Implement AI Risk Assessments

Conduct early AI risk assessments to understand where systems may create risk, cause harm, or need stronger safeguards. These assessments are a critical tool for making responsible decisions about AI use as they help surface legal, operational, and ethical risks before systems are procured, deployed, or used.

This can sometimes be a simple checklist or screening tool, but in cases involving complex or high-impact systems, it may require deeper analysis, structured engagement with decision-makers, and ongoing assessment. Key factors typically considered include the system’s purpose, potential for bias, data sensitivity, and who might be affected.

The goal is to triage rather than block AI systems, and to focus closer attention on those with higher potential impact. Done well, these assessments enable smarter decisions, targeted mitigation, and clearer accountability for AI use.

This practice should apply to both AI systems developed in-house, where relevant, and those acquired from external vendors. Many organisations first encounter AI through third-party tools, such as software platforms with embedded AI or generative AI features, which can introduce risks even if they are not custom-built. Risk screening at the procurement stage, even if the vendor is already working with your organisation, helps ensure the AI tools or features are evaluated appropriately before adoption. Including third-party systems in your risk screening process ensures potential issues are surfaced and managed before these tools are adopted or scaled. As AI maturity grows, vendor risk assessments may involve deeper analysis, contract reviews, engagement with suppliers on risk mitigations, and tracking of ongoing performance. Refer to the Embed AI Governance in Procurement and Vendor Management practice under the AI Smart pathway for more details.

Some organisations may also need to consider environmental impacts as part of AI risk assessment, particularly where environmental regulation, certification requirements, or sustainability expectations affect operations, procurement, or market access. At the AI Ready stage, this typically involves identifying whether environmental factors are material to the AI system, rather than undertaking detailed environmental impact assessments.

Why it matters

By identifying higher-risk systems early, organisations can focus effort where it matters most, apply safeguards, and reduce the chance of unintended harm. This also helps meet regulatory expectations, which increasingly require proportionate controls and documentation for higher-risk uses of AI.

The EU AI Act offers a clear example of a risk-based classification system for AI. For a deep dive into how it defines “high-risk” and what that means for governance, visit the Library and check the Understanding EU AI Act resources.

Implementation tips

  1. Build on existing tools like Privacy Impact Assessments (PIAs).
  2. Develop or adopt an AI risk screening tool with defined risk indicators (e.g. level of autonomy, type of decision, affected groups).
  3. Define thresholds for when a system needs more oversight or human review.
  4. Integrate screening into project intake or procurement workflows.
  5. Train teams on how to apply the tool consistently.
  6. Ensure skilled staff are available to interpret results, identify appropriate mitigations, and escalate key findings to decision-makers. In smaller organisations, this may be supported by a central coordination point, such as a working group or lead person, even where responsibilities are otherwise decentralised.
  7. Review the tool regularly to reflect changing priorities or regulations.
  8. Where environmental factors are material, include basic environmental screening questions in your risk assessment (e.g., applicable regulations, use of high-resource AI models).

Support materials

Stats NZ – Algorithmic Impact Assessment Toolkit
A New Zealand-based toolkit to help assess the potential impact of AI systems. Includes a threshold assessment to determine if a full impact assessment is needed, followed by a more detailed questionnaire for higher-risk cases.

Government of Canada – Algorithmic Impact Assessment Tool
A practical, scalable tool to assess risk and determine governance needs.

Ethos – AI Impact Checklist
A concise, accessible checklist to help teams surface and reflect on the social and ethical impacts of AI systems.

Ada Lovelace Institute – AI Impact Assessment Template
A practical template for documenting AI impact, risks, and mitigations.

Microsoft – Responsible AI Impact Assessment Template
A downloadable template designed to operationalise AI risk assessment.