AI Risk Register Template

How to Use

Copy and adapt this register for your organization. Each risk should be scored, assigned an owner, and tracked through your existing GRC processes.

ID	Risk	Category	Likelihood	Impact	Inherent Risk	Control	Residual Risk	Owner	Status
AI-001	Prompt injection in customer chatbot	Technical	High	High	Critical	Input/output filtering, system prompt hardening	High	AppSec Lead	Open
AI-002	Training data contains PII	Privacy	Medium	High	High	Data scanning, anonymization pipeline	Medium	Data Privacy	Open
AI-003	Shadow AI adoption by employees	Operational	High	Medium	High	AI acceptable use policy, DLP, CASB	Medium	CISO	Open
AI-004	Third-party model API outage	Availability	Medium	Medium	Medium	Multi-provider fallback, caching	Low	Platform Eng	Open
AI-005	Model generates biased outputs	Compliance	Medium	High	High	Bias testing, human review, monitoring	Medium	AI Ethics	Open
AI-006	Poisoned open-source model deployment	Supply Chain	Low	Critical	High	Model provenance, hash verification, sandboxing	Medium	ML Eng	Open
AI-007	Model extraction via API	IP/Technical	Low	High	Medium	Rate limiting, output perturbation, monitoring	Low	API Security	Open
AI-008	Non-compliance with EU AI Act	Regulatory	Medium	High	High	Risk classification, documentation, audit trail	Medium	Legal/GRC	Open
AI-009	Hallucination in financial advisory tool	Integrity	High	High	Critical	Human-in-the-loop, output verification, disclaimers	High	Product	Open
AI-010	Employee uploads sensitive data to ChatGPT	Data Leakage	High	High	Critical	DLP, approved AI tool list, training, endpoint controls	Medium	Security Ops	Open

Likelihood: Low (unlikely) | Medium (possible) | High (probable)

Impact: Low (minor) | Medium (moderate disruption) | High (significant damage) | Critical (existential/regulatory)

Risk = Likelihood × Impact

This register should feed into your existing: