AI risk management is the practice of identifying, measuring, and mitigating the risks an organization takes on when it uses AI. Digital Information Governance extends it from model risk to decision risk: the risk that an AI-influenced decision cannot be reconstructed, explained, or defended.
Most AI risk management programs are built around the model: is it biased, is it drifting, is it secure? Those are real risks, and the NIST AI Risk Management Framework organizes them well. But the risk an organization is actually held to account for is rarely the model in the abstract. It is the decision the model influenced.
Model risk, and where it stops
Model risk management asks whether the model behaves as intended. It measures bias, monitors drift, tests robustness, and documents the model. This is necessary work, and it maps cleanly to the Measure and Manage functions of the NIST AI RMF.[1] It stops, though, at the boundary of the model: a perfectly governed model can still feed a decision that no one can later defend.
The decision-risk gap
Decision risk is the risk that, when an AI-influenced decision is questioned by a regulator, partner, or court, the organization cannot show what was decided, on what basis, and who was accountable. It is the gap model risk management leaves open, and it is widening as AI moves into hiring, lending, pricing, safety, and operations. DIG names this gap and closes it.
Mapping to the NIST AI RMF
DIG operationalizes the NIST functions at the decision level. Map corresponds to Information Provenance, knowing a decision's inputs and context. Govern and Manage correspond to Decision Traceability and Audit Readiness, the accountability and records that make a decision defensible. Measure tests whether those controls actually hold.
The four pillars as risk controls
| Pillar | Risk it controls |
|---|---|
| Information Provenance | Controls input risk: decisions built on untraceable or stale information. |
| Decision Traceability | Controls accountability risk: no record of who decided or why. |
| Representation Integrity | Controls misrepresentation risk: AI systems stating something false about the organization. |
| Audit Readiness | Controls evidence risk: being unable to prove oversight on demand. |
Frequently asked questions
What is AI risk management?
The practice of identifying, measuring, and mitigating the risks of using AI, traditionally focused on model risk (bias, drift, security). Digital Information Governance extends it to decision risk: the risk that an AI-influenced decision cannot be defended.
How does AI risk management relate to the NIST AI RMF?
The NIST AI Risk Management Framework (Govern, Map, Measure, Manage) is the leading standard for it. DIG operationalizes those functions at the decision level through its four pillars.
Is model risk management enough?
No. A well-governed model can still produce a decision no one can defend. Decision risk, the gap DIG closes, sits beyond the model.
References
- [1] NIST AI Risk Management Framework (AI RMF 1.0): Govern, Map, Measure, Manage. National Institute of Standards and Technology, 2023.
- Information governance: the records and data lifecycle discipline (storage, retention, disposition), distinct from AI decision governance. ARMA International, Generally Accepted Recordkeeping Principles; AIIM.
- EU AI Act, Regulation (EU) 2024/1689 (Official Journal of the European Union); ISO/IEC 42001:2023; Texas Responsible AI Governance Act (TRAIGA).
- USPTO Trademark Reg. No. 99559923, Digital Information Governance / DIG, owner Matthew Bertram.