The artifact an auditor asks for first

An AI risk register thatgrades its own defensibility.

Every AI-governance framework demands a living risk register — ISO 42001 Cl. 6 & 8, NIST AI RMF, EU AI Act Art. 9. Most teams keep a spreadsheet that looks complete and is quietly indefensible. This one scores each entry on the governance basics and catches the one hole an auditor finds first: a severe risk you accepted that nobody owns.

Get the System — $99one-time · instant download · yours to keep

A working aid, not legal advice. This grades whether each risk entry is governed — not whether a risk is acceptable, which is your judgment. It is not a risk assessment, a certification, or an audit opinion, and it scores no person. Effective dates are planning context only. Confirm your risk criteria and obligations with a qualified auditor or counsel.

Five deliverables · runnable
Risk register workbook (.xlsx)
core
Runnable Python engine
runnable
Governance-field config
editable
Build & Governance Playbook
docx
Treatment & Gap-Closure Runbook
docx
Works alongside
ISO 42001 Diagnostic · EU AI Act Kit · Data-Flow Register
01The Problem

A full-looking register isn't a defensible one.

Cl. 6 & 8

ISO 42001 wants a maintained risk register with treatment, owners, and residual ratings. NIST and the EU Act want the same.

78 → UNGOVERNED

the worked sample: a high-scoring entry, still indefensible, because a severe accepted risk has no owner.

First ask

the risk register is the first artifact an auditor requests — and the easiest to fail quietly.

A register where every row is filled in can still be indefensible. The failure an auditor looks for is specific: a severe risk that has been accepted, but that nobody owns or has reviewed recently. This kit grades for exactly that — and refuses to call the register defensible while it stands.

02See It Work

Edit a risk. Watch the gate decide the register.

Risk register — score each entry 0–2
R-01LLM hallucination in answers
100GOVERNED
Likelihood
Impact
Treatment set
Owner
Residual rated
Review
R-02Vendor model change breaks pipeline
100GOVERNED
Likelihood
Impact
Treatment set
Owner
Residual rated
Review
R-03Accepted bias risk in screening aid
78UNGOVERNED
Likelihood
Impact
Treatment set
Owner
Residual rated
Review
accepted-high-residual gate fired
R-04Prompt-injection via uploaded docs
92GOVERNED
Likelihood
Impact
Treatment set
Owner
Residual rated
Review
R-05Training-data licensing exposure
62GAP
Likelihood
Impact
Treatment set
Owner
Residual rated
Review
NOT DEFENSIBLE
3/5 governed · 60% coverage
An accepted risk with high residual severity has no owner or an overdue review — indefensible on its own, so the register is NOT DEFENSIBLE regardless of how clean the rest reads.
Fix first: R-03 Accepted bias risk in screening aid (78/100, UNGOVERNED)

The register is NOT DEFENSIBLE if any in-scope entry is UNGOVERNED or trips the gate. It grades whether each risk is governed, not whether a risk is acceptable. Evaluation date 2026-06-29 is planning context only. It scores no person. Not legal advice.

03The Runnable Engine

The same verdict, reproducible from the command line.

A zero-dependency Python engine reproduces every number in the workbook and the demo. Point it at a CSV export of your register and it returns the per-entry verdict, the register verdict, and the entry to fix first.

