An AI risk register thatgrades its own defensibility.
Every AI-governance framework demands a living risk register — ISO 42001 Cl. 6 & 8, NIST AI RMF, EU AI Act Art. 9. Most teams keep a spreadsheet that looks complete and is quietly indefensible. This one scores each entry on the governance basics and catches the one hole an auditor finds first: a severe risk you accepted that nobody owns.
A working aid, not legal advice. This grades whether each risk entry is governed — not whether a risk is acceptable, which is your judgment. It is not a risk assessment, a certification, or an audit opinion, and it scores no person. Effective dates are planning context only. Confirm your risk criteria and obligations with a qualified auditor or counsel.
A full-looking register isn't a defensible one.
ISO 42001 wants a maintained risk register with treatment, owners, and residual ratings. NIST and the EU Act want the same.
the worked sample: a high-scoring entry, still indefensible, because a severe accepted risk has no owner.
the risk register is the first artifact an auditor requests — and the easiest to fail quietly.
A register where every row is filled in can still be indefensible. The failure an auditor looks for is specific: a severe risk that has been accepted, but that nobody owns or has reviewed recently. This kit grades for exactly that — and refuses to call the register defensible while it stands.
Edit a risk. Watch the gate decide the register.
The register is NOT DEFENSIBLE if any in-scope entry is UNGOVERNED or trips the gate. It grades whether each risk is governed, not whether a risk is acceptable. Evaluation date 2026-06-29 is planning context only. It scores no person. Not legal advice.
The same verdict, reproducible from the command line.
A zero-dependency Python engine reproduces every number in the workbook and the demo. Point it at a CSV export of your register and it returns the per-entry verdict, the register verdict, and the entry to fix first.
$ python3 engine.py sample.csv
========================================================================
AI RISK REGISTER & TREATMENT-TRACKING — GOVERNANCE READ
Evaluation date: 2026-06-29
========================================================================
Register verdict: NOT DEFENSIBLE [accepted-high-residual gate fired]
Governed: 4/6 in-scope (67%) | Mean governance score (context only): 87/100
------------------------------------------------------------------------
Risk Score Verdict Treat Resid Title
R-01 100 GOVERNED mitigate medium LLM hallucination in customer
R-02 100 GOVERNED transfer low Vendor model change breaks pip
R-03 78 UNGOVERNED accept high Accepted bias risk in screenin *GATE
GATE: Accepted risk with HIGH residual severity and no named owner — accepting a severe risk nobody owns or has reviewed is indefensible on its own.
R-04 92 GOVERNED mitigate medium Prompt-injection via uploaded
R-05 62 GAP undecide medium Training-data licensing exposu
R-06 89 GOVERNED accept low Accepted minor logging gap
R-07 12 UNGOVERNED undecide low Deprecated pilot chatbot (reti (out of scope)
------------------------------------------------------------------------
FIX FIRST: R-03 (78/100, UNGOVERNED) — Accepted bias risk in screening aid
========================================================================
A working aid for grading an AI risk register, not a risk assessment,
certification, or audit. It grades whether each entry is governed, not
whether a risk is acceptable, and scores no person. Dates are planning
context only. Not legal advice.What makes a risk entry defensible.
A specific human is accountable — not a team, not a blank.
Mitigate, accept, transfer, or avoid — 'undecided' is not a treatment.
The exposure that remains after the treatment is rated.
A next-review date is set and not overdue as of the evaluation date.
Assessed on a defined scale, not guessed or blank.
Severity assessed on a defined scale.
If a risk is accepted and its residual severity is high, a missing owner or an overdue review forces that entry to UNGOVERNED and the whole register to NOT DEFENSIBLE — regardless of the score. The sample's R-03 scores 78 and still gates. Name an owner and bring the review current to release it — both are required.
A register that keeps you honest, not a verdict on your risks.
- A living register that grades whether each risk is governed.
- A gate that catches the accepted severe risk nobody owns.
- A reproducible workbook + engine + demo, all giving the same verdict.
- The record ISO 42001, NIST AI RMF, and EU AI Act Art. 9 contemplate.
- Not the risk assessment itself — you bring the risks and the ratings.
- Not a judgment on whether a risk is acceptable; that is yours to make.
- Not a certification or an audit opinion.
- Not a tool that scores or ranks any person, and not legal advice.
A working aid, not legal advice. This grades whether each risk entry is governed — not whether a risk is acceptable, which is your judgment. It is not a risk assessment, a certification, or an audit opinion, and it scores no person. Effective dates are planning context only. Confirm your risk criteria and obligations with a qualified auditor or counsel.
Anyone who has to keep an AI risk register current.
Where the register fits.
Scores your whole AIMS and routes a Risk & Impact gap straight to this register. Build it here; prove the clause there.
Classify AI systems by EU risk tier and produce FRIA / impact assessments — the per-system layer above the register.
Each high-impact risk this register flags deserves a per-system impact assessment. Build and grade it here.
Straight answers before you buy.
A living AI risk register that grades its own defensibility. You keep your risks in the workbook — one row each — and record the governance basics: likelihood, impact, treatment decision, a named owner, the residual rating, and a current review date. It returns GOVERNED / GAP / UNGOVERNED per entry and DEFENSIBLE / GAPS TO CLOSE / NOT DEFENSIBLE for the register. It is the record ISO 42001 Clauses 6 & 8, NIST AI RMF, and EU AI Act Article 9 contemplate.
Each entry is marked 0 / 1 / 2 on six governance fields weighted to 100: owner named (22) and treatment decided (20) carry the most, then residual rated (18), review current (16), and likelihood and impact rated (12 each). GOVERNED is 75+, GAP is 45–74, UNGOVERNED is below 45. The score grades whether the risk is governed — not whether the risk itself is acceptable, which is your judgment to make.
Because of the accepted-high-residual gate. If a risk is accepted and its residual severity is high, then a missing owner or an overdue review forces that entry to UNGOVERNED and the whole register to NOT DEFENSIBLE — regardless of the score. Accepting a severe risk that nobody owns, or that nobody has reviewed recently, is the indefensible hole an auditor finds first. The sample's R-03 scores 78 and still gates for exactly that reason. Name an owner and bring the review current — both — to release it.
The evaluation date is a fixed cell in the workbook (it never uses TODAY(), so the example reproduces forever). A next-review date earlier than the evaluation date is overdue, which caps 'review current' to at most 1. A blank or non-ISO date is treated the same way — it cannot be fully current. The engine, workbook, and on-page demo all pin to the same evaluation date so the numbers never drift.
No. It is a working aid for maintaining and grading a risk register. It does not perform the risk assessment for you, decide whether a risk is acceptable, or certify anything. ISO does not certify organizations; certification is performed by independent accredited bodies. This kit produces and grades the register that feeds that work — it is not the assessment and not the audit.
No. It is deterministic and offline. You enter your own marks in the workbook or run the Python engine locally; nothing uploads and no AI scores you. The same logic runs in the workbook, the engine, and the demo, so every number is reproducible. It grades whether each risk entry is governed — it scores no person.
Find the indefensible entry
before the auditor does.
One purchase, lifetime access, 12 months of updates. $99, once.
A working aid, not legal advice. This grades whether each risk entry is governed — not whether a risk is acceptable, which is your judgment. It is not a risk assessment, a certification, or an audit opinion, and it scores no person. Effective dates are planning context only. Confirm your risk criteria and obligations with a qualified auditor or counsel.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai