The AI Risk Assessment Template

Before you put a consequential AI use into the world, you should assess what could go wrong. An AI risk assessment, sometimes called an impact assessment, is a short structured review of the harms a use could cause, how likely and severe they are, and what reduces them. This guide covers when to run one, what to include, and points you to a free template.

When you need one

You do not need a full assessment for every AI use. Reserve it for high-impact cases: anything customer-facing, anything touching sensitive or personal data, and anything that affects a decision about a person, such as hiring, credit, or eligibility. For low-risk internal uses, your acceptable use policy is enough.

What to assess

Keep it proportional

A risk assessment should match the stakes. A lightweight one-pager is fine for a limited internal tool. A customer-facing system that affects people warrants a thorough review with named mitigations, named owners, and a recorded sign-off. The point is a deliberate, documented decision, not paperwork for its own sake.

The starting point

A ready-made impact assessment and risk register

The Extrasphere Complete Toolkit includes an AI impact assessment, a risk register, and a use-case approval form, all mapped to ISO 42001 and the EU AI Act. One-time $299, including 12 months of update re-issues. Start free with a policy and readiness checklist.

How it maps to frameworks

A good assessment does double duty. ISO 42001 requires an AI system impact assessment process for consequential AI. The EU AI Act requires providers of high-risk systems to run a risk management process, and requires certain deployers of high-risk systems (public bodies and providers of public services, among others) to complete a fundamental rights impact assessment. The NIST AI RMF frames the same work under its Map, Measure, and Manage functions. Build the assessment once and it supports all three.

Frequently asked questions

What is an AI risk assessment?

A structured review of what could go wrong with a specific AI use, how likely and severe each harm is, and how you will reduce it before going live.

When should you run one?

For any high-impact use: customer-facing systems, uses involving sensitive data, or AI that affects decisions about people.

Who should carry it out?

The owner of the use case, reviewed by whoever owns governance, with legal input where people or sensitive data are involved.

Is it required?

Under the EU AI Act, providers of high-risk systems must run a risk management process, and certain deployers of high-risk systems must complete a fundamental rights impact assessment; ISO 42001 requires impact assessments for consequential uses.