AI Risk Assessment Template
Use this table before adopting or launching an AI system. Copy it into a spreadsheet and add evidence, owners, deadlines, and review dates.
| Area | Question | Evidence to collect | Owner |
|---|---|---|---|
| Purpose | What decision, recommendation, or output does the AI system support? | Use-case description, user group, business owner | Product / business owner |
| Risk classification | Which category does the use case fall into: prohibited, high-risk, transparency-risk, or minimal risk? Does it build on a general-purpose AI (GPAI) model? | AI Act mapping, use-case category, model/vendor documentation, legal notes | Compliance / legal |
| Data | What data is used, and could it create privacy, security, or bias risk? | Data inventory, DPIA notes, source documentation | Privacy / security |
| Human oversight | Who can review, override, or stop the AI system? | Escalation path, role descriptions, training records | Operations / product |
| Transparency | Do users need to know they are interacting with AI or viewing AI-generated content? | Notices, chatbot labels, content labelling design | UX / legal |
| Monitoring | How will incidents, drift, misuse, and performance failures be tracked? | Monitoring plan, incident process, audit logs | Engineering / risk |
When to run an AI risk assessment
Run an AI risk assessment before launching a new AI system, approving a new vendor, using AI in a sensitive workflow, changing the model or data, or expanding AI use to a new group of people. For high-impact areas such as employment, education, credit, essential services, biometric systems, and safety components, the assessment should be more formal and evidence-based.
The six-part assessment
- Use case: what the AI system does and who is affected.
- Risk category: whether the use case may be prohibited, high-risk, transparency-risk, GPAI-related, or lower risk.
- Data: data sources, personal data, quality, bias, confidentiality and security.
- Controls: human oversight, access controls, logging, user notices and testing.
- Impact: possible harm to individuals, customers, workers, the business, and society.
- Monitoring: post-launch review, incidents, complaints and model/vendor changes.
Scoring risk without false precision
Do not present AI risk as a single precise number. Use simple levels: low, medium, high and critical. For each level, record why it was chosen, which controls reduce the risk, and what residual risk remains once those controls are in place, so a reviewer can see the level before and after controls rather than just the final label. The evidence and reasoning matter more than the number.
FAQ
Is an AI risk assessment the same as a DPIA?
No. A DPIA focuses on data protection risk. An AI risk assessment may include privacy but also covers safety, bias, transparency, human oversight, security and regulatory classification.
How often should assessments be reviewed?
Review before launch, after major changes, after incidents, and on a regular schedule for important systems.
Who should sign off?
At minimum the business owner, technical owner and privacy/security owner, plus a compliance/legal reviewer where the use case is regulated or falls into a high-risk category.
Sources and review method
This page is written as general business guidance, not legal advice. It is maintained from official AI Act materials, European Commission / AI Office updates, the NIST AI Risk Management Framework and practical AI governance controls.