Template & guide

The AI risk register, explained

An AI risk register is the single source of truth for every AI system in your business — what it does, who owns it, what could go wrong, and how you'd know.

Why it matters

Regulators, enterprise buyers and your own board will all ask the same question in 2026: which AI systems do you run, and how do you control their risk? A written register is the cheapest answer. Without one, every audit, security review and vendor questionnaire becomes a multi-week scramble.

The nine fields every register needs

System ID & name

Unique identifier for every AI system — internal or third-party.

Owner

Named human accountable for the system, not a team alias.

Purpose & use case

What the system does, in one plain sentence.

Model & vendor

Provider, model version, hosting region, fallback model.

Data inputs

What data the system sees, including PII categories and lawful basis.

Risk classification

EU AI Act tier, NIST AI RMF rating, internal severity.

Mitigations

Human review, rate limiting, output filters, rollback plan.

Review cadence

When this entry was last reviewed and when it's due again.

Incidents & changes

Log of model upgrades, vendor changes and any reportable incidents.

Spreadsheet vs automated

A spreadsheet works for the first ten systems. Past that, entries go stale, vendor changes get missed, and shadow AI usage by junior staff stays invisible. An automated AI risk register discovers new systems, watches vendor posture and flags entries that haven't been reviewed in the agreed cadence.

  • Auto-discovery of AI tools across your domain and stack
  • Vendor risk score that updates when the vendor changes
  • Linked evidence (DPAs, model cards, incident logs)
  • Audit log of every edit, with reviewer and timestamp
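As an added illustration (not the template's own tooling, nor any vendor's product), a minimal Python version of the nine-field register schema together with the staleness and completeness checks an automated register would run over it; the "-team" owner-alias convention, the sample systems, vendor strings and dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
@dataclass
class RegisterEntry:
    """One register row holding the nine fields listed above."""
    system_id: str            # System ID & name
    name: str
    owner: str                # Owner: a named person, not a team alias
    purpose: str              # Purpose & use case
    model_vendor: str         # Model & vendor: provider, version, region, fallback
    data_inputs: list         # Data inputs; PII categories are tagged "PII: ..."
    lawful_basis: str         # lawful basis for any PII listed above
    risk_tier: str            # Risk classification, e.g. EU AI Act tier
    mitigations: list         # Mitigations
    last_reviewed: date       # Review cadence: last review ...
    review_cadence_days: int  # ... and the agreed interval
    incidents_and_changes: list = field(default_factory=list)  # Incidents & changes
def next_review_due(entry):
    return entry.last_reviewed + timedelta(days=entry.review_cadence_days)

def audit_entry(entry, today):
    """Return the findings an automated register would flag for one entry."""
    findings = []
    overdue = (today - next_review_due(entry)).days
    if overdue > 0:
        findings.append(f"review overdue by {overdue} days")
    # Hypothetical naming convention: shared mailboxes end in "-team"
    if not entry.owner.strip() or entry.owner.lower().endswith("-team"):
        findings.append("owner must be a named person")
    if any(i.startswith("PII:") for i in entry.data_inputs) and not entry.lawful_basis:
        findings.append("PII listed without a lawful basis")
    if entry.risk_tier == "high" and not any("human review" in m.lower() for m in entry.mitigations):
        findings.append("high-risk system without human review")
    return findings

def audit_register(entries, today):
    """Map system_id -> findings for every entry that fails at least one check."""
    return {e.system_id: f for e in entries if (f := audit_entry(e, today))}

# Constructed sample: one healthy entry and one stale, under-controlled entry.
AS_OF = date(2026, 3, 1)
SAMPLE = [
    RegisterEntry("AI-001", "Support reply drafter", "a.lee", "Drafts first replies to tickets",
                  "ExampleVendor / model-v2 / eu-west / fallback model-v1",
                  ["ticket text", "PII: customer name"], "legitimate interest", "limited",
                  ["Human review before send", "Output filter"], date(2026, 1, 10), 90),
    RegisterEntry("AI-002", "Loan pre-screening", "credit-team", "Scores loan applications",
                  "ExampleVendor / model-v2 / eu-west / none", ["application form", "PII: income"],
                  "", "high", ["Rate limiting"], date(2025, 9, 1), 90),
]
```

Running `audit_register(SAMPLE, AS_OF)` returns findings only for AI-002; the same checks can be scheduled against a real register export to produce the review-due and missing-control alerts described above.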