Pre-Deployment vs Post-Deployment AI Risk Assessment (2026)
Pre-deployment assessment evaluates risks before market placement. Post-deployment assessment monitors real-world performance. Both are required under the EU AI Act.
Regulatory Context
The EU AI Act requires comprehensive risk assessment for high-risk AI systems. Article 9 mandates a risk management system that is continuous and iterative throughout the AI lifecycle. This assessment methodology supports compliance with those requirements while aligning with international standards including ISO/IEC 42001 and the NIST AI RMF 1.0.
Assessment Process
- Define scope and objectives of the assessment
- Identify stakeholders and affected populations
- Map risks across safety, fairness, privacy, security, and operational dimensions
- Assess probability and severity of each identified risk
- Evaluate existing controls and their effectiveness
- Identify gaps and develop mitigation measures
- Document findings and establish monitoring procedures
- Schedule periodic reassessment
Documentation and Review
All risk assessment activities must be documented as part of the technical documentation required by Article 11 and Annex IV. Documentation must be maintained for 10 years (Article 18) and be available to national competent authorities upon request. The risk management system must be continuously updated based on new evidence, incidents, and regulatory developments.
Structured Risk Assessment Methodology
Effective AI risk assessment requires a structured, repeatable methodology that can be applied consistently across different AI systems and use cases. The EU AI Act does not prescribe a specific methodology but requires that the risk management system be continuous, iterative, and address risks to health, safety, and fundamental rights throughout the AI lifecycle (Article 9).
A robust methodology typically includes several phases: scope definition, risk identification, risk analysis, risk evaluation, risk treatment, and monitoring. Each phase should be documented and involve appropriate stakeholders including technical experts, domain specialists, legal counsel, and representatives of affected groups where feasible.
Risk Identification Techniques
Multiple techniques should be used in combination to ensure comprehensive risk identification. Hazard analysis techniques adapted from safety engineering (such as FMEA, HAZOP, and fault tree analysis) can be applied to AI-specific failure modes. Scenario analysis explores how the system might fail in realistic operational conditions. Stakeholder consultation captures concerns from those affected by the system. Review of similar systems and their known issues provides empirical grounding. Red-team exercises probe the system for weaknesses adversarially.
Risk identification should consider the full range of potential harms: physical safety, fundamental rights (non-discrimination, privacy, freedom of expression, human dignity), environmental impact, democratic processes, and economic consequences. Article 9(9) specifically requires providers to consider whether a high-risk system is likely to have an adverse impact on persons under 18 and, as appropriate, on other vulnerable groups; the prohibitions in Article 5 likewise identify age, disability, and a specific social or economic situation as vulnerabilities that an AI system must not exploit.
Risk Analysis and Evaluation
Each identified risk should be analysed for probability of occurrence and severity of impact. Quantitative methods are preferable where data permits, but qualitative assessment using structured scales is acceptable and often necessary for novel AI applications where actuarial data does not exist. The NIST AI RMF recommends considering both expected and worst-case scenarios, and both individual and aggregate impacts.
Risk evaluation compares the analysed risk level against the organisation's risk appetite and regulatory thresholds. Risks exceeding acceptable levels must be treated. Residual risks that remain after treatment must be documented, judged acceptable both per hazard and in aggregate as Article 9(4) requires, and signed off at the appropriate authority level within the organisation.
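As an added illustration, not code from the article or from any of the standards it cites, the following Python sketch turns the assessment process steps listed above and the probability/severity evaluation just described into a minimal risk register. Each risk is scored on a five-point qualitative scale for probability and severity, re-scored after controls, compared against a per-dimension risk appetite, and classified as still needing treatment, needing a documented acceptance, or accepted. The scales, the appetite thresholds and the sample risks for a hypothetical CV-screening system are all constructed assumptions; the AI Act prescribes no numerical thresholds.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Five-point qualitative scale used for both probability and severity."""
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5


# Hypothetical risk appetite: the highest probability x severity score the
# organisation tolerates per dimension without further treatment. Tighter
# tolerance for safety and fairness is an assumption of this example only.
RISK_APPETITE = {
    "safety": 4,
    "fairness": 4,
    "privacy": 6,
    "security": 6,
    "operational": 9,
}


@dataclass
class Risk:
    risk_id: str
    dimension: str
    description: str
    probability: Level                       # inherent, before controls
    severity: Level
    controls: list[str] = field(default_factory=list)
    residual_probability: Optional[Level] = None
    residual_severity: Optional[Level] = None
    accepted_by: Optional[str] = None        # who signed off the residual risk

    def __post_init__(self) -> None:
        if self.dimension not in RISK_APPETITE:
            raise ValueError(f"unknown risk dimension: {self.dimension}")

    @property
    def inherent_score(self) -> int:
        return int(self.probability) * int(self.severity)

    @property
    def residual_score(self) -> int:
        # Without a documented post-treatment estimate the residual risk is
        # taken to equal the inherent risk: undocumented controls earn no credit.
        if self.residual_probability is None or self.residual_severity is None:
            return self.inherent_score
        return int(self.residual_probability) * int(self.residual_severity)


def evaluate(risk: Risk) -> str:
    """Compare the residual score with the appetite for the risk's dimension.

    'treat'           residual risk still exceeds the appetite
    'accept_required' within appetite but no documented acceptance yet
    'accepted'        within appetite and signed off
    """
    if risk.residual_score > RISK_APPETITE[risk.dimension]:
        return "treat"
    if not risk.accepted_by:
        return "accept_required"
    return "accepted"


def open_items(register: list[Risk]) -> dict[str, list[str]]:
    """Group risk IDs by status so remaining gaps are visible at a glance."""
    out: dict[str, list[str]] = {"treat": [], "accept_required": [], "accepted": []}
    for r in register:
        out[evaluate(r)].append(r.risk_id)
    return out


# Constructed sample register for a hypothetical CV-screening system.
SAMPLE_REGISTER = [
    Risk("R-001", "fairness", "Lower shortlisting rate for one protected group",
         Level.HIGH, Level.HIGH,
         controls=["disparate-impact test per release", "human review of rejections"],
         residual_probability=Level.LOW, residual_severity=Level.HIGH),
    Risk("R-002", "privacy", "Training data retains applicant identifiers",
         Level.MEDIUM, Level.HIGH,
         controls=["pseudonymisation before training"],
         residual_probability=Level.LOW, residual_severity=Level.MEDIUM,
         accepted_by="DPO"),
    Risk("R-003", "security", "Prompt injection via free-text CV fields",
         Level.MEDIUM, Level.MEDIUM,
         controls=["input sanitisation", "output allow-list"],
         residual_probability=Level.LOW, residual_severity=Level.LOW),
    Risk("R-004", "operational", "Model drift degrades ranking quality",
         Level.MEDIUM, Level.LOW),  # no post-treatment estimate recorded yet
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(r.risk_id, r.dimension, r.inherent_score, r.residual_score, evaluate(r))
    print(open_items(SAMPLE_REGISTER))
```

Running the module lists each risk with its inherent and residual scores and status. R-001 stays at "treat" because a residual severity of HIGH keeps its score above the fairness appetite even after controls; R-004 shows the deliberate conservatism of scoring an undocumented treatment at its inherent value, so that a control which exists only in someone's head never lowers a score in the register.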
Integration with Existing Frameworks
AI risk assessment should not operate in isolation from existing enterprise risk management. ISO/IEC 42001 explicitly requires integration with the organisation's broader management system. Mapping AI risks to existing risk taxonomies, reporting structures, and governance bodies avoids duplication and ensures appropriate executive visibility. The NIST AI RMF's GOVERN function emphasises this organisational integration as foundational to effective AI risk management.
Where sector-specific risk assessment requirements exist (such as clinical evaluation for medical devices or model risk management for financial services), AI risk assessment should complement rather than replace these established processes. The goal is a unified view of risk that satisfies all applicable frameworks.
Continuous Improvement
Risk assessment is not a one-time compliance exercise. Article 72 requires post-market monitoring for high-risk AI systems. Incident reporting under Article 73 feeds back into risk assessment. Performance monitoring in production may reveal risks not anticipated during development. Regular review cycles should be established, with clear triggers for ad-hoc reassessment such as significant incidents, deployment context changes, or regulatory updates.
Governance and Accountability
Effective AI risk governance requires clear accountability structures. Designate named individuals responsible for AI risk at board, management, and operational levels. The EU AI Act places primary obligations on providers (those developing or placing AI on the market) and separate obligations on deployers (those using AI under their own authority in a professional context, Article 26). Providers of high-risk systems must maintain a quality management system under Article 17 that encompasses risk management processes, data governance, record-keeping, post-market monitoring, and corrective actions. Deployers are not subject to Article 17, but must use the system in accordance with the provider's instructions, assign human oversight to competent persons, monitor its operation, and retain the automatically generated logs under their control.
Internal accountability should be supported by appropriate training. All personnel involved in AI development, deployment, and oversight should understand the risk framework relevant to their role. This includes not only technical staff but also product managers, legal counsel, procurement teams, and senior management. Regular training updates are necessary as regulatory requirements evolve and organisational AI maturity develops.
Record-Keeping and Audit Readiness
Maintain comprehensive records of all risk management activities. This includes risk identification workshops, assessment results, treatment decisions, monitoring data, incident reports, and periodic reviews. These records serve as evidence of due diligence for regulatory inspections and conformity assessments. Article 12 requires high-risk AI systems to be designed for automatic logging of events during operation, providing a technical audit trail that complements procedural records.
Prepare for regulatory scrutiny by organising documentation in a readily accessible structure. Under Article 21, providers must supply national competent authorities with the information and documentation needed to demonstrate conformity upon a reasoned request, and Article 18 already obliges them to keep it available for ten years. A well-organised documentation management system that allows rapid retrieval by topic, system, or date significantly reduces the burden of responding to such requests and demonstrates mature governance.
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently; verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.