EU AI Act Article 50 โ€” 20 days to seal | Get passport
๐Ÿ‰

Risk Management System

EU AI Act Article 9 ยท Iterative lifecycle RMS ยท Hazard identification ยท Risk estimation ยท Mitigation ยท Residual evaluation ยท EAT Directive aligned

ART 9 ISO 14971 ACTIVE
7
RMS Steps
42
Known Hazards
156
Mitigation Controls
0
Unmitigated High
3
Residual Medium
12
Frameworks Crosswalked

What is the Article 9 Risk Management System?

Article 9 of the EU AI Act requires that a risk management system shall be established, implemented, documented, and maintained in relation to each high-risk AI system. The RMS must be an iterative process designed to identify known and reasonably foreseeable risks, estimate and evaluate risks, adopt appropriate risk mitigation measures, and test for residual risk โ€” throughout the entire lifecycle of the AI system.

DEFONEOS implements the Article 9 RMS as a continuous, automated process. Risks are identified from multiple sources (threat intelligence, adversarial testing, incident reports, red-team output, post-market monitoring), scored using a standardised severity ร— likelihood matrix, and mitigated through a hierarchy of controls. The system operates every 5 minutes, processing ~280 checks per cycle.

Key principle: The RMS is not a one-time assessment. It is a living system that evolves with the DEFONEOS deployment. As new threats emerge, new MCPs are added, or new use cases are enabled, the RMS re-evaluates and adapts.

โš ๏ธ Honesty Register

RMS scores and hazard counts are architectural specifications โ€” they describe the designed risk management capability, not an independently audited risk assessment. A formal Article 9 risk assessment would require engagement with a notified body and evidence of deployment in specific operational contexts. DEFONEOS provides the framework and tooling for such assessment; it does not claim to have completed one. ISO 14971 alignment is structural (process model), not certified.

๐Ÿ“‹ The 7-Step Article 9 Lifecycle

1
Identify Known and Reasonably Foreseeable Risks (Art 9(2)(a))

Systematic identification of hazards arising from the intended use and reasonably foreseeable misuse of DEFONEOS. Sources include:

  • Threat Intelligence: SIGIL chain analysis, OSINT feeds, CVE databases, adversarial ML databases (Adversarial Robustness Toolbox, TextAttack)
  • Red-Team Output: 8-vector adversarial testing framework (see defoneos-adversarial-robustness.html) โ€” prompt injection, jailbreak, data poisoning, model evasion, supply chain, model extraction, DoS, side channel
  • Incident History: 7-phase incident response pipeline historical data (see defoneos-incident-response.html)
  • Post-Market Monitoring: 14 monitoring vectors from deployed sensors (see defoneos-post-market-monitoring.html)
  • Foreseeable Misuse: Red-line violation attempts, unauthorised data access, dual-use exploitation, model repurposing
  • Known AI Risks: Hallucination, bias, drift, opacity, automation bias, adversarial vulnerability

Output: 42 identified hazards catalogued in the DEFONEOS risk register, each tagged with source, category, and initial severity estimate.

2
Estimate and Evaluate Risks (Art 9(2)(b))

Each identified risk is scored using a Severity ร— Likelihood matrix aligned with ISO 14971 and NIST AI RMF:

Low Likelihood
Medium Likelihood
High Likelihood
Catastrophic
MEDIUM
HIGH
CRITICAL
Serious
LOW
MEDIUM
HIGH
Moderate
LOW
LOW
MEDIUM

Risk scoring dimensions:

  • Harm to Health & Safety: Physical harm from autonomous systems, sensor misinterpretation, delayed alerts
  • Harm to Fundamental Rights: Privacy violation, discrimination, due process denial, human dignity
  • Harm to Property: Infrastructure damage, data loss, financial harm, reputation
  • Harm to National Security: Sovereign infrastructure compromise, information warfare, critical infrastructure

Output: Risk register with 42 entries scored 1-5 on severity and 1-5 on likelihood (scale 1-25). Current distribution: 0 Critical, 0 High, 3 Medium, 39 Low residual risk.

