Risk
Undefined Risk Tolerance & Categorization
Description
Lack of clear criteria for the organization's AI risk tolerance and for classifying AI systems by risk level (regular/high/critical).
Example
A critical healthcare AI system is classified as "regular," so it misses the safety controls required for its actual risk level.
Assets Affected
- Framework
- AI inventory
- Impact assessments
Mitigation
- Define risk tolerance thresholds
- Establish risk categories with clear criteria
- Establish an impact assessment process
- Publish classification guidelines
Standards Mapping
- ISO 42001: 6.1.1, A.5.2
- NIST AI RMF: GOVERN 1.3, MAP 1.5