- Separate technical, legal, operational, and user risks.
- Use a simple map inspired by NIST: govern, map, measure, and manage.
- Decide when an AI app can be published and when it must remain in pilot.
Four questions before publishing
- Govern: who decides, who reviews, and what is prohibited.
- Map: which users, data, tools, and decisions the system touches.
- Measure: which tests check for errors, bias, privacy, and abuse.
- Manage: which limits, logs, permissions, and processes reduce risk.
Minimum risk card
riesgo:
nombre: "responder con información médica inventada"
sistema: "chatbot de atención"
usuarios_afectados: ["clientes", "equipo soporte"]
datos: ["preguntas", "historial de tickets"]
probabilidad: media
impacto: alto
controles:
- limitar dominio
- responder con fuentes
- abstención si no hay evidencia
- revisión humana en casos sensibles
tests:
- preguntas sin evidencia
- instrucciones maliciosas
- datos personales en prompt
responsable: "equipo producto"
fecha_revision: "2026-07-03"