AgentSkillsCN

ai-risk-register-maintainer

在持续追踪投资组合中的AI专项风险时使用。建议在日常工作中持续使用。该技能可生成风险登记册、风险评分、缓解措施追踪,以及用于治理决策的报告。

SKILL.md
--- frontmatter
name: ai-risk-register-maintainer
description: Use when tracking AI-specific risks across the portfolio. Use continuously. Produces risk registry, risk scoring, mitigation tracking, and reporting for governance.

AI Risk Register Maintainer

Overview

Track AI-specific risks across the organization's AI portfolio. Maintain a living registry of risks, assess their likelihood and impact, track mitigations, and report to governance.

Core principle: AI introduces novel risks that traditional IT risk frameworks miss. Maintain dedicated visibility into AI-specific concerns.

When to Use

  • Setting up AI governance
  • Onboarding new AI systems
  • Quarterly risk reviews
  • Incident post-mortems
  • Regulatory reporting

Output Format

yaml
ai_risk_register:
  version: "[Version]"
  last_updated: "[YYYY-MM-DD]"
  owner: "[Risk owner]"
  
  risk_categories:
    - category: "[Category name]"
      description: "[What risks this covers]"
  
  risks:
    - id: "[RISK-001]"
      title: "[Risk title]"
      category: "[Category]"
      
      description:
        risk_statement: "[If X, then Y, resulting in Z]"
        affected_systems: ["[System 1]", "[System 2]"]
        affected_stakeholders: ["[Stakeholder]"]
      
      assessment:
        likelihood: "[1-5]"
        impact: "[1-5]"
        risk_score: "[Calculated]"
        risk_level: "[Critical | High | Medium | Low]"
        velocity: "[How fast could it materialize]"
        
      current_state:
        status: "[Open | Mitigating | Accepted | Closed]"
        trend: "[Increasing | Stable | Decreasing]"
        last_reviewed: "[YYYY-MM-DD]"
        
      controls:
        existing:
          - control: "[Current control]"
            effectiveness: "[High | Medium | Low]"
        
        planned:
          - control: "[Planned mitigation]"
            owner: "[Who]"
            due_date: "[When]"
            status: "[Not started | In progress | Complete]"
      
      residual_risk:
        after_controls: "[1-5]"
        acceptable: [true | false]
        acceptance_authority: "[If accepted, by whom]"
      
      monitoring:
        indicators: ["[KRI/early warning sign]"]
        frequency: "[How often checked]"
      
      related_incidents: ["[INC-XXX]"]
  
  summary:
    total_risks: "[N]"
    by_level:
      critical: "[N]"
      high: "[N]"
      medium: "[N]"
      low: "[N]"
    
    trend: "[Overall risk posture trend]"
    top_risks: ["[RISK-001]", "[RISK-002]", "[RISK-003]"]
    
  governance:
    review_schedule: "[Frequency]"
    escalation_path: "[Who to escalate to]"
    reporting_to: ["[Committee/Board]"]

AI-Specific Risk Categories

Model Risks

RiskDescriptionExample
Accuracy degradationModel performance declines over timeDrift causes 20% accuracy drop
HallucinationLLM generates false informationChatbot invents policy
Adversarial attackMalicious inputs cause failurePrompt injection
OverfittingModel fails on new dataWorks in test, fails in prod

Data Risks

RiskDescriptionExample
Training data biasBiased data leads to biased outcomesHiring tool discriminates
Data poisoningMalicious data corrupts modelAttacker injects bad labels
Data leakagePII exposed through modelModel memorizes SSNs
Data qualityPoor data quality degrades performanceCorrupted input causes errors

Operational Risks

RiskDescriptionExample
Model unavailabilityAI service is downInference API outage
Scaling failureCan't handle loadBlack Friday traffic spikes
Integration failureAI breaks downstream systemsBad output corrupts database
Vendor dependencyOver-reliance on AI providerOpenAI API changes break app

Ethical & Compliance Risks

RiskDescriptionExample
Unfair outcomesDisparate impact on groupsLoan denial rate disparity
Lack of explainabilityCan't explain decisionsRegulatory requires explanation
Consent violationUsing data without consentTraining on private data
Regulatory non-complianceViolating AI regulationsEU AI Act violation

Strategic Risks

RiskDescriptionExample
Misalignment with businessAI doesn't serve business goalsOptimizing wrong metric
Competitive exposureCompetitors gain advantageSlow AI adoption
Reputation damageAI incident harms brandViral AI failure screenshot
Skills shortageCan't hire/retain AI talentProjects stall

Risk Scoring

Likelihood Scale

ScoreDescriptionFrequency
5Almost certain>90% in next year
4Likely60-90%
3Possible30-60%
2Unlikely10-30%
1Rare<10%

Impact Scale

ScoreDescriptionExample
5CatastrophicRegulatory action, major financial loss, safety incident
4MajorSignificant financial loss, extended outage, legal action
3ModerateMaterial financial impact, degraded service, reputation hit
2MinorLimited impact, quickly recoverable
1NegligibleMinimal impact, no lasting effect

Risk Matrix

code
          │ Impact
Likelihood│  1    2    3    4    5
──────────┼──────────────────────────
    5     │  M    M    H    C    C
    4     │  L    M    H    H    C
    3     │  L    M    M    H    H
    2     │  L    L    M    M    H
    1     │  L    L    L    M    M

L=Low, M=Medium, H=High, C=Critical

Risk Monitoring

Key Risk Indicators (KRIs)

yaml
kri_examples:
  accuracy_degradation:
    indicator: "Model accuracy vs baseline"
    threshold: ">5% drop triggers review"
    frequency: "Daily"
  
  bias_drift:
    indicator: "Fairness metrics by group"
    threshold: "DI ratio <0.8 triggers alert"
    frequency: "Weekly"
  
  incident_rate:
    indicator: "AI-related incidents per month"
    threshold: ">3 per month triggers review"
    frequency: "Monthly"

Governance Reporting

Executive Summary Template

markdown
## AI Risk Summary - [Quarter]

**Overall Risk Posture:** [Green/Amber/Red]

### Top Risks
1. [Risk] - [Level] - [Trend]
2. [Risk] - [Level] - [Trend]
3. [Risk] - [Level] - [Trend]

### Key Changes
- [New risk added]
- [Risk level changed]
- [Mitigation completed]

### Actions Required
- [Decision needed from leadership]

Register Maintenance

Review Cadence

ActivityFrequencyParticipants
Risk identificationOngoingAll teams
Risk assessment reviewMonthlyRisk owners
Full register reviewQuarterlyRisk committee
Board reportingQuarterly/AnnualLeadership

Triggers for Update

  • New AI system deployed
  • Significant model change
  • Incident occurred
  • Regulatory change
  • External threat identified

Checklist

  • All AI systems covered
  • Risk categories comprehensive
  • Scoring consistent
  • Controls documented
  • Owners assigned
  • Monitoring in place
  • Review scheduled
  • Governance reporting current