Risk Register — Living Documentation of AI Risk Management
Definition
An AI risk register is a structured, maintained document that captures the identified risks associated with an organization’s AI systems: their nature, likelihood, potential impact, current controls, residual risk level, risk owner, and remediation status. It is the operational artifact through which AI risk management transitions from a process description to a living governance record — providing the documented evidence that risks are known, assessed, and actively managed.
A comprehensive AI risk register entries cover: risk description and category (technical, ethical, legal, operational, reputational); likelihood and impact ratings; inherent risk score; existing controls and their effectiveness; residual risk score after controls; risk owner; treatment strategy (accept, mitigate, transfer, avoid); specific actions and deadlines; and review dates. The register should be reviewed and updated at defined intervals and whenever a material change occurs to the AI system, its deployment context, or the regulatory environment.
ISO/IEC 23894 and ISO/IEC 42001 both require risk management documentation that functions as a risk register. The EU AI Act’s risk management system requirement for high-risk AI systems is satisfied in part through documented risk registers that are maintained as part of the technical file.
Why it matters operationally
The risk register is where AI risk management either materializes or fails. An organization can have a documented risk management process and still fail at risk governance if the risk register is incomplete, outdated, or disconnected from operational reality. The failure pattern is consistent: risks are identified at project inception, entered in a spreadsheet, and never reviewed again as the model evolves, deployment expands, or regulatory requirements change.
For high-risk AI systems under the EU AI Act, the risk register is not just a governance artifact — it is part of the technical file that must be maintained and updated throughout the system’s operational life. An auditor or regulator reviewing the technical file will examine whether the risk register reflects current risks, whether mitigations have been implemented, and whether residual risks are within the organization’s stated risk appetite.
Regulatory framework
| Framework | Risk register requirements |
|---|---|
| EU AI Act | The risk management system for high-risk systems must document identified risks and mitigation measures adopted, be kept updated throughout the system’s life, and form part of the technical file. |
| ISO/IEC 23894 | AI risk management requires documentation of identified risks, their assessment, and treatment decisions. |
| ISO/IEC 42001 | Annex A controls include maintaining a documented AI risk register as a management system component. |
| NIST AI RMF — Map | The Map function includes documenting identified risks in inventories and registers that feed the Measure and Manage functions. |
How Zertia evaluates it
Zertia evaluates the AI risk register as part of both the ISO/IEC 23894 Risk Assessment and ISO/IEC 42001 certification. The assessment examines whether the register covers all relevant risk categories, whether likelihood and impact ratings are calibrated to the specific deployment context, whether risk owners are assigned and accountable, whether treatment actions have been implemented and verified, and whether the register is being actively maintained or has become stale.
[ISO 23894 Assessment] · ISO 42001 Certification
Definitions that hold up under audit.
Does this term apply to your certification project? Let's talk 30 minutes, no commercial pressure.
