Risk
Lack of Risk Assessment Process
Description
Inconsistent methodology, coverage, and severity scoring across teams; evidence may be incomplete or non-comparable.
Example
One team tests only for bias; another tests only for jailbreaks, so their findings cannot be compared or combined.
Assets Affected
No core AI component is directly affected; the risk lies in the testing process itself.
Mitigation
- Adopt a red-team playbook/checklist (e.g., MITRE ATLAS, OWASP)
- Maintain severity taxonomy; train red-team staff
Standards Mapping
- ISO 42001: A.5.2, A.6.2.4
- NIST AI RMF: MEASURE 1.1, GOVERN 1.3