Article 9: risk management for high-risk AI
High-risk systems are not set-and-forget. Article 9 asks for a living process that finds and reduces the risks they create, for as long as they are in use.
What Article 9 requires
High-risk systems need a risk management system run as a continuous, iterative process, not a one-time sign-off. It means identifying the known and foreseeable risks a system creates, weighing the ones that come from both intended use and foreseeable misuse, drawing on what real-world monitoring shows, and applying measures to reduce what you find.
The emphasis is on the lifecycle. The duty is not to produce a document once and file it, but to keep a process running for as long as the system is in use.
Provider and deployer
Article 9 is mainly a duty on the provider, to build risk management into the system. It reaches you as a deployer through Article 26: use the system within its intended purpose, keep a human in oversight, and watch how it performs in your hands.
In practice you run your own process for the risks your particular use creates, which the provider cannot see from where they sit.
It is iterative, not a one-off
A risk view from launch day goes stale fast. Revisit it as the system changes, as your use of it changes, and as the data it works on changes. New risks surface in production that nobody predicted on paper.
A practical rhythm is to review after any material change and on a regular calendar beat, so the process keeps pace with reality rather than freezing at go-live.
What to look at
Work through who could be harmed and how, what happens when the system is wrong, the edge cases, and the ways it could be misused, deliberately or not. Then the safeguards you rely on: human oversight, limits on where and how it is used, and a fallback for when it fails.
The aim is not a perfect catalogue of every conceivable risk, but an honest, current picture of the ones that matter and what you are doing about each.
Documenting it
A Risk Management Procedure records the process, the risks you have identified, and the measures you have taken, and is kept current as things change. It is also what you would show an authority asking how you manage the system.
Veillo generates one as a structured starting point you adapt to how your team actually manages risk, rather than leaving you to draft it from a blank page.
This guide is general educational information, not legal advice. For how the Act applies to your organisation, classify your systems and consult qualified counsel.
Put it into practice
Classify your AI systems against the Act and generate the documents this guide describes.