AI assistant — not human

NIST AI RMF + EU AI Act + risk register + prompt injection defense + operational controls. Fixed-fee accelerator tiers.
Last updated July 7, 2026 by Errin O'Connor, Founder & Chief AI Architect, EPC Group
Enterprise AI risk management structured across 6 categories: data, model, operational, compliance, reputational, strategic. NIST AI RMF 4 functions: Govern + Map + Measure + Manage. AI risk register: risk ID, category, likelihood/impact, controls, residual, owner, treatment, monitoring. Prompt injection defenses: Prompt Shields + Content Filters + grounding + metaprompt hardening. EU AI Act enforcement: Feb 2025 prohibited AI, Aug 2026 most obligations, fines up to 7% global turnover. EPC Group AI Risk Assessment $30K + NIST AI RMF Implementation $95K + EU AI Act Program $150K-$400K + Retainer $10K-$25K/mo.
AI risk management is the systematic identification + assessment + treatment + monitoring of risks arising from AI use in the enterprise. Six risk categories: (1) Data risk — PII/PHI/MNPI leakage, over-exposure via AI queries, training data provenance. (2) Model risk — hallucination, bias, drift, adversarial attack, prompt injection. (3) Operational risk — service outage, cost overrun, vendor lock-in, integration failure. (4) Compliance risk — regulatory violation, contract breach, audit finding. (5) Reputational risk — public AI incident, media coverage, customer trust loss. (6) Strategic risk — misaligned AI investment, competitive disadvantage, wasted CapEx. Framework: NIST AI RMF for enterprise structure + EU AI Act for regulatory alignment.
NIST AI Risk Management Framework (RMF 1.0, January 2023) — voluntary framework for managing AI risk across the AI lifecycle. Four functions: (1) Govern — establish AI governance structure, policies, accountability, culture. (2) Map — identify context + AI systems + risks. (3) Measure — quantify risk + performance + reliability. (4) Manage — treat risks + monitor + improve. Applies across Copilot / Copilot Studio / Custom Engine Agents / Azure AI Foundry. Federal agencies + defense contractors + increasingly private sector using NIST AI RMF as risk management standard. EPC Group AI Governance engagements map to NIST AI RMF as one of core frameworks.
An AI risk register is the documented list of identified risks + assessments + treatments + owners. Structure per risk: (1) Risk ID + description. (2) Category (data / model / operational / compliance / reputational / strategic). (3) Likelihood + impact assessment (typically 1-5 scale each = risk score 1-25). (4) Current controls in place. (5) Residual risk after controls. (6) Risk owner (accountable executive). (7) Treatment plan (accept / mitigate / transfer / avoid). (8) Monitoring cadence + metrics. AI risk register is board-reportable and typically updated quarterly. EPC Group AI Governance Accelerator delivers first-cut AI risk register + ongoing update process.
Prompt injection: adversarial input that manipulates AI system to bypass safeguards or reveal restricted information. Common attack patterns: (1) Direct injection — malicious prompt in user query. (2) Indirect injection — malicious content in RAG source data or web content Copilot retrieves. (3) Data exfiltration — coercing AI to reveal training data or system prompts. (4) Jailbreak — bypassing safety filters to produce harmful content. Microsoft mitigations: (1) Prompt Shields (Azure AI Content Safety) — real-time injection detection. (2) Content Filters — output safety filtering. (3) Grounding — RAG restrictions to authorized sources. (4) Metaprompt hardening — system prompt defenses. (5) User query pre-processing. Copilot uses combination of all five. Enterprise AI programs must include prompt injection testing.
Six operational risk controls: (1) Service level monitoring — Copilot uptime + response time + Azure OpenAI Service quota alerts. (2) Cost monitoring — token consumption + capacity utilization + budget alerts. (3) Vendor risk management — Microsoft roadmap + SLA + contract terms + M365 EA renewal timing. (4) Change management — Copilot feature rollout + user impact + rollback procedures. (5) Incident response — Copilot-specific incident playbooks + escalation. (6) Business continuity — Copilot outage handling + M365 fallback + BYOAI backup policy. EPC Group AI operational risk engagements integrate with existing enterprise operational risk framework.
EU AI Act enforcement schedule: (1) August 1, 2024 — Act entered into force. (2) February 2, 2025 — prohibited AI practices (social scoring, real-time biometric surveillance) enforceable. (3) August 2, 2025 — General-purpose AI (GPAI) obligations + AI office establishment. (4) August 2, 2026 — most obligations enforceable (high-risk AI, transparency, GPAI compliance). (5) August 2, 2027 — remaining obligations enforceable (high-risk AI in Annex I). Fines: up to 7% of global annual turnover for prohibited AI, 3% for other violations. Non-EU companies with EU market presence: comply. EPC Group EU AI Act Compliance Program covers full readiness.
EPC Group AI risk management portfolio: (1) AI Risk Assessment ($30K, 3 weeks) — 6-category risk inventory + risk register + top-priority mitigation roadmap. (2) NIST AI RMF Implementation ($95K, 10 weeks) — Govern + Map + Measure + Manage functions deployed + board reporting scorecard. (3) EU AI Act Compliance Program ($150K-$400K, 16-24 weeks) — full EU AI Act readiness for organizations with EU market presence. (4) Ongoing AI Risk Management Retainer ($10K-$25K/month) — quarterly risk register updates + control monitoring + regulatory tracking + incident support. All led by senior compliance architect + Chief AI Architect Errin O'Connor.
$30K/3wk 6-category risk inventory + top-priority mitigation. Call (888) 381-9725.
Monday-Friday, 8 AM - 7 PM CT
We respond to all inquiries within one business day