Many organisations create an AI risk register once, then stop using it. It becomes a spreadsheet that does not reflect reality. A useful risk register is an operational tool: it tracks use cases, control coverage, evidence and residual risk decisions as the system changes.
Make the unit of record a use case
Risk registers fail when they treat "AI" as one thing. Instead, track risks per use case and workflow. Each entry should include:
- Intended users and stakes (internal support vs customer decisions).
- Data classification and residency constraints (see data classification).
- Automation level: draft-only vs tool actions (see safe tooling).
Tier risks and map controls to tiers
Risk tiering makes the register usable. Define a small number of tiers and link each to required controls (see risk appetite and risk and controls).
Controls might include: citations, output scanning, approvals, human review, or stronger telemetry retention rules.
Attach evidence, not just claims
Registers become credible when evidence is attached:
- Evaluation results and regression suites (see regression testing).
- Red team findings and remediation status (see red teaming).
- Telemetry and decision logs that show controls were applied (see decision logging).
Where possible, automate evidence pack generation so the register stays current (see evidence pack automation).
Track residual risk explicitly
Some risk cannot be eliminated. Record residual risk decisions: what is accepted, by whom, and under what conditions. This is where governance councils help: they provide decision rights and cadence (see governance councils).
Keep the register alive
A register is only useful if it stays current. Update it when:
- Model routes change or vendors change.
- New data sources are ingested or permissions change.
- Tools are enabled or autonomy increases.
- Incidents occur and new failure modes are discovered (see incident response).
A practical register turns AI governance into a living system: clear use cases, clear controls, and clear residual risk ownership.