Attest
Guide · January 30, 2026 · 12 min read

Building a clinical AI risk register from scratch

Attest Team

Clinical AI Governance

A clinical AI risk register is the foundational document that underpins your practice's governance framework. It catalogues every risk associated with your AI tools, assesses their likelihood and severity, and documents the controls you have in place to mitigate them. Without one, your governance framework lacks the structure needed to demonstrate due diligence to regulators, insurers, or courts.

Start by identifying all AI tools in clinical use and listing the specific risks each one introduces. For a radiology AI tool, these might include false negative findings, alert fatigue from excessive false positives, workflow disruption during system outages, or patient data exposure through cloud processing. For each risk, assess the likelihood of occurrence and the severity of potential harm using a standard risk matrix aligned with ISO 14971 principles.

Next, document the controls in place for each identified risk. Controls can be preventive (e.g., requiring radiologist sign-off before AI findings are included in reports), detective (e.g., monthly concordance audits), or corrective (e.g., a defined process for disabling a tool that falls below accuracy thresholds). Each control should have an assigned owner and a review frequency. CAIOS Domain 02 requires that risk assessments are reviewed at least annually or whenever a tool is updated.

The final step is making the register a living document. Schedule quarterly reviews, integrate it with your incident reporting process, and ensure new AI tool deployments trigger a risk assessment before clinical use begins. Attest automates much of this workflow, pre-populating risk categories based on tool type and generating review reminders, but the clinical judgment behind each assessment must come from your team.
