Every board has a risk committee. Every large company has an insurance policy. Every executive team has thought about what could go wrong. The categories are settled: financial risk, operational risk, legal and regulatory risk, cyber risk, reputational risk. A century of business practice has trained us to think in these bins.
AI doesn't fit the bins. An AI system can create financial risk (a trading model goes haywire), operational risk (a customer-service bot melts down), legal risk (a hiring AI violates discrimination law), cyber risk (a prompt injection exfiltrates data), and reputational risk (an AI says something unforgivable), sometimes all in the same incident. The existing frameworks were built for risks with known probability distributions. AI risks are correlated, novel, and fast-moving.
This course is for the executives who are being asked, on no notice, to own AI risk for their companies. It covers the taxonomy of AI-specific risks, how they map onto existing enterprise risk frameworks, how to structure AI governance inside the business, how to communicate risk to a board, and the specific playbooks for incident response when an AI system you deployed causes a problem.
If you finish every module, here's who you become:
Amazon quietly shut down an internal AI recruiting tool in 2018 after discovering it had been systematically downgrading résumés that contained the word "women's" (as in "women's chess club") and penalising graduates of all-women's colleges. The system had been trained on a decade of historical hiring data. That data reflected human bias. The model learned it, amplified it, and applied it at scale for over a year before anyone noticed. The business risk was not a bug. It was the product working exactly as designed.
No single engineer chose to discriminate. The risk emerged from the interaction of data, objective function, and deployment context, a pattern that characterises nearly every major AI failure since.
Traditional software risk follows a familiar logic: a system either does what it was programmed to do or it does not. Bugs are deviations from specification. Fixes are deterministic. AI systems break this model entirely. A large language model, a credit-scoring algorithm, or a fraud-detection system can behave exactly as designed (passing every unit test) and still produce outcomes that are harmful, illegal, or reputationally catastrophic.
The field of AI risk encompasses a wide spectrum, from the mundane (model drift causing a recommendation engine to go stale) to the existential (autonomous systems taking consequential actions without human oversight). For business leaders in 2024 and beyond, the operative zone is the middle: operational AI risks that create legal liability, financial loss, reputational damage, or regulatory sanction.
The EU AI Act entered into force in August 2024, with its obligations phased in from February 2025, and creates binding obligations tied directly to risk classification. In the US, the FTC, CFPB, EEOC, and DOJ have each issued guidance asserting that existing civil rights, consumer protection, and antitrust law applies to algorithmic decision-making. Ignorance of AI risk is no longer a viable defence.
Across documented AI failures, from the COMPAS recidivism algorithm's racial disparities (ProPublica, 2016) to the UK's A-Level grading algorithm that downgraded students from state schools in 2020, four root causes recur: flawed data, misaligned objectives, distribution shift, and inadequate oversight.
AI risk is not solely a technical problem. The decisions that create risk (what data to collect, what problem to automate, how quickly to scale, whether to audit) are business decisions. They are made in strategy meetings, procurement processes, and product roadmap reviews. That is where business leaders sit.
The NIST AI Risk Management Framework (AI RMF 1.0, published January 2023) positions risk management as an organisational capability, not a data science capability. It calls for governance structures, accountability assignment, and ongoing monitoring, all functions of leadership, not engineering. The EU AI Act reinforces this by placing compliance obligations on "providers" and "deployers", which are legal entities, not models.
Key Principle
Every AI system in your organisation is a decision-making process that carries your organisation's legal name. When the UK's algorithm downgraded nearly 40% of teacher-predicted A-Level grades in August 2020, disproportionately affecting students in poorer areas, the reputational harm fell on the government, not the algorithm. Accountability does not transfer to the model.
In this lab, you will work with an AI tutor to identify which of the four root causes of AI failure (flawed data, misaligned objectives, distribution shift, inadequate oversight) explain documented incidents, and then apply that thinking to AI systems in your own organisation.
The AI tutor will prompt you with scenarios, ask you to diagnose root causes, and challenge your reasoning. Complete at least three exchanges to mark this lab done.
A 2019 study published in Science (Obermeyer et al.) revealed that a widely deployed healthcare algorithm sold by Optum, applied to an estimated 200 million people a year in the United States, systematically assigned lower risk scores to Black patients than to equally ill white patients. The algorithm used healthcare cost as a proxy for healthcare need. Because structural inequities mean Black patients historically spent less on healthcare (due to barriers to access, not lower need), the model concluded they were healthier. The result: Black patients were significantly less likely to be enrolled in care management programmes.
This was not a rogue model. It was a commercially successful, widely adopted, certified tool β used by hospital systems that trusted the vendor. The risk was operational, reputational, and regulatory simultaneously. It required different responses from the CISO, the Chief Medical Officer, the General Counsel, and the Board.
When a business leader hears "AI risk," they need to instantly know three things: What type of risk is this? Who owns it? What is the required response time? Without a taxonomy, AI risk becomes an undifferentiated anxiety rather than a managed exposure. Taxonomy converts risk from a technical concern into a governance instrument.
The NIST AI RMF organises AI risk across four functions (Govern, Map, Measure, Manage) and explicitly acknowledges that risk categories have different organisational owners. The EU AI Act uses a four-tier risk classification (Unacceptable, High, Limited, Minimal) that determines legal requirements. Neither framework maps perfectly to operational business structure, so leaders need a practical taxonomy that bridges the two.
The following five layers (Operational, Financial, Legal, Reputational, Systemic) represent the spectrum from immediate operational problems to slow-moving existential concerns. Most organisations face risks in layers one through three on a weekly basis.
One underappreciated dimension of AI risk is velocity: how quickly a failure propagates before it can be detected and contained. Knight Capital's $440M trading loss in 2012 accumulated in about 45 minutes. A hallucinating customer-service chatbot can generate thousands of harmful interactions before a human reviewer sees the first complaint. Deepfake video can be viewed by millions before a platform's trust-and-safety team acts.
Business leaders must configure AI risk governance around velocity, not just severity. High-velocity risks require automated detection and pre-authorised shutdown authority. Low-velocity risks (like gradual model drift in a credit model) require monitoring cadences and periodic human review. The mistake most organisations make is applying slow governance processes to fast-moving risks.
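The velocity point above is easier to see in numbers than in prose. The following is an added illustration, not part of the course material: it models the two governance modes the paragraph contrasts (an automated circuit breaker with pre-authorised shutdown, versus a periodic human review) and runs both over a constructed stream of chatbot interactions in which the system begins emitting flagged outputs at a fixed point. The event format, thresholds, review cadence, and the stream itself are assumptions made for the example; what the code shows is how many harmful outputs reach users before each mode halts the system.

```python
"""Velocity-aware governance: automated circuit breaker vs. periodic human review.

Added example, not course material. Events, thresholds and cadences are constructed.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    t: float        # seconds since deployment
    flagged: bool   # an automated check (PII leak, toxicity, policy) fired on this output


@dataclass
class CircuitBreaker:
    """Automated detection with pre-authorised shutdown: trips on flag *rate*, not one flag."""
    window_s: float            # look-back window in seconds
    max_flagged: int           # flags inside the window that trip the breaker
    min_volume: int = 1        # require this many events in the window before trusting the rate
    open: bool = False         # True once the system has been halted
    tripped_at: Optional[float] = None
    _events: deque = field(default_factory=deque, repr=False)

    def observe(self, ev: Event) -> bool:
        if self.open:
            return True
        self._events.append(ev)
        while ev.t - self._events[0].t > self.window_s:   # drop events outside the window
            self._events.popleft()
        flagged = sum(1 for e in self._events if e.flagged)
        if len(self._events) >= self.min_volume and flagged >= self.max_flagged:
            self.open, self.tripped_at = True, ev.t
        return self.open


@dataclass
class PeriodicReview:
    """Slow governance: a human checks the flag log once per cadence and may halt."""
    cadence_s: float
    open: bool = False
    tripped_at: Optional[float] = None
    _seen_flag: bool = False
    _next_review: float = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self._next_review = self.cadence_s

    def observe(self, ev: Event) -> bool:
        if self.open:
            return True
        if ev.t >= self._next_review:                      # review time: halt if anything was flagged
            self._next_review += self.cadence_s
            if self._seen_flag:
                self.open, self.tripped_at = True, ev.t
                return True
        self._seen_flag = self._seen_flag or ev.flagged
        return False


def simulate(events: List[Event], governor) -> Tuple[Optional[float], int]:
    """Return (time of shutdown or None, flagged outputs that reached users before it)."""
    served_flagged = 0
    for ev in events:
        if governor.open:
            break
        if ev.flagged:
            served_flagged += 1        # the output went out before the check could act
        governor.observe(ev)
    return governor.tripped_at, served_flagged


def constructed_stream(n: int = 1000, onset: int = 300, every: int = 3) -> List[Event]:
    """Constructed sample: one interaction per second; from `onset` on, every `every`-th output is harmful."""
    return [Event(t=float(i), flagged=(i >= onset and (i - onset) % every == 0)) for i in range(n)]


if __name__ == "__main__":
    stream = constructed_stream()
    print("breaker   :", simulate(stream, CircuitBreaker(window_s=60, max_flagged=5, min_volume=20)))
    print("hourly    :", simulate(stream, PeriodicReview(cadence_s=3600)))
    print("2-minutely:", simulate(stream, PeriodicReview(cadence_s=120)))
```

With these constructed inputs the breaker halts the system 12 seconds after the first flagged output, having let five through; a two-minute human cadence lets 21 through; an hourly cadence never halts within the sample and serves all 234. The `min_volume` guard is the practitioner's caveat: a rate-based trip must not fire on one bad sample in a quiet period, or operators will learn to ignore it.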
Leadership Principle
Before deploying any AI system, assign an owner to each risk layer it touches. If no one is accountable for the legal and compliance risk of a new AI tool, that tool will create legal and compliance risk, because accountability gaps always get filled by the regulator.
A critical insight from the Optum case: risks do not stay in their lanes. An operational model (healthcare risk scoring) produced a legal risk (disparate impact under US civil rights law), a financial risk (potential class action liability), and a reputational risk (coverage in Science and the mainstream press). The Board-level implication is that AI risks are correlated: a single failure can cascade across all five layers within days.
This compounding effect is why AI governance must be cross-functional. No single department can hold all the exposure. The NIST AI RMF explicitly calls for "cross-functional teams" in its Govern function for precisely this reason.
In this lab, you will work through real AI failure scenarios and classify each across the five-layer taxonomy (Operational, Financial, Legal, Reputational, Systemic). You will also identify which organisational function should own each layer of response and what governance mechanism would have helped prevent or contain the failure.
Complete at least three exchanges: presenting a scenario, classifying it, and receiving challenge or confirmation from the tutor.
In December 2023, the US Federal Trade Commission banned Rite Aid from using AI-powered facial recognition systems for five years after finding that its technology had falsely flagged shoppers as likely shoplifters, with a disproportionate rate of false positives against Black, Latino, Asian, and women customers. Rite Aid had deployed the system in stores across low-income and minority neighbourhoods. The FTC found that Rite Aid failed to implement reasonable safeguards, did not adequately train staff, and did not have meaningful review processes when customers were incorrectly flagged.
The enforcement action required no new AI-specific law. The FTC acted under Section 5 of the FTC Act, the general prohibition on unfair or deceptive practices. This is the critical lesson: existing law already reaches AI. The regulatory risk is not only from new AI legislation, but from every existing framework that touches the outputs AI produces.
AI regulation in 2024 and beyond is not a single law. It is a stack of overlapping frameworks at international, national, and sector-specific levels. Business leaders need to understand at minimum four distinct regulatory layers.
The EU AI Act's "high-risk" classification is not intuitive. It covers AI systems used in: biometric identification, critical infrastructure management, educational assessment, employment and worker management, access to essential services (credit, insurance, benefits), law enforcement, border management, and administration of justice.
If your company uses AI in hiring, performance management, customer credit scoring, insurance underwriting, or access control, you are likely operating in high-risk territory under the EU AI Act whenever the system is placed on the EU market or its output is used in the EU. High-risk obligations include: maintaining technical documentation, implementing risk management systems, logging decisions for post-market monitoring, and ensuring meaningful human oversight.
The Act's prohibited AI uses, which became enforceable in February 2025, include social scoring, real-time remote biometric identification in public spaces (with narrow law-enforcement exceptions), and AI that manipulates people through subliminal techniques. Violations in the prohibited category carry fines of up to €35 million or 7% of worldwide annual turnover, whichever is higher.
The Compliance Gap
KPMG's 2023 Global AI in Financial Services Survey found that 78% of financial services executives believed their organisation's AI governance was insufficient given emerging regulation. The gap between AI deployment pace and governance maturity is the primary source of near-term regulatory risk for most organisations.
Regulatory compliance in AI is not primarily a legal department problem. It requires four organisational capabilities that leadership must actively build:
1. AI Inventory: You cannot govern what you cannot see. Organisations must maintain a current register of all AI systems in use, including third-party tools embedded in vendor software. This is a prerequisite for every other compliance obligation.
2. Risk Classification: Each system in the inventory must be classified against applicable regulatory frameworks β particularly EU AI Act risk tiers and relevant sector-specific rules. This determines what governance obligations apply.
3. Documentation and Logging: High-risk AI systems must maintain records of their training data, performance metrics, and decision logs. This is both a regulatory obligation and the primary evidentiary resource when a decision is challenged.
4. Human Oversight Mechanisms: Regulators in every jurisdiction are converging on the requirement for meaningful human oversight, particularly for consequential decisions. "Meaningful" means the human reviewer has the information, authority, and time to actually override the AI output. Rubber-stamp review does not satisfy this standard.
Personal Liability Note
The EU AI Act and emerging US state legislation increasingly contemplate personal liability for officers who knowingly deploy non-compliant high-risk AI. Directors and Officers insurance policies are not uniformly covering AI compliance failures. Legal counsel should be consulted on whether your D&O coverage includes AI regulatory risk.
In this lab, you will describe AI systems, either real or hypothetical, and work with an AI tutor to identify which regulatory frameworks apply, what classification those systems receive under the EU AI Act, and what minimum compliance obligations they trigger. The tutor will also help you identify gaps between current practice and regulatory requirements.
Try describing an AI system your organisation uses or is considering. Aim for at least three exchanges: describing the system, identifying applicable regulations, and discussing compliance gaps.
In May 2024, Microsoft announced Recall, a feature for Copilot+ PCs that continuously screenshots everything a user does, indexes it with AI, and makes it searchable. Within weeks, security researchers demonstrated that Recall stored data in an unencrypted SQLite database accessible to any malware with user-level access. The feature, which had passed Microsoft's internal review processes, represented a surveillance risk that Microsoft's own AI governance framework had not caught before public announcement.
Microsoft delayed Recall's rollout and redesigned its security architecture under public pressure. The episode illustrated that even organisations with sophisticated engineering capabilities and substantial AI governance investment can ship products with fundamental AI risk failures when governance processes are not deeply integrated into product development cycles rather than added at the end.
Before building, it helps to understand the patterns that consistently produce AI governance failure. Across documented cases, from Rite Aid to Microsoft Recall to the UK A-Level algorithm, three governance failures recur:
Governance as Approval, Not Oversight: Many organisations build governance that approves AI systems for deployment but does not continuously monitor them post-deployment. The Amazon recruiting tool operated for over a year before its bias was discovered. Governance must be continuous, not episodic.
Governance Isolated in One Function: When AI governance lives exclusively in Legal, or exclusively in Data Science, it misses the cross-functional risks that propagate across layers. Effective governance is inherently cross-functional β requiring product, engineering, legal, compliance, communications, and executive leadership to each play defined roles.
Governance Without Teeth: A governance function that can flag risks but cannot stop deployment, require modification, or escalate to the Board is a compliance theatre exercise. Governance authority must be commensurate with the scale of risk the organisation is taking.
Drawing from the NIST AI RMF, the EU AI Act, and documented best practices from organisations including Google, Microsoft (post-Recall), and Salesforce, an effective AI risk governance framework requires six components:
The AI inventory is not a spreadsheet exercise β it is the foundation of every other governance function. Without knowing what AI systems are running, risk assessment is impossible. The 2023 KPMG survey found that fewer than 40% of large enterprises had a complete inventory of AI systems in use across all business units.
Shadow AI, meaning AI tools adopted by individual employees or departments without central IT or governance awareness, is a growing source of unmanaged risk. Employees using consumer-grade AI tools to process customer data, draft contracts, or prepare financial models may be creating GDPR, HIPAA, and confidentiality exposures that the organisation does not know exist. The governance framework must explicitly address shadow AI discovery and bring it into the inventory process.
Starting Point for Leaders
If your organisation has no AI governance framework today, the highest-value first action is not hiring a Chief AI Officer. It is commissioning an AI inventory. Spend four weeks discovering what AI systems are actually running across every business unit, including all vendor products with AI components and all employee-adopted AI tools. That inventory will reveal the risk profile that every subsequent governance decision must address.
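The inventory and shadow-AI discovery steps above are usually described, rarely shown. The following is an added illustration, not part of the course material, of one concrete discovery pass: reconcile outbound proxy traffic against the AI inventory. It assumes an inventory that records, per approved system, the vendor domains it may reach and the service principals allowed to reach them; a watchlist of known AI SaaS domains; and a simple single-line proxy log format. The inventory entries, domain list, log format, and log lines are all constructed for the example. Two kinds of shadow AI fall out: traffic to an AI vendor nobody has listed, and traffic from an unapproved identity to a vendor that is listed (an employee's personal API key pointed at the same endpoint the sanctioned bot uses). The pass also reports inventory entries that generated no traffic, which is how a stale register shows itself.

```python
"""Shadow AI discovery: reconcile observed egress against the AI inventory.

Added example, not course material. Inventory, domain watchlist and logs are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed AI inventory: the register the text calls for, keyed by system name.
INVENTORY = {
    "helpdesk-assistant": {"domains": {"api.openai.com"}, "principals": {"svc-helpdesk"}},
    "code-review-bot": {"domains": {"api.anthropic.com"}, "principals": {"svc-codereview"}},
}

# Constructed watchlist of AI SaaS endpoints; in practice a maintained list, not a literal.
KNOWN_AI_DOMAINS = {
    "api.openai.com", "chat.openai.com", "api.anthropic.com", "claude.ai",
    "generativelanguage.googleapis.com", "api.mistral.ai",
}

# Constructed proxy-log format: <timestamp> <user> <destination host> <method> <request bytes>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>[\w.-]+) (?P<method>[A-Z]+) (?P<bytes>\d+)$")

SAMPLE_LOG = [  # constructed
    "2024-06-03T09:12:01Z alice api.openai.com POST 18240",
    "2024-06-03T09:13:44Z svc-helpdesk api.openai.com POST 2211",
    "2024-06-03T09:15:09Z bob claude.ai POST 524288",
    "2024-06-03T09:15:10Z bob claude.ai POST 131072",
    "2024-06-03T09:20:00Z carol generativelanguage.googleapis.com POST 9000",
    "2024-06-03T09:21:00Z dave www.example.com GET 512",
    "malformed line here",
]


def _in_domain(host: str, domain: str) -> bool:
    """Exact or subdomain match, so eu.api.openai.com still counts as api.openai.com traffic."""
    return host == domain or host.endswith("." + domain)


def _approved_system(user: str, host: str) -> Optional[str]:
    """Return the inventory system that sanctions this (user, host) pair, or None."""
    for name, entry in INVENTORY.items():
        if user in entry["principals"] and any(_in_domain(host, d) for d in entry["domains"]):
            return name
    return None


def discover(lines: List[str]) -> Dict:
    shadow = defaultdict(lambda: {"bytes_out": 0, "reason": None})
    approved_bytes = defaultdict(int)
    seen_hosts = set()
    skipped = 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            skipped += 1                       # count, never silently drop, unparseable lines
            continue
        user, host, nbytes = m["user"], m["host"], int(m["bytes"])
        if not any(_in_domain(host, d) for d in KNOWN_AI_DOMAINS):
            continue                           # not AI traffic as far as the watchlist knows
        seen_hosts.add(host)
        system = _approved_system(user, host)
        if system:
            approved_bytes[system] += nbytes
            continue
        listed = any(_in_domain(host, d) for e in INVENTORY.values() for d in e["domains"])
        rec = shadow[(user, host)]
        rec["bytes_out"] += nbytes             # request bytes: a rough measure of data sent out
        rec["reason"] = "unapproved_principal" if listed else "unlisted_domain"
    idle = sorted(
        name for name, e in INVENTORY.items()
        if not any(_in_domain(h, d) for h in seen_hosts for d in e["domains"])
    )
    findings = sorted(
        ({"user": u, "host": h, **rec} for (u, h), rec in shadow.items()),
        key=lambda r: -r["bytes_out"],         # triage by volume of data leaving
    )
    return {"shadow": findings, "approved_bytes_out": dict(approved_bytes),
            "idle_inventory": idle, "skipped": skipped}


if __name__ == "__main__":
    for k, v in discover(SAMPLE_LOG).items():
        print(k, v)
```

On the constructed log, `bob` sending 640 KiB to an unlisted vendor tops the list, `alice` appears as an unapproved principal on an approved endpoint, and `code-review-bot` is reported idle because its vendor domain never appears. The watchlist is the weak point of any such pass: a vendor reached through a reseller or a generic cloud endpoint will not match, so the output is a floor on shadow AI, not a ceiling.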
NIST's Cybersecurity Framework describes four implementation tiers, and the same scale transfers directly to AI governance: Partial (ad hoc, reactive), Risk-Informed (risk awareness exists but processes are incomplete), Repeatable (documented processes applied consistently), and Adaptive (governance evolves continuously with AI capability). Most large enterprises operating AI systems in 2024 are at the Partial or Risk-Informed level, despite believing themselves to be further along.
The gap between perceived and actual maturity is itself a risk. Boards that believe their organisation has robust AI governance, but have not specifically verified the components, are making decisions under false assurance. The module test you are about to take is, in a small way, a diagnostic of your own AI risk literacy: one component of the governance maturity your organisation needs.
In this lab, you will work with an AI governance advisor to design specific components of an AI risk governance framework. You might design a risk assessment process for a new AI deployment, draft an accountability assignment matrix, create a monitoring cadence for an existing AI system, or develop a Board reporting template for AI risk.
The tutor will help you apply the six-component governance framework from Lesson 4 to a concrete organisational context. Aim for at least three substantive exchanges: presenting a scenario, drafting a component, and refining it with feedback.