“What is our AI risk posture?”
When a board member asks this question, most organisations do not have a good answer. They have qualitative assessments — traffic lights, heat maps, subjective ratings produced by a consultant six months ago. They do not have a number. They do not have a trend. They do not have a system that continuously measures and reports on AI risk.
At LittleData, we believe AI risk must be measured the same way financial risk, operational risk, and cybersecurity risk are measured: quantitatively, continuously, and with sufficient granularity to drive action.
This article describes our four-dimension scoring methodology — the model behind the risk scores in littledata.ai.
The Problem With Qualitative AI Risk Assessment
Most AI risk assessments today produce qualitative outputs. A consultant evaluates your AI systems, assigns ratings like “High,” “Medium,” or “Low,” and delivers a report. This approach has several fundamental limitations:
- Subjectivity — Two assessors evaluating the same system will often assign different ratings. There is no standardised scale, no calibration, and no repeatability.
- Point-in-time — The assessment reflects a snapshot. By the time the report is delivered, the threat landscape has changed, models have been updated, and new systems have been deployed.
- Incomparable — You cannot compare “Medium” risk across different AI systems, different assessors, or different time periods. Without a common quantitative scale, aggregation and trending are impossible.
- Non-actionable — A traffic light tells you that something is “Red” but does not tell you how far from “Green” you are, which specific factors are driving the rating, or where to invest remediation effort for the greatest risk reduction.
Under Article 9 of the EU AI Act, providers of high-risk AI systems must establish a documented risk management system. The regulation requires identification, analysis, estimation, and evaluation of risks — language that implies quantitative rigour, not colour-coded charts.
The Four Dimensions
LittleData’s risk scoring model evaluates AI systems across four dimensions. Each dimension captures a distinct category of AI risk, scored independently on a 0-100 scale, and weighted to produce a composite risk score.
Dimension 1: Observability (25% Weight)
Core question: Is the AI system behaving as expected?
Observability measures the degree to which an AI system’s behaviour can be monitored, understood, and verified in production. A highly observable system provides clear signals about its performance, behaviour, and health. A poorly observable system is a black box — you discover problems only when users complain or outcomes are audited.
The Observability dimension evaluates:
- Performance monitoring — Are accuracy, latency, throughput, and error rates tracked continuously? Are baselines established and deviations flagged?
- Drift detection — Is data drift (changes in input distribution) and concept drift (changes in the relationship between inputs and outputs) monitored? Drift is a leading indicator of model degradation.
- Anomaly identification — Are unusual patterns in model inputs, outputs, or behaviour detected? Anomalies may indicate adversarial activity, data quality issues, or system malfunctions.
- Logging completeness — Are model inputs, outputs, confidence scores, and metadata logged in sufficient detail for audit and investigation? This maps directly to Article 12 (Record-Keeping) requirements.
- Alerting effectiveness — Do monitoring alerts reach the right people, at the right time, with sufficient context to enable action?
A score of 100 represents full observability — comprehensive monitoring, real-time alerting, and complete audit trails. A score approaching 0 represents a blind spot — you have no visibility into how the system is performing or behaving.
Dimension 2: Adversarial (25% Weight)
Core question: Has the AI system been tested against attacks?
The Adversarial dimension measures the degree to which an AI system has been tested for resilience against adversarial attacks. This maps directly to Article 15 of the EU AI Act, which requires “appropriate levels of accuracy, robustness and cybersecurity” including “resilience regarding attempts by unauthorised third parties to alter its use, outputs or performance.”
The Adversarial dimension evaluates:
- Evasion testing coverage — Has the system been tested against adversarial inputs designed to cause misclassification? Across what range of attack techniques and perturbation budgets?
- Extraction vulnerability assessment — Has model extraction risk been evaluated? Are query rate limits, output perturbation, and monitoring controls in place?
- Poisoning resilience — Has the training pipeline been audited for poisoning vectors? Are data integrity controls implemented? Has backdoor scanning been performed?
- Injection testing — For systems that process natural language, has prompt injection testing been conducted? Are guardrails tested against known bypass techniques?
- Inference attack assessment — Has membership inference risk been evaluated? Are privacy leakage controls in place?
A score of 100 represents a system that has been comprehensively tested across all five attack categories, with documented results and implemented mitigations. A score approaching 0 represents an untested system — unquantified risk. Our AI red team services provide the testing that drives this dimension.
Dimension 3: Privacy (30% Weight)
Core question: Is personal or sensitive data exposed?
