The risks of AI: what you need to know

The World Economic Forum’s Global Risks Report 2026 sends a clear signal. Among all 33 global risks surveyed, adverse outcomes of AI technologies showed the largest upward shift. The possible negative impact of AI moved from position 30 in the two-year outlook to position 5 over the ten-year horizon. No other risk climbed as fast or as far.
 

Vast opportunities, new risks to manage 

This does not mean organisations should shy away from AI. The opportunities and benefits are vast, from transforming customer experiences to streamlining operations and unlocking new sources of value. AI is here to stay, and those who embrace it thoughtfully will gain a competitive edge. But with opportunity comes risk.  

Generative and agentic AI systems have the potential to transform economies, yet they also introduce risks that could manifest rapidly due to market forces, geopolitical pressures, and the slow development of governance frameworks. If your organisation is implementing AI, this translates into a new set of risks that emerge at every stage of your adoption journey.

The good news is that these risks are manageable. If you embed risk management practices from the start, you will be better positioned to capture value while avoiding costly setbacks. In addition, the EU AI Act adds a regulatory dimension, requiring you to understand and classify the risk levels of your AI systems.

AI implementation risks at every stage

Risk management is not something to bolt on at the end of an AI initiative. It is an essential discipline throughout the entire AI roadmap, from discovery through to evaluation. 

As defined by our AI experts at BDO, a typical AI journey moves through five stages: Discover, Define, Develop, Deliver, and Evaluate, each with its own set of potential risks. Here are a couple of examples for every phase:

1. 🔍 Discover
Potential risks: adoption time challenges, reluctance from a lack of understanding, an unclear view of internal and external stakeholders.

2. 📝 Define
Potential risks: HR implications, unclear roles and responsibilities for AI initiatives.

3. ⚙️ Development
Potential risks: unexplainable or uninterpretable AI systems, bad data quality.

4. 🚀 Deliver
Potential risks: cultural resistance and lack of change management, underestimating integration efforts, non-compliance with GDPR or data privacy laws.

5. 📊 Evaluate
Potential risks: overestimation or underestimation of AI capabilities, an unclear view on the ROI of AI initiatives.

Building an AI risk management framework

From a methodological perspective, AI represents a new risk domain. But that does not mean you need to start from scratch. AI risks can be addressed using existing risk management frameworks.

There are two common approaches: 

  • Develop a separate AI risk taxonomy that sits alongside your existing risk categories. 
  • Integrate AI risks into your existing risk taxonomy, treating AI as a cross-cutting theme. 

Both approaches are valid. What matters is that your approach is clear and actionable. 

While many organisations are looking merely at the operational risks of AI in areas such as data and people, it’s important to also look at the broader picture. With a structured view based on multiple other pillars, such as strategy, value and governance, you ensure nothing falls through the cracks.

EU AI Act compliance and third-party AI risks

The EU AI Act introduces a regulatory dimension to your AI implementations. Under this regulation, AI systems must be classified based on their risk level, with corresponding obligations and controls. But the impact does not stop at your own systems. The EU AI Act also affects your third-party risk management. Think about the following important questions related to your suppliers: 

  • Are our suppliers using AI in the services they deliver to us? 
  • If so, are they compliant with the EU AI Act? Are underlying risks such as information security, bias, privacy, and model risk under control? 
  • Are they providing us with an AI system that we deploy ourselves? 
  • If so, we must comply with the EU AI Act as a deployer and ensure that the underlying risks are properly managed. 

This approach to AI risk management can be documented in several ways: as a dedicated AI risk management policy, as part of your general AI policy, or as a component of your overall risk management policy. All options are valid, as long as the result is a well-defined policy that can easily be put into practice. 

More info on AI policy? 

Read our article on the 5 essential elements of an AI policy. 

How BDO can help

At BDO, we combine AI expertise with deep risk management experience to help organisations turn potential into profit. 

Whether it’s with a quick AI vision workshop, through a more detailed AI maturity assessment with a tailored roadmap, or the execution of your AI roadmap, you can rely on BDO to support you with every step of your AI journey. From clear insights to concrete implementations. 

  • Need an AI policy aligned with your organisation’s goals and strategy? 
  • Got any data foundations to sort out before implementing any AI solutions? 
  • Do you want support in training or change management?  

Our Data & AI team has all the in-house expertise to take your AI ambitions to the next level! 

This integrated approach means you get one adviser who can coordinate across disciplines, rather than managing multiple providers. We help you move forward with confidence, capturing the benefits of AI while keeping the risks under control.



Frequently Asked Questions

Below you can find some related FAQs.

AI risks span multiple dimensions, including strategy, data quality, governance, compliance, people and culture, and technical implementation. They can emerge at every stage of an AI initiative, from initial discovery through to evaluation and ongoing operation.

If your organisation develops, deploys, or uses AI systems within the EU, the EU AI Act is likely to apply to you. The regulation covers both providers and deployers of AI systems and requires risk classification with corresponding obligations.

You need to understand whether your suppliers use AI in the services they provide you and whether they are compliant with applicable regulations. If a supplier provides you with an AI system that you deploy, you may have obligations as a deployer under the EU AI Act.

Not necessarily. You can document your approach to AI risk in a dedicated AI risk management policy, within your general AI policy, or as part of your overall risk management policy. The key is that your approach is clear and actionable.

From day one. Risk management should be embedded throughout your AI journey, starting from the discovery phase. The earlier you identify potential risks, the more proactively you can manage them and the faster you will see a return on your AI investment.