Skip to main content
COMPEL Body of Knowledge
Get Certified Platform

Calibrate Stage

AI Risk Appetite Framework

Risk appetite is the total amount of AI risk an organization is willing to accept in pursuit of its objectives. A formal appetite statement — agreed at the board level and broken down by risk category — becomes the reference point for every AI investment, deployment, and incident response decision.

4

Appetite Tiers

6

Risk Categories

6

Escalation Thresholds

6

Board Reporting Elements

What is AI risk appetite?

AI risk appetite is the organization-level declaration of how much uncertainty and potential harm the organization is prepared to accept in exchange for the value AI systems create. It sits one level above operational risk tolerance: appetite is strategic and stable, tolerance is tactical and may vary by system.

A complete risk appetite framework includes four components:

  • Tolerance tiers — a named scale (low, medium, high, very high) describing the posture the organization takes toward residual risk.
  • Risk categories — the dimensions across which appetite is expressed, because most organizations have different appetite for privacy risk than for experimental operational risk.
  • Escalation thresholds — the measurable conditions under which a breach must be raised, who owns the response, and how fast it must resolve.
  • Board reporting — the cadence and content of AI risk reporting so the board can verify that operation stays inside the declared appetite.

Risk appetite is defined during COMPEL's Calibrate stage and is a prerequisite for every downstream governance activity — without it, there is no objective standard against which to measure controls, escalations, or remediation decisions.

Tolerance Tiers

Four standard tiers of AI risk tolerance. Most organizations map each risk category to one of these levels to produce a full appetite profile. Higher tiers are reserved for sandboxed experimentation.

Low Appetite

Strict controls, near-zero tolerance for residual risk.

Control Posture

Mandatory human oversight on every decision, multi-party approval for deployment, preventive controls preferred over detective, comprehensive audit trail, and conservative change management.

Residual Risk Tolerance

No acceptance of material residual risk; any identified issue must be remediated before production use or during routine maintenance windows.

Example Use Cases

  • - AI in clinical diagnosis affecting patient care
  • - Credit decisioning in regulated lending
  • - Safety-critical control systems
  • - AI handling children's data or other highly protected populations

Medium Appetite

Standard controls, managed tolerance with documented acceptance.

Control Posture

Human-in-the-loop for material decisions, standard validation and monitoring, defined escalation paths, and change control aligned with enterprise governance.

Residual Risk Tolerance

Moderate residual risk acceptable when justified by documented business value and compensating controls; accepted risks tracked in the risk register with expiry dates.

Example Use Cases

  • - Internal productivity copilots with content review
  • - Marketing personalization within advertising standards
  • - AI-assisted HR screening with human final decisions
  • - Operational forecasting supporting human planners

High Appetite

Flexible controls, elevated tolerance for innovation.

Control Posture

Lightweight guardrails, automated monitoring, rapid iteration allowed within defined innovation sandboxes, periodic human review rather than per-decision oversight.

Residual Risk Tolerance

Elevated residual risk acceptable in exchange for speed of learning; bounded by pre-declared kill-switch criteria and maximum blast radius.

Example Use Cases

  • - Experimental AI features in controlled pilots
  • - Internal research and development workloads
  • - AI-assisted knowledge management inside trusted boundaries
  • - A/B testing of AI variants with opt-in users

Very High Appetite

Light controls, maximum tolerance reserved for sandbox conditions.

Control Posture

Minimal gating, full trust of the experimenting team, automated backstops only, full rollback capability, and clear scope containment preventing contact with production data or customers.

Residual Risk Tolerance

Willing to accept significant residual risk on the understanding that failures are contained, observable, and reversible. Not permitted outside sandbox or research environments.

Example Use Cases

  • - Red-team exercises and adversarial testing
  • - Synthetic-data research environments
  • - Internal hackathons with bounded scope
  • - Model evaluation against known edge cases

Risk Categories

AI risk is multi-dimensional. Declaring a single appetite across all risk is too coarse to be useful; organizations instead set a distinct appetite for each of the six categories below. The "typical appetite" shown is the most common posture — organizations should adjust based on their own strategy and regulatory context.

