EU AI Act Risk Management for High-Risk AI

The short version

The EU AI Act requires a risk management system for high-risk AI systems. Article 9 makes it a continuous, iterative process that runs across the whole lifecycle: identify and analyze the known and foreseeable risks the system poses to health, safety, and fundamental rights, estimate and evaluate those risks, and adopt measures to manage them. Separately, Article 27 requires certain deployers to carry out a fundamental rights impact assessment (FRIA) before putting a high-risk system into use.

The EU AI Act regulates AI by risk tier, and for high-risk systems the central obligation on the provider is a risk management system. It is not a one-time sign-off; it is a process that runs for as long as the system is on the market. A separate impact assessment falls on certain deployers. This guide covers what Article 9 requires, how the process runs, and where the FRIA under Article 27 fits.

The Article 9 risk management system

Article 9 requires providers of high-risk AI systems to establish, implement, document, and maintain a risk management system. It is a continuous iterative process run throughout the system's lifecycle, requiring regular review and updating. The process has to identify and analyze the known and reasonably foreseeable risks the system can pose to health, safety, and fundamental rights, estimate and evaluate the risks that arise in intended use and under reasonably foreseeable misuse, and adopt appropriate risk-management measures.

How to run it

Step 1: Establish the system

Set up a documented risk management process that is owned and maintained for the life of the AI system, not a single assessment.

Step 2: Identify and analyze risks

Identify the known and foreseeable risks to health, safety, and fundamental rights in intended use and foreseeable misuse.

Step 3: Estimate and evaluate

Estimate the likelihood and severity of each risk and evaluate which need management measures.

Step 4: Adopt measures and test

Reduce risk first through design, mitigate the remainder, and test that the system and the measures perform as intended.

Step 5: Monitor and update

Use post-market monitoring to find emerging risks and update the system throughout the lifecycle.

The fundamental rights impact assessment

Article 27 places a separate obligation on certain deployers of high-risk AI, including bodies governed by public law and some private deployers of specified systems, to carry out a fundamental rights impact assessment before deployment. The FRIA describes the deployer's use of the system, the categories of people affected, the specific risks of harm to them, and the measures to take if those risks materialize. The provider's risk management system and the deployer's FRIA are different obligations on different parties; a high-risk system in a covered setting can require both.

For the wider regulation, see the EU AI Act compliance guide and the EU AI Act glossary; for model-risk governance more broadly, see the AI model governance guide.

Common questions

What does the EU AI Act require for risk management?

Article 9 requires providers of high-risk AI systems to establish and maintain a risk management system: a continuous, iterative process across the lifecycle that identifies and analyzes risks to health, safety, and fundamental rights, estimates and evaluates them, and adopts measures to manage them.

What is a fundamental rights impact assessment (FRIA)?

Under Article 27, certain deployers of high-risk AI, including public bodies and some private deployers, must carry out a fundamental rights impact assessment before deployment. It describes the use of the system, the people affected, the specific risks of harm, and the measures to take if those risks occur.

Who is responsible, the provider or the deployer?

The Article 9 risk management system is the provider's obligation. The Article 27 FRIA is the deployer's obligation. They are separate, and a high-risk system in a covered setting can require both.

Is the AI Act risk management system a one-time assessment?

No. Article 9 makes it a continuous, iterative process that runs throughout the system's lifecycle, with regular review and updating, drawing on post-market monitoring to catch emerging risks.

From the team behind this guide

AI risk, governed across the lifecycle

Compliance Command Center brings model-risk discipline to AI obligations: a documented risk process across the lifecycle, with a human in the loop, aligned to recognized governance standards. Practitioners build it, with a human reviewing every deliverable, so the work holds up to scrutiny.