Operational guide
How to Assess Generative AI Risk
A generative AI risk assessment evaluates a defined workflow—not a model in isolation. It maps users, prompts, enterprise and retrieved data, the model and provider, tools, integrations, outputs, human review, downstream actions, and business dependency; then tests plausible failure and misuse scenarios against evidence and proportionate controls.
Direct answer
Assess the deployed workflow, not the model label
The same foundation model can support low-impact brainstorming, production code generation, customer advice, or automated action. Risk changes with the intended purpose, data, retrieval sources, account and tenant configuration, users, output destination, human involvement, permissions, scale, and consequences of error. A supplier's model card or assurance report is an input, not the use-case conclusion.
A broader AI risk assessment tests how this practice fits the organization's wider ownership, control, and evidence baseline.
This guide focuses on scenario identification, evaluation, and control decisions for generative AI. The parent AI risk assessment covers the general discipline. Agent risk and third-party risk are linked but separate: autonomy and tool authority need agent analysis, while supplier capability and contractual dependency need vendor analysis.
Assessment scope
Trace information and authority from input to action
Begin with a simple system map: user or upstream system, input and system prompts, retrieved sources, model and version, provider, tenant settings, plugins or tools, output, reviewer, destination, and downstream action. Include logs, memory, feedback, and fallback. This exposes risks that disappear when the assessment records only “uses a large language model.”
When the workflow can select tools or execute actions, continue with the AI agent risk assessment because permission, delegation, compounding error, and recovery become central.
Risk analysis
Write scenarios around business consequence
Useful scenarios connect a technical or human cause to an operational event and consequence. Relevant themes may include fabricated or omitted facts, biased treatment, disclosure of confidential or personal data, prompt injection, insecure generated code, harmful content, intellectual-property uncertainty, manipulated retrieval, over-reliance, unauthorised tool use, supplier change, service failure, and weak provenance. Select the scenarios that can materially affect the defined workflow.
Generative AI, predictive AI, and agents require different emphasis
| System pattern | Primary behaviour | Assessment emphasis |
|---|---|---|
| Predictive or classification model | Scores, predicts, ranks, or classifies from structured inputs | Data representativeness, performance by segment, thresholds, drift, explainability, and decision integration |
| Generative AI workflow | Creates or transforms text, code, images, audio, or other content | Grounding, fabrication, prompt and retrieval security, data disclosure, provenance, output review, and supplier dependency |
| AI agent | Plans, selects tools, maintains state, and takes multi-step actions | Goals, permissions, delegation, compounding error, action limits, observability, intervention, and recovery |
These patterns can coexist. A generative assistant becomes agent-like when it receives tool authority; the assessment should expand when the capability expands.
Evaluation
Test the cases that would change the deployment decision
Evaluation should reflect real users, languages, data, prompts, retrieval sources, and consequences. Begin with normal tasks, then add edge cases, adversarial prompts, conflicting sources, missing context, sensitive inputs, and high-consequence outputs. Define acceptance criteria before reviewing results. A high average score can conceal one failure mode that makes the use unacceptable.
Design the evaluation set as a controlled asset. Record where cases came from, which populations they represent, who reviewed them, how sensitive data was handled, and which version of the workflow was tested. Separate benchmark construction from final evaluation where practical so prompt tuning does not quietly optimise against the test. Preserve failed cases because they are often more useful for monitoring than the aggregate score.
Red teaming complements evaluation by looking for unexpected or adversarial paths; it does not replace representative performance testing. Model cards, system cards, provider evaluations, security tests, and external benchmarks can inform the assessment, but their scope and configuration must match the deployed workflow before management relies on them.
Set thresholds by consequence and segment rather than demanding one universal accuracy number. A drafting assistant may tolerate errors that a benefits, safety, legal, or customer-remedy workflow cannot. Define which failure types block deployment, which require a warning or human check, and which can be monitored after launch. Record the rationale before results are known so delivery pressure does not quietly move the acceptance line.