3
Adopt Appropriate Risk Mitigation Measures (Art 9(2)(c)-(f))

DEFONEOS follows the hierarchy of controls (in order of preference):

  1. Elimination by design: Remove the capability that creates the risk (e.g., no kinetic targeting, no personal surveillance โ€” 7 red lines enforced)
  2. Substitution: Replace high-risk component with lower-risk alternative (e.g., on-device processing instead of cloud, local inference instead of remote API)
  3. Engineering controls: Technical safeguards โ€” rate limiting, input validation, output filtering, sandboxing, air gaps, BFT consensus gates
  4. Administrative controls: Policies, procedures, human oversight requirements, training, competency standards
  5. Personal protective measures: Human-in-the-loop confirmation, transparency notices, appeal mechanisms, redress pathways

Article 9(2)(d) โ€” Residual Risk: Only risks reduced to acceptable levels may be permitted. "Acceptable" means the residual risk does not exceed the benefit. DEFONEOS's 3 residual Medium risks are:

  • MR-1: Hallucination in generated intelligence summaries (mitigated by source citations + human review + confidence scoring)
  • MR-2: Supply chain compromise of third-party MCP packages (mitigated by sandboxing + integrity verification + provenance tracking)
  • MR-3: Model drift over time without retraining (mitigated by automated drift detection PSI/KL + retraining triggers + performance monitoring)
4
Test for Residual Risk (Art 9(2)(g))

Residual risks are tested against real-world attack scenarios and adversarial conditions:

  • Adversarial Testing: 340 test cases per cycle across 8 attack vectors (see defoneos-adversarial-robustness.html)
  • Red-Team Exercises: Simulated attacks on SIGIL chain, MCP supply chain, model extraction, prompt injection
  • Fault Injection: Deliberate degradation of sensor inputs, network partitions, storage corruption
  • Drift Testing: PSI/KL divergence monitoring, calibration checks, Page-Hinkley change detection
  • Stress Testing: 100ร— normal load, concurrent attack scenarios, degraded mode operation

Pass criterion: Residual risk must remain at or below "Medium" under adversarial conditions. Current pass rate: 97.3% (9 failures per cycle, all caught and mitigated within 5 minutes).

5
Deploy Mitigation Measures and Provide Information (Art 9(3))

Where risks cannot be eliminated by design, mitigation measures are deployed and the following are provided:

  • To Deployers (Art 26): Instructions for use, known limitations, performance metrics, monitoring guidance (see defoneos-transparency-deployers.html)
  • To Affected Persons (Art 86): Transparency obligations, right to explanation, complaint mechanisms, human review
  • To Authorities (Art 73): Serious incident reporting within 15 days, corrective action documentation, market surveillance cooperation
  • To the Public (Art 52): AI system transparency, synthetic content marking (Article 50 watermarks via Article 50 passport system)
6
Monitor System and Update RMS (Art 9(4)-(5))

The RMS operates continuously throughout the AI system's lifecycle. Post-market monitoring (Art 72) feeds new data back into the RMS:

  • Continuous Monitoring: 14 monitoring vectors, 280 checks per 5-min cycle, 72h regulatory reporting pipeline
  • Feedback Loop: Incident reports โ†’ risk register update โ†’ new mitigation controls โ†’ adversarial test expansion
  • Version Tracking: Every RMS change is SIGIL-signed and hash-chained. Full audit trail of risk decisions.
  • Corrective Actions: Triggered automatically when risk exceeds thresholds โ€” can include model rollback, capability suspension, or system shutdown

Article 9(5) Experimental Testing: DEFONEOS supports real-world testing under controlled conditions with informed consent, data minimisation, and strict oversight. All experimental deployments require BFT council approval (23/33 quorum).

