP server is integrated, (3) the user population expands significantly, (4) the deployment model changes, (5) a security incident occurs (even if caught before impact), or (6) a new regulatory requirement applies. Review the register quarterly and after any architecture change.

What is the difference between likelihood and impact?

Likelihood is the probability that the risk will materialize given your current controls and architecture. Impact is the severity of consequences if it does materialize — considering data sensitivity, number of users affected, financial cost, regulatory exposure, and reputational damage. A risk with Low likelihood but Critical impact (e.g., PHI exposure) still demands immediate attention.

Need Help Building Your AI Risk Register?

Get a tailored AI risk assessment and governance framework — from Subodh KC, co-founder of the HAIEC AI security and compliance engine.

Let's Talk →