
Adopt structured oversight and approval approaches that scale with the risk level of AI systems. This practice goes beyond individual assessments. It introduces a system-wide, scalable governance model that uses risk level to guide what actions, controls, and approvals are required.
Building on your existing AI risk assessment efforts, this practice helps embed risk-informed decision-making into broader governance processes. It improves the consistency and speed of sign-offs, reduces the chance of delay or misalignment, and helps focus limited resources where they are most needed.
You don’t need complex tools to get started. Many organisations begin with a simple matrix or screening tool and adapt it over time. You can also build on existing technologies your organisation already uses, e.g. risk registers, governance platforms, or workflow tools, to embed tiering, approvals, or alerts directly into existing processes.
Risk-based governance relies on trustworthy data. Make sure risk categories consider the quality, origin, and sensitivity of data used by AI systems. Coordinate with data governance teams to ensure data classifications and ownership are clear.

Why it matters
Not all AI use cases carry the same level of risk. A tool suggesting internal training content is not the same as a model influencing service delivery or legal decisions. Without a structured approach, teams may over-govern lower-risk systems or miss hidden risks in higher-impact ones.
Risk-based governance helps scale your AI use with confidence by ensuring oversight efforts are proportionate and defensible. It also supports clearer communication and accountability when risks are escalated for further review.

Implementation tips
- Define your organisation’s AI risk categories (e.g., impact on rights, legal exposure, human autonomy, scale of use).
- Create a matrix or tiering system to classify AI systems by risk level.
- Link each risk level to governance requirements such as documentation, human review, or executive approval.
- Use example scenarios or past use cases to help teams apply the framework consistently.
- Review how well the approach is working and adjust criteria as needed.
- Ensure the members of governance forums are trained on how risk levels guide decision-making, and record which criterion drove a tier so escalations can be explained.
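The screening tool the tips above describe, written out as an added example. This is not code from the original page or from any organisation named on it; the five criteria, the 0 to 3 scoring scale, the tier names and the mapping from tier to governance steps are illustrative assumptions. Its one design point that the list does not spell out: the tier should be set by the worst single criterion, because averaging lets several benign scores mask the one severe impact the page warns about.

```python
"""Added example: a minimal AI risk-screening tool.

Scores a proposed AI use case against a small set of risk criteria, derives a
risk tier, and returns the governance steps that tier requires, together with
the criteria that drove the decision. Criteria, scale, tiers and the control
mapping are illustrative assumptions, not any organisation's actual policy.
"""
from dataclasses import dataclass

# Assumed criteria, each scored 0 (none) to 3 (severe) by the use-case owner.
CRITERIA = (
    "rights_impact",     # effect on individuals' rights or access to services
    "legal_exposure",    # regulatory or contractual consequences of errors
    "human_autonomy",    # how far outputs drive decisions without a human check
    "scale_of_use",      # number of people or decisions affected
    "data_sensitivity",  # sensitivity and provenance of training/input data
)
MAX_SCORE = 3
TIERS = ("low", "medium", "high", "critical")  # index == worst criterion score

# Assumed governance requirements; each tier adds to the tiers below it.
_TIER_STEPS = {
    "low": ["record in the AI inventory"],
    "medium": ["document purpose, data sources and limitations", "team lead sign-off"],
    "high": ["human review of outputs before use", "AI governance forum approval"],
    "critical": ["executive approval", "independent assurance review"],
}


@dataclass(frozen=True)
class Screening:
    tier: str
    drivers: tuple[str, ...]       # criteria that set the tier (escalation record)
    requirements: tuple[str, ...]  # cumulative governance steps for the tier


def validate_scores(scores: dict[str, int]) -> None:
    """Reject incomplete or out-of-range submissions rather than defaulting silently."""
    missing = set(CRITERIA) - set(scores)
    unknown = set(scores) - set(CRITERIA)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for name, value in scores.items():
        if not isinstance(value, int) or not 0 <= value <= MAX_SCORE:
            raise ValueError(f"{name}: score must be an int in 0..{MAX_SCORE}, got {value!r}")


def assign_tier(scores: dict[str, int]) -> tuple[str, tuple[str, ...]]:
    """Tier is set by the worst single criterion, not the average.

    Averaging would let four benign scores hide one severe one, which is the
    'hidden risk in a higher-impact system' the page warns about.
    """
    validate_scores(scores)
    worst = max(scores.values())
    drivers = tuple(c for c in CRITERIA if scores[c] == worst)
    return TIERS[worst], drivers


def average_tier(scores: dict[str, int]) -> str:
    """Contrast only: the averaging rule a naive scorecard often uses."""
    validate_scores(scores)
    return TIERS[round(sum(scores.values()) / len(scores))]


def requirements_for(tier: str) -> tuple[str, ...]:
    """Cumulative requirements: a tier inherits everything required below it."""
    if tier not in TIERS:
        raise ValueError(f"unknown tier {tier!r}")
    steps: list[str] = []
    for t in TIERS[: TIERS.index(tier) + 1]:
        steps.extend(_TIER_STEPS[t])
    return tuple(steps)


def screen(scores: dict[str, int]) -> Screening:
    tier, drivers = assign_tier(scores)
    return Screening(tier, drivers, requirements_for(tier))


if __name__ == "__main__":
    # Constructed sample use cases; they do not describe real systems.
    cases = {
        "internal training content suggester": dict(
            rights_impact=0, legal_exposure=0, human_autonomy=1, scale_of_use=1, data_sensitivity=0),
        "benefit eligibility triage model": dict(
            rights_impact=3, legal_exposure=2, human_autonomy=1, scale_of_use=1, data_sensitivity=2),
    }
    for name, scores in cases.items():
        s = screen(scores)
        print(f"{name}: tier={s.tier} (driven by {', '.join(s.drivers)}); "
              f"averaging would give {average_tier(scores)}")
        for step in s.requirements:
            print(f"  - {step}")
```

Run as a script, the second constructed case lands in the critical tier because of its rights impact alone, while the averaging rule would have placed it one tier lower; the drivers field is what a governance forum needs when the escalation is questioned. Swapping the constants for your own criteria, thresholds and approval steps is the intended starting point, and the validation step is what keeps an incomplete self-assessment from quietly defaulting to the lowest tier.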

Support materials
Advai Case Study: Implementing a Risk-Driven AI Regulatory Compliance Framework
A practical example of building proportionate AI governance and assurance controls based on system risk.
CSET – A Matrix for Selecting Responsible AI Frameworks
A comparison tool to help you select governance frameworks based on your role and focus area, great for tailoring your risk-based approach.
Ethos AI – Choosing the right controls for AI Risk
A guide to selecting proportionate AI controls based on risk severity and likelihood.
ISO/IEC 23894:2023 – Guidance on AI Risk Management
Supports more formal implementations of risk-based governance; it complements ISO 31000, tailored to the AI context.
Business.govt.nz – Risk Management Plan Worksheet
A practical worksheet that guides teams through identifying, assessing, and responding to risks.
