EU AI Act Article 9
Risk Management File

{{ system.name }}

Version {{ system.version }}

Provider: {{ system.provider_name }}
Assessor: {{ register.assessor_name }}, {{ register.assessor_role }}
Assessment Date: {{ register.assessment_date.strftime('%d %B %Y') }}
Review Date: {{ register.review_date.strftime('%d %B %Y') }}
RMF Schema: v{{ rmf.rmf_schema_version }}
Generated: {{ rmf.generated_at.strftime('%d %B %Y %H:%M UTC') }}

SHA-256: {{ rmf.sha256_hash }}

1. Executive Summary

Purpose: {{ system.purpose }}

Annex III Category: {% if system.annex_iii_category %} {{ system.annex_iii_category.value.replace('_', ' ').title() }} {% else %} Not classified {% endif %}

Self-Classification Documented: {{ 'Yes' if system.annex_iii_self_classification_documented else 'No — see Gate G2' }}

Total Risk Items: {{ register.items | length }}

Open Items (above appetite threshold of {{ register.risk_appetite_threshold }}): {{ register.open_items() | length }}

Knowledge Gaps: {{ register.knowledge_gaps() | length }}

2. System Description

Field | Value
System ID | {{ system.id }}
Name | {{ system.name }}
Version | {{ system.version }}
Provider | {{ system.provider_name }}
Provider Contact | {{ system.provider_contact or 'Not specified' }}
Intended Users | {{ system.intended_users | join(', ') or 'Not specified' }}
Inputs | {{ system.inputs | join(', ') or 'Not specified' }}
Outputs | {{ system.outputs | join(', ') or 'Not specified' }}
Deployment Context | {{ system.deployment_context or 'Not specified' }}

3. Risk Register

Risk appetite threshold: {{ register.risk_appetite_threshold }} (scores above this require mitigation or acceptance).

{% set dimensions = ['health_safety', 'fundamental_rights', 'discrimination', 'privacy', 'transparency', 'human_oversight', 'robustness', 'data_governance'] %} {% for dim in dimensions %} {% set dim_items = register.items | selectattr('dimension.value', 'equalto', dim) | list %}

3.{{ loop.index }} {{ dim.replace('_', ' ').title() }}

{% if dim_items %} {% for item in dim_items %}
{{ item.title }} {{ item.risk_band.upper() }} ({{ item.risk_score }})

{{ item.description }}

Likelihood: {{ item.likelihood.name }} ({{ item.likelihood }}) | Severity: {{ item.severity.name }} ({{ item.severity }})
Residual Likelihood: {{ item.residual_likelihood.name }} | Residual Severity: {{ item.residual_severity.name }}
Source: {{ item.source }} | Regulatory Status: {{ item.regulatory_status }}
{% if item.article_refs %}

Article refs: {{ item.article_refs | join(', ') }}

{% endif %} {% if item.nist_rmf_ref %}

NIST AI RMF: {{ item.nist_rmf_ref }} {% if item.iso42001_ref %} | ISO/IEC 42001: {{ item.iso42001_ref }}{% endif %}

{% endif %} {% if item.mitigations %}
Mitigations:
    {% for m in item.mitigations %}
  • {{ m.control_type.title() }} [{{ m.status }}] — {{ m.description }} {% if m.is_vague %}(flagged: generic language){% endif %}
    {% endfor %}
{% endif %} {% if item.accepted %}
Accepted: {{ item.acceptance_rationale }}
{% endif %} {% if item.knowledge_gap %}
Knowledge gap — test requirements derived. See Section 5.
{% endif %}
{% endfor %} {% else %}

No risk items recorded for this dimension.

{% endif %} {% endfor %}

4. Article 9(7) Test Requirements

{% if rmf.test_requirements %}
Risk Item | Metric | Threshold | Article
{% for t in rmf.test_requirements %}
{{ t.risk_item_id | string | truncate(8, True, '') }} | {{ t.metric_type }} | {{ t.threshold_range }} | {{ t.article_ref }}
{% endfor %}
{% else %}

No test requirements derived. Run riskforge tests generate to derive requirements from risk items.

{% endif %}

5. Audit Trail

This document includes a SHA-256 hash-chained audit trail stored in .riskforge/audit.jsonl. The export hash links this document to a specific audit log entry.

Export Audit Entry Hash: {{ rmf.audit_entry_hash or 'Not recorded' }}
Document SHA-256: {{ rmf.sha256_hash }}
Signed By: {{ rmf.signed_by or 'Unsigned' }}

Verify integrity at any time: riskforge verify

6. Disclosure

{{ rmf.disclosure }}