Owner: CoE Lead (with input from Security / Legal if needed).
Input: Intake entry exists.
Sub-steps:
- Read the intake. Is it complete? If not, send back to the Champion for completion.
- Apply the 3 risk drivers (framework.md §10.2):
  - PII / customer / employee data involved? → tag.
  - Consequential decisions about people? → tag.
  - Autonomous behavior (acts without a human in the loop, HITL)? → tag.
- Assign a risk tier (Low / Medium / High) using the rubric in §10.1 and the heuristic ("if a wrong action could embarrass the company publicly, cost money, or create legal exposure → High").
- Check EU AI Act exposure (§10.3): does this use case fall into Annex III? If yes → automatically High and triggers EU-specific obligations.
- Check the company's risk appetite statement (Step A2). Is this use case allowed at all under the stated appetite?
- Map to the value-vs-risk matrix in Pillar 1 (framework.md §9). High value + manageable risk → prioritize. Low value + any meaningful risk → defer or reject.
- Add to the registry: risk tier, risk-driver tags, jurisdictional exposure, prioritization score.
Output / gate criteria: Registry entry fully classified. Risk tier and tags set. Priority assigned.
Decision branches:
- Prohibited use case (EU Article 5 banned practice / outside risk appetite) → reject. Document why. Close.
- Low/Medium/High, in-scope → go to Step 4.
Skip-this-step risk: Every agent gets treated the same. Either everything is over-governed (slow) or High-risk agents get under-governed (incidents).