How to Mitigate AI Risk: A Step-by-Step Framework
Photo: Sasun Bughdaryan / Pexels
Key takeaways
- AI risk mitigation starts with knowing what tools are in use, not with buying software.
- Data classification (what can and can't go into an AI tool) removes most of the risk on its own.
- Tier selection, business vs free, closes a training-data risk that policy wording alone can't.
- Human review of AI output catches the accuracy risk that mitigation plans often forget.
- Ongoing monitoring matters more than the initial assessment, since tools and their terms change.
Mitigating AI risk sounds like it should require a security team and a budget line, but for most small and mid-sized businesses it's five concrete steps, done in order, none of which need specialist tooling. The mistake we see most often isn't skipping a step. It's starting in the wrong place, usually by buying a governance platform before anyone has actually written down which tools staff use. Fix the order and the rest gets considerably easier.
Step 1: find out what's actually in use
You can't mitigate a risk you haven't located. Before writing a single control, pull together a real list of AI tools your team uses, through expense reports, SSO or OAuth admin logs, or simply by asking each team directly, which is often the fastest and most accurate method of the three. Expect the real list to be longer than the official one. That gap is the risk you're about to address, and finding it is worth more than any control you'll add afterwards.
Step 2: classify your data, not your tools
The highest-leverage move in AI risk mitigation isn't picking better software. It's deciding, in writing, what categories of data can never go into an AI tool: client-identifying information, financial records, health data, unreleased product plans, source code under NDA. Once that line exists, most risk mitigation becomes a matter of enforcing a rule people can actually remember, rather than trying to police every individual prompt after the fact.
Step 3: fix the tier, not just the tool
This is the step most policies skip, and it's often the single biggest risk reducer available. The same AI tool, on a free consumer account versus a paid business account, can carry completely different data-training terms. Anthropic's commercial terms, for instance, state that Claude for Work and Enterprise data isn't used for model training, a protection the free consumer tier doesn't carry in the same way. Moving a team from free to business tier on their existing tool can cut real risk more than swapping to a different tool entirely.
Step 4: build human review into anything customer-facing
AI risk isn't only about data leaving your business. It's also about wrong or misleading output going out under your name. Any AI-generated content that reaches a customer, whether it's a support reply, a marketing email or a legal summary, needs a human check before it ships. This is the risk mitigation plans most often forget, because it's about accuracy rather than confidentiality, but a confidently wrong AI answer sent to a client can do more immediate damage than a data-handling slip nobody notices for months.
Step 5: monitor, don't just assess once
A risk assessment is a snapshot, and AI vendors change their data-training terms, retention periods and default settings more often than most software categories. Set a recurring review, quarterly is reasonable for a small team, to recheck your approved tools against their current terms, not the terms that applied when you first vetted them. Our AI vendor risk assessment is designed to be re-run rather than done once, precisely because the underlying facts shift.
A short worked example
A fifteen-person recruitment agency ran through this exact sequence after a near-miss: a recruiter had pasted a candidate's full CV, including a home address, into a free AI tool to draft a summary. Discovery turned up two other free-tier tools nobody had approved. Data classification made clear that candidate personal data could never leave the approved system. Moving the team to a business-tier AI writing tool with a signed DPA closed the training-data risk, and a quarterly fifteen-minute check-in kept the register honest going forward. None of it required new software beyond the one tier upgrade.
Keeping mitigation proportionate
Not every risk needs the same weight of response. A marketing team brainstorming blog topics with AI carries far less risk than a finance team summarising unreleased earnings, and treating both identically wastes effort on the low-risk case while potentially under-covering the high-risk one. Use our AI tool risk directory to see how individual tools score, and put your mitigation effort where the data sensitivity actually is, rather than applying a uniform process everywhere out of caution.
What good AI risk mitigation is not
It's worth being clear about what this process isn't, because the wrong mental model wastes effort. It isn't a one-off project with an end date; new tools and new terms mean the work continues indefinitely, at a low ongoing cadence rather than a single sprint. It isn't primarily a technology purchase, since the highest-leverage steps here, data classification and tier selection, cost nothing beyond time. And it isn't a way to reach zero risk; AI tools will always carry some residual risk, and the goal is proportionate, documented mitigation, not an unachievable guarantee that nothing will ever go wrong.
How to know if your mitigation plan is actually working
Two signals matter more than a compliance checklist. First, can anyone on your team name, without hesitation, which data categories can never go into an AI tool? If not, step two hasn't actually landed regardless of what the policy document says. Second, when a new AI tool gets adopted, does it go through even a five-minute check before real data touches it, or does it slip in quietly the way the original shadow AI problem started? A mitigation plan that only exists on paper, with no change in day-to-day behaviour, hasn't reduced risk no matter how thorough the document looks.
Mitigating risk from AI agents specifically
The steps above assume a human is reading AI output before it does anything, which covers most current small-business use. Where this needs adapting is autonomous AI agents that take actions directly, sending emails, updating records, booking appointments, without a person approving each step. For agents, data classification and tier selection still apply, but a sixth consideration becomes necessary: what's the blast radius if the agent takes a wrong or unexpected action, and is there a fast way to pause or override it. If your team is starting to use agentic AI features rather than simple chat interfaces, this is the point to revisit your mitigation plan specifically for that added layer of autonomy, rather than assuming the same five steps cover it unchanged.
How to budget time and effort realistically
For a team of ten to thirty people, expect the first pass through all five steps to take a few days of focused effort spread across a couple of weeks, mostly waiting on vendor responses about DPAs and training terms rather than internal debate. After that initial pass, ongoing maintenance drops to perhaps an hour a month: a quick scan of expense reports for new tools, a brief check of vendor terms during the quarterly review, and updating the register when something changes. This is a realistic budget precisely because the heaviest lifting, deciding what your data rules actually are, only needs doing properly once, with light maintenance afterward rather than a repeated large effort.
A note on getting buy-in from the rest of the team
Mitigation steps that arrive as an unexplained edict from management tend to get quiet, low-grade resistance, staff nodding along in a meeting and then continuing much as before. A short explanation of why each step matters, framed around a real risk rather than abstract compliance language, tends to land better: 'we're doing this because a client's data ending up in the wrong place would be genuinely bad for them and for us' lands more effectively than 'this is now company policy'. The five steps above work considerably better with genuine understanding behind them than with reluctant compliance alone.
| Step | What it addresses | Typical effort |
|---|---|---|
| Discover actual tool use | Unknown/shadow AI | A few hours |
| Classify data | What can go into a prompt | 1-2 hours to draft, ongoing to enforce |
| Fix the tier | Training-data risk | Minutes per tool, if a business tier exists |
| Human review | Wrong or misleading output | Ongoing, built into workflow |
| Recurring monitoring | Terms changing after initial vetting | 15-30 minutes per quarter |
“AI risks and benefits can vary in nature, timescale, and level based on the complex interplay of technical design decisions, societal dynamics, and the context of use.”