Appearance
Risk Identification and Assessment
This page covers the framework's methodological core: building a comprehensive risk inventory, characterizing each risk causally, and scoring it on the framework's scales through the 4×4 likelihood-impact matrix. It maps the two identification requirements MRF-419 and MRF-420 and the three assessment requirements MRF-421, MRF-422, and MRF-423.
The matrix operates per risk: every entry in the register is scored individually, which is what makes the later treatment decisions proportionate and auditable. The framework separately names informed classification of AI systems by risk level — based on likelihood, impact, and context — among its objectives, and periodic reviews revisit that system-level classification (MRF-429); it prescribes no formula for aggregating the per-risk scores into it.
Primary source
SDAIA, National Artificial Intelligence Risk Management Framework, SDAIA-P145, version 1.0, April 2026. This page draws on the stages «تحديد المخاطر» (risk identification) and «تقييم المخاطر» (risk assessment). The Arabic text is authoritative; English renderings are unofficial translations.
The comprehensive risk inventory (MRF-419)
The inventory activity prepares a comprehensive list of the potential risks associated with the AI system — technical and non-technical — classified according to a unified classification so that no type of risk is overlooked. AI risks are often complex and interlocking: a risk may have more than one cause, affect more than one party, and appear before or after release, which makes completeness harder than for classic software.
The framework suggests a seven-category classification for this completeness check:
| Category | Scope in brief |
|---|---|
| Bias, discrimination, and abuse | Unfair treatment or inequitable representation of individuals or groups, often on sensitive characteristics; exposure of users to harmful or inappropriate content; performance disparities across social or geographic groups |
| Privacy and security | Collecting or inferring sensitive information without knowledge or consent; unauthorized data sharing; identity theft or loss of confidential information; security vulnerabilities in the system, its supply chains, or supporting components |
| Misinformation | Unintentional production or spread of incorrect or misleading information; over-personalized outputs creating closed information environments that weaken shared reality and public decision-making |
| Malicious use | Deliberate exploitation: disinformation campaigns, covert surveillance, systematic influence on opinion and behavior, fraud, deception, extortion, impersonation; extending to cyberattacks and weapons-capability enhancement |
| Human-machine interaction | Over-reliance, unsafe use, anthropomorphizing the system, or trust exceeding its actual capabilities; loss of human agency and autonomy when core decisions are delegated, with possible erosion of cognitive skills over time |
| Social, economic, and environmental impacts | Increased inequality and concentration of power; degraded work quality or job loss from automation; competitive race dynamics that push immature systems into release; governance failure when oversight lags the technology; environmental harms from energy, carbon, and materials |
| Safety and limitations | Failure to operate correctly across conditions: goal drift from designer or user intent; dangerous capabilities; weak reliability in critical contexts; weak transparency and explainability; multi-system interactions producing cascading failures or new vulnerabilities |
The classification method is suggested, not imposed, but the comprehensiveness aim is not optional. The framework itself does not define how an alternative taxonomy is accepted; in the Modulos templates, an entity relying on an equivalent taxonomy shows how its categories cover the seven categories' full scope: semantic coverage, not just label matching. As an observation (SDAIA-P145 itself makes no such attribution), the seven categories converge with several widely used AI risk taxonomies, including the domain categories of the MIT AI Risk Repository, so entities already tracking risk under one of those have a ready-made crosswalk.
Causal characterization (MRF-420)
The second identification activity converts each inventoried risk from a general description into a practical, manageable one by classifying it causally on three axes:
| Axis | Values |
|---|---|
| Source | AI system (a deficiency or error in the system) / human (misuse of it) — noting also whether sources are internal or external to the entity |
| Intent | Deliberate / unintentional |
| Timing | Before release / after release |
Each risk's record also explains the circumstances that could lead to its realization and highlights the associated vulnerabilities. The point of the exercise is forward-looking: a causally characterized risk can later be linked to the most suitable controls during assessment and treatment.
Likelihood estimation (MRF-421)
Likelihood is the degree to which the risk scenario is expected to occur within the adopted time horizon, grounded in analysis of the available evidence and data and in practical experience with the system's behavior and operating environment. The four levels:
| Level | Meaning |
|---|---|
| Rare (1) | Occurrence is highly improbable |
| Unlikely (2) | Occurrence is possible but not expected under usual conditions |
| Likely (3) | Occurrence is considerably probable given the system's nature and operating context |
| Almost certain (4) | Occurrence is expected to a high degree unless effective controls limit it |
The justification draws on one or more of four named factors, as fits the risk and the system's context (not necessarily all of them):
- Exposure — the wider the system's operating scope or the duration of exposure, the higher the likelihood (direct relationship).
- Preventive controls — strong, effective controls in place before occurrence lower likelihood; their absence or weakness raises it (inverse relationship).
- Ease of occurrence — the easier errors or exploitations are, for example through complexity, weak configurations, or limited human oversight, the higher the likelihood (direct relationship).
- Precedent — similar past incidents inside the entity or across the sector indicate higher likelihood of recurrence (direct relationship).
The framework deliberately does not build the estimate on fixed percentages, citing the difficulty of assigning them to emerging-technology risks. It supplies indicative annual ranges only as a reference correspondence with established risk-management practice: rare below 1% annually, unlikely 1–10%, likely 10–50%, almost certain 50% or above. A reasoned qualitative justification satisfies the activity; a quantitative estimate mapped onto the ranges is an equally valid way to support the chosen level.
