BackDecision-Making

This page is still being polished. If you have thoughts, please share them via the feedback form.

Data on this page is preliminary and may change. Please do not share or cite these figures publicly.

Decision-Making

Campos (2025)|LLM classified

Mitigation Taxonomy

2Organisation

2.1Oversight & Accountability

2.1.1Leadership Oversight

Board and executive-level accountability, approval authority, and strategic direction.

Also in Oversight & Accountability

2.1.2 Roles & Accountability2.1.3 Policies & Procedures

Definitionp. 10

The decisions made by senior management that create or mitigate risk

Additional Informationp. 10

Best practices from other industries include the establishment of clear risk ownership, with designated senior managers responsible for specific risks and a dedicated senior-level committee for risk-focused decision-making (Committee of Sponsoring Organizations of the Treadway Commission, 2017). Senior management should have clear go/no-go decision protocols and rules to follow in their decision-making (Eisenhardt, 1989; Hammond et al., 1998). Finally, since AI risk evolves rapidly, there should also be a clear escalation process for rapid decision-making when there are changes in risk levels(Committee of Sponsoring Organizations of the Treadway Commission, 2017)

LLM Classification Details

Reasoning

Senior management committee establishes risk ownership, decision protocols, and approval authority for AI governance.

Code: 2.1.1Version: v0.5Classified: Jan 22, 2026

Part of

Risk Governance

Risk governance corresponds to the rules and procedures that structure the risk management system in terms of decision-making, responsibilities, authority, and accountability mechanisms

Other mitigations from Campos (2025) (17)

Risk Analysis and Evaluation

Risk analysis and evaluation is a process that starts with the definition of a risk tolerance. This risk tolerance is then operationalized into risk indicators and their corresponding mitigations required to reduce risk below the risk tolerance.

2.2.1 Risk Assessment

Lifecycle:Plan and DesignActor:DeveloperAIRM:Map

Risk Analysis and Evaluation > Setting a Risk Tolerance

A risk tolerance represents the aggregate level of risk that society is willing to accept from AI systems.

3 Ecosystem

Lifecycle:Other (outside lifecycle)Actor:Other (actor not listed)AIRM:Map

Risk Analysis and Evaluation > Operationalizing Risk Tolerance

Risk tolerance must be operationalized into measurable criteria to be practically useful in day-to-day operations. A risk tolerance can be translated into (1) Key Risk Indicator (KRI) thresholds, which are thresholds on measurable signals that serve as proxies for risks, and (2) Key Control Indicator (KCI) thresholds, which are thresholds on measurable signals that serve as proxies for the level of mitigation achieved.

2.2.1 Risk Assessment

Lifecycle:Other (outside lifecycle)Actor:Other (actor not listed)AIRM:Map

Risk Treatment

Risk treatment corresponds to the process of determining, implementing, and evaluating appropriate risk-reducing countermeasures

2.2 Risk & Assurance

Lifecycle:Other (multiple stages)Actor:Other (actor not listed)AIRM:Manage

Risk Treatment > Implementing Mitigation Measures

AI developers should operationalize their KCI thresholds into mitigation measures.

2.3 Operations & Security

Lifecycle:Other (multiple stages)Actor:DeveloperAIRM:Manage

Risk Treatment > Continuous Monitoring and Comparing Results with Pre-determined Thresholds

Developers must therefore implement continuous monitoring of both KRIs and KCIs to ensure that KCI thresholds are met once KRI thresholds are crossed according to the predefined "if-then" statements established in the risk analysis and evaluation phase.

2.3.3 Monitoring & Logging

Lifecycle:Other (multiple stages)Actor:DeveloperAIRM:Manage

View all 17 mitigations from this source →

Source Document

A Frontier AI Risk Management Framework: Bridging the Gap Between Current AI Practices and Established Risk Management

Campos, Simeon; Papadatos, Henry; Roger, Fabien; Touzet, Chloé; Quarks, Otter; Murray, Malcolm (2025)

The recent development of powerful AI systems has highlighted the need for robust risk management frameworks in the AI industry. Although companies have begun to implement safety frameworks, current approaches often lack the systematic rigor found in other high-risk industries. This paper presents a comprehensive risk management framework for the development of frontier AI that bridges this gap by integrating established risk management principles with emerging AI-specific practices. The framework consists of four key components: (1) risk identification (through literature review, open-ended red-teaming, and risk modeling), (2) risk analysis and evaluation using quantitative metrics and clearly defined thresholds, (3) risk treatment through mitigation measures such as containment, deployment controls, and assurance processes, and (4) risk governance establishing clear organizational structures and accountability. Drawing from best practices in mature industries such as aviation or nuclear power, while accounting for AI's unique challenges, this framework provides AI developers with actionable guidelines for implementing robust risk management. The paper details how each component should be implemented throughout the life-cycle of the AI system - from planning through deployment - and emphasizes the importance and feasibility of conducting risk management work prior to the final training run to minimize the burden associated with it.

View source DOI: 10.48550/arXiv.2502.06656

Classification

AI Lifecycle Stage

Other (outside lifecycle)

Outside the standard AI system lifecycle

Responsible Actor

Developer

Entity that creates, trains, or modifies the AI system

Deployer

NIST AI RMF Function

Govern

Policies, processes, and accountability structures for AI risk management

Risk Domains

Primary

6.5 Governance failure