Risk Strategy

Using AI in Risk Management: What I Learned Building a Risk-Sensing Tool at a Fortune 50

Practitioner lessons from leading a multi-year AI risk-sensing build at a Fortune 50, plus a NIST AI RMF playbook mid-market CFOs can actually use.

By Eric Kennedy · Thu May 14 2026 · 8 min read

Using AI in Risk Management: What I Learned Building a Risk-Sensing Tool at a Fortune 50

A few years ago, I led a multi-year program at a Fortune 50 technology company to build an AI-powered risk-sensing tool. The premise was simple: the annual enterprise risk assessment was a snapshot, not a feed. By the time a risk made it into the next year's assessment, the executive team had often already heard about it three different ways: a customer issue surfaced by sales, a regulatory shift flagged by legal, a competitive threat raised in a strategy review. The tool was designed to ingest those signals continuously, from both inside the company and outside it, and surface emerging themes faster than the annual cycle could. In practice, that meant the executive team saw emerging risk themes refreshed quarterly, with specific signals dating back to the prior month, instead of waiting for the next annual assessment cycle to surface them.

I am writing about it now because the question of how to use AI in risk management is dominating practitioner conversations, and most of what is being written about it is either vendor marketing or Big 4 thought leadership written by people who have not built or run one of these tools. I have, and the experience changed how I think about what AI can and cannot do for risk management.

The short version: AI is not a substitute for the risk discipline itself. It is a way to do three specific things faster. If you treat it that way, it earns its keep. If you treat it as a replacement for the analyst judgment that turns signals into decisions, it does not.

What the profession is actually doing right now

The adoption curve is real. A December 2025 survey from the IIA and AuditBoard found that 83% of senior internal audit leaders expect their internal audit function to increase AI usage over the next year. The IIA's 2025 Pulse data, which we covered in a prior article, showed GenAI use by CAEs jumping from 15% to 40% in a single year. The audit and risk functions are not asking whether to use AI anymore. They are asking how.

At the same time, the discipline is not catching up. Gartner's 2025 Trends for ERM Leaders found that only 18% of ERM leaders express high confidence in identifying and managing emerging risks. And Gartner's Q3 2025 Emerging Risk Report flagged AI-related information governance risks as the second-most cited emerging risk among 184 senior risk and assurance executives, with shadow AI entering the top five for the first time. Practitioners are simultaneously trying to use AI for risk management and trying to manage the risks AI itself creates. Both pressures are real.

What AI actually does well in risk management

Four things, based on what we found at scale.

It ingests more external signal than a human can. The tool pulled from news, regulatory filings, analyst reports, social signals, and industry-specific data feeds. The point was not to read everything. It was to surface the small percentage of content that contained something the risk function should know about. A human analyst can read maybe 40 articles a day. AI can scan 40,000 and surface the 20 that matter. That is a real productivity multiplier.

It finds themes in unstructured internal data. This is the part most teams underuse. AI risk identification works on internal interview transcripts, employee survey responses, customer complaint records, helpdesk tickets, and internal Slack or Teams messages (where access is appropriate and consented). The risks that surface from this kind of internal data are usually different from the risks that surface from external scanning, and that difference is the point. The two together produce a more complete picture than either alone.

It accelerates the analyst work that happens before an executive risk review. This is where most of the time savings actually shows up. A traditional pre-review pulls together a dozen inputs, summarizes them, drafts proposed themes, and packages it for executive discussion. That used to take an analyst a week. With AI in the loop, it takes a day. The executive review itself stays the same. What changes is how much higher-quality input the executives are reviewing. The most concrete example: drafting risk themes for the board, CEO, CFO, or audit committee. That work used to take weeks of preparation. With AI in the loop, we could produce a usable draft in minutes to hours. The executive review still needed practitioner editing and judgment, but the starting point arrived in a fraction of the time. This is the use case most teams reach for first when they start applying AI for enterprise risk management.

It gives functional risk owners a self-service tool. This is the use case I underestimated when we started. Functional risk leaders could ask the tool questions about their risks, brainstorm new risks they had not considered, generate mitigation ideas, and pull external risk information that would have taken them weeks to collect through traditional research. Instead, they got it in minutes. The effect was not just faster analyst work at the center. It was distributed risk capability across the organization, which made the formal risk function more strategic because owners were doing more of their own work.

