An AI Risk Assessment You Can Actually Run

Most AI is deployed with no risk assessment, and 99% of firms report AI-related losses (EY, 2025). A step-by-step AI risk assessment a WHS pro can run.

11 min read
  • AI
  • AI Risk Assessment
  • WHS
  • AI Governance
  • Risk Management
A professional at a desk methodically working through a structured assessment on a clipboard and laptop

Most AI gets deployed like software and never gets assessed like a hazard, and the bill is arriving. In 2025, 99% of large organisations reported a financial loss from an AI-related risk, with losses averaging US$4.4 million, yet only 12% of their executives could correctly identify the controls that guard against common AI risks (EY Responsible AI Pulse, 2025). That gap, between deploying AI and actually assessing it, is the whole problem. This is a risk assessment you can actually run to close it.

I lead Zero Harm performance and programs across a workforce of around 50,000, and I build AI tools grounded in WHS legislation. So I've sat on both sides of this: signing off risk and building the systems that create it. The method below isn't a new framework. It is your existing WHS risk process, pointed at AI, with the recognised AI standards bolted on where they help. If you've read the companion piece on managing AI as a WHS risk, this is the worked example it promised.

Why don't most organisations risk-assess their AI?

Because AI arrives through procurement, not through the safety system, so no one runs the hazard check. The evidence is stark. In 2025, ISACA found that while 83% of professionals believed staff were already using AI, only 31% of organisations had a formal, comprehensive AI policy (ISACA, 2025). Adoption runs years ahead of governance.

The AI assurance gap: big organisations, 2025
Category | Value (%)
Reported a financial loss from an AI risk | 99
Lost over US$1 million to AI risk | 64
Could identify the right AI controls | 12
Source: EY Responsible AI Pulse

This is not a story about exotic failures. Across organisations using AI in 2025, 51% reported at least one negative consequence from it (McKinsey, 2025). The harm is ordinary and frequent: a biased screening tool, a monitoring system that pushes people to work unsafely, a chatbot that confidently invents an answer someone acts on. Each is a hazard you'd catch if you assessed it. The reason most teams don't is simpler than it sounds. AI gets bought like a laptop, so it skips the process a hazard would normally trigger.

What frameworks should an AI risk assessment use?

The ones you'd expect, and they all describe the same loop, which is the good news. You do not need to invent a methodology. The recognised AI frameworks converge on the identify, assess, control and review cycle that any WHS professional already runs every week.

The US standard, NIST's AI Risk Management Framework, is built on four functions: GOVERN, MAP, MEASURE and MANAGE, with governance running through the other three (NIST AI 100-1, 2023). On the international side, ISO/IEC 23894:2023 adapts the generic ISO 31000 risk-management process to AI, and ISO/IEC 42005, published in 2025, is the first international standard dedicated to AI impact assessment. In Europe, Article 9 of the EU AI Act requires a continuous risk-management system for high-risk AI. It identifies foreseeable risks to health, safety and fundamental rights, then evaluates, controls and monitors them across the system's life (EU AI Act, Article 9, 2024).

Line those up and the shape is identical to Safe Work Australia's four-step model: identify hazards, assess risks, control risks, review (Safe Work Australia, 2024). So use your WHS process as the spine and borrow the AI-specific risk lists to make sure you're looking in the right places. The five steps below are exactly that. For an Australian checklist in plain language, the Voluntary AI Safety Standard's 10 guardrails map neatly onto these steps, covering accountability, risk management, testing, human oversight and recourse.

Step 1: Inventory every AI system that touches a worker

You cannot assess what you haven't listed, so the first step is a register. Walk through where AI and automated decisions already touch your people: rostering and shift allocation, productivity or location tracking, recruitment screening, performance scoring, and the general-purpose chatbots your team quietly pastes work into. Most organisations are surprised by how long this list is, which is the point. The 51% who hit a negative consequence almost always had a system no one had formally owned (McKinsey, 2025).

NSW Government agencies are required to keep exactly this kind of AI register under the NSW AI Assessment Framework, and it's a habit worth borrowing. For each system, note what it does, who it affects, what data it uses, and whether a human reviews its output. That single page per system is the foundation everything else sits on.

Step 2: Tier the risk, and be honest about "high-risk"

Most AI that touches workers is not low-risk, however much the vendor implies it is. Tiering tells you how much rigour each system needs, and the definitions matter. Australia's 2024 proposals paper on mandatory guardrails listed adverse impacts to a person's physical or mental health or safety as a core criterion for high-risk AI (Department of Industry, Science and Resources, 2024). The EU AI Act goes further and treats AI used to manage workers as high-risk by default. Safety isn't a footnote in these definitions. It's the test.

Run each system through a simple likelihood-and-consequence judgement, the same matrix you'd use for any hazard, and land it in a tier. The NSW framework does this with 16 questions that generate a risk level and a set of required assurance activities, and Canada's Algorithmic Impact Assessment grades systems across four impact levels from reversible to irreversible. You don't need their machinery. You need their discipline.

