The Cyber Academy take
AI Risk Manager is the credential (PECB / ISACA emerging) for practitioners running AI-specific risk programmes: model risk, bias, drift, transparency, third-party model risk. Operational layer that complements ISO 42001 (system-level) and the AI Act (regulatory layer). Common companion to a CISO or Lead AI Auditor.
AI Risk Manager is the operational role and emerging credential for people who run an organisation's AI risk programme day to day. Where ISO 42001 sets up the management system and the EU AI Act sets the legal floor, the AI Risk Manager is the person turning those frameworks into a working register: identifying where a model can fail, deciding what controls go around it, and reporting residual risk to leadership. It is the AI-specific cousin of the information-security risk manager, and it borrows most of its method from classic risk management while adding the failure modes that are unique to machine learning.
What the role actually covers
Traditional IT risk asks whether a system is available, confidential and has integrity. AI risk keeps all of that and adds a layer of questions that conventional controls never had to answer. An AI Risk Manager works across the model lifecycle and typically owns the following risk families.
- Model risk: the model is wrong in ways that are hard to see, performs well in testing but poorly on real inputs, or fails silently on edge cases.
- Bias and fairness: the model produces systematically worse outcomes for some groups, often inherited from the training data.
- Drift: input data or the real world shifts after deployment, so accuracy degrades over time and the model needs monitoring and retraining triggers.
- Transparency and explainability: stakeholders, auditors or regulators need to understand how a decision was reached, especially for high-impact use cases.
- Third-party and supply-chain model risk: foundation models, APIs and datasets you did not build but are accountable for.
Where it sits relative to ISO 42001 and the AI Act
The clearest way to place the role is by layer. The AI Act is the regulatory layer that says which obligations apply to which risk tier. ISO 42001 is the management-system layer that gives you the governance structure, accountability and continuous-improvement loop to meet those obligations. The AI Risk Manager is the operational layer underneath both, doing the recurring assessment work that feeds evidence up to the AIMS and demonstrates that high-risk obligations are being met in practice. This is why the role is usually a companion to, not a replacement for, a CISO or a Lead AI Auditor.
| Layer | Artefact | Question it answers |
|---|---|---|
| Regulatory | EU AI Act | Which legal obligations apply to this AI system? |
| Management system | ISO/IEC 42001 (AIMS) | How does the organisation govern AI accountably? |
| Operational | AI risk register and controls | Where can this model fail and what reduces that risk? |
| Assurance | AI audit (e.g. AAIA scope) | Is the above working as intended? |
The credential landscape
The title is still consolidating. PECB and ISACA are the two bodies most associated with formalising AI risk competence, and the certification market is newer than for established disciplines like the CISA or the ISO 27001 Lead Implementer. In practice, employers care less about which badge you hold and more about whether you can run a defensible AI risk assessment, justify a control set, and map your work onto ISO 42001 clauses and AI Act tiers. Treat the credential as evidence of method, not as the job itself.
Frequently asked questions
01How is an AI Risk Manager different from a general IT or security risk manager?
Same core method, wider risk surface. An AI Risk Manager keeps confidentiality, integrity and availability but adds model-specific failure modes such as bias, drift, explainability gaps and third-party model risk that conventional security controls do not address.
02Do I need ISO 42001 in place before appointing an AI Risk Manager?
No. The role is useful even without a formal AIMS. That said, ISO 42001 gives the governance structure the risk work feeds into, so the two reinforce each other and many organisations build them together.
03Is AI Risk Manager an audit role?
No. The risk manager builds and runs the risk programme; auditing it is a separate, independent function. A credential like the AAIA covers the audit side. The two are complementary and should not be held by the same person for the same system.
04Which certification should I pursue?
PECB and ISACA are the bodies most associated with formal AI risk and AI governance training. Choose based on the framework you work with most and your existing certifications, since employers weigh demonstrated method over the specific badge.