A four-quadrant graphic titled "What AI Actually Does Well in Risk Management" showing four AI capabilities. Quadrant 1: Ingests external signal (AI scans 40,000 articles to surface the 20 that matter). Quadrant 2: Finds themes in internal data (surfaces patterns across interviews, surveys, and complaints). Quadrant 3: Accelerates executive pre-reads (theme drafts that took weeks now arrive in minutes to hours). Quadrant 4: Self-service for risk owners (functional leaders brainstorm risks and pull research in minutes instead of weeks). A before/after time comparison graphic. The "Before" panel shows weeks of preparation for manual theme generation, requiring research across data sources, analyst synthesis, and draft prep. The "After" panel shows AI-accelerated theme generation in minutes to hours, with AI synthesizing external and internal signal while the practitioner edits for judgment and the executive review remains unchanged.

What AI does not do well in risk management

Also three things.

It does not replace the judgment that turns signals into themes. AI surfaces patterns. A human practitioner decides whether the pattern is a real risk, a noise artifact, or a signal that needs more investigation. We had cases where the tool would surface what looked like a clean theme, and a senior risk director would look at it and say "that is three unrelated things stapled together." The reverse also happened. The judgment is still the work.

It does not understand what the executive team actually cares about. AI optimizes for the inputs you give it. It does not know that the CFO is preparing for an earnings call next week, or that the CEO has a strategic review in two months that is going to make some risks more important and others less. Risk theme priority is a function of executive context, and that context is not in any data feed.

It does not produce decisions. It produces inputs to decisions, including the AI risk themes that surface from external scanning and internal interview data. This is the part the vendor marketing systematically obscures. No AI tool is going to read your risk register and tell you which three risks to escalate to the audit committee this quarter. That call is still made by a human practitioner who can weigh the risk landscape against business context.

Two practitioner-experience patterns worth flagging here. The first: more data is not always better. We had stretches where adding more external feeds produced noisier output, not better signal. The fix was usually narrowing the inputs to a smaller set of higher-quality sources, not expanding them. The second: results have to be explainable, or risk managers will quietly ignore them. AI outputs that read as "the model says this is a risk" with no traceable reasoning got bypassed in practice, even when they were correct. The risk owners did the work themselves anyway because they could not defend an unexplained AI conclusion to an executive. Plan for explainability from day one.

Where the NIST AI Risk Management Framework fits

The other half of "AI in risk management" is the question every CFO is going to face within the next year, if they have not already: how is the company managing the risks of the AI it is using?

The reference point most practitioners are converging on is the NIST AI Risk Management Framework. Published by the U.S. National Institute of Standards and Technology in 2023 and updated since, the NIST AI RMF is a voluntary framework for organizations to identify, assess, and manage risks from AI systems they build, buy, or deploy. It is not a regulation. It is a structured approach that has become the de facto reference point for AI governance discussions, including in vendor questionnaires from enterprise customers.

Three things a mid-market company should know about it.

It is increasingly showing up in customer contracts. Enterprise buyers are starting to require NIST AI RMF alignment or attestation from their suppliers. If your company sells to large enterprises and uses AI in any customer-facing process, expect to be asked about NIST AI RMF in the next vendor diligence cycle.

It does not require a full implementation to be useful. The NIST AI RMF has four core functions (Govern, Map, Measure, Manage) that map well to risk practices most mid-market companies already have. The right approach is usually not to "implement" NIST AI RMF as a separate program but to use it as a checklist against your existing risk and compliance processes.

The governance piece is what most mid-market companies are missing. Shadow AI (employees using public AI tools without oversight) is a real and growing exposure. The first NIST AI RMF function (Govern) is where most mid-market companies need to start. A simple AI use policy, a list of approved tools, and a designated owner are usually enough to close 80% of the gap.

A framework graphic showing the four core functions of the NIST AI Risk Management Framework. Govern: establish AI risk culture, policy, and accountability. Map: identify AI systems, their context, and risks. Measure: assess and analyze AI risks. Manage: prioritize and respond to identified AI risks. Each function includes a mid-market translation showing how a smaller company can apply it without building a separate program.

What this means for a mid-market company

You do not need to build a Fortune 50 version of an internal risk-sensing tool. You probably should not. The build cost and the data infrastructure required are not justified by the scale of a $200M to $500M company. But you can capture most of the value with a much lighter version of AI in risk management.

Three practical moves.

Use general-purpose AI tools to ingest external signal. Tools like ChatGPT, Claude, and Gemini, paired with current research access, can do most of what a custom external-signal feed does. The workflow: weekly or biweekly, the risk owner runs a structured prompt against the AI tool covering industry news, regulatory changes, competitive moves, and macroeconomic shifts. The output is a one-page summary. The risk owner reads it. The themes that matter get added to the risk register.