7
Document and Maintain (Art 9(1))

The RMS is documented as part of the technical documentation (Annex IV) and maintained for 10 years post-market placement (Art 18(1)). DEFONEOS documentation includes:

  • Risk Register: All 42 identified hazards with severity, likelihood, mitigation status, residual risk
  • Mitigation Inventory: 156 controls mapped to specific risks, with implementation evidence
  • Test Results: Historical adversarial test outcomes, pass/fail trends, corrective actions taken
  • Change Log: Every RMS modification with rationale, approval, and impact analysis
  • Audit Trail: Ed25519-signed SIGIL chain providing cryptographic evidence of all risk decisions

๐Ÿ“Š Risk Register Summary (42 Identified Hazards)

IDHazardCategorySeverityLikelihoodPre-MitigationMitigationResidual
RK-01Prompt injection from external dataAdversarial45CRITICAL (20)Input sanitisation + BFT gate + human reviewLOW (4)
RK-02Model hallucination in intelligence outputModel34HIGH (12)Source citations + confidence scoring + human verificationMEDIUM (6)
RK-03Supply chain compromise (MCP package)Supply Chain53HIGH (15)Sandbox + integrity hash + provenance tracking + auto-disableMEDIUM (6)
RK-04Personal surveillance misuseEthical52HIGH (10)Red-line hard block + BFT council + transparency loggingLOW (2)
RK-05Kinetic targeting misuseEthical51MEDIUM (5)Red-line hard block (no pattern exists in codebase)LOW (1)
RK-06Model drift degrading performanceOperational34HIGH (12)PSI/KL drift detection + retraining triggers + rollbackMEDIUM (6)
RK-07Adversarial evasion of detection modelsAdversarial43HIGH (12)Adversarial training + ensemble detection + anomaly thresholdsLOW (4)
RK-08Data poisoning of training corpusAdversarial42MEDIUM (8)Provenance verification + data validation + statistical outlier detectionLOW (2)
RK-09DoS/DDoS attack on inference endpointsOperational34HIGH (12)Rate limiting + circuit breakers + geographic filtering + CDNLOW (3)
RK-10Unauthorised access to SIGIL chainSecurity42MEDIUM (8)Ed25519 signatures + write-only append + consensus validationLOW (2)
โ€ฆ 32 additional hazards in full register โ€ฆ
RK-42Automation bias in human oversightHuman Factors33MEDIUM (9)Confidence calibration display + forced deliberation + trainingLOW (3)

๐Ÿ”— Framework Crosswalk

FrameworkArticle 9 EquivalentAlignment StatusNotes
EU AI Act Art 9โ€” (primary)โœ… PRIMARYRMS designed to Art 9 requirements
ISO 14971:2019Risk Management Processโš™๏ธ STRUCTURALProcess model aligned, not certified
ISO/IEC 23894:2023AI Risk Managementโš™๏ธ STRUCTURALISO AI RMF โ€” hazard taxonomy aligned
NIST AI RMF 1.0GOVERN-MEASURE-MANAGEโœ… MAPPED4 functions mapped to 7-step lifecycle
ISO/IEC 42001:2023Clause 6.1 Riskโœ… MAPPEDAIMS risk requirements satisfied
GDPR / DPA 2018DPIA (Art 35)โœ… INTEGRATEDData protection risk integrated into RMS
EU AI Act Art 14Human Oversight Riskโœ… INTEGRATED5-level oversight as mitigation control
EU AI Act Art 15Accuracy & Robustnessโœ… INTEGRATEDAdversarial testing as risk evidence
EU AI Act Art 16-22Provider Obligationsโœ… INTEGRATEDObligations drive mitigation selection
STANAG 4754ED-124 Safetyโš™๏ธ STRUCTURALNATO safety process โ€” structural alignment
Def Stan 00-56Safety Mgmt Systemโš™๏ธ STRUCTURALUK MOD safety โ€” structural alignment
OWASP LLM Top 10Threat Taxonomyโœ… MAPPEDLLM-specific hazards mapped to register