$ python3 engine.py sample.csv

========================================================================
AI RISK REGISTER & TREATMENT-TRACKING — GOVERNANCE READ
Evaluation date: 2026-06-29
========================================================================
Register verdict: NOT DEFENSIBLE [accepted-high-residual gate fired]
Governed: 4/6 in-scope (67%)   |   Mean governance score (context only): 87/100
------------------------------------------------------------------------
Risk     Score  Verdict     Treat     Resid   Title
R-01       100  GOVERNED    mitigate  medium  LLM hallucination in customer 
R-02       100  GOVERNED    transfer  low     Vendor model change breaks pip
R-03        78  UNGOVERNED  accept    high    Accepted bias risk in screenin *GATE
         GATE: Accepted risk with HIGH residual severity and no named owner — accepting a severe risk nobody owns or has reviewed is indefensible on its own.
R-04        92  GOVERNED    mitigate  medium  Prompt-injection via uploaded 
R-05        62  GAP         undecide  medium  Training-data licensing exposu
R-06        89  GOVERNED    accept    low     Accepted minor logging gap
R-07        12  UNGOVERNED  undecide  low     Deprecated pilot chatbot (reti  (out of scope)
------------------------------------------------------------------------
FIX FIRST: R-03 (78/100, UNGOVERNED) — Accepted bias risk in screening aid
========================================================================
A working aid for grading an AI risk register, not a risk assessment,
certification, or audit. It grades whether each entry is governed, not
whether a risk is acceptable, and scores no person. Dates are planning
context only. Not legal advice.
04The Six Governance Fields

What makes a risk entry defensible.

Owner named
22

A specific human is accountable — not a team, not a blank.

Treatment decided
20

Mitigate, accept, transfer, or avoid — 'undecided' is not a treatment.

Residual rated
18

The exposure that remains after the treatment is rated.

Review current
16

A next-review date is set and not overdue as of the evaluation date.

Likelihood rated
12

Assessed on a defined scale, not guessed or blank.

Impact rated
12

Severity assessed on a defined scale.

The accepted-high-residual gate

If a risk is accepted and its residual severity is high, a missing owner or an overdue review forces that entry to UNGOVERNED and the whole register to NOT DEFENSIBLE — regardless of the score. The sample's R-03 scores 78 and still gates. Name an owner and bring the review current to release it — both are required.

05What This Is — And Isn't

A register that keeps you honest, not a verdict on your risks.

What it is
  • A living register that grades whether each risk is governed.
  • A gate that catches the accepted severe risk nobody owns.
  • A reproducible workbook + engine + demo, all giving the same verdict.
  • The record ISO 42001, NIST AI RMF, and EU AI Act Art. 9 contemplate.
What it isn't
  • Not the risk assessment itself — you bring the risks and the ratings.
  • Not a judgment on whether a risk is acceptable; that is yours to make.
  • Not a certification or an audit opinion.
  • Not a tool that scores or ranks any person, and not legal advice.

A working aid, not legal advice. This grades whether each risk entry is governed — not whether a risk is acceptable, which is your judgment. It is not a risk assessment, a certification, or an audit opinion, and it scores no person. Effective dates are planning context only. Confirm your risk criteria and obligations with a qualified auditor or counsel.

06Who It's For

Anyone who has to keep an AI risk register current.

Compliance and security leads standing up an AIMS risk register for the first time.
Founders whose enterprise buyers or auditors ask to see the register.
Consultants running AI-governance engagements who need a defensible register spine.
Teams that already track risks in a spreadsheet but can't prove it's defensible.
08Common Questions

Straight answers before you buy.

A living AI risk register that grades its own defensibility. You keep your risks in the workbook — one row each — and record the governance basics: likelihood, impact, treatment decision, a named owner, the residual rating, and a current review date. It returns GOVERNED / GAP / UNGOVERNED per entry and DEFENSIBLE / GAPS TO CLOSE / NOT DEFENSIBLE for the register. It is the record ISO 42001 Clauses 6 & 8, NIST AI RMF, and EU AI Act Article 9 contemplate.

Find the indefensible entry
before the auditor does.

One purchase, lifetime access, 12 months of updates. $99, once.

A working aid, not legal advice. This grades whether each risk entry is governed — not whether a risk is acceptable, which is your judgment. It is not a risk assessment, a certification, or an audit opinion, and it scores no person. Effective dates are planning context only. Confirm your risk criteria and obligations with a qualified auditor or counsel.

Sold by RedHub AI LLC · Secured by Stripe · redhub.ai