
Build Your AI Risk Management Roadmap

Develop your AI risk management framework to mitigate risk and drive value for your AI investments.

AI continues to be the most transformative and disruptive technology today, with organizations around the world accelerating their adoption and deployment of AI-based solutions. Alongside these new and exponential opportunities, AI solutions are also introducing severe financial and reputational risks that require evaluation and management to mitigate. Our step-by-step blueprint provides detailed guidance through the process of AI risk management, helping you to create a comprehensive roadmap and AI strategy aligned with organizational needs.

Risk is an unavoidable part of business that must be actively monitored, managed, and mitigated to avoid financial losses and reputational damage to your organization. Though their effects are just as impactful, AI risks are often addressed separately from organizational risks – causing inconsistencies in the approach and leaving AI leaders too accountable for impacts. Transform your ad hoc AI risk management processes into a formalized, ongoing program aligned with existing business risk management processes to take a proactive stance against AI threats and vulnerabilities.

1. Build off the back of existing standards.

The scale and scope of opportunities made possible by AI are limitless, but you do not have to start from scratch when shaping foundational principles for its use. Our blueprint leverages the NIST AI Risk Management Framework 1.0 as a starting point, to be refined by senior leadership and aligned with your organizational risk appetite and AI maturity.

2. Make risk measurable and manageable.

Identifying potential risks to your organization is an essential first step in your risk management approach, but not all risks are created equal. Establish an AI risk council with key players from across your organization to determine acceptable risk thresholds, create risk likelihood, severity level, and reputational assessments, and provide accessible documentation for all potential risks.

3. Don’t risk your reputation.

Once an organizational AI risk program has been agreed upon, communicated, and implemented, the greatest risk you face might be a false sense of security. AI is evolving exponentially, so your assessment risks becoming outdated quickly. Perform regular health checks to keep your finger on the pulse of the key risks threatening the organization and your reputation.

Use our comprehensive blueprint to navigate the risks and take full advantage of the exponential capabilities of AI.

Build an AI risk management program and roadmap that can stand up to the current rapidly changing technical environment by leveraging our step-by-step methodology, tools, and templates to:

  • Transform your ad hoc AI risk management processes into a formalized, ongoing program and increase AI risk management success.
  • Take a proactive stance against AI threats and vulnerabilities by identifying and assessing the greatest AI risks before they occur.
  • Involve key stakeholders, including the organization’s senior management team, to gain buy-in and to focus on the AI risks most critical to the organization.

Build Your AI Risk Management Roadmap Research & Tools

1. Build Your AI Risk Management Roadmap Storyboard – Drive value for your existing and prospective AI investments by proactively managing and mitigating risk.

In this research, we will help you to:

  • Assess your current AI risk maturity and organizational buy-in.
  • Establish an AI risk council and determine AI risk management program goals.
  • Govern, identify, measure, and respond to AI risks.
  • Create a method to monitor priority AI risks, consider possible responses, and continuously communicate these to the organization to implement a suitable risk management plan.

2. AI Risk Management Roadmap Presentation Template – Provide a clear, concise, and visual summary of your AI risk management roadmap.

Use this PowerPoint template to:

  • Communicate the importance of AI risk management to executive leadership and gain buy-in.
  • Define key stakeholders and executive leaders engaged in the AI risk management program.
  • Establish and document processes for AI risk governance, identification, measurement, and response.

3. AI Risk Management Maturity Assessment Tool – Analyze your organization’s current- and target-state maturity in AI capabilities and systematically develop a plan for your target AI practices.

In this assessment tool, we will help you to:

  • Assess your current risk management capabilities across risk governance, identification, measurement, and response.
  • Identify and collect essential data that will shape your maturity assessment.
  • Visualize the gaps between your current and target states to enable effective prioritization.

4. AI Risk Assessment Worksheet – Structure a comprehensive risk assessment for all current and potential AI risks in your organization.

Use this tool to:

  • Explore and evaluate common AI risks that may impact your organization.
  • Identify specific risks within your AI risk taxonomy and create a risk response with action items to mitigate or transfer the risk.
  • Reassess the impact and likelihood of the risk once action items are completed.

5. AI Risk Register Tool – Build a repository of all the AI risks identified in your environment with the responsible owner, category, and planned actions for each risk.

Use this register tool to:

  • Record your organization’s likelihood and impact scales as determined by the IT risk council.
  • Leverage industry definitions for AI risk categories and AI risks that may occur.
  • Create an accessible centralized repository for identifying and mitigating AI risks.