Treatment
Match controls to the scenario and consequence
Decision sequence for a generative AI workflow
- 01
Fix the approved use boundary
State users, purpose, data, retrieval, model, tools, outputs, destinations, scale, review, and prohibited uses.
- 02
Protect data and context
Apply approved accounts, tenant settings, access, input restrictions, retrieval permissions, secrets protection, retention, and source governance.
- 03
Evaluate material scenarios
Test representative, edge, adversarial, and high-consequence cases with versioned methods and pre-defined thresholds.
- 04
Design output and action controls
Use grounding, constraints, provenance, human verification, permission limits, sandboxing, logging, and fallback according to exposure.
- 05
Approve limitations and residual risk
Record failed cases, uncertainty, conditions, acceptance authority, monitoring, escalation, and stop criteria.
- 06
Monitor change and outcomes
Track model and prompt versions, retrieval changes, user behaviour, incidents, overrides, quality indicators, and control tests.
Human review is not a generic mitigation. Specify what the reviewer must detect, what information they receive, their competence and authority, and evidence that review occurred.
Reusable safeguards should map to the generative AI, copilot, and agent controls guide, while the risk register preserves scenario, control evidence, residual exposure, and acceptance.
Define fallback and continuity before deployment. If the provider is unavailable, the retrieval source is corrupted, monitoring cannot run, or quality falls below threshold, users need a safe alternative and a clear stop decision. For important processes, test manual fallback, queued work, customer communication, rollback, and recovery rather than assuming the AI service is an optional convenience.
Ongoing risk
Reassess when the workflow changes—even if the product name does not
A provider can change a model, safety system, retention setting, subprocessor, feature, or service boundary. Internal teams can change prompts, retrieval sources, plugins, users, integrations, output destinations, or automation. Version and change monitoring should identify which evaluations, risk scenarios, approvals, controls, and user communications must reopen.
Monitor outcomes that correspond to the original scenarios: grounded-answer rate, material error, reviewer override, sensitive-data event, blocked prompt injection, unsupported citation, user escalation, service interruption, and prohibited-use attempts where relevant. Choose a small set that can trigger action. Token counts and adoption may describe usage while saying little about whether residual risk remains acceptable.
Use the third-party AI risk assessment for provider governance, contractual rights, assurance scope, incidents, continuity, and exit. Keep supplier assurance and use-case acceptance linked but separately owned.
FAQ
Frequently asked questions
What should a generative AI risk assessment cover?
Cover purpose, users, prompts, enterprise and retrieved data, model and provider, tenant settings, tools, integrations, outputs, human review, downstream actions, business dependency, evaluations, controls, incidents, change, and residual acceptance.
How should hallucination risk be assessed?
Test representative and high-consequence tasks, segment results by scenario, define factual and citation criteria in advance, inspect confident failures, assess whether reviewers detect them, and connect findings to source, interface, workflow, and fallback controls.
Does RAG remove generative AI risk?
No. RAG can improve grounding but introduces source quality, permissions, stale content, conflicting documents, indexing, retrieval poisoning, prompt injection, citation, and access-synchronisation risks.
Can provider documentation replace internal evaluation?
No. Provider evidence may describe a model or service under specific conditions. The organisation still needs evidence relevant to its prompts, data, retrieval, configuration, users, outputs, integrations, and business consequences.
When is human review an effective control?
When reviewers know what to check, receive sufficient context, have competence, time, and authority to intervene, and the workflow records performance and exceptions. A nominal approval button is not meaningful oversight.
How often should generative AI risk be reassessed?
Use a risk-based cycle and reopen the assessment after material model, prompt, retrieval, data, tool, permission, user, integration, output, supplier, incident, or autonomy changes.
What is the difference between generative AI and agent risk?
Generative AI assessment emphasises content, grounding, data, provenance, and review. Agent assessment adds goals, planning, tool authority, identity, delegation, multi-step failure, action limits, intervention, and recovery.