Glossary

AI Risk Disposition

The structured memo recording the AI Committee's decision about an AI system, the rationale, the required controls, the residual risks accepted, the evidence gaps, and the re-assessment triggers.

An AI Risk Disposition is the artefact an AI Committee signs. It is the structured memo, not a slide deck, that records the committee's decision about an AI system. Its function is twofold: it is the security gate decision, and it is the evidence record that the decision was made on substance, not on slides.

The disposition has seven sections: the decision (one of five states — proceed, conditional, restricted pilot only, hold, decline); the rationale (what the system does, why this decision, what changes between pilot and production); the required controls (grouped by lifecycle gate); the residual risk acceptance (each accepted risk with a named acceptor); the evidence gaps (each gap with owner and target date); the re-assessment triggers (each with a named owner); and the sign-off log.

Five states matter. A binary approved/rejected disposition is inadequate for real AI systems, where conditional clearance, pilot-only deployment, and hold-pending-information are the most useful decisions in practice. The five-state model reflects how risk decisions are actually made.

Named acceptors and named owners matter. A residual risk accepted by 'the team' is accepted by no one. A re-assessment trigger owned by 'engineering' is owned by no one. The disposition's defensibility depends on explicit accountability.

Dispositions are versioned and retained. Each disposition has a date, a scope, and a next-review date. Each re-assessment produces a new disposition version, not an edit. The retained history is the evidence trail an auditor or regulator can follow.