6. AI Risk Action Plan – Establish and track accountability within your department to determine next steps for managing AI risk.

Use this Word-based template to:

  • Document key information about identified high-priority risks that need resolution.
  • Define related risk accountabilities and key risk indicators for individual risks.
  • Communicate the appropriate risk response decided by the AI risk council to gain support from executive leadership.

7. AI Risk Report – Communicate the results of recent risk assessments to the senior leadership team and provide a summary of important AI risk management developments.

Use this comprehensive report template to:

  • Document the results of the AI risk council’s annual review, the risk response mitigation actions for each risk event, and recommendations to mitigate identified risk.
  • Communicate the outcomes of risk severity assessments to executive leadership.
  • Establish, define, and cost out multiple risk response opportunities.

8. AI Risk Management Program Manual – Document all the major activities in your holistic risk management process in a single source of truth.

Use this template to:

  • Provide a thorough overview of your organization’s risk management program.
  • Document current maturity levels, goals, and metrics for successful implementation.
  • Record the responsibilities and members of the AI risk council.
  • Document and collect all risk management templates, reports, and plans in this one document.

9. AI Initiatives Prioritization and Roadmap Planning Tool – Prioritize AI risk initiatives by evaluating the value and feasibility for each initiative.

This tool will help you:

  • Prioritize and shortlist your AI risk management initiatives.
  • Visualize AI risk management initiatives on a prioritization map.
  • Build a Gantt chart initiative roadmap.

10. Build Your AI Risk Management Roadmap Deck – Develop your AI risk management framework to mitigate risk and drive value for your AI investments.

AI solutions introduce transformative potential, as well as financial and reputational risks that must be mitigated. Take a proactive stance against AI threats by transforming ad hoc AI risk management processes into a formalized, ongoing program aligned with organizational needs.

Learn more in this Info-Tech LIVE 2025 presentation.

Upcoming webinar: Building Your Responsible AI Risk Management Roadmap, Wednesday, July 23, 2025, 01:00 PM EDT.

Build Your AI Risk Management Roadmap

Develop your AI risk management framework to mitigate risk and drive value for your AI investments.

Analyst perspective

Transform the organization with AI.

AI continues to be the most transformative and disruptive technology today. Around the world, organizations are accelerating their adoption and deployment of AI-based solutions. AI solutions are also introducing new risks, and organizations are being challenged on how best to plan for and mitigate these risks.

A successful business-driven AI risk management program requires:

Building an AI strategy that is driven by and aligned with the organizational strategy.

Establishing foundational AI principles as a key component of an organization's AI strategy to mitigate the risks that are introduced with the deployment of AI-based solutions.

Implementing AI governance throughout the organization to promote AI initiatives and align them to foundational AI principles.

Building and delivering an AI risk management roadmap to operationalize the mitigation of AI risks and deliver value to the organization.

Bill Wong, AI Research Fellow, Info-Tech Research Group

Executive summary

Your Challenge

  • Risk is unavoidable. Without a formal program to manage AI risk, you may be unaware of your severest AI risks.
  • The business could be making decisions that are not informed by AI risk.
  • Reacting to AI risks after they occur can be costly, yet it is one of the most common tactics used by organizations.

Common Obstacles

  • Without a proper AI strategy and foundational AI principles, the risks of deploying AI technology/solutions could negatively impact business outcomes.
  • AI risks and business risks are often addressed separately, causing inconsistencies in the approach.
  • Failing to include the business in AI risk management leaves AI leaders too accountable; the business must have accountability as well.

Info-Tech's Approach

  • Transform your ad hoc AI risk management processes into a formalized, ongoing program and increase AI risk management success.
  • Take a proactive stance against AI threats and vulnerabilities by identifying and assessing the greatest AI risks before they occur.
  • Involve key stakeholders, including the business senior management team, to gain buy-in and to focus on the AI risks most critical to the organization.

Info-Tech Insight

AI risk is business risk. Every AI risk has business implications. Create an AI risk management program that shares accountability with the business.

AI Risk Management Framework

DEFINITIONS

A hierarchy pyramid with the following from top to base: AI Strategy, AI Governance, AI Risk Management.

AI strategy is aligned with the firm's organizational strategy, and foundational AI principles are established.

AI governance is aligned with the firm's enterprise governance and identifies the AI risks associated with each foundational AI principle.