AI use versus AI governance (2025)
Category | Value (%)
Believe staff are already using AI | 83
Have a formal, comprehensive AI policy | 31
Source: ISACA, AI use is outpacing policy and governance
Risk tier | What it usually looks like | What it should trigger
Low | AI assists only; no effect on a person's work, pay or safety; output always checked | Record it, set basic use rules
Medium | Shapes how work is done, or informs a decision about a person | Full assessment, named owner, worker consultation
High | Allocates work, sets pace, monitors people, or drives a pay, shift or discipline decision | Full assessment, controls signed off, human override, review schedule
Critical | Automated decisions with legal or safety consequences and little human oversight | Senior sign-off and independent review before go-live

Step 3: Assess against the hazards, with the right questions

This is the heart of it, and the trick is asking the questions the technology hides. Point each system at three lists you already have or can borrow: Safe Work Australia's 14 psychosocial hazards, the four risks the NSW Digital Work Systems Act now names (excessive workload, unreasonable performance metrics, excessive surveillance, and discriminatory decisions), and the AI-specific failure modes like confabulation, bias and data leakage that NIST catalogues. The questions below cover the ground for most workplace systems.

Hazard area | The question to ask
Job demands and control | Does it set the pace or workload? Can a worker alter or pause it?
Monitoring and surveillance | What does it watch, how openly, and is that proportionate?
Fairness and discrimination | Could its decisions disadvantage a group? Has it been tested for bias?
Accuracy and confabulation | What does a confident wrong answer cost here, and who checks the output?
Transparency and recourse | Do affected workers know it's used, and can they challenge an outcome?
Security and data | What worker data goes in, where does it go, and who can see it?

Now the part no framework can do for you: consult the workers affected. Consultation is a duty under the model WHS Act whenever a change may affect health and safety, and it surfaces the lived harms a procurement deck never will. The people managed by an algorithm know precisely where it pinches. Skipping that conversation isn't just a compliance miss. It's how you assess the wrong risks.

Step 4: Control the risk with the hierarchy of controls

Once you've found the risks, control them the way you'd control any hazard, strongest control first. The hierarchy of controls works here exactly as it does on a site. Can you eliminate the riskiest feature, or substitute a less intrusive tool? If not, engineering-style controls keep a human in the loop, make decisions explainable, and let workers alter the pace or pause a machine-set task. Administrative controls cover policy, training, transparency and a genuine right to challenge an outcome.

This is also where Australia's guardrails earn their keep, because several are controls in plain language: test the system before and after deployment, enable meaningful human oversight, inform people when AI is in use, and give them a way to contest a decision (Voluntary AI Safety Standard, 2024). A control you can point to in the system, and trace back to a risk you named, is auditable. A vague promise that "a human reviews everything" is not. The same lesson runs through my piece on AI-assisted SWMS and risk assessments: the control has to fit the actual task, not the average one.

Step 5: Assign an owner, then keep it live

A risk assessment with no owner and no review date is already out of date. Name a competent person who is accountable for each high-risk system, because under section 27 of the model WHS Act, officer due diligence cannot be delegated to a tool. Keep records of the assessment and the controls, which is also one of Australia's guardrails. Then schedule the review.

The reason review matters more for AI than for a fixed plant hazard is that AI moves. The model gets updated, the vendor changes the training data, a new team starts using it for something it was never assessed for. So re-assess on a schedule, and also on any trigger: a model change, a new use case, or an incident. The EU AI Act frames its risk-management system as continuous and lifecycle-long for exactly this reason (EU AI Act, Article 9, 2024). Treat your assessment as a living document, not a certificate you file and forget.

Make the assessment the thing that has to happen

The frameworks are settled, the duty is clear, and the cost of skipping the work is now measured in millions. None of that is the hard part. The hard part is making the assessment a step that actually happens before an AI system reaches your people, rather than after something goes wrong. Build it into procurement and change, run your normal WHS process with an AI-specific eye, consult the people affected, and keep a competent human accountable for the result.

If this is useful, the hub on managing AI as a WHS risk sets out why AI is a hazard in the first place, the NSW AI law explainer covers the statute behind it, and the practitioner's field guide maps where AI helps and harms safety work. If you're building an AI risk assessment for your own organisation and want to compare notes, reach out. I'm always happy to.

Frequently asked questions

What is an AI risk assessment?
It is a structured check of what could go wrong when you deploy an AI or automated system, and what you will do about it. You identify the system, assess its risks to people (safety, psychosocial, fairness, privacy), apply controls, and review. It is your normal WHS risk process applied to a new kind of hazard.
Which framework should I use for an AI risk assessment?
Use the WHS risk process you already run as the spine, then borrow an AI-specific taxonomy. NIST's AI Risk Management Framework (2023), ISO/IEC 23894 and the EU AI Act all describe the same identify, assess, control and review loop. Australia's Voluntary AI Safety Standard gives you 10 plain-language guardrails to check against.
What counts as high-risk AI?
Broadly, AI that can hurt someone or materially affect their rights. Australia's 2024 proposals paper lists adverse impacts to a person's physical or mental health or safety as a high-risk criterion, and the EU AI Act treats systems that manage workers as high-risk. If an AI tool allocates work, monitors people or decides about pay or shifts, treat it as high-risk.
Do I need to consult workers about AI?
Yes. Consultation is a duty under the model WHS Act whenever a change may affect health and safety, and introducing AI that shapes how people work is exactly that. The workers who use or are managed by the system hold the work-as-done knowledge a vendor demo never shows, so consult before you deploy, not after.
How often should I review an AI risk assessment?
Treat it as a living document. Re-assess on a set schedule, but also whenever the model is updated, the use case changes, or an incident occurs. AI systems drift as their models and data change underneath you, so a one-off assessment goes stale fast. The EU AI Act frames this as continuous, lifecycle-long monitoring.
