Risk
Undefined Risk Tolerance & Categorization
Description
Lack of clear criteria for AI risk tolerance and classifying AI systems by risk level (regular/high/critical) and by agent autonomy level (supervised, semi-autonomous, fully autonomous).
Example
A fully autonomous procurement agent classified at the same tier as a supervised summarization assistant, missing required action-authorization controls.
Assets Affected
Risk framework
AI inventory
Impact assessments
AI Agent
Mitigation
- Define risk tolerance thresholds
- establish risk categories with clear criteria
- introduce agent autonomy tiers driving control intensity
- impact assessment process
- classification guidelines.
Standards Mapping
- ISO: Clause 6.1.2, A.5.2
- EU AI Act: Art. 6, Art. 9(2)
- DASF: Platform 12.6
- AIUC-1: C001