EU AI Act Article 9 requires a risk management system across the entire lifecycle of every high-risk AI system. It does not tell you how to build one. NIST's AI RMF tells you what good looks like across 72 subcategories, but issues no certification and no scoring method. This is the working process that fills the gap — scope, score, register, treat, monitor.
Most security teams already know how to run a risk assessment. You inventory assets, identify threats, estimate likelihood and impact, score, prioritize, treat, and monitor. The methodology is decades old and it works. So the natural instinct when AI arrives is to point that same machinery at the new systems and call it done.
That instinct is half right. The structure of risk assessment transfers cleanly. What doesn't transfer is the threat model, the failure modes, or the unit of analysis. A traditional assessment asks whether an attacker can compromise a system. An AI risk assessment has to also ask what happens when the system behaves exactly as designed and still causes harm — when a model confabulates a citation, when an agent takes an action nobody authorized because a webpage told it to, when a RAG pipeline surfaces a document to someone who was never entitled to see it. None of those are compromises. All of them are risks. This guide is the practical process for assessing them: how to scope, how to score without inventing fake precision, what belongs in the register, how to decide treatment, and where most assessments quietly fail.
Before you build the register, get the number. Polygraf's AI Risk Calculator models your organization's exposure across breach, regulatory, litigation, and reputational risk — and maps which obligations apply to your systems, from the EU AI Act to HIPAA, PCI DSS, and GLBA.
NIST frames AI risk as fundamentally socio-technical — harms flow not just from code, but from data, deployment context, and human oversight. And it treats AI risk as continuous: systems drift, contexts change, and new risks surface across the lifecycle. Those two properties break several assumptions built into conventional assessments.
The single most common scoping error is assessing the model when the risk lives in the system around it. A well-behaved model wired to an over-permissioned tool, fed by an unfiltered retrieval corpus, with no human checkpoint before it acts, is a high-risk system containing a low-risk model. Assess the whole assembly: the model, its prompts and configuration, its data sources and entitlements, the tools it can invoke, the actions it can take, the humans in the loop, and the population it affects.
Scoring is where assessments go wrong in both directions — either everything is "medium," or a spreadsheet produces a 7.42 that nobody can defend. The workable middle is a coarse likelihood × impact scale, adjusted by a small number of AI-specific amplifiers that genuinely change blast radius. Try it below.
The heat map's job isn't to look impressive in a board deck. It's to make prioritization arguments explicit — and to show, at a glance, how many risks sit above the line your organization said it wouldn't cross.
Note where two of the most common risks sit. Prompt injection scores high on likelihood because it needs no malware and no credentials — a sentence in a retrieved document suffices — and high on impact because it inherits whatever permissions the agent holds. Sensitive data in prompts scores even higher on likelihood, because it isn't an attack at all: it's an employee doing their job with the wrong tool. That's the uncomfortable insight of most AI assessments — your top-scoring risks are often the ones with no adversary in them.
Stage 3 goes faster when you work from an authoritative taxonomy. NIST's Generative AI Profile (AI 600-1, published July 2024) identifies twelve risk categories unique to or amplified by generative AI, each mapped to suggested actions across the four AI RMF functions. Walk the list against your system; most teams find at least three they hadn't considered.
The register is the assessment's durable output. Anything not in it is not being managed. Every row needs a named owner and a review date — a risk owned by "the AI team" is owned by nobody.