AI risk management is aligned with the firm's enterprise risk management system and operationalizes the management of the AI risks.

Top AI risk actions

What is your organization currently doing to actively manage the risks around your Generative AI implementations?

A bar graph for Top AI risk action management by percentage

Source: Deloitte, 2024; N=2,770

Building your AI risk management roadmap

An image showing the 6 steps to create an AI risk management roadmap:

  1. Establish Foundational AI Principles as a Core Component of AI Strategy and AI Governance
  2. Assess AI Risk Management Maturity
  3. Create and Assign AI Risk Council Responsibilities
  4. Implement AI Risk Management Framework Aligned to Foundational AI Principles
  5. Pursue Initiatives That Reduce the Likelihood or Impact of AI Risks
  6. Build the AI Risk Management Roadmap

Blueprint deliverables

AI Risk Management Maturity Assessment Tool – Assess the organization's current maturity for AI risk management.

AI Risk Register Tool – Fill out a repository for the AI risks that have been identified within your environment.

AI Risk Assessment Tool – Assess potential AI risks for your organization.

AI Risk Report & AI Risk Action Plan – Report AI risk severity and hold risk owners accountable for the chosen method of responding.

AI Risk Management Program Manual – Develop a customized program manual for the ongoing management of AI risk.

AI Risk Management Roadmap Presentation Template – Present your AI risk management roadmap in a prepopulated document that summarizes all the key findings of this blueprint and provides your C-suite with a view of the AI risk challenges and your plan of action to meet them.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 6 to 8 calls over the course of 3 to 6 months.

An image of the guided implementation for this Blueprint. A series of 7 calls across 6 sections.

Workshop Overview

Contact your account representative for more information.
[email protected] 1-888-670-8889

Day 1: AI Risk Fundamentals

Activities:
1.1 Assess current AI risk management maturity.
1.2 Identify challenges and pain points.
1.3 Develop goals for the AI risk management program.

Deliverables:
  • AI Risk Management Maturity Assessment
  • AI Risk Management Program Manual

Day 2: Govern AI Risks, Identify AI Risks

Activities:
2.1 Create the AI risk council.
2.2 Align your AI risk taxonomy.
2.3 Determine the risk culture of your organization.
2.4 Define the organization's risk appetite and tolerance.
2.5 Complete the RACI chart.
3.1 Identify relevant AI risks.
3.2 Identify risk events.

Deliverables:
  • List of AI risks
  • AI Risk Register
  • AI Risk Management Program Manual

Day 3: Identify AI Risks (cont'd), Measure AI Risk

Activities:
3.3 Determine the threshold for (un)acceptable risk.
3.4 Select a technique to measure reputational cost.
3.5 Perform root cause analysis.
3.6 Create a likelihood scale.
3.7 Assess risk severity level.
4.1 Develop key risk indicators.
4.2 Identify metrics and targets to meet objectives.
4.3 Establish the reporting schedule.

Deliverables:
  • AI Risk Register
  • AI Risk Action Plans
  • AI Risk Management Program Manual

Day 4: Respond to AI Risks

Activities:
5.1 Develop risk responses to positive and negative AI risks.
5.2 Identify current AI risk controls.
5.3 Assign a risk owner for each risk event.
5.4 Identify factors that contribute to the severity of the AI risk.
5.5 Identify, analyze, and select risk responses.
5.6 Obtain executive approval for risk action plans.
5.7 Socialize the Risk Report.
5.8 Finalize the Risk Management Program Manual.

Deliverables:
  • AI Risk Report
  • AI Risk Management Program Manual

Day 5: Develop the Roadmap, Next Steps and Wrap-Up (offsite)

Activities:
6.1 Develop the AI risk management roadmap.
6.2 Determine next steps and communication approach.

  • Complete in-progress deliverables from previous four days
  • Set up review time for workshop deliverables and to discuss next steps

Deliverables:
  • Workshop report
  • AI Risk Management Program Manual
  • AI Risk Management Roadmap Presentation Template

Section 1

Frame AI Risks and Review AI Risk Fundamentals and Frameworks

Sections

  1. Frame AI Risks
  2. AI Risk Governance
  3. AI Risk Identification
  4. AI Risk Measurement
  5. AI Risk Response
  6. AI Risk Management Roadmap

Build Your AI Risk Management Roadmap

This section will walk you through the following:

  • Overview of AI risk management, foundational AI principles, and AI risks and frameworks
  • Define foundational AI principles
  • AI risk management vs. enterprise risk management programs
  • Risk management frameworks for AI
  • Activity: Assess current AI risk management maturity
  • Activity: Identify challenges and pain points
  • Activity: Develop goals for the AI risk management program

This section involves the following participants:

  • AI initiative lead
  • CIO
  • Other AI and risk leadership

AI risk management program objectives

Ensure foundational AI principles are adopted for the development, deployment, and operation of AI systems

  • Ensure foundational AI principles govern the entire AI system lifecycle.