Data Privacy

Typical appetite: low Organize

Risks related to the collection, storage, processing, and disclosure of personal or sensitive data used to train, fine-tune, or run AI systems, including cross-border transfer and retention obligations.

Example Risks

  • - Training data contains personal information without lawful basis
  • - Model inversion or membership inference attacks recovering training records
  • - Unintentional disclosure of PII in model outputs
  • - Non-compliance with GDPR / CCPA / HIPAA / sector-specific privacy laws

Primary Controls

  • - Data minimization and purpose limitation in training pipelines
  • - De-identification and tokenization for PII
  • - Lawful-basis register tied to each training dataset
  • - Output filtering for sensitive disclosures
  • - Data Protection Impact Assessments (DPIAs)

Model Bias and Fairness

Typical appetite: low Evaluate

Risks that AI systems produce systematically different outcomes for protected groups or amplify historical inequities in training data, harming individuals and exposing the organization to discrimination liability.

Example Risks

  • - Disparate impact on protected classes in credit, hiring, or health decisions
  • - Feedback loops amplifying bias during model retraining
  • - Underperformance on minority dialects or low-resource languages
  • - Proxy variables encoding protected attributes

Primary Controls

  • - Pre-deployment bias testing across demographic subgroups
  • - Continuous fairness monitoring in production
  • - Feature-level proxy analysis
  • - Remediation workflow for confirmed disparities
  • - Representation audit of training data

Operational

Typical appetite: medium Produce

Risks to the availability, performance, and correct behavior of AI systems in production, including model drift, pipeline failures, vendor dependencies, and incident response readiness.

Example Risks

  • - Silent model drift degrading decision quality
  • - Upstream data schema changes breaking inference
  • - Vendor model deprecation without migration path
  • - Insufficient observability to detect or diagnose incidents

Primary Controls

  • - Drift detection and automatic alerting
  • - Canary deployment and rollback procedures
  • - Vendor risk register and exit strategies
  • - SRE-style golden-signal dashboards for AI services
  • - Tabletop exercises for AI incident response

Regulatory and Legal

Typical appetite: low Calibrate

Risks arising from non-compliance with the EU AI Act, sector regulation (HIPAA, SR 11-7, DORA, FCA, PCI-DSS), state AI laws, and emerging supervisory expectations, including enforcement, fines, and forced remediation.

Example Risks

  • - Deploying a high-risk AI system without conformity assessment
  • - Missing required registration in the EU AI Act database
  • - Failure to provide human oversight where mandated
  • - Audit findings from SR 11-7, DORA, or sector regulators

Primary Controls

  • - Regulatory requirements matrix mapped to AI systems
  • - Conformity assessment and documentation packages
  • - Regulatory change management workflow
  • - Legal sign-off gate before production release
  • - Examination-readiness evidence library

Reputational

Typical appetite: low Produce

Risks to brand, customer trust, and stakeholder confidence arising from visible AI failures, unfair outcomes, inappropriate model behavior, or misaligned public communications about AI use.

Example Risks

  • - Public incident involving AI-generated harmful content
  • - Customer backlash over undisclosed automated decisions
  • - AI-washing enforcement from regulators
  • - Employee or community resistance to AI deployment

Primary Controls

  • - Transparency and disclosure standards for customer-facing AI
  • - Content safety guardrails and escalation paths
  • - Proactive stakeholder engagement on AI initiatives
  • - Communications playbook for AI incidents
  • - Third-party ethics review for high-visibility systems

Security

Typical appetite: low Produce

Risks from adversarial attacks, prompt injection, data exfiltration, unauthorized model access, and supply-chain compromise across the AI development and deployment lifecycle.

