How do I build an AI risk register for a project?

An AI risk register extends your standard risk register with AI-specific categories: vendor dependency, model drift, data privacy violations, bias in outputs, and regulatory non-compliance. Assign likelihood and impact scores, and define mitigations.

Most project risk registers were designed before AI tools were part of the delivery environment. They cover schedule risk, scope risk, resource risk, and stakeholder risk. They do not cover what happens when the AI tool your team depends on changes its model, leaks training data, or gets acquired mid-project.

An AI risk register extends your standard format with categories specific to AI-related failure modes. It does not replace your existing risk register -- it adds to it.

Why AI Risks Need Their Own Categories

Traditional project risks are largely predictable in type, even if not in timing. A key resource leaves. A dependency slips. A stakeholder changes requirements.

AI risks have additional characteristics:

Opacity. AI systems can fail in ways that are not immediately visible. A model producing subtly biased outputs, degrading gradually over time, or behaving differently in production than in testing may not trigger obvious alarms.

Vendor dependency. You are not just depending on the software -- you are depending on a model, a training dataset, and a company's ongoing investment decisions. Any of those can change.

Regulatory exposure. Compliance risk for AI tools is still being defined. Rules that do not apply today may apply next year.

The Five AI Risk Categories

Add these to your project risk register as a dedicated section:

1. Vendor dependency risk. The vendor stops operating, pivots away from your use case, or significantly changes the product. Mitigation: evaluate exit clauses and data portability before adoption; maintain manual fallback processes for critical AI-assisted tasks.

2. Model drift risk. The AI system's outputs degrade over time as the model is updated or as the input data distribution shifts. Mitigation: establish baseline quality benchmarks at adoption; review AI outputs periodically against those benchmarks.

3. Data privacy risk. Project data enters the AI system and is used in ways not authorised -- shared with third parties, used for model training, or exposed in a breach. Mitigation: review the vendor's data handling policy; configure privacy settings; exclude sensitive categories of data from AI tool inputs.

4. Output bias risk. AI-generated recommendations or analyses reflect biases in training data that result in unfair, inaccurate, or discriminatory outputs. Mitigation: establish human review for AI outputs that influence consequential decisions; document the review process.

5. Regulatory non-compliance risk. The AI tool is used in a way that violates applicable regulations (EU AI Act, GDPR, sector-specific rules). Mitigation: complete a regulatory classification review before adoption; consult legal for high-risk applications.

How to Structure the Entries

Use the same format as your standard risk register. For each AI risk:

  • Risk ID: label in sequence (AI-001, AI-002, etc.)
  • Description: what could go wrong and why
  • Category: one of the five above
  • Likelihood: low / medium / high
  • Impact: low / medium / high
  • Risk score: likelihood x impact (1-9 when low/medium/high are scored 1-3, or a traffic-light rating)
  • Mitigation: what the team will do to reduce likelihood or impact
  • Owner: who monitors this risk and escalates if it materialises
  • Review date: when this entry will be reassessed

What to Do with It

Treat the AI risk register the same way you treat the main project risk register: review it each sprint or monthly, update statuses, and escalate when likelihood or impact changes.
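As an added illustration, not code from the original article, here is the entry format from the previous section and the review step just described carried in code: an entry type with the nine fields, the 1-9 score, a traffic-light mapping whose 3/6 cut-offs are an assumption, a completeness check, and a periodic review that lists overdue entries and those at or above an assumed escalation score of 6. The sample entries are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

LEVELS = {"low": 1, "medium": 2, "high": 3}   # low / medium / high scored 1-3
CATEGORIES = {"vendor dependency", "model drift", "data privacy",
              "output bias", "regulatory non-compliance"}

@dataclass
class AIRisk:
    risk_id: str        # AI-001, AI-002, ...
    description: str    # what could go wrong and why
    category: str       # one of CATEGORIES
    likelihood: str     # low / medium / high
    impact: str         # low / medium / high
    mitigation: str     # what the team will do
    owner: str          # who monitors and escalates
    review_date: date   # when the entry is reassessed

    def score(self) -> int:
        """Risk score = likelihood x impact, on the 1-9 scale."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def traffic_light(self) -> str:
        """Traffic-light form of the score; the 3/6 cut-offs are an assumption."""
        s = self.score()
        return "red" if s >= 6 else "amber" if s >= 3 else "green"

def validate(risk: AIRisk) -> list[str]:
    """Return what is wrong with an entry; an empty list means it is complete."""
    problems = []
    if risk.category not in CATEGORIES:
        problems.append(f"unknown category: {risk.category}")
    if risk.likelihood not in LEVELS or risk.impact not in LEVELS:
        problems.append("likelihood and impact must be low/medium/high")
    if not risk.owner.strip():
        problems.append("every entry needs an owner")
    return problems

def review(register: list[AIRisk], today: date, escalate_at: int = 6) -> dict:
    """Periodic review: overdue reassessments and entries at/above the escalation score (6 is assumed)."""
    return {"overdue": [r.risk_id for r in register if r.review_date < today],
            "escalate": [r.risk_id for r in register if r.score() >= escalate_at]}

# Constructed sample entries for the example, not from any real project.
SAMPLE = [
    AIRisk("AI-001", "Vendor updates model without notice", "model drift",
           "medium", "high", "Baseline benchmarks; periodic review", "PM", date(2025, 3, 1)),
    AIRisk("AI-002", "Sensitive data pasted into AI tool", "data privacy",
           "high", "high", "Exclude sensitive data categories", "", date(2025, 9, 1)),
]
```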

The act of building it has two benefits beyond the document itself. It forces the team to discuss AI tool dependencies explicitly, and it creates a record that shows stakeholders and governance functions that AI adoption was managed deliberately. Before building your risk register, use the AI governance checklist for project managers to confirm the governance foundation is in place.
