Key facts

  • Four steps: describe the system, identify harms, assess likelihood and severity, document mitigations.
  • Consider bias, safety, security, privacy, transparency and accountability as harm categories.
  • Reassess whenever the system or its use changes materially, not just once at launch.
  • For high-risk systems, the EU AI Act requires this as a formal, documented risk-management process maintained across the system's lifecycle.
  • Feed the results into your AI risk register.

Step 1: describe the system

What does the AI system do, what data does it use, and who does it affect — both the people using it directly and anyone whose outcomes it influences (a candidate being screened, a customer being scored, a patient being triaged)?

Step 2: identify harms

Work through the common harm categories systematically: bias and unfair outcomes, safety, security, privacy, lack of transparency, and unclear accountability. Not every category will apply to every system, but checking each one deliberately catches risks that an unstructured brainstorm tends to miss.

Step 3: assess likelihood and severity

For each identified harm, rate how likely it is to occur and how severe the consequences would be if it did, then combine the two into an overall risk level. Weight this by how many people are affected and how reversible the harm would be — a rare but catastrophic and irreversible harm often deserves more attention than a common but minor one.

Step 4: document mitigations

Record what controls already reduce the risk (human review, testing, monitoring), what residual risk remains with those controls in place, and what additional mitigations are planned, with an owner and a date for each. This is the step that turns an assessment into something actionable rather than just a description of the problem.

Making it repeatable

Use the same structure every time, feed the results into your risk register, and reassess whenever the system, its data, or its use changes materially — not only when it is first deployed.
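The four steps and the reassessment trigger, carried through as an added worked example; this is illustration code, not code from the page or from any regulator. The 1-5 rating scale, the scale and reversibility weights, the level thresholds and the CV-screening system are all assumptions. It shows the Step 3 point in numbers: as a bare likelihood × severity product, the rare catastrophic harm (1 × 5) and the common minor one (4 × 1) are almost tied; once scale and reversibility are weighted, the catastrophic one scores five times higher. It also records which harm categories were checked and ruled out, and fingerprints the system description so a material change marks the assessment stale.

```python
"""Worked AI risk assessment: describe, identify harms, score, record mitigations,
and detect when the assessment has gone stale.

Added example. The 1-5 scale, weights, thresholds and sample system are assumptions.
"""
from dataclasses import dataclass, field, asdict
import hashlib
import json

# Step 2: the harm categories to check deliberately, one by one.
HARM_CATEGORIES = ("bias", "safety", "security", "privacy",
                   "transparency", "accountability")

# Step 3 weights (assumed): how many people are affected, and whether the
# harm can be undone. Irreversible harm counts double.
SCALE_WEIGHT = {"individual": 1.0, "group": 1.5, "population": 2.0}
REVERSIBILITY_WEIGHT = {True: 1.0, False: 2.0}


@dataclass(frozen=True)
class SystemDescription:
    """Step 1: what the system does, what data it uses, who it affects."""
    purpose: str
    data_used: tuple      # e.g. ("CVs",)
    affected: tuple       # direct users and people whose outcomes it shapes

    def fingerprint(self) -> str:
        # Stable hash of the description; any material change alters it.
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


@dataclass
class Harm:
    """One identified harm with its Step 3 ratings and Step 4 mitigations."""
    category: str
    description: str
    likelihood: int       # 1 = rare .. 5 = almost certain
    severity: int         # 1 = minor .. 5 = catastrophic
    scale: str            # key of SCALE_WEIGHT
    reversible: bool
    existing_controls: list = field(default_factory=list)
    planned_mitigations: list = field(default_factory=list)

    def __post_init__(self):
        if self.category not in HARM_CATEGORIES:
            raise ValueError(f"unknown harm category: {self.category}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.severity <= 5):
            raise ValueError("likelihood and severity must be on the 1-5 scale")
        if self.scale not in SCALE_WEIGHT:
            raise ValueError(f"unknown scale: {self.scale}")


def risk_score(h: Harm) -> float:
    """Likelihood x severity, then weighted for scale and reversibility."""
    return (h.likelihood * h.severity
            * SCALE_WEIGHT[h.scale] * REVERSIBILITY_WEIGHT[h.reversible])


def risk_level(score: float) -> str:
    """Map a weighted score (maximum 5*5*2*2 = 100) to a level. Thresholds assumed."""
    if score >= 40:
        return "high"
    return "medium" if score >= 15 else "low"


@dataclass
class Assessment:
    system: SystemDescription
    harms: list
    not_applicable: set = field(default_factory=set)  # categories checked, ruled out
    assessed_fingerprint: str = ""

    def run(self) -> list:
        """Score every harm and return risk-register rows, highest risk first."""
        self.assessed_fingerprint = self.system.fingerprint()
        rows = [{"category": h.category, "harm": h.description,
                 "score": risk_score(h), "level": risk_level(risk_score(h)),
                 "existing_controls": list(h.existing_controls),
                 "planned_mitigations": list(h.planned_mitigations)}
                for h in self.harms]
        return sorted(rows, key=lambda r: r["score"], reverse=True)

    def unchecked_categories(self) -> set:
        """Categories neither assigned a harm nor explicitly ruled out."""
        return set(HARM_CATEGORIES) - ({h.category for h in self.harms} | self.not_applicable)

    def needs_reassessment(self, current: SystemDescription) -> bool:
        """True once the system's description differs from the one assessed."""
        return current.fingerprint() != self.assessed_fingerprint


# Constructed sample (not a real deployment): a CV-screening system.
SCREENING_V1 = SystemDescription("rank job applicants for recruiter review",
                                 ("CVs",), ("recruiters", "job candidates"))
SAMPLE_HARMS = [
    Harm("bias", "systematically ranks one demographic lower", 1, 5, "population", False,
         existing_controls=["recruiter reviews every shortlist"],
         planned_mitigations=["quarterly disparity testing"]),
    Harm("transparency", "candidate sees no reason for rejection", 4, 1, "individual", True,
         existing_controls=["standard rejection notice"]),
]


def demo():
    """Assess v1, then show that adding a data source marks the assessment stale."""
    a = Assessment(SCREENING_V1, SAMPLE_HARMS, not_applicable={"safety"})
    rows = a.run()
    v2 = SystemDescription(SCREENING_V1.purpose,
                           SCREENING_V1.data_used + ("social media profiles",),
                           SCREENING_V1.affected)
    return rows, a.unchecked_categories(), a.needs_reassessment(SCREENING_V1), a.needs_reassessment(v2)
```

Running `demo()` ranks the bias harm first at 20.0 (medium) against 4.0 (low) for the transparency harm, reports security, privacy and accountability as categories nobody has yet checked, and flags the assessment for redoing as soon as the data description gains a new source. The unchecked-categories check is the practical guard against the unstructured brainstorm the page warns about: a category is only off the list once someone has recorded it as not applicable.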

Frequently asked questions

What are the steps in an AI risk assessment?

Describe the system, identify harms, assess likelihood and severity, and document mitigations.

What harm categories should an AI risk assessment consider?

Bias, safety, security, privacy, transparency and accountability, checked systematically rather than through unstructured brainstorming.

How do you score AI risk severity?

Typically likelihood times severity, weighted for how many people are affected and how reversible the harm would be.

When should an AI risk assessment be redone?

Whenever the system, its data, or its use changes materially — not just once at launch.

Is AI risk assessment mandatory under the EU AI Act?

For high-risk systems, yes — a documented, ongoing risk-management process is required across the system's lifecycle.

Last updated 19 June 2026.