๐Ÿ”AI RiskAtlas
โ† Risk Taxonomy
#19

Breach or misalignment with regulatory or organisational standards

Risk taxonomy

Definition

The model and its outputs fail to meet legal or regulatory requirements, organisational practices or values in how the business operates.

Controls & guardrails that address this (7)

Grouped by control function, with the AI lifecycle stage(s) to apply each and the other risks it addresses.

Preventive · 5
Regulatory impact assessment mapping obligations at design

Conduct a regulatory impact assessment at design stage. Map planned use case activities to applicable regulatory obligations.

Lifecycle stage: 1 – Use Case Context & Design
Early legal engagement on pre-approval requirements

Engage legal and compliance at design stage to identify pre-approval or notification requirements before build begins.

Lifecycle stage: 1 – Use Case Context & Design
Pre-deployment compliance review of design and data

Conduct a formal compliance review of model design, data practices, and outputs before deployment approval.

Lifecycle stage: 3 – Onboarding, Build & Review
Regulatory pre-approvals secured before go-live

Obtain all required regulatory pre-approvals and file notifications before go-live. Do not launch without confirmation.

Lifecycle stage: 4 – Deployment
Legal review of training data regulatory basis

Require legal and compliance review of all training data sources before acquisition to confirm regulatory basis.

Lifecycle stage: 2 – Data Acquisition & Processing
Detective · 1
Regulatory change register triggering compliance review

Maintain a regulatory change register for applicable rules. Trigger compliance review when new regulatory guidance is issued.

Lifecycle stage: 5 – Usage, Monitoring & Change
Corrective · 1
Regulator, customer and stakeholder incident notification process

Map notification obligations and timeframes at design and pre-approve templates with legal/compliance. Appoint the notification decision-owner before go-live.

Source: PDPC/IMDA mandatory data-breach and incident reporting timeframes; GDPR Art. 33–34 breach notification; NIST SP 800-61r2 (Coordination & Information Sharing); ISO/IEC 27035

Lifecycle stages: 1 – Use Case Context & Design; 5 – Usage, Monitoring & Change
AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning — not operational guidance. Real-world cases are summarised from public reporting.

Built by Shi Yuan