Skip to main content

Risk Register API

The Risk Register API manages space-scoped AI risk entries, product links, scoring, status updates, templates, and heat-map aggregation. Product Detail uses the same API with a product_id filter to show risks linked to one AI product.

All paths below are under /api/v1.0. The router is gated by governance.risk_assessment and requires access to the target space.

Endpoints Overview

MethodEndpointDescription
POST/catalog/spaces/{space_slug}/risk-register/Create a risk entry.
GET/catalog/spaces/{space_slug}/risk-register/List risk entries with optional filters.
GET/catalog/spaces/{space_slug}/risk-register/heat-mapGet aggregated heat-map data.
GET/catalog/spaces/{space_slug}/risk-register/templatesGet reusable risk templates.
GET/catalog/spaces/{space_slug}/risk-register/{entry_id}Retrieve one risk entry.
PUT/catalog/spaces/{space_slug}/risk-register/{entry_id}Update risk details or status.
POST/catalog/spaces/{space_slug}/risk-register/{entry_id}/link-productsLink additional products.
DELETE/catalog/spaces/{space_slug}/risk-register/{entry_id}/products/{product_id}Remove one product link.

Scoring And Status

FieldValues
categorybias, privacy, safety, security, transparency, environmental, fundamental_rights, other
severity, likelihood, impactIntegers from 1 to 5
statusopen, mitigating, accepted, closed
reassessment_cadencemonthly, quarterly, semi_annual, annual

The service computes risk_score as round(severity * likelihood * impact / 125 * 100).

TierThreshold
unacceptablerisk_score >= 80
highrisk_score >= 50
limitedrisk_score >= 25
minimalOtherwise

List Risk Entries

GET /api/v1.0/catalog/spaces/{space_slug}/risk-register/?limit=20&offset=0

Query Parameters

ParameterTypeDescription
categorystringFilter by risk category
statusstringFilter by status
tierstringFilter by risk tier
product_idUUIDFilter by linked product
limitintegerPage size, 1-100
offsetintegerPagination offset

The list is ordered newest first.

Risk Heat Map

GET /api/v1.0/catalog/spaces/{space_slug}/risk-register/heat-map

Returns aggregated risk counts by category and derived tier, plus status totals:

{
"cells": [
{ "category": "bias", "tier": "high", "count": 2 }
],
"total_risks": 8,
"open_count": 3,
"mitigating_count": 2,
"accepted_count": 1,
"closed_count": 2
}

Risk Templates

GET /api/v1.0/catalog/spaces/{space_slug}/risk-register/templates

Returns built-in templates for bias, privacy, safety, transparency, security, and environmental risks. Each template includes default scoring and suggested mitigation text.

Create Risk Entry

POST /api/v1.0/catalog/spaces/{space_slug}/risk-register/
{
"title": "Model drift in credit scoring",
"description": "Performance degradation detected",
"category": "safety",
"severity": 4,
"likelihood": 3,
"impact": 4,
"misuse_scenarios": [
{
"scenario": "Scores are reused outside the approved credit workflow.",
"countermeasure": "Limit API consumers and monitor downstream usage.",
"severity": "high"
}
],
"mitigations": [
{
"title": "Add monthly drift review",
"status": "pending",
"priority": "high"
}
],
"product_ids": ["00000000-0000-0000-0000-000000000000"],
"risk_owner_id": "00000000-0000-0000-0000-000000000000",
"reassessment_cadence": "quarterly"
}

The response includes the computed risk_score, derived risk_tier, linked product_ids, and next_reassessment_at when a valid cadence is supplied.

Update Risk Entry

PUT /api/v1.0/catalog/spaces/{space_slug}/risk-register/{entry_id}
{
"status": "mitigating",
"severity": 3,
"residual_risk_level": "limited",
"residual_justification": "Monitoring and human review reduce exposure."
}

Changing severity, likelihood, or impact recomputes risk_score and risk_tier. Changing reassessment_cadence recomputes next_reassessment_at. Invalid status values return 400.

POST /api/v1.0/catalog/spaces/{space_slug}/risk-register/{entry_id}/link-products
{
"product_ids": [
"00000000-0000-0000-0000-000000000000",
"11111111-1111-1111-1111-111111111111"
]
}

Existing links are not duplicated.

DELETE /api/v1.0/catalog/spaces/{space_slug}/risk-register/{entry_id}/products/{product_id}

The response returns the updated entry. If the link does not exist, the API returns 404.

Response Fields

FieldDescription
id, space_idRisk identity and scope.
title, description, categoryRisk description.
severity, likelihood, impact, risk_score, risk_tierScoring fields and derived tier.
statusLifecycle status.
residual_risk_level, residual_justificationAccepted-risk context.
misuse_scenarios, mitigationsStructured risk controls.
risk_owner_id, reassessment_cadence, next_reassessment_atOwnership and review cadence.
created_by_id, created_at, updated_atAudit metadata.
product_idsLinked product IDs.

Error Responses

StatusDescription
400Invalid status or payload validation failure.
401Authentication required for create.
404Risk entry or product link not found.