Article 9 of the EU AI Act requires that a risk management system shall be established, implemented, documented, and maintained in relation to each high-risk AI system. The RMS must be an iterative process designed to identify known and reasonably foreseeable risks, estimate and evaluate risks, adopt appropriate risk mitigation measures, and test for residual risk โ throughout the entire lifecycle of the AI system.
DEFONEOS implements the Article 9 RMS as a continuous, automated process. Risks are identified from multiple sources (threat intelligence, adversarial testing, incident reports, red-team output, post-market monitoring), scored using a standardised severity ร likelihood matrix, and mitigated through a hierarchy of controls. The system operates every 5 minutes, processing ~280 checks per cycle.
Key principle: The RMS is not a one-time assessment. It is a living system that evolves with the DEFONEOS deployment. As new threats emerge, new MCPs are added, or new use cases are enabled, the RMS re-evaluates and adapts.
โ ๏ธ Honesty Register
RMS scores and hazard counts are architectural specifications โ they describe the designed risk management capability, not an independently audited risk assessment. A formal Article 9 risk assessment would require engagement with a notified body and evidence of deployment in specific operational contexts. DEFONEOS provides the framework and tooling for such assessment; it does not claim to have completed one. ISO 14971 alignment is structural (process model), not certified.
๐ The 7-Step Article 9 Lifecycle
1
Identify Known and Reasonably Foreseeable Risks (Art 9(2)(a))
Systematic identification of hazards arising from the intended use and reasonably foreseeable misuse of DEFONEOS. Sources include:
Red-Team Output: 8-vector adversarial testing framework (see defoneos-adversarial-robustness.html) โ prompt injection, jailbreak, data poisoning, model evasion, supply chain, model extraction, DoS, side channel
Incident History: 7-phase incident response pipeline historical data (see defoneos-incident-response.html)
Post-Market Monitoring: 14 monitoring vectors from deployed sensors (see defoneos-post-market-monitoring.html)
Foreseeable Misuse: Red-line violation attempts, unauthorised data access, dual-use exploitation, model repurposing
Known AI Risks: Hallucination, bias, drift, opacity, automation bias, adversarial vulnerability
Output: 42 identified hazards catalogued in the DEFONEOS risk register, each tagged with source, category, and initial severity estimate.
2
Estimate and Evaluate Risks (Art 9(2)(b))
Each identified risk is scored using a Severity ร Likelihood matrix aligned with ISO 14971 and NIST AI RMF:
Low Likelihood
Medium Likelihood
High Likelihood
Catastrophic
MEDIUM
HIGH
CRITICAL
Serious
LOW
MEDIUM
HIGH
Moderate
LOW
LOW
MEDIUM
Risk scoring dimensions:
Harm to Health & Safety: Physical harm from autonomous systems, sensor misinterpretation, delayed alerts
Harm to Fundamental Rights: Privacy violation, discrimination, due process denial, human dignity
Harm to Property: Infrastructure damage, data loss, financial harm, reputation
Harm to National Security: Sovereign infrastructure compromise, information warfare, critical infrastructure
Output: Risk register with 42 entries scored 1-5 on severity and 1-5 on likelihood (scale 1-25). Current distribution: 0 Critical, 0 High, 3 Medium, 39 Low residual risk.
DEFONEOS follows the hierarchy of controls (in order of preference):
Elimination by design: Remove the capability that creates the risk (e.g., no kinetic targeting, no personal surveillance โ 7 red lines enforced)
Substitution: Replace high-risk component with lower-risk alternative (e.g., on-device processing instead of cloud, local inference instead of remote API)
Article 9(2)(d) โ Residual Risk: Only risks reduced to acceptable levels may be permitted. "Acceptable" means the residual risk does not exceed the benefit. DEFONEOS's 3 residual Medium risks are:
MR-1: Hallucination in generated intelligence summaries (mitigated by source citations + human review + confidence scoring)
MR-2: Supply chain compromise of third-party MCP packages (mitigated by sandboxing + integrity verification + provenance tracking)
MR-3: Model drift over time without retraining (mitigated by automated drift detection PSI/KL + retraining triggers + performance monitoring)
4
Test for Residual Risk (Art 9(2)(g))
Residual risks are tested against real-world attack scenarios and adversarial conditions:
Adversarial Testing: 340 test cases per cycle across 8 attack vectors (see defoneos-adversarial-robustness.html)
Red-Team Exercises: Simulated attacks on SIGIL chain, MCP supply chain, model extraction, prompt injection
Pass criterion: Residual risk must remain at or below "Medium" under adversarial conditions. Current pass rate: 97.3% (9 failures per cycle, all caught and mitigated within 5 minutes).
5
Deploy Mitigation Measures and Provide Information (Art 9(3))
Where risks cannot be eliminated by design, mitigation measures are deployed and the following are provided:
To Deployers (Art 26): Instructions for use, known limitations, performance metrics, monitoring guidance (see defoneos-transparency-deployers.html)
To Affected Persons (Art 86): Transparency obligations, right to explanation, complaint mechanisms, human review
To Authorities (Art 73): Serious incident reporting within 15 days, corrective action documentation, market surveillance cooperation
To the Public (Art 52): AI system transparency, synthetic content marking (Article 50 watermarks via Article 50 passport system)
6
Monitor System and Update RMS (Art 9(4)-(5))
The RMS operates continuously throughout the AI system's lifecycle. Post-market monitoring (Art 72) feeds new data back into the RMS:
Feedback Loop: Incident reports โ risk register update โ new mitigation controls โ adversarial test expansion
Version Tracking: Every RMS change is SIGIL-signed and hash-chained. Full audit trail of risk decisions.
Corrective Actions: Triggered automatically when risk exceeds thresholds โ can include model rollback, capability suspension, or system shutdown
Article 9(5) Experimental Testing: DEFONEOS supports real-world testing under controlled conditions with informed consent, data minimisation, and strict oversight. All experimental deployments require BFT council approval (23/33 quorum).
7
Document and Maintain (Art 9(1))
The RMS is documented as part of the technical documentation (Annex IV) and maintained for 10 years post-market placement (Art 18(1)). DEFONEOS documentation includes:
Risk Register: All 42 identified hazards with severity, likelihood, mitigation status, residual risk
Mitigation Inventory: 156 controls mapped to specific risks, with implementation evidence
Test Results: Historical adversarial test outcomes, pass/fail trends, corrective actions taken
Change Log: Every RMS modification with rationale, approval, and impact analysis
Audit Trail: Ed25519-signed SIGIL chain providing cryptographic evidence of all risk decisions