
Article 9 — Risk Management System

Article 9 of the EU AI Act requires providers of high-risk AI systems to establish, implement, document, and maintain a risk management system — an ongoing iterative process that identifies, analyses, and mitigates risks associated with the system.


What the Article Requires

Article 9 obligations can be grouped into four areas:

1. Identification and analysis of known and foreseeable risks — Before deployment and throughout the system’s life, you must identify risks that the system could reasonably create for health, safety, and fundamental rights.

2. Estimation and evaluation of risks — including risks arising from foreseeable misuse. The NIST AI RMF’s MAP function is a widely accepted method for this estimation.

3. Risk mitigation and control measures — Design and technical measures that reduce risks to an acceptable level. This includes testing procedures and performance benchmarking.

4. Post-market monitoring — Ongoing collection and review of data about the system’s performance in real use, and a procedure to act on what you find.

Recital (84) of the Act notes that the risk management system should be consistent with existing risk management standards (ISO 31000, NIST AI RMF, etc.). You don’t need to invent a new framework — VeriProof maps to both.


Where VeriProof Fits

Post-Market Monitoring (Article 9(1)(d))

The post-market monitoring obligation is where VeriProof’s production capture capabilities are most directly relevant. Article 9 requires that the risk management system remains active throughout the operational lifetime of the system — not just at initial deployment.

VeriProof provides the data infrastructure for this continuous monitoring obligation:

Monitoring requirement                       | VeriProof capability
Collect data on production system behaviour  | Session capture via SDK adapters
Detect deviations from expected behaviour    | Governance scoring with configurable thresholds
React to incidents in production             | Alert rules with escalation paths
Feed findings back into risk assessment      | Time-machine analysis and trend reporting

Risk Estimation Evidence

Your risk assessment documents estimated probabilities and severities. VeriProof provides the production data to test whether those estimates were accurate:

  • Governance scores give you a continuous signal on whether the system is operating within the parameters your risk assessment assumed
  • Alert trigger history records every instance where production behaviour crossed a risk threshold — this is the evidence that your monitoring system is functioning
  • Longitudinal trends let you assess whether risk levels are changing over time, for example following a model update

Configuring Article 9 Monitoring in VeriProof

Define your risk dimensions

Identify the risk factors from your Article 9 risk analysis that can be detected from session-level signals. Common examples for LLM-based systems:

  • Harmful output rate: Percentage of sessions where the model produced a policy-violating response
  • Refusal rate: Percentage of sessions where the model refused to answer (can indicate over-restriction)
  • Low-confidence responses: Sessions where model confidence signals fall below a threshold
  • Fairness indicators: Differential response patterns across demographic signals in inputs

Configure governance scoring

In the Customer Portal, open Applications and select the application you want to monitor. Under the Governance tab, click Scoring Configuration. Add a dimension for each risk factor you identified, specifying the metadata field to observe, the threshold value, and the weight it should carry in the composite score. Save the configuration — it takes effect immediately for new sessions.

Set alert thresholds

Navigate to Alerts in the sidebar and click + New Rule. Set the condition to trigger when the governance score drops below your Article 9 threshold, choose the time window, set a severity, and enter the notification email addresses for your risk owner. This rule becomes the operational mechanism for your Article 9 corrective action procedure.

Establish a review cadence

Article 9 requires that risk management findings inform system updates. In the portal, go to Compliance → Evidence Exports, select the EU AI Act framework, enable Article 9, set your desired report period, and click Download Evidence Pack (PDF). Schedule this export as part of your regular risk review cycle — most organisations align it with monthly or quarterly governance meetings.
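As an added illustration (not VeriProof's own code or API), the following Python models the mechanics the steps above configure: weighted risk dimensions folded into a composite governance score per session, and an alert rule that fires when the mean score over a time window drops below the Article 9 threshold. The dimension names, weights, threshold and session records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass(frozen=True)
class Dimension:
    field: str        # session metadata field to observe
    threshold: float  # a value at or above this counts as a breach of the dimension
    weight: float     # weight the dimension carries in the composite score

# Hypothetical dimensions mirroring the risk factors listed above (not VeriProof's schema).
DIMENSIONS = [
    Dimension("harmful_output", 1.0, 0.5),  # 1.0 when the response violated policy
    Dimension("refused", 1.0, 0.2),         # 1.0 when the model refused to answer
    Dimension("low_confidence", 1.0, 0.3),  # 1.0 when confidence fell below its cutoff
]

def session_score(metadata: dict, dims=DIMENSIONS) -> float:
    """Composite governance score 0-100: weighted share of dimensions the session stayed within."""
    total = sum(d.weight for d in dims)
    within = sum(d.weight for d in dims if float(metadata.get(d.field, 0.0)) < d.threshold)
    return round(100.0 * within / total, 1)

def evaluate_alert(sessions, min_score: float, window: timedelta, now: datetime):
    """Alert rule: fire when the mean score over the window drops below min_score.
    Returns None, or an entry for the Article 9 trigger log naming the sessions that breached."""
    recent = [(sid, ts, session_score(meta)) for sid, ts, meta in sessions if now - window <= ts <= now]
    if not recent:
        return None
    mean = round(sum(score for _, _, score in recent) / len(recent), 1)
    if mean >= min_score:
        return None
    recent.sort(key=lambda r: r[1])  # chronological, so the log reads in capture order
    return {"window_end": now.isoformat(), "mean_score": mean, "threshold": min_score,
            "affected": [sid for sid, _, score in recent if score < min_score]}

# Constructed session records: (session id, capture time, metadata the SDK adapter attached).
NOW = datetime(2025, 1, 1, 12, 0, 0)
WINDOW = timedelta(hours=1)
ALERT_THRESHOLD = 75.0  # hypothetical Article 9 threshold for the composite score
SAMPLE_SESSIONS = [
    ("s0", NOW - timedelta(hours=3), {}),                                 # clean, but outside the window
    ("s1", NOW - timedelta(minutes=50), {}),                              # clean
    ("s2", NOW - timedelta(minutes=40), {"harmful_output": 1}),
    ("s3", NOW - timedelta(minutes=30), {"low_confidence": 1}),
    ("s4", NOW - timedelta(minutes=10), {"harmful_output": 1, "low_confidence": 1}),
]

def demo_alert():
    """Runs the rule over the constructed sessions; the window mean is 60.0, so the alert fires."""
    return evaluate_alert(SAMPLE_SESSIONS, ALERT_THRESHOLD, WINDOW, NOW)
```

The returned entry carries exactly what the auditor documentation below asks for: the threshold, the score that breached it, and the affected sessions.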


Documentation for Auditors

The Article 9 risk management system must be documented. Your documentation should reference VeriProof as the post-market monitoring mechanism and include:

  • A description of the monitoring indicators and their relationship to identified risks
  • The thresholds used in governance scoring and the rationale for their selection
  • The alert escalation procedure
  • A log of alert triggers and the corrective actions taken in response

VeriProof’s evidence package for Article 9 includes:

  • Governance score history across the report period
  • Alert trigger log with timestamps and affected sessions
  • Trend analysis (governance score over time)
  • A signed attestation that the session records in the package are complete and unaltered
