Obligation guide
What is AI Risk Management?
Required by 15 regulations across 8 jurisdictions in the XIRA catalog (state, federal, and local codes).
Definition
AI risk management is an ongoing program that identifies, ranks, and treats risks from AI systems. It borrows from privacy and security programs but focuses on model behavior, oversight, and vendor reliance rather than only data breach scenarios.
See also our AI compliance glossary for short definitions of common terms.
Which regulations require this
- Executive Order 14281: Restoring Equality of Opportunity and Meritocracy
  Directs federal agencies to deprioritize disparate-impact enforcement across civil rights statutes (Title VII, Title...
  FEDERAL | Federal | High | In effect
- California Transparency in Frontier AI Act (SB 53)
  Requires developers of frontier AI models trained above the statutory compute threshold (10^26 FLOPs) to publish safe...
  CA | AI-specific | High | In effect
- New York Responsible AI Safety and Education Act (RAISE Act, S6953B/A6453B)
  New York's RAISE Act regulates frontier AI model developers. Requires publication of a frontier AI framework, quarter...
  NY | AI-specific | Medium | Upcoming
- New York AI Companion Models Law (A3008, Article 47)
  Requires AI companion operators to disclose AI nature, provide reminders every 3 hours of use, and implement protocol...
  NY | AI-specific | Medium | In effect
- DOJ AI Litigation Task Force
  Coordinates federal civil litigation strategy on AI-related matters across the Department of Justice. Executive order...
  FEDERAL | Federal | Medium | In effect
- FDA AI/ML Medical Device Framework
  FDA requires pre-market review (510(k), De Novo, PMA) for AI/ML-based software that meets the definition of a medical...
  FEDERAL | Federal guidance | Medium | In effect
- Washington AI Chatbot Safety for Minors (HB 2225)
  First-in-nation law requiring AI chatbot operators to disclose AI nature at regular intervals (every 3 hours for adul...
  WA | AI-specific | Medium | Enacted (pending)
- Montana Right to Compute Act (SB 212)
  Requires deployers of critical infrastructure facilities controlled by AI to develop a risk management policy based o...
  MT | AI-specific | Low | In effect
- NIST AI Risk Management Framework (AI RMF 1.0)
  NIST AI RMF is a voluntary framework used as a practical benchmark by regulators and lawmakers. NIST released AI RMF...
  FEDERAL | Framework | Low | In effect
- California Insurance AI Disclosures (SB 1120)
  Requires AI disclosure in insurance sector contexts. Sector-specific regulation for insurers using AI in underwriting...
  CA | Sector-specific | Low | In effect
- Executive Order 14110 on AI (Revoked)
  Established federal policy priorities for AI safety, security, and rights protections across agencies. Directed agenc...
  FEDERAL | Federal | Low | Revoked
- Connecticut Government AI Procurement and Oversight (SB 1103)
  First-in-nation state government AI procurement law. Requires state agencies to inventory AI systems, conduct impact...
  CT | AI-specific | Low | In effect
- Maryland AI Governance Act of 2024 (SB 818)
  Requires Maryland state agencies to inventory AI systems, conduct impact assessments, and follow DoIT policies for AI...
  MD | AI-specific | Low | In effect
- California Government AI Accountability Act (SB 896)
  Requires California state agencies to disclose use of generative AI in communications with individuals about governme...
  CA | AI-specific | Low | In effect
- Texas Government AI Ethics and Oversight (SB 1964)
  Requires Texas state agencies and local governments to inventory AI systems, adopt an AI code of ethics aligned with...
  TX | AI-specific | Low | In effect
What you should do next
- Maintain a living register of models, owners, data classes, and deployment regions.
- Score each system for legal, safety, and reputational impact.
- Assign mitigations with dates, such as extra testing, human review, or vendor terms.
- Review the register quarterly or when acquisitions and launches shift your footprint.
- Tie executive reporting to the same metrics you would show a board audit committee.