AIG-004 AI Risk Tolerance and Governance Objectives
Description
The organisation documents its AI risk tolerance — the types and levels of AI-related risk it is willing to accept — and derives measurable AI governance objectives from it. Risk tolerance statements address dimensions including safety, fairness, privacy, reliability, and regulatory compliance. Objectives are reviewed at least annually and inform resource allocation decisions for AI risk management activities.
Rationale
Risk tolerance provides the decision rule that determines when AI risks require treatment; without it, risk management is inconsistent and unauditable.
Framework Mappings (3)
| Reference | Control / Subcategory | Coverage |
| --- | --- | --- |
| A.6.1.2 | Objectives for responsible development of AI system | partial |
| GOVERN 1.3 | Risk Management Activity Level Determination | full |
| MAP 1.5 | Organisational Risk Tolerance | full |
Evidence (2)
AI risk tolerance statement or risk appetite declaration documenting the types and levels of AI risk the organisation is willing to accept, covering safety, fairness, privacy, reliability, and regulatory compliance dimensions.
Example: AI Risk Appetite Statement v1.0 (Confluence), approved by Risk Committee 2025-09-30, specifying quantified thresholds for acceptable error rates, bias metrics, and prohibited risk categories.
Test: Request the AI risk tolerance or risk appetite document. Verify: (1) risk dimensions include at minimum safety, fairness, privacy, and regulatory compliance, (2) tolerance levels are expressed in measurable terms (not only qualitative), (3) approval by an appropriate governance body is evidenced, (4) review date is within the last 12 months, (5) a mechanism connecting tolerance statements to AI governance objectives is documented.
AI governance objectives and associated metrics, demonstrating that risk tolerance has been translated into measurable, time-bound objectives that inform resource allocation.
Example: AI Governance OKRs 2025–2026 (Notion), including measurable objectives such as 'bias testing coverage 100% of Tier 2+ systems by Q3 2025' and 'all AI systems mapped to risk tier by Q1 2026'.
Test: Request AI governance objectives documentation. Verify: (1) objectives are derived from stated risk tolerance dimensions, (2) each objective has a measurable target and due date, (3) progress against objectives is tracked, (4) objectives were reviewed within the last 12 months.
Questions (2)
Has your organisation documented its AI risk tolerance — the types and levels of AI risk it is willing to accept?
Risk tolerance is the decision rule that determines when AI risks require treatment. Without it, risk management decisions are inconsistent and cannot be audited. Look for explicit statements covering safety, fairness, privacy, reliability, and regulatory compliance.
How are your AI risk tolerance statements expressed?
Enterprise buyers should expect at minimum quantified thresholds for the risk dimensions relevant to your AI use cases. Qualitative-only statements cannot be verified or used to drive consistent risk treatment decisions.