PolicifyAI
Published April 2026 · 9 min read
How to Build an AI Model Risk Register
The EU AI Act and NIST AI RMF both require documented risk assessments for AI systems.
What a Model Risk Register Is and Why You Need One
A model risk register is a structured inventory of every AI and machine learning model your organisation develops, deploys, or procures — along with a documented assessment of the risks each model presents. It is the operational backbone of AI governance.
EU AI Act Article 9: The Legal Baseline
Article 9 requires providers of high-risk AI systems to establish, implement, document, and maintain a risk management system throughout the entire lifecycle. The register must identify and analyse known and foreseeable risks, estimate risks from unintended use, and record measures adopted to manage each risk.
Alignment with the NIST AI Risk Management Framework
The NIST AI RMF's four core functions — Govern, Map, Measure, and Manage — translate directly into register design. Govern covers policies and accountability. Map covers risk identification. Measure covers evaluation metrics. Manage covers treatment decisions and monitoring.
Risk Categories Every Register Must Cover
- Bias and fairness risk: Does the model produce discriminatory outcomes across demographic groups?
- Safety risk: What is the potential for harm? What failure modes have been tested?
- Security risk: Is the model vulnerable to adversarial inputs, model inversion, or data poisoning?
- Privacy risk: Does the model memorise or leak training data?
- Operational risk: What is the business impact of model failure? What is the fallback procedure?
- Regulatory risk: Does the use case trigger sector-specific regulation beyond the AI Act?
Documentation Requirements Per Model Entry
Each entry should capture:
- Model name and version
- Intended use case
- Risk classification
- Training data and known dataset limitations
- Performance benchmarks
- Identified risks with likelihood and impact ratings
- Controls applied
- Residual risk decisions with named owners
- Next scheduled review date
Governance Structure and Ongoing Monitoring
Assign a named owner to each model entry. Establish a review cadence: quarterly for high-risk models, semi-annually for others, and triggered reviews after any significant update, incident, or regulatory change. Route material risk decisions through a cross-functional AI governance committee.
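As an added illustration (not PolicifyAI's own tooling or a template from this article), the Python sketch below turns the per-entry fields and the review cadence described above into a small register: it flags entries that are missing an owner, benchmarks, a category assessment or a treatment decision, ranks each model's risks by likelihood times impact for the governance committee, and computes the next review date from the risk classification or from a triggering event. The 1 to 5 rating scales, the reading of "quarterly" as 90 days and "semi-annually" as 180 days, the field and category names, and the sample entry are all assumptions made for the example.

```python
# Added example (not PolicifyAI's own code): a minimal AI model risk register.
# Assumptions: 1-5 likelihood/impact scales, "quarterly" = 90 days,
# "semi-annual" = 180 days, and the field/category names used here.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# The six risk categories every entry must assess.
RISK_CATEGORIES = ("bias", "safety", "security", "privacy", "operational", "regulatory")

# Review cadence in days by risk classification (assumed day counts).
REVIEW_INTERVAL_DAYS = {"high": 90, "limited": 180, "minimal": 180}


@dataclass
class Risk:
    category: str
    description: str
    likelihood: int                     # 1 (rare) .. 5 (almost certain)
    impact: int                         # 1 (negligible) .. 5 (severe)
    controls: list[str] = field(default_factory=list)
    residual_owner: str | None = None   # who accepted any residual risk

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class ModelEntry:
    name: str
    version: str
    intended_use: str
    classification: str                 # "high", "limited" or "minimal"
    owner: str                          # named accountable owner
    training_data: str
    dataset_limitations: list[str]
    benchmarks: dict[str, float]
    risks: list[Risk]
    last_reviewed: date


def validate_entry(entry: ModelEntry) -> list[str]:
    """Return the gaps in an entry; an empty list means it is complete."""
    gaps: list[str] = []
    if entry.classification not in REVIEW_INTERVAL_DAYS:
        gaps.append(f"unknown classification {entry.classification!r}")
    if not entry.owner.strip():
        gaps.append("no named owner")
    if not entry.benchmarks:
        gaps.append("no performance benchmarks recorded")
    assessed = {r.category for r in entry.risks}
    for cat in RISK_CATEGORIES:
        if cat not in assessed:
            gaps.append(f"category not assessed: {cat}")
    for r in entry.risks:
        if r.category not in RISK_CATEGORIES:
            gaps.append(f"unknown risk category {r.category!r}")
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            gaps.append(f"rating out of range for {r.description!r}")
        # A risk left untreated must at least have a named residual-risk owner.
        if not r.controls and r.residual_owner is None:
            gaps.append(f"untreated risk with no residual owner: {r.description!r}")
    return gaps


def next_review(entry: ModelEntry, today: date, triggered: bool = False) -> date:
    """Cadence by classification, or today if an update, incident or
    regulatory change triggered an out-of-cycle review."""
    if triggered:
        return today
    return entry.last_reviewed + timedelta(days=REVIEW_INTERVAL_DAYS[entry.classification])


def overdue(register: list[ModelEntry], today: date) -> list[str]:
    """Names of entries whose scheduled review date has already passed."""
    return [e.name for e in register if next_review(e, today) < today]


def top_risks(entry: ModelEntry, n: int = 3) -> list[Risk]:
    """Highest-scoring risks first, for the governance committee's agenda."""
    return sorted(entry.risks, key=lambda r: r.score(), reverse=True)[:n]


# Constructed sample entry for the example; not a real model.
SAMPLE = ModelEntry(
    name="credit-scoring-gbm", version="2.3.1",
    intended_use="Consumer credit application scoring",
    classification="high", owner="Head of Credit Risk",
    training_data="Internal applications 2019-2024",
    dataset_limitations=["under-represents applicants under 25"],
    benchmarks={"auc": 0.83, "approval_gap_max": 0.04},
    risks=[
        Risk("bias", "approval-rate gap across protected groups", 3, 4,
             ["fairness audit per release"], "Head of Credit Risk"),
        Risk("safety", "wrongful decline of an eligible applicant", 2, 3,
             ["human review of all declines"]),
        Risk("security", "adversarial manipulation of input features", 2, 4,
             ["input range validation"]),
        Risk("privacy", "memorisation of applicant records", 1, 4,
             ["no free-text features in training data"]),
        Risk("operational", "scoring service outage", 2, 3,
             ["rules-based fallback scorer"]),
        Risk("regulatory", "consumer-credit rules beyond the AI Act", 3, 3,
             ["legal review of adverse-action notices"]),
    ],
    last_reviewed=date(2026, 1, 15),
)

if __name__ == "__main__":
    today = date(2026, 4, 20)
    print("gaps:", validate_entry(SAMPLE))
    print("next review:", next_review(SAMPLE, today))
    print("overdue:", overdue([SAMPLE], today))
    print("top risk:", top_risks(SAMPLE, 1)[0].description)
```

The validator deliberately treats a risk with neither controls nor a named residual-risk owner as a gap: an entry is only complete when every identified risk has either been treated or explicitly accepted by someone accountable, which is the decision record Article 9 and the NIST "Manage" function both expect to see.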