AI risk register
Seeded with audit findings, structured for ongoing additions and triage.
Risk & Controls is delivered as a grouped workstream because controls depend on risk tiering — together they form a complete unit. You get a standing process to identify, assess, own, and track AI risk, plus the controls that make higher-risk AI use safe: human review, guardrails, filters, logging, and vendor terms, proportionate to each use's risk.
The audit identifies the risks; this workstream builds the process that keeps managing them as AI use changes.
A likelihood-by-impact model that produces comparable ratings across very different risks.
Each risk has an owner accountable for its mitigation and status.
Thresholds at which a use requires committee review, additional controls, or escalation before it proceeds.
New AI uses are risk-assessed at registration, not after an incident.
A standing view of the AI risk posture the committee and board can track over time.
Controls are where governance starts changing behavior. Guardrails and filters are first-class asset types in Governance 1st, applied to use cases, agents, and prompts according to risk and ownership tier.
Which controls apply to low-, moderate-, and high-risk uses, so control effort matches risk.
Documented human review required for AI-influenced consequential decisions, with clear accountability for the final decision.
Prevent confidential, personal, or regulated data from entering tools that should not receive it.
Verification requirements and output filters for uses where inaccurate or inappropriate output carries real consequence.
Route AI use toward sanctioned, governed tools and away from prohibited ones.
Confidentiality- and data-appropriate vendor terms, plus the logs needed to reconstruct an AI-assisted decision.
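As an added illustration of the register, scoring model, tier thresholds, owners, and tier-to-control mapping described above (example code written for this page, not Governance 1st's own implementation), the following Python sketch scores each risk as likelihood times impact on a 1 to 5 scale, maps the score to a tier, assigns the controls each tier requires, flags high-tier uses for committee review before they proceed, and produces the tier counts a committee or board would track over time. The thresholds, control lists, and the three seeded risks are constructed assumptions for the example.

```python
"""Minimal AI risk register: likelihood x impact scoring, risk tiers, owners,
and tier-to-control mapping. Thresholds and control lists are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    LOW = "low"
    MODERATE = "moderate"
    HIGH = "high"


# Assumed tier boundaries on the 1-5 x 1-5 score (maximum 25).
TIER_THRESHOLDS = ((6, Tier.LOW), (12, Tier.MODERATE), (25, Tier.HIGH))

# Assumed controls per tier; a higher tier inherits everything below it.
CONTROLS_BY_TIER = {
    Tier.LOW: ["route to sanctioned tool", "vendor terms reviewed"],
    Tier.MODERATE: ["data-entry guardrails", "decision logging"],
    Tier.HIGH: ["documented human review", "output verification and filters",
                "committee review before proceeding"],
}


def tier_for(score: int) -> Tier:
    """Map a likelihood x impact score to a tier using the thresholds above."""
    for limit, tier in TIER_THRESHOLDS:
        if score <= limit:
            return tier
    raise ValueError(f"score {score} outside the 1-25 scale")


def controls_for(tier: Tier) -> list[str]:
    """Controls required at a tier, including those inherited from lower tiers."""
    required: list[str] = []
    for t in Tier:  # enum iteration follows definition order: LOW, MODERATE, HIGH
        required.extend(CONTROLS_BY_TIER[t])
        if t is tier:
            break
    return required


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str          # accountable person; the register refuses ownerless risks
    likelihood: int     # 1 (rare) to 5 (almost certain)
    impact: int         # 1 (negligible) to 5 (severe)
    status: str = "open"

    def __post_init__(self) -> None:
        if not self.owner.strip():
            raise ValueError(f"{self.risk_id}: every risk needs an owner")
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.risk_id}: {name} must be 1-5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def tier(self) -> Tier:
        return tier_for(self.score)


class RiskRegister:
    def __init__(self) -> None:
        self._risks: dict[str, Risk] = {}

    def register(self, risk: Risk) -> dict:
        """Triage a new risk at registration time and return the decision."""
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self._risks[risk.risk_id] = risk
        return {
            "risk_id": risk.risk_id,
            "owner": risk.owner,
            "score": risk.score,
            "tier": risk.tier.value,
            "controls": controls_for(risk.tier),
            "committee_review": risk.tier is Tier.HIGH,  # escalation threshold
        }

    def posture(self) -> dict[str, int]:
        """Count of open risks per tier: the standing view for committee and board."""
        counts = {t.value: 0 for t in Tier}
        for r in self._risks.values():
            if r.status == "open":
                counts[r.tier.value] += 1
        return counts


def seed_register() -> RiskRegister:
    """Seed the register with constructed sample findings (not real audit data)."""
    reg = RiskRegister()
    reg.register(Risk("R-001", "Customer personal data pasted into an unsanctioned chatbot",
                      "Head of Data Protection", likelihood=4, impact=5))
    reg.register(Risk("R-002", "Fabricated citations in internal research summaries",
                      "Research Lead", likelihood=3, impact=2))
    reg.register(Risk("R-003", "Vendor retains prompts for training under default terms",
                      "Procurement Lead", likelihood=3, impact=3))
    return reg


if __name__ == "__main__":
    print(seed_register().posture())
```

The escalation rule is deliberately a single predicate on the tier, so changing the threshold at which a use requires committee review means editing one line rather than re-scoring every entry; validation in `__post_init__` enforces the "every risk has an owner" rule at the point of registration, which is where the page says assessment should happen.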
A scoping conversation about which uses warrant which controls, how risk would be tracked, and how Governance 1st operationalizes both.