What This Is
You just worked through risk classification, technical exposure, legal uncertainty, and ownership fragmentation across the Risk & Compliance section. Your head is full. This is the scaffold that makes it stick: one artifact that names each AI system in your account, classifies it, maps its exposures, and assigns an owner per risk category.
The through-line: where your IDAM intuition transfers cleanly to AI risk, and where it breaks.
Risk Classification
EU AI Act Risk Tier — Classifies AI systems as unacceptable, high-risk, limited, or minimal based on intended use, not underlying technology. Same model, different deployment context, different tier.
- When it comes up: Buyer's legal team asks which tier their AI deployment falls under. The answer depends on use case, not model capability.
- Don't confuse with: NIST AI RMF risk categories. The Act assigns regulatory obligations by tier. NIST provides a voluntary risk management process. They complement each other but serve different functions.
- Deadline update (not covered in source articles, but worth knowing): The Council-Parliament provisional agreement of May 7, 2026 pushes Annex III high-risk obligations to December 2, 2027 and Annex I to August 2, 2028. GPAI obligations and Article 5 prohibitions remain in force now. Formal adoption pending; plan against the new dates but know they aren't final until published in the Official Journal. Corroborated by IAPP and Hogan Lovells.
- Where IDAM intuition misleads: In IDAM compliance, the technology determines the control requirements. You pick your authentication protocol, then you know your obligations. The EU AI Act inverts this. The same LLM in a chatbot is minimal risk; in an HR screening tool, it's high-risk. Classification follows deployment, not architecture.
NIST AI RMF — Voluntary framework organizing AI risk management into four functions: Govern, Map, Measure, Manage. AI RMF 1.0 (January 2023) remains current. AI 600-1 (July 2024) is the operative GenAI profile. Both under revision per the AI Action Plan; no new versions published as of May 2026.
- When it comes up: Federal buyers reference NIST AI RMF the way they reference 800-53. It's the baseline their compliance posture maps to.
- Don't confuse with: ISO/IEC 42001, which is a certifiable management system standard. NIST AI RMF is a voluntary process framework with no certification attached.
ISO/IEC 42001 — Not covered in depth above, but worth knowing. Certifiable management system standard for AI. Where NIST AI RMF gives you a process to follow, 42001 gives you a certification to hold.
- When it comes up: Federal procurement teams increasingly ask vendors for 42001 certification as a trust signal, the same way they ask for SOC 2 or ISO 27001.
- Don't confuse with: NIST AI RMF. You implement NIST. You certify against 42001. Different verbs, different governance outcomes.
The EU AI Act classifies by use case. The model is irrelevant to the tier. NIST AI RMF organizes risk management; compliance obligations come from elsewhere. Your buyer needs both, and they serve different functions.
Technical Exposure
OWASP LLM Top 10 — The canonical vulnerability taxonomy for LLM deployments. Several entries map to IDAM-adjacent controls (prompt injection → input validation; sensitive information disclosure → data boundary enforcement). Others have no IDAM analog at all (training data poisoning, vector and embedding weaknesses).
- When it comes up: A CISO asks what threat model you're working from. This is the answer they expect.
- Don't confuse with: The original OWASP Top 10 for web applications. Overlapping brand, different taxonomy, different threat surface.
The register entries that matter most for identity-adjacent risk: LLM01 (Prompt Injection), LLM02 (Sensitive Information Disclosure), LLM06 (Excessive Agency), and LLM07 (System Prompt Leakage). LLM06 is where agentic AI governance lives. The agent acts with more authority than intended. LLM07 is where credentials embedded in system prompts become attack surface. Identity controls are load-bearing for both. Okta for AI Agents (GA April 30, 2026) addresses agent discovery, registration, and scope-level governance including MCP server registration as a documented resource connection type.
OWASP LLM Top 10 is the shared vocabulary between your security team and theirs. Half the entries touch identity. The other half don't, and that's where you stay quiet.
Legal Exposure
Training Data Liability — No final US appellate ruling exists on whether training AI on copyrighted material constitutes fair use. Thomson Reuters v. Ross is fully briefed at the Third Circuit and will likely produce the first circuit-level ruling. NYT v. OpenAI remains in discovery, with 20 million ChatGPT logs ordered produced (Bloomberg Law, January 2026). In Germany, GEMA v. OpenAI (LG München I, 42 O 14139/24) found liability for lyric memorization. Source note: the May 2026 ruling update is sourced from ailawsuittracker.com; verify against primary court filing before citing in customer materials.
- When it comes up: Procurement asks about IP indemnification for AI-generated outputs. The honest answer: the law hasn't settled this, and anyone selling certainty doesn't have it.
- Don't confuse with: Output liability (who's responsible when the AI produces something harmful) versus training liability (whether the training itself infringed). Different legal theories, different risk owners.
- Where IDAM intuition breaks: Training data liability has no IDAM parallel. You can audit who accessed a system. You cannot audit what a model learned. This is a novel risk category that sits entirely with Legal.
No US court has issued a final appellate ruling on AI training and fair use. Your buyer's legal team knows this. Don't pretend otherwise.
Ownership Assignment
As you saw across the source material, ownership is where IDAM intuition breaks hardest. In identity, the security team owns the control plane. AI risk fragments across four functions, and the register is how you make that fragmentation visible before it becomes dangerous.
| Risk Category | Owner | IDAM Transfer? |
|---|---|---|
| Access control & credential lifecycle | Security / IDAM team | Direct transfer |
| Data provenance & training data rights | Legal / Privacy | None |
| Model risk tier classification | Compliance / Legal | None |
| Output liability & IP exposure | Legal / Business unit | None |
| Procurement & vendor risk | Procurement / Security | Partial (vendor assessment transfers) |
Security owns the access layer. Legal owns the liability layer. No single team owns "AI risk" as a category, and the register is how you keep that from becoming a gap.
The Register Template
One row per AI system. Five dimensions. If a cell is empty, that's a finding.
| Dimension | What to Capture | Example |
|---|---|---|
| System Inventory | Name, vendor, deployment model, data inputs, integrations, user population | "Copilot for M365 — SaaS — ingests SharePoint, email, Teams — 12,000 users" |
| EU AI Act Risk Tier | Unacceptable / High / Limited / Minimal — based on use case | High-risk (Annex III) — HR screening application |
| Sector Regulation | Domain-specific obligations (HIPAA, FERPA, CJIS, ITAR) | HIPAA — processes PHI in summarization workflow |
| OWASP LLM Top 10 Exposure | Applicable vulnerabilities, current mitigations, gaps | LLM01 mitigated by input filtering; LLM06 — no agent-level access governance in place |
| Ownership | Named owner per risk category | Security: J. Park; Legal: M. Torres; Privacy: K. Shah; Procurement: R. Chen |
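One way to apply the "empty cell is a finding" rule mechanically is a small linter over the register. This is an added example, not part of the original material; the field names, the owner roles checked (taken from the example Ownership cell above) and the sample systems and names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Tier names from the template; prefix match accepts "High-risk (Annex III)".
TIERS = ("unacceptable", "high", "limited", "minimal")
# Assumption: one named owner per function listed in the example Ownership cell.
OWNER_ROLES = ("Security", "Legal", "Privacy", "Procurement")

@dataclass
class RegisterRow:
    inventory: str = ""
    eu_tier: str = ""
    sector_regulation: str = ""  # write "None applicable" rather than leaving blank
    owasp: dict = field(default_factory=dict)   # entry id -> current mitigation
    owners: dict = field(default_factory=dict)  # role -> named person

def findings(row):
    """Return one finding per empty or invalid cell in a register row."""
    out = []
    for name in ("inventory", "eu_tier", "sector_regulation"):
        if not getattr(row, name).strip():
            out.append(f"{name}: empty cell")
    tier = row.eu_tier.strip().lower()
    if tier and not tier.startswith(TIERS):
        out.append(f"eu_tier: '{row.eu_tier}' is not a recognised tier")
    if not row.owasp:
        out.append("owasp: empty cell")
    for entry, mitigation in sorted(row.owasp.items()):
        if not mitigation.strip():  # entry listed but nothing mitigates it: a gap
            out.append(f"owasp: {entry} has no mitigation recorded")
    for role in OWNER_ROLES:
        if not row.owners.get(role, "").strip():
            out.append(f"owners: no named owner for {role}")
    return out

def lint_register(register):
    """Map each system name to its findings, omitting clean rows."""
    return {name: f for name, row in register.items() if (f := findings(row))}

# Constructed sample register (hypothetical systems and people).
SAMPLE = {
    "hr-screening": RegisterRow(
        "HR screening tool, SaaS, 200 users", "High-risk (Annex III)", "None applicable",
        {"LLM01": "input filtering", "LLM06": "agent scopes reviewed quarterly"},
        {"Security": "A. Lee", "Legal": "B. Cruz", "Privacy": "C. Diaz", "Procurement": "D. Kim"}),
    "support-chatbot": RegisterRow(
        "Support chatbot, SaaS, public users", "", "None applicable",
        {"LLM01": "input filtering", "LLM06": ""},
        {"Security": "A. Lee", "Legal": ""}),
}
```

Calling `lint_register(SAMPLE)` returns findings only for `support-chatbot`: the missing tier, the unmitigated LLM06 entry, and three risk functions with no named owner.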
Vocabulary Collisions
Shared Terms, Different Meanings
| AI Term | What It Means in AI | IDAM Equivalent | Key Divergence |
|---|---|---|---|
| Token | Sub-word unit processed by the model; also the billing and context window unit | OAuth/OIDC token — a credential asserting identity or authorization | AI tokens are linguistic fragments. IDAM tokens are trust artifacts. "Token limit" means context window capacity, not credential expiry. |
| Agent | An AI system that takes autonomous actions across tools and APIs | Service account or machine identity | AI agents decide which actions to take. Service accounts execute predefined operations. The autonomy gap is the governance problem. |
| Scope | The range of tools, data, or actions an agent can access at runtime | OAuth scope — permissions a token carries | In IDAM, scope is declared at authorization time. In agentic AI, scope can expand dynamically as the agent chains tool calls. This is where excessive agency (LLM06) lives. |
| Session | A conversation or task context maintained between user and model | Authenticated session with timeout and binding | AI sessions carry no authentication binding by default. A "session" here means a context window with no trust relationship underneath it. |
| Identity | The agent itself as an entity requiring lifecycle management | A human or machine identity in a directory | Your IDAM intuition applies here. Agents need provisioning, governance, and deprovisioning. Okta treats them as first-class non-human identities in Universal Directory. |
AI-Only Concepts, Nearest IDAM Analog
| AI Term | What It Means in AI | Nearest IDAM Analog | Why the Analog Breaks |
|---|---|---|---|
| Hallucination | Model generates confident, factually wrong output | None | No IDAM equivalent to a system that produces authoritative-sounding falsehoods. Novel risk category. |
| Training data provenance | Lineage and rights status of data used to build the model | Vendor assessment (closest process) | You can audit who accessed a system. You cannot audit what a model learned or from whom. |
| Context window | Maximum input a model can process in one interaction | Security context (attributes available for an access decision) | Both define what the system can see right now. A security context is curated and policy-bound. A context window is a capacity limit that accepts whatever fits. |
Source Index
| Authority | Reference |
|---|---|
| OWASP LLM Top 10 | OWASP LLM project |
| EU AI Act | Council provisional agreement, May 7, 2026; IAPP corroboration; Hogan Lovells analysis |
| NIST AI RMF 1.0 | NIST AI Risk Management Framework |
| NIST AI 600-1 | GenAI Profile, July 2024 |
| NIST IR 8596 | Cyber AI Profile, preliminary draft, December 2025 |
| ISO/IEC 42001 | AI management system standard (certifiable); no free-access primary text |
| Thomson Reuters v. Ross | Third Circuit, No. 25-8018 — fully briefed; response brief |
| NYT v. OpenAI | S.D.N.Y., MDL No. 1:25-md-03143 — discovery phase; Bloomberg Law |
| GEMA v. OpenAI | LG München I, 42 O 14139/24 — tracker (verify against primary filing) |
| Okta for AI Agents | GA April 30, 2026 — okta.com |
Things to follow up on...
- Third Circuit rules first: Thomson Reuters v. Ross Intelligence is fully briefed and will likely be the first appellate ruling on AI training and fair use — no oral argument date confirmed, but watch for it this summer.
- NIST AI RMF revision: A footnote in NIST IR 8596 confirms the AI RMF is under revision per the AI Action Plan, with provisions on misinformation and bias likely to change — no revised version published yet.
- Colorado enforcement date wobbles: Colorado SB 24-205 enforcement is set for June 30, 2026, but lawmakers are weighing proposals to amend the statute before it takes effect — verify current status before citing in account plans.
- EU Omnibus formal adoption: The May 7 provisional deal pushing high-risk deadlines to December 2027 still requires formal adoption and publication in the Official Journal, expected by end of July 2026.