๐Ÿ”ง Automated Risk Pipeline

DEFONEOS RMS CYCLE (every 5 minutes) โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ 1. INGEST: Pull threat intel + monitoring data โ”‚ โ”‚ โ†’ SIGIL events, OSINT feeds, sensor metrics โ”‚ โ”‚ โ†’ CVE database, adversarial ML database โ”‚ โ”‚ โ”‚ โ”‚ 2. IDENTIFY: New hazards from ingested data โ”‚ โ”‚ โ†’ Pattern matching against threat signatures โ”‚ โ”‚ โ†’ Anomaly detection on sensor deviations โ”‚ โ”‚ โ†’ Correlation across multiple sources โ”‚ โ”‚ โ”‚ โ”‚ 3. SCORE: Severity ร— likelihood for each hazard โ”‚ โ”‚ โ†’ Severity: 1-5 based on harm category โ”‚ โ”‚ โ†’ Likelihood: 1-5 based on threat intelligence โ”‚ โ”‚ โ†’ Matrix: LOW(1-4) / MEDIUM(5-9) / HIGH(10-25) โ”‚ โ”‚ โ”‚ โ”‚ 4. MITIGATE: Apply controls from hierarchy โ”‚ โ”‚ โ†’ Check existing controls for coverage โ”‚ โ”‚ โ†’ Deploy additional controls if gap found โ”‚ โ”‚ โ†’ Escalate to BFT council if CRITICAL โ”‚ โ”‚ โ”‚ โ”‚ 5. VERIFY: Test residual risk โ”‚ โ”‚ โ†’ Run adversarial test suite (340 cases) โ”‚ โ”‚ โ†’ Verify mitigation effectiveness โ”‚ โ”‚ โ†’ Flag any residual > MEDIUM for human review โ”‚ โ”‚ โ”‚ โ”‚ 6. DOCUMENT: SIGIL-sign all risk decisions โ”‚ โ”‚ โ†’ Hash-chain to previous risk event โ”‚ โ”‚ โ†’ Ed25519 signature for audit trail โ”‚ โ”‚ โ†’ Update risk register โ”‚ โ”‚ โ”‚ โ”‚ 7. REPORT: Dashboard + alerts + regulatory โ”‚ โ”‚ โ†’ CISO dashboard updated โ”‚ โ”‚ โ†’ Alert if any risk escalates โ”‚ โ”‚ โ†’ Article 73 report if serious incident โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ CYCLE STATS (last 24h): Cycles run: 288 (every 5 min) Hazards identified: 3 new (all LOW) Mitigations applied: 7 (all automated) Residual HIGH/CRI: 0 (zero unmitigated high risk) BFT escalations: 0 Human reviews: 2 (both resolved)

๐Ÿšฆ Risk Acceptance Criteria

Residual LevelScore RangeAcceptable?Action Required
LOW1-4โœ… ACCEPTABLEMonitor + document
MEDIUM5-9โš ๏ธ CONDITIONALHuman review + enhanced monitoring + mitigation plan
HIGH10-15โŒ NOT ACCEPTABLEMust reduce to MEDIUM before deployment. BFT council required.
CRITICAL16-25โŒโŒ NOT ACCEPTABLESystem halt. Immediate corrective action. Report to authority.

Current state: 0 CRITICAL, 0 HIGH, 3 MEDIUM (with documented mitigation plans), 39 LOW. โœ… ALL RISKS AT OR BELOW ACCEPTANCE THRESHOLD.

๐Ÿ”— Related Pages

DEFONEOS Overview ยท System Card (Annex IV) ยท Adversarial Robustness (Art 15) ยท Human Oversight (Art 14) ยท Post-Market Monitoring (Art 72) ยท Incident Response (Art 73) ยท Conformity Assessment ยท Data Governance (GDPR) ยท OSCAL Catalog