The EU AI Act requires a risk management system for high-risk AI systems. Article 9 makes it a continuous, iterative process that runs across the whole lifecycle: identify and analyze the known and foreseeable risks the system poses to health, safety, and fundamental rights, estimate and evaluate those risks, and adopt measures to manage them. Separately, Article 27 requires certain deployers to carry out a fundamental rights impact assessment (FRIA) before putting a high-risk system into use.
The EU AI Act regulates AI by risk tier, and for high-risk systems the central obligation on the provider is a risk management system. It is not a one-time sign-off; it is a process that runs for as long as the system is on the market. A separate impact assessment falls on certain deployers. This guide covers what Article 9 requires, how the process runs, and where the FRIA under Article 27 fits.
The Article 9 risk management system
Article 9 requires providers of high-risk AI systems to establish, implement, document, and maintain a risk management system. It is a continuous iterative process run throughout the system's lifecycle, requiring regular review and updating. The process has to identify and analyze the known and reasonably foreseeable risks the system can pose to health, safety, and fundamental rights, estimate and evaluate the risks that arise in intended use and under reasonably foreseeable misuse, and adopt appropriate risk-management measures.
What the process must do
- Identify and analyze risks to health, safety, and fundamental rights from the high-risk system.
- Estimate and evaluate the risks in intended use and under reasonably foreseeable misuse.
- Evaluate emerging risks using post-market monitoring data.
- Adopt risk management measures that eliminate or reduce the identified risks as far as technically feasible through adequate design and development, mitigate and control the risks that cannot be eliminated, and give deployers the information and training they need; the residual risk that remains must be judged acceptable.
- Test the system to confirm it performs consistently for its intended purpose and that the measures work.
How to run it
Step 1: Establish the system
Set up a documented risk management process with a named owner for the whole lifecycle of the AI system; it is an ongoing process, not a single assessment.
Step 2: Identify and analyze risks
Identify the known and reasonably foreseeable risks to health, safety, and fundamental rights, both in intended use and under reasonably foreseeable misuse.
Step 3: Estimate and evaluate
Estimate the likelihood and severity of each risk and evaluate which need management measures.
Step 4: Adopt measures and test
Reduce risk first through design and development as far as technically feasible, mitigate and control the remainder, and test that the system performs consistently for its intended purpose and that the measures work.
Step 5: Monitor and update
Use post-market monitoring to find emerging risks and update the system throughout the lifecycle.
The fundamental rights impact assessment
Article 27 places a separate obligation on certain deployers of high-risk AI, namely bodies governed by public law, private entities providing public services, and deployers of the Annex III systems used for creditworthiness assessment and for risk assessment and pricing in life and health insurance, to carry out a fundamental rights impact assessment before deployment. The FRIA describes the deployer's processes in which the system will be used, the period and frequency of that use, the categories of people and groups likely to be affected, the specific risks of harm to them, the human oversight measures in place, and the measures to take if those risks materialize, including governance and complaint arrangements. The provider's risk management system and the deployer's FRIA are different obligations on different parties; a high-risk system in a covered setting can require both.
For the wider regulation, see the EU AI Act compliance guide and the EU AI Act glossary; for model-risk governance more broadly, see the AI model governance guide.
Primary sources
- Regulation (EU) 2024/1689 (EU AI Act), Article 9 and Article 27: The risk management system required for high-risk AI, and the fundamental rights impact assessment (FRIA).