	In Browser
	StumbleUpon
	del.icio.us
	Google
	Google Buzz
	reddit
	LinkedIn

	Facebook
	Twitter
	Linkedin
	E-Mail

Generative AI > AI Governance > AI Risk Register - Tracking and Mitigating LLM Risks

AI Risk Register - Tracking and Mitigating LLM Risks

Author: Venkata Sudhakar

ShopMax India's LLM systems handle product recommendations, customer support, pricing queries, and fraud detection. Each use case carries distinct risks - hallucinated product details, biased recommendations, data leakage, or regulatory non-compliance. An AI risk register is a structured inventory of these risks, rated by likelihood and impact, with assigned owners and mitigation actions. It is the cornerstone of a responsible AI governance programme.

Each risk entry captures the risk description, affected system, likelihood score (1-5), impact score (1-5), risk score (likelihood x impact), mitigation strategy, owner, and review date. The register is reviewed monthly. High-score risks trigger immediate mitigation sprints. ShopMax India integrates the risk register with its incident response system so production incidents automatically create or escalate risk entries.

The example below builds a lightweight AI risk register for ShopMax India using Python dataclasses with automatic priority scoring and CSV export for stakeholder reporting.

import csv
from dataclasses import dataclass
from typing import List

@dataclass
class AIRisk:
    risk_id: str
    system: str
    description: str
    likelihood: int  # 1-5
    impact: int      # 1-5
    mitigation: str
    owner: str

@property
    def score(self):
        return self.likelihood * self.impact

@property
    def priority(self):
        if self.score >= 20: return "CRITICAL"
        if self.score >= 10: return "HIGH"
        if self.score >= 5:  return "MEDIUM"
        return "LOW"

risks = [
    AIRisk("R-001", "Product Recommender", "LLM hallucinates product specs", 3, 4,
           "Validate specs against product DB", "ML Team"),
    AIRisk("R-002", "Support Chatbot", "PII leakage via prompt injection", 2, 5,
           "Input scanning + output redaction", "Security Team"),
    AIRisk("R-003", "Pricing Bot", "Biased pricing for specific cities", 2, 3,
           "Monthly fairness audit on city-level outputs", "Data Team"),
    AIRisk("R-004", "RAG Pipeline", "Outdated documents returned to users", 4, 3,
           "Implement document freshness scoring", "Infra Team"),
]

risks_sorted = sorted(risks, key=lambda r: r.score, reverse=True)

print(f"{"ID":<8} {"System":<22} {"Score":<7} {"Priority":<10} {"Owner"}")
print("-" * 62)
for r in risks_sorted:
    print(f"{r.risk_id:<8} {r.system:<22} {r.score:<7} {r.priority:<10} {r.owner}")

with open("ai_risk_register.csv", "w", newline="") as f:
    writer = csv.writer(f)
    writer.writerow(["ID", "System", "Score", "Priority", "Mitigation", "Owner"])
    for r in risks_sorted:
        writer.writerow([r.risk_id, r.system, r.score, r.priority, r.mitigation, r.owner])
print("\nExported to ai_risk_register.csv")

It gives the following output,

ID       System                 Score   Priority   Owner
--------------------------------------------------------------
R-001    Product Recommender    12      HIGH       ML Team
R-004    RAG Pipeline           12      HIGH       Infra Team
R-002    Support Chatbot        10      HIGH       Security Team
R-003    Pricing Bot            6       MEDIUM     Data Team

Exported to ai_risk_register.csv

Review the risk register monthly with representatives from ML, security, legal, and product teams. Any production incident should trigger a risk register review to check whether the incident was a known risk that escalated or a new risk to add. Set automated alerts when a risk score rises above 15 - the owning team must submit a mitigation plan within 48 hours. Archive old risk entries rather than deleting them to maintain a complete audit trail for regulators.

Send your comments, suggestions or queries regarding this site to [email protected].