Pillar
How AI risk differs from traditional model risk, the frameworks that apply, and the operational tooling that turns risk policy into evidence.
In short
AI risk management is the discipline of identifying, measuring, and mitigating risks introduced by AI systems — including LLMs, agents, and traditional ML models. It extends traditional model risk management to cover the failure modes unique to modern AI: hallucination, prompt injection, drift from silent vendor model updates, third-party AI tool use, and decisions whose reasoning is not directly inspectable.
Why it matters
AI is now in scope for the same risk frameworks that govern any other operational system: SR 11-7 for banks, NIST AI RMF for federal contractors and increasingly anyone seeking enterprise procurement, ISO 42001 for organizations seeking auditable governance, the EU AI Act for high-risk uses in the EU, and DORA for EU financial services. Each demands evidence the team is identifying risks before deployment, monitoring them after, and responding to incidents in defined windows.
The organizations that handle this well treat AI risk management as a continuous operational layer, not an annual policy review. The ones that don't end up explaining why a model approved a denial they cannot explain, leaked PII they didn't know was leaving, or drifted past tolerance for six months without anyone noticing.
What's covered
Hallucination — producing confident, plausible, false output. Prompt injection — adversarial input redirecting model behavior. Silent drift — quality regression after a vendor model update. Tool-call failure modes — agents calling the wrong tool with the wrong arguments. Data leakage — sensitive inputs reaching third-party model providers. Each needs its own measurement and mitigation.
NIST AI RMF (Govern, Map, Measure, Manage), SR 11-7 (Robust development, Effective challenge, Ongoing monitoring), ISO 42001 (Plan-Do-Check-Act applied to AI), EU AI Act (high-risk obligations), NAIC Model Bulletin (insurer-specific). Most enterprises pick one as their primary baseline and map the others into it.
SR 11-7 introduced "effective challenge" as a core pillar — the idea that models must be reviewed by someone independent of their development. For AI this typically means red-teaming, independent benchmark validation, and adversarial testing. Prism Red Teaming is built around this expectation.
The most common failure mode in AI risk management is treating it as pre-deployment-only. Models drift, vendors change behavior silently, and policies evolve. Continuous evaluation with documented thresholds is what turns risk management from a stamp into a living control. NIST AI RMF MEASURE-2.7 and SR 11-7's third pillar both demand it.
Most enterprises now have a third-party AI surface that didn't exist three years ago: employees using ChatGPT, Claude, Gemini, Copilot in their daily work. These tools handle customer data, internal source, financial figures, and PHI without going through procurement or security review. Prism X extends AI risk management to this surface.
How Prism helps
Model audits run against benchmarks; calibration, robustness, accuracy metrics archived.
Learn moreCurated adversarial test catalog with severity-tagged findings.
Learn moreFive-dimension quality scoring on every trace; week-over-week regression view.
Learn moreStep-by-step trajectory record for every agent decision.
Learn moreBrowser-side DLP and vendor AI tool registry.
Learn moreRelated
Model Risk Management for AI — SR 11-7 Revised Guidance
The interagency Revised Guidance on Model Risk Management supersedes SR 11-7 and SR 21-8. The three-pillar discipline carries forward, scaled to each bank's model risk profile. Prism produces the evidence at every tier.
NIST AI Risk Management Framework: Prism Compliance Mapping
Each NIST AI RMF function has subcategories that demand evidence. Prism produces it: from MEASURE-2.7 trace logs to MANAGE-2.1 adversarial test results.
NAIC AI Model Governance
The NAIC Model Bulletin sets expectations for insurer use of AI. Prism produces the documentation, monitoring, and audit artifacts each pillar requires.
ISO/IEC 42001 AI Management System
ISO 42001 is the first auditable management-system standard for AI. Prism produces the operational evidence each clause asks an internal auditor to see.
AI compliance and risk management for banks
From underwriting copilots to fraud-screening agents, banks need the same model risk discipline they have for traditional models. Prism is built around it.
AI compliance for asset managers
From research copilots to trading-signal models, asset managers face SEC, FINRA, and SR 11-7 expectations on AI. Prism produces the evidence per system.
AI governance for insurance
Insurers face NAIC's Model Bulletin and a patchwork of state-level AI rules. Prism gives carriers one platform to produce the evidence each one demands.
AI risk management for fintech
Sponsor banks expect SR 11-7 hygiene. CFPB and state AGs care about ECOA. Prism makes both legible without slowing your release pace.
Model Drift
Glossary entry
AI Red Teaming
Glossary entry
Shadow AI
Glossary entry
AI Model Audits
Model audits give you a structured review of model behavior, risk profile, and readiness for production, before deployment, not after incidents.
AI Red Teaming
Structured adversarial testing to find prompt injection vulnerabilities, guardrail bypasses, and unsafe behaviors, before they reach production.
LLM Evaluations
Define quality rubrics, score every interaction, and catch regressions before users do, with automated evaluators that run on every trace or on a schedule you control.
Prism X
Prism X enforces data loss prevention policy in the browser, before prompts and uploads reach third-party AI services. Signed policy, real-time enforcement, audit-grade events.
One SDK. Five minutes. Full audit trails, PII redaction, and guardrail enforcement, from day one.