AI Risk Domains

AI Risk Domains

A practical taxonomy for classifying AI risk, identifying evidence gaps, and routing each domain to controls, owners, escalation paths, review records, and audit-ready artifacts.

Domain Register View

Evidence Gap Scan
Domain
Risk Signal
Owner
Status
Vendor AI Third-party AI capability
Evidence cannot verify vendor claims. Documentation, testing, change notice, or contract terms are incomplete.
Vendor Risk Supplier evidence owner
Gap Open Review needed
Human Oversight Review workflow
Reviewer authority is unclear. Escalation, override, and rationale evidence are incomplete.
Compliance Review standard owner
Partial Evidence exists
LLM / RAG Prompt and retrieval system
Retrieval and output controls are unmapped. Prompt logs, access review, and source testing need evidence.
Security / GRC Control owner
Open Control map needed
AML AI Alert triage support
Disposition rationale must be reconstructable. Reviewer notes and escalation records need retention.
Operations Case review owner
Logged Record retained

Page purpose

Use this page as the AI risk routing layer.

AI Risk Domains is the hub page for classifying AI assurance problems before moving into dedicated pages such as Vendor AI Risk, Human Oversight, LLM/RAG Risk, and Financial Services AI Risk.

The purpose is not to list every possible AI harm. The purpose is to separate risk domains into evidence questions that can be mapped to controls, owners, review workflows, and artifacts.

What domain does the risk belong to?
What can fail or become opaque?
Who owns review?
Which control applies?
What evidence is needed?
Where should the user go next?

Risk taxonomy

AI Risk Domain Matrix

This matrix separates AI risk domains from the evidence needed to govern them. Each domain should route to a dedicated artifact, checklist, questionnaire, crosswalk, or GridLock GRC object.

Risk Domain What Can Go Wrong Control Implication Evidence Needed
Vendor
Vendor AI Risk
Vendor claims cannot be verified, model limitations are unclear, shared responsibility is vague, or change notices are incomplete. Require documentation, testing evidence, contractual controls, audit rights, monitoring, change notice, incident terms, and periodic review. Vendor questionnaire, contract checklist, SOC report, model documentation, testing summary, issue log, change record.
Oversight
Human Oversight Risk
Human review exists on paper but reviewers lack authority, context, escalation paths, override ability, or decision records. Define reviewer authority, escalation triggers, override conditions, review evidence, and decision documentation standards. Reviewer notes, decision rationale, escalation log, override record, approval trail, oversight checklist.
LLM / RAG
LLM / RAG Risk
Outputs fabricate, leak data, retrieve unsupported content, bypass access boundaries, or create unreviewed advice. Apply access controls, retrieval testing, prompt/output monitoring, human review, logging, incident handling, and content boundaries. Prompt logs, retrieval tests, access review, output review notes, red-team notes, incident record.
Financial Crimes
Financial Services / AML AI
Alerts lack explainability, escalation logic is inconsistent, or reviewer disposition cannot be reconstructed. Require reviewable rationale, case handling standards, escalation rules, quality review, exception records, and retained evidence. Alert disposition, case notes, escalation rationale, quality review, exception record, audit trail.
Model Risk
Model Risk Support
Limitations, monitoring, assumptions, performance changes, validation dependencies, or change approvals are not documented. Prepare validation-readiness artifacts, monitoring records, limitation registers, issue tracking, approvals, and change evidence. Limitation register, monitoring summary, issue log, test evidence, approval record, change review notes.
Data
Data and Input Risk
Data lineage, quality, permission, sensitivity, access, retention, or drift is not controlled or documented. Map data governance controls to AI use, access boundaries, lineage, retention, sensitivity, and quality checks. Data lineage record, access review, quality checks, sensitivity review, retention evidence, drift monitoring.

Evidence gap severity

Risk Signals

InfoSecured.ai treats weak evidence as a risk signal. A control that cannot be evidenced is not ready for audit, governance review, or serious challenge.

Low Evidence Risk
  • Policy exists and is mapped to the AI use case.
  • Control owner is assigned.
  • Review records are retained.
  • Escalation path is documented.
Moderate Evidence Risk
  • Control exists but review records are incomplete.
  • Vendor documentation is partial.
  • Human review criteria are unclear.
  • Exceptions are tracked inconsistently.
High Evidence Risk
  • No accountable owner is assigned.
  • No retained evidence proves the control operated.
  • Human review cannot be reconstructed.
  • Vendor claims cannot be verified.

Control mapping logic

From domain to evidence.

AI Use Case Identify the workflow, decision-support function, user group, business process, and operating context.
Risk Domain Classify the risk: vendor, oversight, LLM/RAG, financial crimes, model risk support, data, security, audit readiness, or governance ownership.
Failure Mode Describe what can fail, who may be affected, and how the failure would appear in operation.
Control Obligation Map the risk to a policy, procedure, technical control, review step, vendor obligation, or governance requirement.
Owner Assign accountability for control operation, review, escalation, exception handling, evidence updates, and risk acceptance.
Evidence Artifact Define the record that proves the control, review, vendor response, or escalation activity occurred.
Review Status Track whether evidence is complete, partial, missing, accepted, expired, remediated, or escalated.

Practical artifact

AI Risk Register Starter Kit

A template set for documenting AI risk in a way that supports governance review, vendor diligence, control mapping, human oversight, LLM/RAG assurance, and audit-readiness.

  • AI Use Case Inventory
  • Risk Domain Taxonomy
  • Risk-to-Control Map
  • Control Owner Register
  • Vendor AI Risk Questionnaire
  • Human Oversight Checklist
  • LLM/RAG Control Matrix
  • Evidence Register Fields
  • Escalation and Exception Log
  • Audit-Readiness Gap List

Domain pages

Dedicated pages should go deeper than this hub.

This page classifies the domain. Dedicated pages should provide the evidence questions, artifact structure, control mapping, and GridLock GRC object model for that specific domain.

Vendor AI Risk

Third-party AI claims, documentation, data use, contract risk, change notice, audit rights, and shared responsibility.

Open Vendor AI Risk

Human Oversight

Reviewer authority, escalation, rationale, overrides, interventions, and audit-ready human review records.

Open Human Oversight

LLM / RAG Risk

Prompt controls, retrieval governance, access boundaries, output review, monitoring, incidents, and logs.

Open LLM / RAG Risk

GridLock GRC

Risk domains become structured evidence objects.

In GridLock GRC, each risk domain should connect to an AI system, use case, failure mode, control, owner, evidence item, exception, remediation action, and audit-readiness status.

AI System → Use Case → Risk Domain → Failure Mode → Control → Owner → Evidence → Review Status

The purpose is to make broad AI risk language reviewable. A risk domain becomes a traceable record that can be inspected, challenged, updated, and mapped to governance workflows.

GridLock GRC is not production software, a certified compliance platform, legal guidance, formal audit guidance, or a model-validation system. It is a public proof-of-work project for AI assurance evidence mapping.

View GridLock GRC

Use notice

Independent research and portfolio artifacts.

InfoSecured.ai publishes independent AI assurance research, templates, and public proof-of-work artifacts for education, review, adaptation, and validation by qualified internal teams.

Materials are not legal advice, audit advice, certification advice, regulatory advice, model-validation advice, or a substitute for organization-specific professional review.

Read Editorial Standards

Classify the AI risk before building the evidence record.

Use the domain matrix to route AI risks into controls, owners, evidence records, vendor documentation, human oversight notes, LLM/RAG controls, exceptions, and audit-ready review status.