Implement an AI risk management framework to manage and mitigate AI risks

  • AI Risk Governance: Establish and maintain a culture of AI risk management.
  • AI Risk Identification: Identify and categorize AI systems.
  • AI Risk Measurement: Establish AI risk metrics and targets.
  • AI Risk Response: Develop response plans, implement controls, and continuously improve the AI systems.

Leverage tools to accelerate building the AI risk management program

  • Use the AI Risk Management Maturity Assessment and AI Risk Assessment tools to assess risk and your risk management maturity.
  • Use the AI Risk Register, AI Risk Report, AI Risk Action Plan, and AI Risk Management Program Manual to document and report on activities.

Develop an AI risk management roadmap

  • Propose AI risk initiatives that deliver value and enhance the organization's risk management maturity and capabilities.

What are foundational AI principles?

To mitigate risks to the corporation and staff, organizations need a responsible approach to developing, implementing, and using AI systems.

  • OECD developed the first intergovernmental standard on AI, with AI principles that "promote use of AI that is innovative and trustworthy and that respects human rights and democratic values" (OECD). OECD's Recommendation on AI is followed by 47 countries, enabling international cooperation.
  • AI principles like these are the foundation of the practice of responsible action to mitigate harm to people, corporations, and society.
  • The terms responsible, ethical, and trustworthy are often used interchangeably, and people who use the terms often have similar goals and objectives.

Info-Tech's Foundational AI Principles

Info-Tech's Foundational AI Principles

Info-Tech recommends six core AI guiding principles that were distilled from industry frameworks and practitioner insights. This research will help you use our core six as a jumping-off point in defining the right principles for the unique needs of your organization.

Benefits of an AI risk management program

Users of the AI Risk Management Framework are expected to benefit from:

Operational Excellence

  • Structured framework for an organization's risk management activities.
  • Improved awareness of the relationships and tradeoffs among foundational AI characteristics, sociotechnical approaches, and AI risks.

Growth

  • Explicit processes for making go/no-go system commissioning and deployment decisions.
  • Enhanced organizational culture which prioritizes the identification and management of AI system risks and potential impacts to individuals, communities, organizations, and society.

Risk Mitigation

  • Established policies, processes, practices, and procedures for improving organizational accountability efforts related to AI system risks.
  • Better information sharing within and across organizations about risks, decision making processes, responsibilities, common pitfalls, Test and Evaluation, Verification and Validation (TEVV) practices, and approaches for continuous improvement.
  • Greater contextual knowledge for increased awareness of downstream risks.

Source: The content on this slide is from NIST AI RMF 1.0. For more information see slide 17 (Alignment to NIST AI RMF 1.0).

AI risk management is possible without an enterprise risk management program

Building an effective AI risk management program for the organization is possible even without an enterprise risk management program.

An image showing how AI risk management is possible without an enterprise risk management program.

Risk management frameworks for AI systems

NIST AI RMF

  • Focus: Specifically designed for AI risk management
  • Regulatory Nature: Non-regulatory, voluntary guidance
  • AI Principles: Focus on trustworthiness
  • Risk Categories: Wide range of AI risks, focus on trustworthiness
  • Framework Adaptability: Highly adaptable
  • Implementation Approach: Structured and adaptable process

ISO/IEC 23894:2023

  • Focus: Specifically designed for AI risk management
  • Regulatory Nature: International standard
  • AI Principles: Focus on international AI ethics and human rights principles
  • Risk Categories: Risks based on potential impact and likelihood of occurrence
  • Framework Adaptability: Flexible framework that can be adapted
  • Implementation Approach: Structured and systematic approach

ISO 31000

  • Focus: Enterprise risk management framework that can be adapted for AI
  • Regulatory Nature: International standard
  • AI Principles: Outlines eight principles for effective risk management
  • Risk Categories: Emphasizes process to identify and categorize risks based on context
  • Framework Adaptability: Flexible framework that can be adapted
  • Implementation Approach: Structured and systematic approach

