AIGP Study Guide
Module 3: Governance & Risk Management · BoK III.A

Business, regulatory and legal risks

Six direct business risks → bias & discrimination, job displacement, vendor dependence, liability & accountability, lack of transparency, IP infringement → then the regulatory and legal list. Recognition-level knowledge is enough, but you need all of them.

  • Bias & discrimination → from poor training data, inadequate labelling, flawed transformation, subpar algorithms and improper tuning → unfair outcomes. Counter with quality data and rigorous testing.
  • Job displacement → automation can displace roles → mitigate with reskilling and upskilling.
  • Vendor dependence → vendor lock-in makes switching costly · vendor failure (e.g., bankruptcy) disrupts operations → evaluate stability, keep contingency plans.
  • Liability & accountability → vagueness about who is responsible for AI decisions → document AI logic and potential risks.
  • Lack of transparency → treating AI as a black box breeds mistrust and misuse → document logic and decision processes for stakeholders.
  • IP infringement → scraping the internet can ingest others' IP → copyright, patent and trademark disputes and financial liability.

The regulatory & legal risk list → compliance with laws and regulations · liability for harm caused by the AI system · intellectual property disputes · human rights violations · reputational damage · socioeconomic inequality · social manipulation · opaque decision-making · lack of human oversight.