Although artificial intelligence (AI) is an emerging technology with complexities not seen in previous IT solutions, AI-related risk can and should be managed using the AI risk life cycle. AI risk needs to be identified, assessed, treated, and monitored, and the state of AI risk needs to be measured and reported on. The risk practitioner will also need to consider nontechnical risk areas, such as accountability, ethics, and environmental, social, and governance (ESG) impacts, when managing AI risk.
Additionally, the rapid adoption of AI has increased the complexity of supply chains and vendor management, where vendors “silently” add AI-enabled features or leverage suppliers of suppliers to deliver services. This is further magnified with the use of cloud services, where the organization outsources the provision and maintenance of infrastructure and applications and benefits from innovative use of technology, with the disadvantage of losing deep insight into the vendor’s security practices. This also impacts business continuity, disaster recovery, and incident response.
However, AI also enables risk practitioners to automate some risk management tasks, such as threat modeling and threat detection, and thereby address challenges created by AI itself. Risk practitioners should evaluate potential AI use cases to determine whether, and how, they can better manage AI risk.
This domain represents 42% (approximately 38 questions) of the exam.
Domain 3: Exam Content Outline
A: AI Risk Scenario Identification and Assessment
B: AI Risk Treatment Strategies
C: AI Controls Management
D: AI Risk Metrics, Monitoring, and Reporting
E: AI Supply Chain Risk Management
F: AI Incident Response, BIA, Business Continuity, and Disaster Recovery
Learning Objectives/Task Statements
Evaluate risk related to AI models/solutions including design, suitability, algorithms, training, drift, and AI life cycle.
Facilitate the integration of AI risk management into an enterprise risk management framework and risk programs.
Develop and implement an AI risk management framework, including roles and accountability, AI risk policies and procedures, and acceptable risk tolerance levels.
Conduct risk assessments to identify and classify risks associated with AI.
Develop and recommend risk treatment strategies for identified AI risks.
Assess compliance with applicable AI-related regulations, laws, frameworks, standards, and guidelines.
Integrate AI risk considerations into existing governance programs.
Integrate AI risk considerations into existing risk register and control taxonomies.
Evaluate AI use cases based on the organization’s risk appetite.
Monitor and test organizational processes to identify AI risks.
Collaborate with stakeholders to develop and integrate AI risk concepts into enterprise-wide awareness training.
Capture AI risk considerations in enterprise risk metrics and reporting (e.g., board, management, operations).
Conduct and/or evaluate threat and vulnerability assessments on AI projects/programs.
Collaborate with stakeholders to integrate AI risk scenarios into the enterprise incident management program.
Continuously assess and monitor the risk landscape for emerging AI risk.
Evaluate controls to manage AI-related risk within the organization’s risk tolerance.
Advise on AI-related risk within contracts and service agreements, including data usage and intellectual property.
Evaluate AI risk as part of supply chain risk management.
Collaborate with stakeholders to address AI trustworthiness and impacts including ethics, bias, privacy, safety, and environmental, social, and governance (ESG) implications.
Leverage AI to support the risk management program (e.g., risk profile, reporting, evaluation, risk models, and analysis).
Integrate AI-related risk considerations into the change management process.
Incorporate AI-related risk considerations into incident response, BIAs, the BCP, and DRP.
Assess human oversight controls at critical decision points for risk and AI impact.
Suggested Resources for Further Study
Chan, A.; “Can AI Be Used for Risk Assessments,” 28 April 2023
EU AI Act, “Annex III: High-Risk AI Systems Referred to in Article 6(2)”
Factor Analysis of Information Risk (FAIR) Institute, FAIR-AIR Approach Playbook: Using a FAIR-based Risk Approach to Expedite AI Adoption at Your Organization
Giudici, P.; Centurelli, M.; et al.; “Artificial Intelligence Risk Measurement,” Expert Systems with Applications, vol. 235, 2024
ISACA, Artificial Intelligence Audit Toolkit
ISACA, CRISC Official Review Manual, 8th Edition, USA, 2025
ISACA, Keeping Pace with the Rise of AI: Your Guide to Policies, Ethics, and Risk, 1 November 2024
Massachusetts Institute of Technology (MIT), “The MIT AI Risk Repository”