Use AI to summarize internal interview transcripts. Most mid-market companies do not have unstructured internal data at scale. What they have is interviews. Each year, in preparation for the enterprise risk assessment, the risk lead interviews 15 to 25 executives and senior managers. AI summarization of those transcripts surfaces themes the human reviewer would miss, especially patterns that show up across multiple interviews but get buried in any single conversation. This is the highest-leverage AI risk identification use case for mid-market practitioners.

Use AI to draft the pre-read for executive risk reviews. This is the highest-ROI use for mid-market practitioners. AI does the synthesis work between owner updates and the consolidated executive view, and the practitioner edits. The executive review itself is unchanged. The pre-read gets sharper, faster, and more current.

A three-step playbook graphic titled "The Mid-Market AI Risk Management Playbook." Step 1: Ingest external signal using general-purpose AI tools like ChatGPT, Claude, and Gemini with weekly or biweekly structured prompts. Step 2: Summarize internal interviews from the annual ERM cycle to reveal cross-interview patterns. Step 3: Draft executive pre-reads for quarterly risk review prep. Bottom note: Plus a NIST AI RMF governance baseline for the AI the company itself uses. No new platform. No new headcount.

That is what AI in risk management looks like at the mid-market level. Three specific use cases, plus a NIST AI RMF-aligned governance baseline for the AI the company itself is using. No custom build. No new platform. No additional headcount.

The risk discipline still has to come first

The thing nobody selling AI tools will tell you: AI does not fix a broken risk program. If you do not have named strategic risks, designated owners, and a quarterly cadence, adding AI to the workflow will produce faster, more polished outputs that nobody acts on. The plumbing has to be in place first.

The teams getting the most value from AI in risk management are the ones who already had a working risk program before AI showed up. They are using AI to do the same work better. The teams that are struggling are the ones who hoped AI would compensate for the program they did not build.

You can probably guess which group is bigger.

Key Takeaways

Where to Start {eyebrow="Is Your Program AI-Ready?"}

If you are evaluating where AI fits in your risk program, start with the discipline underneath it. KRG's ERM Diagnostic is a focused 1-to-2-week review that maps your current risk and AI governance against where AI can realistically add value, identifies the gaps that need to close first, and gives you a roadmap.

Schedule a Discovery Call{.cta-primary} Explore the ERM Diagnostic{.cta-secondary}

Built for mid-market companies ($50M to $500M in revenue) navigating AI in risk management and NIST AI RMF questions in vendor diligence. The diagnostic fee is credited toward any future KRG engagement.

Frequently Asked Questions

Can I use ChatGPT to write a risk assessment?

ChatGPT and similar general-purpose AI tools can produce a useful first draft of a risk assessment, especially if you give the tool structured prompts that include your industry, company size, key business drivers, and known risk areas. A practitioner still needs to edit the output, validate it against the actual business, and apply judgment about which risks belong on the executive list versus the working list. Treat the AI output as analyst-level input, not as a finished assessment. The biggest mistake is accepting the first draft without practitioner review.

How is AI being used in risk management right now?

Four primary use cases. First, ingesting external signal (news, regulatory filings, analyst reports) to surface themes faster than humans can. Second, finding themes in unstructured internal data like interview transcripts and employee surveys. Third, accelerating the pre-read for executive risk reviews from weeks to minutes or hours. Fourth, giving functional risk owners a self-service tool for brainstorming risks and pulling external research. The risks of AI itself (shadow AI, model governance) are also driving new use cases around the NIST AI Risk Management Framework.

What is the NIST AI Risk Management Framework?

The NIST AI Risk Management Framework (AI RMF) is a voluntary framework published by the U.S. National Institute of Standards and Technology in 2023 to help organizations identify, assess, and manage risks from AI systems they build, buy, or deploy. It has four core functions: Govern, Map, Measure, and Manage. It is not a regulation, but it has become the de facto reference point for AI governance discussions and is increasingly required in vendor contracts from enterprise customers.

Do mid-market companies need to implement the NIST AI RMF?

Most mid-market companies do not need to implement the NIST AI RMF as a separate program. The right approach is usually to use it as a checklist against existing risk and compliance processes. The governance function (Govern) is where most mid-market companies need to start, typically with three things: a simple AI use policy, a list of approved AI tools, and a designated owner. That covers most of the Shadow AI exposure that comes from employees using public AI tools without oversight.