Section 02 · Risk Tiering
Tier AI systems by impact, not enthusiasm.
Not all embedded AI systems carry equal risk. A marketing recommender does not require the same governance rigor as a model influencing financial decisions, workforce actions, or regulated customer outcomes. This framework classifies systems across six dimensions and produces a single weighted tier (Tier 1 through Tier 4). The tier drives required SDLC checkpoints, red team intensity, vendor review depth, monitoring rigor, escalation triggers, and reporting cadence.
When to assess
- Prior to development
- Prior to third-party model integration
- Upon material system change
- Upon expansion of data scope
Interactive tool: Risk Tier Calculator
Score your AI system across six dimensions. The tier and required controls update live. Use the result to inform intake reviews, governance escalation, and audit documentation.
Dimensions and default weights:
- Data Sensitivity (weight 20%)
- Decision Criticality (weight 20%)
- Customer / User Impact (weight 15%)
- Regulatory Exposure (weight 20%)
- Third-Party Model Dependency (weight 10%)
- Automation Amplification (weight 15%)
Result: a weighted score on a 1.0 – 5.0 scale. With every dimension at its minimum score the result is 1.00, which maps to:
Tier 1: Minimal Impact
Low sensitivity, informational use, no automation. Lightweight controls.
Required Controls
- Lightweight documentation
- Standard SDLC
- Basic logging
Weighted formula: (Data × 0.20) + (Decision × 0.20) + (Customer × 0.15) + (Regulatory × 0.20) + (Vendor × 0.10) + (Automation × 0.15). Re-calibrate weights for industry, threat model, and regulatory posture.
On the weights
The default weights (20 / 20 / 15 / 20 / 10 / 15) reflect a baseline calibration emphasizing data sensitivity, decision criticality, and regulatory exposure as the primary drivers of AI exposure. They are deliberately opinionated, but tunable. Enterprises should re-calibrate based on industry, threat model, and regulatory posture. The goal is a defensible, reproducible classification, not a universal constant.
Automation as an independent flag
A high-impact, human-in-the-loop system is operationally different from a low-impact, fully automated one, even at the same weighted score. Carry the Decision Criticality and Automation Amplification scores forward as separate metadata on the model registry, not just as inputs to the tier. Two systems can share Tier 3 and have very different incident response postures.
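The weighted formula above and the "separate metadata" point, worked through as an added example (not the framework's own calculator code). It uses the page's default weights; the Tier 1-4 cut-points, the registry field names, and the two sample systems are assumptions constructed for the illustration.

```python
from typing import Dict

# Default weights from the framework (20 / 20 / 15 / 20 / 10 / 15); re-calibrate per industry.
DEFAULT_WEIGHTS: Dict[str, float] = {
    "data_sensitivity": 0.20,
    "decision_criticality": 0.20,
    "customer_impact": 0.15,
    "regulatory_exposure": 0.20,
    "vendor_dependency": 0.10,
    "automation_amplification": 0.15,
}

def weighted_score(scores: Dict[str, int], weights: Dict[str, float] = DEFAULT_WEIGHTS) -> float:
    """Weighted 1.0-5.0 score; malformed input is rejected so the classification stays reproducible."""
    if set(scores) != set(weights):
        raise ValueError("every dimension must be scored exactly once")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("re-calibrated weights must still sum to 1.0")
    if any(not isinstance(v, int) or not 1 <= v <= 5 for v in scores.values()):
        raise ValueError("each dimension is scored as an integer from 1 to 5")
    return round(sum(scores[k] * weights[k] for k in weights), 2)

def tier_for(score: float) -> int:
    """ASSUMED cut-points: the framework does not publish its Tier 1-4 boundaries."""
    if score < 2.0:
        return 1
    if score < 3.0:
        return 2
    if score < 4.0:
        return 3
    return 4

def registry_entry(name: str, scores: Dict[str, int], weights: Dict[str, float] = DEFAULT_WEIGHTS) -> dict:
    """Model-registry record: the tier plus the two scores carried forward as independent metadata."""
    score = weighted_score(scores, weights)
    return {
        "system": name,
        "weights": dict(weights),  # record the calibration that produced this tier
        "weighted_score": score,
        "tier": tier_for(score),
        "decision_criticality": scores["decision_criticality"],
        "automation_amplification": scores["automation_amplification"],
    }

# Constructed sample inputs: identical weighted score (3.55), opposite operating posture.
HUMAN_IN_THE_LOOP = {"data_sensitivity": 4, "decision_criticality": 5, "customer_impact": 4,
                     "regulatory_exposure": 4, "vendor_dependency": 2, "automation_amplification": 1}
FULLY_AUTOMATED = {"data_sensitivity": 4, "decision_criticality": 2, "customer_impact": 4,
                   "regulatory_exposure": 4, "vendor_dependency": 2, "automation_amplification": 5}
```

Both sample systems land in the same assumed tier, but the registry record keeps the Decision Criticality and Automation Amplification scores visible so incident response can treat them differently.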
What the tier drives
- Required SDLC checkpoints
- Red team intensity
- Vendor review depth
- Monitoring rigor
- Escalation triggers
- Reporting cadence