CHAPTER 5: Risk Appetite in the Age of AI – What Does Too Risky Mean When It Is Done by AI?

Jun 9, 2026

ARiMI Learning Series:

AI FOR RISK PROFESSIONALS & LEADERS

This chapter is part of the “AI For Risk Professionals & Leaders” learning series, designed to help risk professionals and leaders engage with AI in ways that complement sound judgment, strategic thinking and ethical practice. Whether you are a certified expert or a curious practitioner, each chapter offers practical guidance to support the confident, clear and responsible use of AI tools in risk management.

From Accountability to Acceptable Risk

In the previous chapter, we examined accountability in AI and the difficult question of who bears responsibility when AI-supported decisions produce unintended, erroneous or harmful outcomes. That discussion remains essential, especially as AI tools become more embedded in daily operations, decision support, customer interaction, monitoring activities and enterprise workflows.

Accountability clarifies who must answer for AI-related decisions. Risk appetite clarifies what level of AI-related uncertainty an organisation is prepared to accept before those decisions are made.

This distinction matters.

As AI moves from experimentation into operational use, organisations can no longer rely only on broad principles, isolated governance committees or general statements of responsible AI. They need clearer boundaries. They need to know:

    1. which uses of AI are acceptable,
    2. which require stronger controls, and
    3. which should remain outside the organisation’s tolerance.

This is where risk appetite becomes a practical discipline.

For risk professionals, the challenge is no longer limited to identifying AI risks after tools have been adopted. The more strategic task is to help leadership define the conditions under which AI can be used responsibly, the limits that should not be crossed, and the signals that indicate rising exposure.


Why Existing Risk Appetite Boundaries Are Being Tested

Traditional risk appetite statements often address financial loss, regulatory breaches, operational disruption, fraud, cyber incidents, reputational damage and strategic uncertainty. These categories remain relevant, but AI introduces new questions that many existing statements were not designed to answer.

AI tools can support recommendations, generate responses, classify information, identify anomalies, rank priorities and guide workflows. In more advanced environments, AI agents may take on sequences of tasks that previously required human coordination.

As AI becomes embedded in more business activities, organisations are encountering forms of uncertainty that are often harder to define, monitor, and explain through traditional approaches.

A traditional system usually follows defined rules. An AI system may operate through probability, inference, pattern recognition or adaptive outputs. Its results may vary based on inputs, prompts, data quality, model design, user behaviour and surrounding controls.

The organisation may therefore face a situation where the output appears useful, the process appears efficient, and the risk remains insufficiently understood.

These realities place greater importance on:

    1. how organisations define acceptable levels of uncertainty and
    2. where they choose to draw their boundaries.

Organisations must therefore consider how much uncertainty is acceptable when AI contributes to decisions that affect customers, staff, operations, compliance obligations, financial outcomes, or public trust.


When Efficiency Creates New Exposure

AI is often adopted because it promises speed, scale and consistency. These benefits are attractive, especially when teams face growing workloads, compressed timelines and rising expectations from stakeholders.

However:

    1. speed can also reduce the time available for challenge,
    2. scale can amplify errors,
    3. consistency can create confidence in outputs that have not been sufficiently tested, and
    4. a tool that improves one part of a process may introduce new risk elsewhere.

For example, an AI tool that accelerates risk screening may improve productivity. If the screening logic misses context-specific red flags, the organisation may process more cases faster while weakening the quality of review.

An AI-enabled monitoring tool may detect more anomalies than a manual review process. If alerts are poorly calibrated, teams may face alert fatigue and miss the signals that matter.

An AI-assisted decision process may help standardise recommendations. If the model reflects hidden bias or outdated assumptions, the organisation may create systematic exposure across many decisions rather than isolated errors.

These examples show why AI risk appetite cannot be reduced to whether a tool is accurate or efficient. The more important question is whether the organisation understands the consequences of relying on that tool within a specific context.


Core Questions for AI Risk Appetite

Risk appetite in the age of AI should help decision makers answer practical questions before AI use expands too far.

Organisations should be able to define:

  • Which decisions AI may support
  • Which decisions require mandatory human review
  • Which decisions should remain fully human led
  • What level of model uncertainty is acceptable
  • What level of explainability is required
  • What types of data may or may not be used
  • What level of vendor dependency is acceptable
  • What failures must trigger escalation
  • What incidents require suspension or review of the AI tool
  • What evidence is required before an AI-supported process is approved for wider use

These questions move risk appetite from abstract wording into operational guidance. They also help leaders avoid vague statements such as “we have low appetite for AI risk” without defining what that means in practice.


Different AI Uses Require Different Appetite Levels

Not every AI use carries the same risk.

A tool used to organise internal workflow may require one level of control. A tool used to support credit decisions, clinical triage, fraud investigation, regulatory classification or employee evaluation requires a very different level of scrutiny.

Risk professionals should therefore help organisations distinguish between categories of AI use.

    1. Low sensitivity use may involve internal productivity support, administrative assistance or limited process structuring where outputs are reviewed before use.
    2. Moderate sensitivity use may involve risk scoring, anomaly detection, compliance screening or management reporting where outputs influence decisions but do not directly determine outcomes.
    3. High sensitivity use may involve decisions that affect rights, access, safety, financial exposure, employment, legal obligations, public trust or reputational standing.

This classification helps risk appetite become more precise. It allows organisations to apply stronger controls where consequences are higher, while still permitting responsible innovation in lower risk areas.

Organisations will inevitably apply different levels of control across different AI use cases. The degree of oversight, review and governance should reflect the potential consequences of the decision being supported.


Risk Appetite and Human Oversight

Human oversight is often included in AI governance documents. In practice, the quality of oversight varies greatly.

Some organisations treat human review as a meaningful control. Others treat it as a formal step where users approve AI outputs without adequate time, training or authority to challenge them.

Risk appetite should define what effective human oversight means.

This includes:

  • Who is authorised to review AI-supported outputs
  • What knowledge or training reviewers must have
  • When reviewers may override AI recommendations
  • What must be documented when AI outputs are accepted or rejected
  • What escalation route applies when reviewers disagree with AI outputs
  • What level of challenge is expected before a decision is made

Human oversight only works when people have the competence, time and authority to act. Without those conditions, oversight becomes procedural rather than protective.

This is why ARiMI continues to emphasise the role of trained and certified risk professionals. AI may provide speed and structure, but professional judgment determines whether the output is relevant, acceptable and fit for use.


The Risk Appetite Calibration Lens

To support practical discussion, risk professionals can begin with a simple calibration lens when reviewing AI use cases.

Calibration area | Key question | Risk appetite consideration
Purpose | What decision or process will AI support? | Is the use aligned with business objectives and risk strategy?
Consequence | What could happen if the output is wrong? | Does the potential impact fall within accepted tolerance?
Autonomy | How much freedom does the AI tool have? | Is the level of human control proportionate to the risk?
Explainability | Can the decision pathway be understood and explained? | Is the explanation sufficient for governance, audit or stakeholder review?
Data sensitivity | What data does the tool depend on? | Are privacy, confidentiality and data quality expectations met?
Monitoring | How will performance or drift be detected? | Are indicators and escalation triggers clearly defined?
Accountability | Who owns the decision and response? | Are roles, review points and remediation duties clear?

The calibration lens is intended to support discussion and challenge. It helps structure conversations that might otherwise remain vague or overly focused on technical considerations. It also provides a practical starting point for moving discussions from general enthusiasm or concern into structured judgment.

It also helps organisations avoid treating AI use as a single category. Some use cases may sit comfortably within appetite. Others may require additional controls. A few may fall outside acceptable boundaries altogether.


When Risk Appetite Is Too Vague

A vague risk appetite statement can create a false sense of control.

Statements such as “we support responsible AI” or “we have low tolerance for unethical AI use” may sound reassuring, but they do not guide decisions unless they are translated into thresholds, review processes and ownership.

A more useful statement would clarify:

  • Which AI uses are encouraged
  • Which AI uses require approval
  • Which AI uses are restricted
  • Which AI uses are prohibited
  • Which incidents trigger escalation
  • Which decisions require human sign-off
  • Which metrics or indicators will be monitored

Without this level of specificity, risk appetite becomes difficult to apply. Different departments may interpret the same statement in different ways. Vendors may fill the gaps. Employees may rely on informal judgment. Senior leaders may assume controls exist when they have not been operationalised.

This is where risk professionals can add significant value. They can translate high level appetite into practical decision boundaries that help the organisation act consistently.


The Board and Executive Role

AI risk appetite cannot be left entirely to technical teams or operational users. Board and executive leadership have a central role in setting the tone and defining boundaries.

Leadership should be involved in decisions concerning:

  • AI use in high-impact areas
  • Acceptable levels of automation
  • Vendor dependency and concentration risk
  • Ethical expectations
  • Regulatory exposure
  • Reputational consequences
  • Investment in monitoring and assurance
  • Response protocols for AI-related incidents

Risk appetite should reflect the organisation’s strategy, values and obligations. It should also reflect its actual capability to manage AI related risks.

An organisation with limited monitoring capability should be more cautious about highly autonomous AI deployment. An organisation with stronger governance, trained users and mature assurance processes may be able to accept a broader range of AI enabled activities.

Risk appetite must therefore be honest. It should reflect not only what the organisation wants to achieve, but what it is capable of governing.


The Role of Risk Professionals

Risk professionals are not expected to define risk appetite alone. Their role is to facilitate the discipline behind the decision.

They help leadership examine trade-offs, challenge assumptions and convert broad intentions into practical boundaries. They also help ensure that appetite statements are connected to risk registers, controls, monitoring indicators, escalation pathways and incident response arrangements.

In AI related contexts, risk professionals should be prepared to ask:

  • What are we allowing AI to influence?
  • What happens if the output is wrong?
  • Who reviews the output before action is taken?
  • What evidence do we require before scaling this use case?
  • How will we detect model drift or performance deterioration?
  • What would make us pause, restrict or withdraw this AI tool?
  • How do we document acceptance, challenge and override decisions?

These questions help organisations maintain decision quality as AI becomes more deeply integrated into operational and strategic activities.


From Appetite to Action

Risk appetite only becomes meaningful when it influences decisions.

For AI, this means connecting appetite to practical controls such as:

  • Approval thresholds for AI use cases
  • Mandatory review for high-impact decisions
  • Defined escalation triggers
  • Model monitoring indicators
  • Vendor assurance requirements
  • Documentation standards
  • User training expectations
  • Periodic review cycles
  • Incident response protocols

These controls help organisations move from stated appetite to applied discipline. They also create a stronger bridge to accountability. When boundaries are clear, it becomes easier to determine whether actions stayed within accepted limits or crossed into unacceptable exposure.
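
To show how the model monitoring indicators and defined escalation triggers listed above can be turned into something a risk function actually runs, the following is an added example; it is not code from the chapter, from ARiMI or from any product. It computes two indicators over constructed sample data: a population stability index (PSI) comparing the distribution of a model's current output scores with the scores seen when the use case was approved, and the rate at which human reviewers override the tool's recommendation. The choice of these two indicators, the threshold values (PSI 0.10 and 0.25, override rate 15% and 30%), the three outcomes (continue, review, suspend) and the log format are all assumptions made for the illustration, not figures or formats taken from the chapter.

```python
"""Escalation triggers for an AI-supported decision process.

Added illustration: the score samples, the review log and the threshold
values below are constructed for this example and do not come from the
chapter or from any real system.
"""
import math

# ---- Indicator 1: drift of the model's output distribution ----------------

def psi(baseline, current, bins=10):
    """Population Stability Index of `current` scores against `baseline`.

    Scores are assumed to lie in [0, 1]. Fixed-width bins over that range
    are used so the comparison does not depend on the current sample. An
    epsilon floor stops an empty bin from producing log(0).
    """
    eps = 1e-6

    def fractions(scores):
        scores = list(scores)
        counts = [0] * bins
        for s in scores:
            counts[min(int(s * bins), bins - 1)] += 1
        return [max(c / len(scores), eps) for c in counts]

    b, c = fractions(baseline), fractions(current)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))


# ---- Indicator 2: how often reviewers override the tool -------------------

def override_rate(review_log):
    """Fraction of reviewed cases where the human decision differs from the AI recommendation.

    Each entry is a dict with 'ai_recommendation' and 'reviewer_decision'
    (a constructed log format, not any product's real schema).
    """
    if not review_log:
        return 0.0
    overrides = sum(
        1 for r in review_log if r["reviewer_decision"] != r["ai_recommendation"]
    )
    return overrides / len(review_log)


# ---- Escalation decision ---------------------------------------------------

# Assumed appetite boundaries for this use case. The PSI cut-offs (0.10 watch,
# 0.25 act) are a common rule of thumb for score drift; the override cut-offs
# are illustrative and would be set per use case by the appetite statement.
THRESHOLDS = {
    "psi_review": 0.10,
    "psi_suspend": 0.25,
    "override_review": 0.15,
    "override_suspend": 0.30,
}


def escalation_action(drift, overrides, thresholds=THRESHOLDS):
    """Map the two indicators onto the actions an appetite statement defines."""
    if drift >= thresholds["psi_suspend"] or overrides >= thresholds["override_suspend"]:
        return "suspend"   # withdraw the tool pending investigation
    if drift >= thresholds["psi_review"] or overrides >= thresholds["override_review"]:
        return "review"    # escalate to the model owner and the risk function
    return "continue"


# ---- Constructed sample data -----------------------------------------------

def _scores_in_bins(counts, bins):
    """Produce scores at each bin's midpoint so the bin counts are exactly `counts`."""
    return [(i + 0.5) / bins for i, n in enumerate(counts) for _ in range(n)]

# Scores at approval were spread evenly; this month's scores have shifted upward.
BASELINE_SCORES = _scores_in_bins([20, 20, 20, 20, 20], bins=5)
CURRENT_SCORES = _scores_in_bins([10, 10, 20, 30, 30], bins=5)

# 20 reviewed cases, of which reviewers reversed 4 recommendations.
REVIEW_LOG = (
    [{"ai_recommendation": "approve", "reviewer_decision": "approve"} for _ in range(16)]
    + [{"ai_recommendation": "approve", "reviewer_decision": "decline"} for _ in range(4)]
)


def assess_use_case(baseline=BASELINE_SCORES, current=CURRENT_SCORES, review_log=REVIEW_LOG):
    """Return the indicators and the resulting action for one monitoring cycle."""
    drift = psi(baseline, current, bins=5)
    overrides = override_rate(review_log)
    return {"psi": round(drift, 4), "override_rate": overrides,
            "action": escalation_action(drift, overrides)}


if __name__ == "__main__":
    print(assess_use_case())   # {'psi': 0.2197, 'override_rate': 0.2, 'action': 'review'}
```

The point of the example is the shape of the control rather than the particular numbers: each indicator is defined before the tool goes live, each has a threshold tied to a named action, and the action is recorded with the evidence that triggered it. A high override rate with no drift usually points at the review stage (training, time, authority) rather than the model; drift with a low override rate can mean reviewers are accepting outputs they no longer have grounds to trust, which is the procedural rather than protective oversight the chapter warns about.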


Why This Matters Now

Over the period between June 2025 and June 2026, AI became increasingly integrated into business operations, often through a combination of enterprise platforms, embedded applications, third party services, and employee initiated use. In many organisations, the discussion moved beyond individual AI projects to the cumulative impact of AI supported activities across multiple functions.

As this integration deepens, risk appetite becomes more significant. Decisions concerning acceptable levels of automation, oversight, reliance and intervention can no longer be addressed on a case-by-case basis alone. Organisations require a clearer view of where boundaries exist and how those boundaries will be applied consistently.

For risk professionals and leaders, this reinforces the importance of structured risk thinking. Attention is increasingly shifting towards how organisations govern uncertainty, exercise judgment, and maintain accountability as technology becomes more influential in decision making.


A Foundation for Practical Integration

Risk appetite provides the bridge between accountability and integration.

Chapter 4 examined who is responsible when AI outcomes create harm. This chapter has explored how organisations can define acceptable boundaries before those outcomes occur.

The next step involves practical integration. Defining risk appetite is only one part of the challenge.

Organisations must also translate those boundaries into day-to-day risk management practices, reporting structures, governance processes and oversight activities. The next chapter explores how AI can be integrated into existing enterprise risk management frameworks in a practical and sustainable manner.