Impact estimation (MRF-422)
Impact is the severity of harm if the risk materializes, analyzed through the nature, scope, duration, and recoverability of the harm. The framework names the impact types to consider — fundamental rights, human safety, privacy and data protection, service continuity, public trust, and regulatory compliance — with regard to the sensitivity of the sector and the nature of the decision the system supports or takes. The four levels:
| Level | Meaning |
|---|---|
| Low (1) | Expected harm is limited, localized, and quickly containable and remediable |
| Medium (2) | Harm is tangible but limited in scope, containable and remediable within a reasonable period, without grave or long-term effects |
| High (3) | Harm is large and clearly consequential; usually containable, but with material consequences that call for a clear institutional response |
| Catastrophic (4) | Extreme cases only: very grave harm, wide in scope and depth, potentially uncontainable or irreversible, requiring long-term recovery |
The catastrophic level is reserved by definition. The framework says it typically appears when characteristics like the following are present — typical indicators, not a closed prerequisite list:
- direct harm to public security or societal stability, or threats of national dimensions;
- direct harm to human safety, or grave danger to individuals' lives or physical or psychological health;
- harm to religion, offense against religious sanctities, or religious incitement or misinformation, with potentially grave and sensitive social consequences;
- effective deprivation of fundamental rights or vital services that cannot be compensated easily or quickly;
- breach of or control over critical systems, or unauthorized access to essential operational components of high sensitivity;
- wide-scale leakage of highly sensitive data, such as health, financial, identity, or security data.
These enumerated characteristics are the framework's most jurisdiction-specific content, and they are what distinguishes its impact scale from a generic risk matrix.
As with likelihood, the justification draws on one or more of four named factors: harm severity (direct), scale of impact — the number of affected people, systems, or services (direct), sensitivity of decisions or data (direct), and speed of recovery (inverse: the faster the recovery, the lower the impact).
Risk-level determination: the 4×4 matrix (MRF-423)
The third assessment activity converts the two estimates into a unified quantitative risk level:
Risk level = likelihood × impact, on a range of 1 to 16.
| Likelihood \ Impact | Low (1) | Medium (2) | High (3) | Catastrophic (4) |
|---|---|---|---|---|
| Almost certain (4) | 4 | 8 | 12 | 16 |
| Likely (3) | 3 | 6 | 9 | 12 |
| Unlikely (2) | 2 | 4 | 6 | 8 |
| Rare (1) | 1 | 2 | 3 | 4 |
The product classifies into four bands, color-coded in the framework to ease decision-making:
| Band | Range | Color |
|---|---|---|
| Low risk | 1–2 | Green |
| Medium risk | 3–6 | Yellow |
| High risk | 8–12 | Orange |
| Catastrophic risk | 16 | Red |
The arithmetic is deterministic: given a likelihood level and an impact level, the risk level and band follow mechanically, which makes the classification reproducible and auditable across entities. The output guides the next stage: acceptance, treatment, or escalation decisions and controls proportionate to each risk's severity and context of use.
Worked example: scoring in practice
The framework's appendix scenario (an internal report-drafting LLM in a government entity) registers eight risks spanning all seven categories and scores each with factor-by-factor justifications. Two illustrate the method:
- Generating inaccurate or misleading information (category: misinformation; source: AI system; unintentional; post-release). Likelihood likely (3) — daily use by many staff, hallucination is intrinsic to LLMs, controls partial (human review depends on user discipline), precedents common. Impact medium (2). Risk level 6, medium.
- Entry or leakage of sensitive internal information (category: privacy and security; source: human; unintentional; post-release). Likelihood unlikely (2) — manual entry, clear prohibition rules, internal hosting. Impact high (3). Risk level 6, medium.
None of the eight risks reaches the catastrophic impact level, consistent with its extreme-cases-only definition.
Cross-framework mapping (preview)
Preview
- NIST AI RMF — identification and assessment correspond to the Map and Measure functions; the SDAIA framework is more prescriptive about the scoring mechanics (fixed scales, fixed bands).
- ISO/IEC 23894 and ISO 31000 — the per-risk likelihood-impact method follows the classic risk-management pattern those standards describe, specialized for AI.
- MIT AI Risk Repository — the seven inventory categories converge with its domain taxonomy, which is itself a synthesis of dozens of prior frameworks; in the Modulos templates, a documented crosswalk satisfies the completeness check.
These are framework-level adjacencies; cross-framework reuse is realised at the control layer, not as clause-by-clause equivalence.
Related pages
Reference pillars and context scoping
The stage before this one: pillars and the context record the assessment consumes — ORF-449–452, MRF-414–418
Risk treatment, monitoring, and incidents
What the scores feed: strategies, controls, residual risk, and decisions — MRF-424–430
Operationalizing in Modulos
The OFF-23 / MFF-23 rollout sequence, control split, and evidence model
Source attribution
The authoritative source is the National Artificial Intelligence Risk Management Framework (SDAIA-P145, version 1.0, April 2026), published by the Saudi Data and Artificial Intelligence Authority. This page draws on the risk identification and risk assessment stages and the applied scenario in the appendix. The Arabic text is authoritative; English renderings are unofficial translations. Requirement and control codes are Modulos template identifiers, not SDAIA references.
Disclaimer
This page is for general informational purposes and does not constitute legal advice. The framework is advisory and creates no new obligations. Verify against the current published edition and consult qualified advisers.