Key facts
- Start from your AI inventory — every system should have at least one linked risk entry.
- Score risk as impact × likelihood, weighted for affected individuals and reversibility.
- Review continuously, with a formal review at least quarterly.
- High-risk systems under the EU AI Act require a documented risk-management system across the whole lifecycle.
- Use the free risk register template to get started.
Outcome summary
A living register of AI risks, each with an owner, a score and a set of controls, that feeds your governance reporting and demonstrates a documented risk-management process for high-risk systems.
Prerequisites
A completed or in-progress AI inventory. Without it, you are guessing at what risks exist rather than working from a real list of systems.
The steps
Step 1: List AI uses. Pull every system from your inventory.
Step 2: Identify risks per system. Consider bias, safety, security, privacy, transparency, accountability and reputational risk for each.
Step 3: Score. Rate impact and likelihood, then multiply for an overall score.
Step 4: Assign owners and controls. Every risk needs a named owner and existing or planned mitigations.
Step 5: Review regularly. Monitor continuously, and hold a formal review at least quarterly and after any material change.
Common mistakes
Building the register once and never updating it, scoring inconsistently across different reviewers, and not linking risks back to the specific AI system in the inventory that caused them.
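The steps and common mistakes above can be checked mechanically. The following is an added example, not part of the original page or its template: a consistency check over a register held as a list of records. The field names, the 1-5 scales, the 92-day reading of "quarterly" and all sample data are assumptions, and the score is left unweighted because the page gives no weights for affected individuals or reversibility.

```python
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=92)  # assumption: "quarterly" read as 92 days

def score(risk):
    """Step 3: overall score = impact x likelihood (1-5 scales assumed)."""
    return risk["impact"] * risk["likelihood"]

def check_register(inventory, register, today):
    """Return sorted (system or risk id, problem) findings for the register."""
    findings = []
    linked = {r["system"] for r in register}
    # Key fact: every inventoried system has at least one linked risk entry.
    for system in inventory:
        if system not in linked:
            findings.append((system, "no risk entry"))
    for r in register:
        # Common mistake: a risk not linked back to a system in the inventory.
        if r["system"] not in inventory:
            findings.append((r["id"], "system not in inventory"))
        # Step 4: a named owner and existing or planned mitigations.
        if not r.get("owner"):
            findings.append((r["id"], "no named owner"))
        if not r.get("controls"):
            findings.append((r["id"], "no controls"))
        # Step 5: formal review at least quarterly.
        if today - r["last_review"] > REVIEW_INTERVAL:
            findings.append((r["id"], "review overdue"))
    return sorted(findings)

# Constructed sample data (hypothetical systems, owners and dates).
INVENTORY = {"cv-screening", "support-chatbot", "fraud-model"}
REGISTER = [
    {"id": "R1", "system": "cv-screening", "risk": "bias",
     "impact": 5, "likelihood": 3, "owner": "Head of HR",
     "controls": ["human review of rejections"], "last_review": date(2026, 5, 1)},
    {"id": "R2", "system": "support-chatbot", "risk": "privacy",
     "impact": 3, "likelihood": 4, "owner": "",
     "controls": [], "last_review": date(2026, 1, 10)},
    {"id": "R3", "system": "legacy-ocr", "risk": "security",
     "impact": 2, "likelihood": 2, "owner": "CTO",
     "controls": ["access logging"], "last_review": date(2026, 6, 1)},
]

if __name__ == "__main__":
    for subject, problem in check_register(INVENTORY, REGISTER, date(2026, 6, 19)):
        print(f"{subject}: {problem}")
    for r in sorted(REGISTER, key=score, reverse=True):
        print(r["id"], r["system"], r["risk"], score(r))
```

Running a check like this before each formal review turns the listed mistakes into findings that can be assigned and closed.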
Frequently asked questions
How do you build an AI risk register?
List your AI uses, identify risks per system, score impact times likelihood, assign owners and controls, then review regularly.
What is an AI risk register?
A living record of identified AI risks with owners, scores, controls and review dates.
How do you score AI risk?
Typically impact times likelihood, often weighted for affected individuals and reversibility.
How often should AI risk be reviewed?
Continuously monitored, formally reviewed quarterly and on any material change.
How does AI risk management link to the EU AI Act?
High-risk systems require a documented risk-management system maintained throughout the system's lifecycle.
Last updated 19 June 2026.