Example Risks

  • - Prompt injection leaking system prompts or tool credentials
  • - Model weights exfiltration or theft
  • - Poisoned training data introducing backdoors
  • - Unauthorized access to inference endpoints
  • - Compromised upstream model or library dependency

Primary Controls

  • - Threat modeling for each AI system
  • - Input and output validation for LLM-based services
  • - Least-privilege tool and data access for agents
  • - Signed model and dataset provenance
  • - Red-team testing before production release

Escalation Thresholds

Appetite is only enforced if breaches are detected and escalated. Each threshold below defines the measurable trigger, the required response, the accountable role, and the target resolution window.

Trigger Condition Response Owner Target
Bias disparity exceeds threshold Subgroup performance gap exceeds the policy threshold (commonly 5 to 10 percentage points relative disparity) on any protected characteristic. Freeze new deployments of the affected model, open a remediation ticket, and notify the AI governance committee. Production use continues only with documented compensating controls. Model Owner + AI Governance Committee 10 business days to remediation plan; 45 days to fix or decommission.
Model drift breach Production accuracy or key calibration metric drops below the declared operating range for two consecutive monitoring windows. Automatic alert to the model owner, forced revalidation, and consideration of rollback to the last known good version. Model Owner + MLOps Lead 5 business days to root-cause; 15 days to remediation.
Regulatory finding External regulator or internal audit identifies an AI-specific gap, finding, or required action. Immediate notification to Legal and the Chief Risk Officer, creation of a tracked remediation plan, and inclusion in the next board risk report. CRO + Head of AI Governance Remediation timeline as agreed with the regulator.
Security incident Confirmed compromise of AI system, training data exfiltration, prompt injection causing credential leakage, or adversarial misuse. Invoke AI incident response playbook, isolate affected components, preserve forensic evidence, and escalate to CISO and CRO. Customer or regulator notification as required. CISO + Model Owner Containment within 4 hours; post-incident review within 10 business days.
Unauthorized use outside approved scope AI system used for a purpose or in a population outside its approved use-case boundary. Suspend access for the unauthorized scope, investigate root cause, and update access controls and documentation. AI Governance Committee Suspension immediate; investigation complete within 5 business days.
Third-party AI provider incident Critical vendor AI service experiences outage, breach, or model change with material impact on downstream services. Activate vendor incident procedures, assess blast radius, trigger contractual remedies, and consider exit strategy if incident is systemic. Vendor Risk Lead + Model Owner Impact assessment within 1 business day; remediation per contract.

Board Reporting

The board cannot own AI risk appetite if it does not see whether the organization is operating inside or outside that appetite. These reporting elements form a minimum viable AI risk report for the board and its risk committee.

Risk Appetite Statement Review

Annual

Review and reaffirm the organization's AI risk appetite statement, including any proposed changes to category-level tolerance or escalation thresholds.

Evidence: Risk appetite statement Change log Committee minutes

AI Portfolio Risk Heatmap

Quarterly

Summary of all production AI systems mapped to risk category and residual risk level, highlighting systems operating outside appetite.

Evidence: AI system inventory Residual risk heatmap Breach register

Escalation and Incident Summary

Quarterly

Report of escalations triggered, incidents occurred, root-cause analyses, and remediation status since the previous board report.

Evidence: Incident log Escalation register Remediation tracker

Regulatory Horizon Scan

Semi-Annual

Forward-looking view of emerging AI regulations, supervisory priorities, and required organizational responses.

Evidence: Regulatory intelligence report Gap analysis Compliance roadmap

Model Risk Aggregation

Quarterly

Aggregate model risk reporting including tier-weighted exposure, validation findings status, and models approaching revalidation deadlines.

Evidence: Model inventory Validation findings register Revalidation schedule

Fairness and Outcome Monitoring

Quarterly

Status of fairness monitoring across customer-impacting AI systems, including disparities detected and remediation outcomes.

Evidence: Fairness dashboard Disparity register Remediation log