Risk assessment fields

| Field | What to record |
|---|---|
| Use case | What the AI system or tool is used for. |
| Business owner | The person accountable for the use case. |
| Vendor/tool/model | The AI product, model, platform or supplier involved. |
| Data involved | Public, internal, confidential, personal, customer or regulated data. |
| Human review | Whether a human checks outputs before use. |
| Customer impact | Whether the output affects customers, eligibility, advice, pricing or access. |
| Risk level | Low, moderate or high scrutiny. |
| Control notes | Rules, restrictions, monitoring, testing or review cadence. |

Simple classification rule

Low-risk uses are usually internal productivity aids with no sensitive data and no direct customer effect. Higher-scrutiny uses usually involve personal data, customer-facing decisions, automated actions, regulated contexts or weak human review.