COSO ERM

  • Focus: Enterprise risk management framework that can be adapted for AI
  • Regulatory Nature: Non-regulatory, voluntary guidance
  • AI Principles: Principles focus on effective risk management and can be adapted to focus on AI risks
  • Risk Categories: Enterprise risks, including those related to AI
  • Framework Adaptability: Highly adaptable
  • Implementation Approach: Structured and will require adaptation to address AI-specific risks

Info-Tech AI Risk Management Framework

  • Focus: Specifically designed for AI risk management
  • Regulatory Nature: Non-regulatory, voluntary guidance
  • AI Principles: Focus on foundational AI principles
  • Risk Categories: Wide range of AI risks, focus on alignment to foundational AI principles
  • Framework Adaptability: Highly adaptable
  • Implementation Approach: Structured and adaptable process

Info-Tech AI Risk Management Roadmap alignment to NIST AI Risk Management Framework (RMF) 1.0

The Info-Tech AI Risk Management Roadmap provides a blueprint for organizations to implement NIST AI RMF 1.0. All of the NIST AI RMF definitions, core functions, categories, and subcategories are included in the Info-Tech AI Risk Management Roadmap. The following terms used by NIST have been mapped to Info-Tech terms that align with Info-Tech's best practices and/or compliance initiatives.

An image of the Info-Tech AI Risk Management Roadmap alignment to NIST AI Risk Management Framework (RMF) 1.0.

When NIST is referenced as a source, the content was produced by NIST.

AI risk management interoperability framework

An image of the AI risk management interoperability framework

Source: The AI Lifecycle is from NIST AI RMF 1.0. For more information see slide 17 (Alignment to NIST AI RMF 1.0).

AI Risk Management Maturity Model

A principle-based approach is required to advance AI maturity

A graph showing that a principle-based approach is required to advance AI maturity.

AI Risk Management Dimensions

  • Risk Governance
  • Risk Identification
  • Risk Measurement
  • Risk Response

Technology-Centric

These maturity levels focus primarily on addressing the technical challenges of building a functional AI model.

Principle-Based

Beyond the technical challenges of building the AI model are human-based principles that guide development in a responsible manner to address consumer and government demands.

AI Risk Management Maturity Assessment

The purpose of the AI Risk Management Maturity Assessment is to assess the organization's current maturity and readiness for AI risk management.

A simple tool to understand if your organization is ready to embrace AI risk management by measuring maturity across four core capabilities: AI Risk Governance, AI Risk Identification, AI Risk Measurement, and AI Risk Response.

Use the results from this AI risk management maturity assessment to determine the type of AI risk management program that can and should be adopted by your organization.

Some organizations will need to remain siloed and focused on AI risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.

Webinar speakers: Bill Wong, AI Research Fellow; Valence Howden, Principal Advisory Director.


About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

You get:

  • Build Your AI Risk Management Roadmap Storyboard
  • AI Risk Management Roadmap Presentation Template
  • AI Risk Management Maturity Assessment Tool
  • AI Risk Assessment Tool
  • AI Risk Register Tool
  • AI Risk Action Plan
  • AI Risk Report
  • AI Risk Management Program Manual
  • AI Initiatives Prioritization and Roadmap Planning Tool

Need Extra Help?
Speak With An Analyst

Get the help you need in this 6-phase advisory process. You'll receive 7 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Frame AI Risks
  • Call 1: Assess current AI risk maturity and organizational buy-in.

Guided Implementation 2: AI Risk Governance
  • Call 1: Establish an AI risk council and determine AI risk management program goals.

Guided Implementation 3: AI Risk Identification
  • Call 1: Identify the AI risk categories used to organize risk events.
  • Call 2: Identify the threshold for risk the organization can withstand.

Guided Implementation 4: AI Risk Measurement
  • Call 1: Create a method to assess AI risk event severity.

Guided Implementation 5: AI Risk Response
  • Call 1: Establish a method to monitor priority AI risks and consider possible AI risk responses.

Guided Implementation 6: AI Risk Management Roadmap
  • Call 1: Communicate AI risk priorities to the business and implement AI risk management plan.

Author

Bill Wong

Contributors

  • Salvador Barragan, Global Data & AI Strategy and Governance Leader, Data Meaning
  • Jeremy Gill, Managing Director, Enterprise Applications and Data Platforms