Most enterprise AI risk frameworks focus on the wrong variables. True risk classification must begin at the data layer.
The Classification Problem
Enterprises typically classify AI risk based on:
- Use case sensitivity: How consequential is the application domain?
- Output impact: What decisions do the model's outputs drive?
- Regulatory category: Which compliance regimes apply?
While these factors matter, they miss the fundamental source of AI risk: data provenance.
Data-First Risk Assessment
A more effective approach classifies risk based on:
- Consent status: Was data captured with explicit permission?
- Signal abstraction: Is raw data retained or discarded?
- Audit capability: Can decisions be traced to their inputs?
- Governance architecture: Is compliance embedded or bolted on?
Systems with strong data governance can safely pursue higher-risk use cases. Systems with weak governance are risky even for basic applications.
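The four criteria above can be sketched as a simple scoring gate. This is a minimal illustration, not a standard: the class, function names, and tier thresholds are all assumptions chosen to show the shape of a data-first classifier.

```python
from dataclasses import dataclass

@dataclass
class DataProfile:
    """One flag per data-layer criterion (illustrative names)."""
    explicit_consent: bool      # consent status
    raw_data_discarded: bool    # signal abstraction
    inputs_traceable: bool      # audit capability
    governance_embedded: bool   # governance architecture

def governance_score(p: DataProfile) -> int:
    """Count how many of the four criteria a data pipeline meets."""
    return sum([p.explicit_consent, p.raw_data_discarded,
                p.inputs_traceable, p.governance_embedded])

def permitted_risk_tier(p: DataProfile) -> str:
    """Strong governance unlocks higher-risk use cases;
    weak governance restricts even basic ones."""
    score = governance_score(p)
    if score == 4:
        return "high-risk use cases permitted"
    if score >= 2:
        return "moderate-risk use cases only"
    return "remediate before any deployment"

strong = DataProfile(True, True, True, True)
weak = DataProfile(False, False, True, False)
print(permitted_risk_tier(strong))  # high-risk use cases permitted
print(permitted_risk_tier(weak))    # remediate before any deployment
```

Note the inversion relative to use-case-first frameworks: the use case never appears in the classifier; only the data profile does.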
Rethinking Risk Frameworks
Enterprise risk committees should:
- Audit data pipelines before model outputs
- Require consent documentation for all training data
- Prioritize governance architecture over use case restrictions
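The ordering in the first two items can be made concrete: audit the data pipeline first, and let a missing consent record block review before any output is examined. A hedged sketch, with hypothetical function and dataset names:

```python
def audit_training_data(consent_records: dict[str, bool]) -> list[str]:
    """Return the datasets that lack consent documentation."""
    return sorted(name for name, documented in consent_records.items()
                  if not documented)

def review_system(consent_records: dict[str, bool]) -> str:
    """Data-layer audit runs first; a failure halts the review
    regardless of how good the model's outputs are."""
    undocumented = audit_training_data(consent_records)
    if undocumented:
        return "blocked: no consent documentation for " + ", ".join(undocumented)
    return "data audit passed: proceed to output review"

print(review_system({"crm_exports": True, "call_transcripts": False}))
# blocked: no consent documentation for call_transcripts
```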
Risk classification that ignores data provenance is incomplete.