AI Risk Register Template: Columns, Filled Examples, and How to Keep It Alive
Updated: July 2026
Skip the blank spreadsheet: auto-generate a risk register from your own Jira, Azure DevOps, or CSV export — free governance preview first, no card required. Or copy the template below into Excel/Jira and fill it by hand.
Every AI governance conversation eventually lands on the same question: "where is your risk register?" This page gives you a working AI risk register template — the columns that matter, five filled example rows you can pattern-match against, and the workflow that keeps it from going stale.
The columns that matter (and why)
- Risk ID — stable reference (e.g. AIR-001) so audits can trace decisions over time.
- AI system / work item — link to the actual initiative (Jira key, repo, vendor tool). A register detached from real work goes stale in a month.
- Risk description — one falsifiable sentence: what could happen, to whom.
- Category — data exposure · model behavior · automated-decision harm · regulatory · vendor/supply-chain · security.
- Likelihood & Impact — 1–5 each; keep the scale small enough that two reviewers agree.
- Risk band — High / Medium / Low, derived from likelihood × impact (not vibes).
- Owner — a named person, never a team. Unowned risks are unmanaged risks.
- Mitigation & status — the current control and whether it's planned, active, or verified.
- Next review date — the column that makes it a register instead of a document.
Filled example rows
Five realistic entries showing the level of specificity that survives an audit:
- AIR-001 · Support chatbot (GPT-4) · Data exposure · High. Customer PII may be included in prompts sent to a third-party model. Owner: Head of Support Eng. Mitigation: PII redaction layer before API calls (active); DPA with provider (verified). Review: quarterly.
- AIR-002 · Invoice OCR pipeline · Model behavior · Medium. Extraction errors on non-standard invoices could trigger wrong payments. Owner: Finance Ops lead. Mitigation: human approval above ₹50k; monthly accuracy sampling (active). Review: monthly.
- AIR-003 · Résumé screening assistant · Automated-decision harm · High. Ranking model may encode bias against protected groups; EU AI Act high-risk class. Owner: Head of TA. Mitigation: human-in-the-loop on all rejections (active); bias audit (planned, Q3). Review: monthly until audit.
- AIR-004 · Copilot rollout (engineering) · Vendor/supply-chain · Medium. Proprietary code in prompts subject to vendor retention policy. Owner: Eng Director. Mitigation: business tier with zero-retention; secrets-scanning pre-commit (active). Review: quarterly.
- AIR-005 · Sales-forecast model · Model behavior · Low. Drift after territory changes could misallocate targets. Owner: RevOps manager. Mitigation: quarterly back-test against actuals (active). Review: quarterly.
Run it in Jira (or Azure DevOps)
The register that survives is the one that lives where work happens: label AI-related issues (ai, genai, llm), add risk-band labels (high-risk / medium-risk / low-risk), assign owners on the items themselves, and review via a saved JQL filter instead of a standalone spreadsheet. Jira teams can automate the whole loop — detection, risk banding, review workflows, and evidence — with the AI Governance Hub app for Jira Cloud (runs entirely inside your tenant).
Or generate the register instead of typing it
AI Governance Hub builds the risk register for you from a project export: it detects AI-related work items, scores risk signals (PII, customer data, deployment type, model), assigns bands with reasons, and delivers the register inside a board-ready governance report (PDF, Word, PowerPoint, HTML). Free preview on your data; founding launch pricing from ₹199. Start here · download CSV templates.
Frequently asked
What is an AI risk register? A living record of AI-related risks — each with an owner, likelihood/impact, band, mitigation, and review date. It's the first artifact auditors ask for.
How is it different from a normal risk register? AI adds categories most registers miss: model behavior (hallucination, drift), prompt data exposure, automated-decision harm, EU AI Act obligations, and model supply-chain risk.
Is a generated register a compliance certification? No — it's governance evidence supporting review and readiness, not legal certification.
Next: see the full report a register ships inside · generate yours — free preview · frameworks: EU AI Act · ISO 42001 · NIST AI RMF