Article 9 of the EU AI Act: The Risk Management System
Article 9 is the backbone of high-risk compliance: a continuous, iterative risk-management system that runs across the entire lifecycle of the AI system — not a one-off document.
What Article 9 requires
Providers must identify and analyse known and foreseeable risks to health, safety and fundamental rights; estimate risks from intended use and reasonably foreseeable misuse; evaluate risks from post-market monitoring data; and adopt targeted risk-management measures. Residual risk must be judged acceptable, with testing against defined metrics.
Who it binds
Providers of high-risk AI systems. The risk-management system is usually the first artifact an auditor asks to see, and it feeds — and is fed by — post-market monitoring (Article 72).
Key points
- Continuous and iterative — updated across the whole lifecycle.
- Covers intended use and reasonably foreseeable misuse.
- Feeds into, and is updated by, post-market monitoring.
FAQ
Is Article 9 a one-time document?
No. It requires a living, continuously updated risk-management process across the system's lifecycle, not a single document.
Related articles
Run the free 2-minute checker — deterministic, no sign-up.