IT KORR Knowledge Center
AI Risk Assessment Worksheet
A worksheet for scoring the risk of a specific AI use case by data sensitivity, tool trust level, and risk category before approval.
Use Case & Data Sensitivity
Score each proposed AI use case individually — the same tool can carry very different risk depending on what data and decision it touches. Do not approve a tool in the abstract; approve specific use cases against it.
- Use case description — what task the AI tool will perform and who will use it.
- Data involved — describe the specific data type(s) that will be submitted, not just a general category.
- Data sensitivity tier — Public, Internal, Confidential/Regulated (per the AI Governance Policy classification).
- AI tool/provider — name, and whether it is already on the approved tools list.
Tool Trust Level
- Contractual terms confirm data submitted is not used for model training — Yes / No / Unclear.
- Vendor has a documented security posture (e.g., SOC 2, ISO 27001, or equivalent) — Yes / No / Unclear.
- Data residency and retention terms are known and acceptable — Yes / No / Unclear.
- Any "Unclear" answer should be resolved before the use case proceeds past pilot.
Risk Category Scoring
- Data leakage — likelihood sensitive data is exposed to the vendor, retained, or surfaced to other users. Score Low/Medium/High.
- Hallucination/accuracy — likelihood the AI produces plausible but incorrect output relevant to this use case. Score Low/Medium/High.
- Bias — likelihood output reflects unfair or discriminatory patterns relevant to this use case (especially for people-related decisions). Score Low/Medium/High.
- Over-reliance — likelihood users treat AI output as authoritative without independent verification. Score Low/Medium/High.
Likelihood, Impact & Required Mitigations
- Overall likelihood (Low/Medium/High) and overall impact if a risk materializes (Low/Medium/High), combined into a risk rating.
- For Medium or High ratings, document the specific mitigation required before approval — e.g., data redaction, mandatory human review, restricted user group, or additional contractual terms.
- Record the approval decision, approver, and date, and set a re-assessment date if the use case or tool changes materially.
Related Resources
- AI Risk Management — /knowledge-center/artificial-intelligence/ai-governance-secure-ai/ai-risk-management
- Private AI vs. Public AI — /knowledge-center/artificial-intelligence/ai-governance-secure-ai/private-ai-vs-public-ai