AM-057
Status: Holding · Last review: 26 Apr 2026
The enterprise AI agent risk register for 2026 resolves to a 12-column template that captures every risk an enterprise must document under EU AI Act Article 9 and the NIST AI RMF Manage function: risk ID, deployment ID, threat class (per OWASP Agentic AI Top 10), likelihood, impact, inherent risk score, control mapping (against the seven-control surface), residual risk score, named accountable individual, review cadence, status, and last-reviewed date. The register is operated by the Head of AI Governance, reviewed monthly in the AI governance committee, and queryable within the under-4-business-hour Article 73 incident-response window. The 12-column template integrates the threat surface (OWASP Agentic AI Top 10, claim AM-043), the controls (seven-control surface, claim AM-043), the audit substrate (claim AM-046), and the kill-criterion enforcement (claim AM-047) into a single living artefact. An enterprise that operates the register seriously has substantially completed the Article 9 risk-management system documentation requirement; the register is the single artefact that resolves the cross-reference matrix between operational reality and regulatory framework.
AI agent risk register template. 60-day review cadence. Watches: (1) European AI Office Article 9 enforcement guidance (expected Q3 2026) that may codify specific register column requirements, (2) ISO/IEC 42001 implementation guidance that may map onto the register format, (3) major case studies in 2026 enforcement actions that establish precedent for what constitutes an adequate register, (4) tooling vendor releases of agent risk register modules (Microsoft Purview, ServiceNow GRC, Archer, OneTrust have signalled native modules in development for 2026).