| ID | Risk | Inherent | Treatment | Control | Residual | Owner |
|---|---|---|---|---|---|---|
| AIR-01 | Employees paste customer PII into an ungoverned AI tool | 20 · Critical | Mitigate | Inline prompt inspection + redaction; enforced AUP; detection logging | 4 · Low | CISO |
| AIR-02 | Indirect prompt injection redirects the support agent | 16 · Critical | Mitigate | Least-privilege tool scoping; input filtering; human checkpoint on writes | 6 · Moderate | Head of AI Eng. |
| AIR-03 | Model confabulates a figure in a client-facing summary | 15 · High | Mitigate | Grounded retrieval with citations; human review before external send | 6 · Moderate | Product Lead |
| AIR-04 | RAG index surfaces documents beyond the user's entitlement | 12 · High | Mitigate | Entitlement-aware retrieval; index ACL review each quarter | 4 · Low | Data Platform |
| AIR-05 | Third-party model provider changes retention terms | 9 · Moderate | Transfer | Contractual no-training clause; on-prem fallback path; vendor review | 6 · Moderate | Procurement |
| AIR-06 | Model performance drifts on a minority subgroup | 12 · High | Mitigate | Subgroup performance monitoring with alert thresholds; scheduled re-eval | 6 · Moderate | ML Lead |
Article 9(5) of the EU AI Act sets an explicit bar: the residual risk associated with each individual hazard, and the overall residual risk of the high-risk AI system, must be judged to be acceptable. That word "judged" implies a documented judgment by someone with authority to make it. Article 9(3) also scopes the exercise — the risk management system addresses risks that can reasonably be mitigated or eliminated through the system's development and design, or through the provision of adequate technical information.
The practical translation: an assessment that lists inherent risks and stops is incomplete. You need the control, the resulting residual score, and a person who put their name to accepting it. "Accepted" with no signatory is just an unowned risk with better formatting.
"A risk assessment isn't a document you produce — it's a claim you have to be able to defend. Every score should trace to a test, every control to a log line, and every accepted risk to a person who signed for it. Anything else is a spreadsheet with good intentions."
— Polygraf AI, on operationalizing AI risk assessmentDone properly, a single assessment produces evidence for multiple regimes at once — which is the entire economic argument for doing it well. NIST's AI RMF is voluntary and offers no certification, but it's the most widely used internal method for generating exactly the evidence that binding regimes demand. ISO/IEC 42001 turns that work into a certifiable management system. ISO/IEC 23894 provides the ISO 31000-aligned risk-management companion. And the EU AI Act binds you to outcomes it doesn't prescribe a method for.
A risk management policy written once can serve NIST's GOVERN function and EU AI Act Article 9. A red-team and accuracy evaluation report can serve MEASURE, Article 15's accuracy and robustness requirements, and an ISO 42001 audit. The mistake is running three programs; the move is running one and tagging each artifact against every framework it satisfies. Worth noting for planning: NIST states that AI RMF 1.0 is being revised, and in April 2026 it issued a concept note for a forthcoming profile on trustworthy AI in critical infrastructure — so build your mapping to be updatable rather than hard-coded.
A risk assessment is only as good as the evidence underneath it, and most of that evidence has to be generated at runtime. Polygraf AI's Behavioral Control Plane sits inline at the AI boundary and supplies three of the stages directly. For inventory (stage 2), it discovers shadow AI and surfaces which tools are actually in use and what data reaches them. For treatment (stage 6), it is the control on the highest-scoring rows of most registers — inline detection and redaction of PII, PHI, cardholder data, secrets, and source code before a prompt leaves your environment, which is what moves a risk like AIR-01 from Critical to Low. For monitoring (stage 7), every policy decision — allow, redact, block, which rules matched, who the authenticated actor was — is logged immutably, which is precisely the telemetry that turns a static register into a live one.
Because it runs on-premise with zero data egress and sub-100ms latency, the control layer doesn't add a new risk row of its own. Your residual-risk claim rests on evidence you generated and hold, not on a vendor's assertion that a control was working.
Polygraf AI enforces policy inline on every prompt and output, and logs every decision immutably — supplying the inventory, the control, and the evidence your assessment depends on. On-premise, sub-100ms, zero data egress.
At Polygraf, we envision a future where AI augments human capabilities without compromising safety, privacy, or ethical standards. Trust in our commitment to building this future with you.
© 2026 Polygraf AI. All rights reserved.
Your download will start now.
Please provide information below and we will send you a link to download the white paper.