By Nizar Hneini and Ashok Kaul
The rapid adoption of artificial intelligence (AI) technology has exposed organizations to a wide spectrum of risks, from privacy breaches to operational failures. Recent global cases have highlighted the dire consequences of poor AI governance, leading to financial and reputational damage. For example, the AI assistant Claude, developed by US-based AI company Anthropic in 2021, was exploited by cybercriminal group GTG5004 to execute automated attacks – including vulnerability scanning, ransomware creation and psychological ransom notes. This had a major negative impact on organizations across healthcare, government, emergency services and religious sectors. Such high-profile cases illustrate how unmanaged AI can harm not just organizations but also society at large.
Any effective AI risk management framework must be built on the backbone of a robust artificial intelligence management system (AIMS). As defined in ISO/IEC 42001, an AIMS is a structured system that helps organizations manage AI responsibly and strategically. It establishes the necessary governance, policies and processes to ensure that AI is developed and deployed in a way that is transparent, ethical, reliable and aligned with both business objectives and regulatory expectations.
"Every sector that adopts AI inherits its power and its peril. Risk mitigation isn’t a cost of innovation - it’s the foundation that allows innovation to endure."
From a risk management perspective, AIMS provide a foundation for identifying and mitigating risk across the entire AI lifecycle, from data sourcing and model development through deployment, monitoring and retirement. By doing so, they safeguard organizations against potential harm and enable them to unlock sustainable value from AI while maintaining trust with regulators, stakeholders and customers. Importantly, effective AIMS cut across all stages of the lifecycle.
Building on the AIMS governance foundation, the following section introduces the AI Risk Mitigation Framework – a cyclical, iterative process for identifying, assessing and treating AI-related risks. Managing AI risk means balancing innovation with accountability. By establishing an AIMS, organizations do three things: they build trust with stakeholders, they ensure that they meet regulatory requirements and, crucially, they make sure their AI initiatives are both successful and safe.
The recommended risk management process is cyclical, meaning it is a continuous loop rather than a one-time event. This ensures that an organization’s approach to AI risks evolves alongside the technology itself. The process should be based on established international standards such as ISO/IEC 42001 and ISO 31000, adapted to address the unique challenges of AI.
The development of the AI Risk Mitigation Framework involves a series of interconnected steps, from setting the scope, context and criteria for the system to recording and reporting on the process. We examine each of these steps below.
Once the foundation for the framework is established, the next step is to conduct a thorough risk assessment. This comprises three distinct phases:
Risk identification: The company proactively pinpoints potential risks across the entire AI lifecycle, from data sourcing to model deployment. Risks can be of four types: data risks, such as bias or privacy breaches; model risks, such as overfitting or a lack of robustness; operational risks, including deployment errors and adversarial attacks; and societal or ethical risks, such as discrimination or misuse of generative AI.
Risk analysis: The company then assesses each of these risks along two dimensions: their severity and their likelihood. Here, we recommend using the Human Rights, Democracy and Rule of Law Assurance Framework (HUDERAF), which combines these two dimensions to calculate a Risk Index Number (RIN). The HUDERAF not only makes it easier to prioritize risks, it also encourages organizations to look more closely at the potential impact on human dignity and the number of people who could be affected.
Risk evaluation: Finally, the organization must make strategic decisions, comparing the calculated risk levels against the established criteria – and on that basis classifying each risk as acceptable, tolerable or unacceptable. This classification guides the subsequent prioritization and resource allocation.
Ready to take your AI governance to the next level?
Download the full AI Risk Mitigation Framework report to access actionable insights, proven strategies, and practical tools for identifying, assessing, and managing AI-related risks. Discover how leading organizations are building trust, ensuring compliance, and turning AI risk into a competitive advantage.
We would like to extend our sincere thanks to Rizwanur Rahman for his extensive contribution to the writing of this report.
A comprehensive framework for identifying, assessing, and managing AI risks. Learn how AIMS and ISO/IEC 42001 support ethical, compliant and secure AI governance.
