Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
AI Governance & Secure AI for Business · Download

AI Risk Assessment Worksheet

A worksheet for scoring the risk of a specific AI use case by data sensitivity, tool trust level, and risk category before approval.

IT KORR Knowledge Center

AI Risk Assessment Worksheet

A worksheet for scoring the risk of a specific AI use case by data sensitivity, tool trust level, and risk category before approval.

Use Case & Data Sensitivity

Score each proposed AI use case individually — the same tool can carry very different risk depending on what data and decision it touches. Do not approve a tool in the abstract; approve specific use cases against it.

  • Use case description — what task the AI tool will perform and who will use it.
  • Data involved — describe the specific data type(s) that will be submitted, not just a general category.
  • Data sensitivity tier — Public, Internal, Confidential/Regulated (per the AI Governance Policy classification).
  • AI tool/provider — name, and whether it is already on the approved tools list.

Tool Trust Level

  • Contractual terms confirm data submitted is not used for model training — Yes / No / Unclear.
  • Vendor has a documented security posture (e.g., SOC 2, ISO 27001, or equivalent) — Yes / No / Unclear.
  • Data residency and retention terms are known and acceptable — Yes / No / Unclear.
  • Any "Unclear" answer should be resolved before the use case proceeds past pilot.

Risk Category Scoring

  • Data leakage — likelihood sensitive data is exposed to the vendor, retained, or surfaced to other users. Score Low/Medium/High.
  • Hallucination/accuracy — likelihood the AI produces plausible but incorrect output relevant to this use case. Score Low/Medium/High.
  • Bias — likelihood output reflects unfair or discriminatory patterns relevant to this use case (especially for people-related decisions). Score Low/Medium/High.
  • Over-reliance — likelihood users treat AI output as authoritative without independent verification. Score Low/Medium/High.

Likelihood, Impact & Required Mitigations

  • Overall likelihood (Low/Medium/High) and overall impact if a risk materializes (Low/Medium/High), combined into a risk rating.
  • For Medium or High ratings, document the specific mitigation required before approval — e.g., data redaction, mandatory human review, restricted user group, or additional contractual terms.
  • Record the approval decision, approver, and date, and set a re-assessment date if the use case or tool changes materially.

Related Resources

  • AI Risk Management — /knowledge-center/artificial-intelligence/ai-governance-secure-ai/ai-risk-management
  • Private AI vs. Public AI — /knowledge-center/artificial-intelligence/ai-governance-secure-ai/private-ai-vs-public-ai

This document is a starting-point resource, not legal or compliance advice. Review it against your organization's actual systems before adoption — see the full AI Governance & Secure AI for Business Hub for the reasoning behind each recommendation.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT