Glossary · Industry term

Risk management system

Also known as: AI risk management system, RMS, Article 9 RMS

Under EU AI Act Article 9, the continuous, iterative process that providers of high-risk AI systems must establish to identify, evaluate, and mitigate risks throughout the system's lifecycle. The RMS produces documented evidence of risk identification, risk-evaluation methodology, mitigation measures, residual-risk acceptance, and post-market monitoring feedback. Required for every Annex III high-risk system.

How this publication uses it

The risk management system is the load-bearing artefact of EU AI Act compliance: Articles 10-15 are largely the evidence the RMS produces. It is also the artefact most enterprise programmes start building too late. The defensible programme posture is to start the RMS at procurement (the Article 12 audit substrate, the Article 9 risk register, and the Article 17 quality-management documentation are interlocking) rather than to spin one up before the August 2026 enforcement deadline. NIST AI RMF gives the vocabulary; ISO/IEC 42001 gives the certifiable management-system shape; the AI Act gives the legal hook.
