AI Risk Domains
AI Risk Domains
A practical taxonomy for classifying AI risk, identifying evidence gaps, and routing each domain to controls, owners, escalation paths, review records, and audit-ready artifacts.
Domain Register View
Evidence Gap ScanPage purpose
Use this page as the AI risk routing layer.
AI Risk Domains is the hub page for classifying AI assurance problems before moving into dedicated pages such as Vendor AI Risk, Human Oversight, LLM/RAG Risk, and Financial Services AI Risk.
The purpose is not to list every possible AI harm. The purpose is to separate risk domains into evidence questions that can be mapped to controls, owners, review workflows, and artifacts.
Risk taxonomy
AI Risk Domain Matrix
This matrix separates AI risk domains from the evidence needed to govern them. Each domain should route to a dedicated artifact, checklist, questionnaire, crosswalk, or GridLock GRC object.
| Risk Domain | What Can Go Wrong | Control Implication | Evidence Needed |
|---|---|---|---|
|
Vendor Vendor AI Risk |
Vendor claims cannot be verified, model limitations are unclear, shared responsibility is vague, or change notices are incomplete. | Require documentation, testing evidence, contractual controls, audit rights, monitoring, change notice, incident terms, and periodic review. | Vendor questionnaire, contract checklist, SOC report, model documentation, testing summary, issue log, change record. |
|
Oversight Human Oversight Risk |
Human review exists on paper but reviewers lack authority, context, escalation paths, override ability, or decision records. | Define reviewer authority, escalation triggers, override conditions, review evidence, and decision documentation standards. | Reviewer notes, decision rationale, escalation log, override record, approval trail, oversight checklist. |
|
LLM / RAG LLM / RAG Risk |
Outputs fabricate, leak data, retrieve unsupported content, bypass access boundaries, or create unreviewed advice. | Apply access controls, retrieval testing, prompt/output monitoring, human review, logging, incident handling, and content boundaries. | Prompt logs, retrieval tests, access review, output review notes, red-team notes, incident record. |
|
Financial Crimes Financial Services / AML AI |
Alerts lack explainability, escalation logic is inconsistent, or reviewer disposition cannot be reconstructed. | Require reviewable rationale, case handling standards, escalation rules, quality review, exception records, and retained evidence. | Alert disposition, case notes, escalation rationale, quality review, exception record, audit trail. |
|
Model Risk Model Risk Support |
Limitations, monitoring, assumptions, performance changes, validation dependencies, or change approvals are not documented. | Prepare validation-readiness artifacts, monitoring records, limitation registers, issue tracking, approvals, and change evidence. | Limitation register, monitoring summary, issue log, test evidence, approval record, change review notes. |
|
Data Data and Input Risk |
Data lineage, quality, permission, sensitivity, access, retention, or drift is not controlled or documented. | Map data governance controls to AI use, access boundaries, lineage, retention, sensitivity, and quality checks. | Data lineage record, access review, quality checks, sensitivity review, retention evidence, drift monitoring. |
Vendor AI Risk
Third-party AI documentation, vendor opacity, shared responsibility, contract risk, change notice, and evidence requests.
Open Vendor AI RiskHuman Oversight
Reviewer authority, rationale, escalation, overrides, intervention records, and audit-ready oversight evidence.
Open Human OversightLLM / RAG Risk
Prompt risk, retrieval governance, access boundaries, output review, logging, monitoring, and incident evidence.
Open LLM / RAG RiskEvidence gap severity
Risk Signals
InfoSecured.ai treats weak evidence as a risk signal. A control that cannot be evidenced is not ready for audit, governance review, or serious challenge.
- Policy exists and is mapped to the AI use case.
- Control owner is assigned.
- Review records are retained.
- Escalation path is documented.
- Control exists but review records are incomplete.
- Vendor documentation is partial.
- Human review criteria are unclear.
- Exceptions are tracked inconsistently.
- No accountable owner is assigned.
- No retained evidence proves the control operated.
- Human review cannot be reconstructed.
- Vendor claims cannot be verified.
Control mapping logic
From domain to evidence.
Practical artifact
AI Risk Register Starter Kit
A template set for documenting AI risk in a way that supports governance review, vendor diligence, control mapping, human oversight, LLM/RAG assurance, and audit-readiness.
- AI Use Case Inventory
- Risk Domain Taxonomy
- Risk-to-Control Map
- Control Owner Register
- Vendor AI Risk Questionnaire
- Human Oversight Checklist
- LLM/RAG Control Matrix
- Evidence Register Fields
- Escalation and Exception Log
- Audit-Readiness Gap List
Domain pages
Dedicated pages should go deeper than this hub.
This page classifies the domain. Dedicated pages should provide the evidence questions, artifact structure, control mapping, and GridLock GRC object model for that specific domain.
Vendor AI Risk
Third-party AI claims, documentation, data use, contract risk, change notice, audit rights, and shared responsibility.
Open Vendor AI RiskHuman Oversight
Reviewer authority, escalation, rationale, overrides, interventions, and audit-ready human review records.
Open Human OversightLLM / RAG Risk
Prompt controls, retrieval governance, access boundaries, output review, monitoring, incidents, and logs.
Open LLM / RAG RiskGridLock GRC
Risk domains become structured evidence objects.
In GridLock GRC, each risk domain should connect to an AI system, use case, failure mode, control, owner, evidence item, exception, remediation action, and audit-readiness status.
The purpose is to make broad AI risk language reviewable. A risk domain becomes a traceable record that can be inspected, challenged, updated, and mapped to governance workflows.
GridLock GRC is not production software, a certified compliance platform, legal guidance, formal audit guidance, or a model-validation system. It is a public proof-of-work project for AI assurance evidence mapping.
Use notice
Independent research and portfolio artifacts.
InfoSecured.ai publishes independent AI assurance research, templates, and public proof-of-work artifacts for education, review, adaptation, and validation by qualified internal teams.
Materials are not legal advice, audit advice, certification advice, regulatory advice, model-validation advice, or a substitute for organization-specific professional review.
Classify the AI risk before building the evidence record.
Use the domain matrix to route AI risks into controls, owners, evidence records, vendor documentation, human oversight notes, LLM/RAG controls, exceptions, and audit-ready review status.