Privacy carries the highest weight in our model because privacy failures create the most immediate and severe consequences — regulatory penalties under GDPR, reputational damage, and direct harm to data subjects. Privacy risk in AI systems is also uniquely difficult to manage because models can memorise, leak, and re-identify personal data in ways that traditional data protection controls do not address.
The Privacy dimension evaluates:
- PII detection in training data — Has the training data been scanned for personally identifiable information? Are PII handling procedures documented and enforced?
- PII detection in model outputs — Does the model produce outputs containing personal data? Are output filtering and redaction controls in place?
- PII in logs and monitoring data — Is personal data inadvertently captured in operational logs? Are log retention and access controls appropriate?
- Data subject rights — Can you respond to data subject access requests (DSARs), right to erasure requests, and objection requests as they relate to AI training data?
- Privacy impact assessment — Has a Data Protection Impact Assessment (DPIA) been conducted for the AI system? Is it current?
Scores are weighted by severity (type of PII involved) and volume (scale of exposure). A single exposed medical record scores differently from a single exposed email address. This weighting ensures that the Privacy score reflects actual risk, not just the count of findings.
Dimension 4: DLP (20% Weight)
Core question: Are data loss prevention policies enforced?
The DLP dimension measures the effectiveness of controls that prevent sensitive data from leaving the organisation through AI systems. This is particularly relevant for organisations deploying third-party AI services (cloud LLMs, AI-powered SaaS tools) where data submitted to the service may be stored, logged, or used for training.
The DLP dimension evaluates:
- Policy coverage — Are DLP policies defined for all AI systems that process sensitive data? Do policies cover input filtering, output monitoring, and data retention?
- Policy enforcement — Are DLP policies technically enforced, not just documented? Are violations blocked, logged, and escalated?
- Violation tracking — How many policy violations have occurred? Are violations trending upward or downward? Are root causes addressed?
- Data exfiltration monitoring — Are patterns consistent with data exfiltration through AI systems detected? This includes both intentional exfiltration and inadvertent data leakage.
- Third-party data handling — For AI services provided by third parties, are data processing agreements in place? Are data retention and deletion commitments verified?
From Dimensions to Composite Score
Each dimension produces a score from 0 to 100. The composite risk score is calculated as a weighted sum:
Composite Score = (Observability x 0.25) + (Adversarial x 0.25) + (Privacy x 0.30) + (DLP x 0.20)
The weights reflect the relative impact of each dimension on overall AI risk. Privacy carries the highest weight due to the severity of privacy failures under GDPR and the EU AI Act. Observability and Adversarial are equally weighted because detection capability and tested resilience are equally important. DLP carries the lowest weight but remains essential, particularly for organisations using third-party AI services.
Trending and Predictive Alerting
A single score is a snapshot. The real value is in the trend. LittleData’s platform tracks each dimension score and the composite score over time, providing:
- Trend analysis — Is your risk posture improving or degrading? Which dimensions are driving the trend?
- Predictive alerting — Based on score trajectory, the platform generates alerts before risk levels breach defined thresholds. This enables proactive remediation rather than reactive incident response.
- Benchmark comparison — How does each AI system’s risk score compare to others in your portfolio? Where should remediation effort be prioritised?
Meeting Article 9 Requirements
The EU AI Act’s Article 9 requires a risk management system that is “continuous and iterative” and includes “identification and analysis of the known and foreseeable risks,” “estimation and evaluation of the risks,” and “adoption of appropriate and targeted risk management measures.”
A quantitative, multi-dimensional, continuously updated risk scoring methodology satisfies these requirements in a way that qualitative assessments cannot. The four-dimension model provides:
- Identification — Each dimension maps to specific categories of AI risk.
- Analysis — Sub-scores within each dimension pinpoint specific risk factors.
- Estimation — Quantitative scores enable comparison and prioritisation.
- Evaluation — Trending and thresholds determine when risks require action.
- Auditability — Every score has a documented basis, methodology, and history.
When your board asks “What is our AI risk posture?” you should have a number, not a feeling. When an auditor asks “How do you manage AI risk?” you should have a system, not a spreadsheet.
Quantify Your AI Risk Today
LittleData’s platform provides real-time AI risk scoring across all four dimensions — Observability, Adversarial, Privacy, and DLP. Each score is backed by quantifiable metrics, trended over time, and supported by predictive alerting. Move from qualitative assessment to quantitative risk management.
Explore the platform: littledata.ai
Learn more about our risk methodology: littledata.com/ai-risk-platform
Get in touch: littledata.com/contact
