Back to Projects
AI Risk Tools landing page showing the AI Governance assessment tool with NIST AI RMF scoring across GOVERN, MAP, MEASURE, and MANAGE dimensions
v2 Coming Soon

AI Risk Tools

A multi-tenant SaaS platform for AI governance and compliance — helping organizations profile AI systems, surface relevant risks from the MIT AIRISK database, and map to established frameworks like NIST AI RMF.

The Problem

Organizations are deploying AI systems faster than they can govern them. Risk and compliance teams are handed a model output and asked: “Is this safe to use?” They don’t know how to answer that question, because no one built them the tools to ask it rigorously.

AI Risk Tools is an attempt to change that — give practitioners a structured, software-backed way to capture AI context, surface real risk from a curated database, and produce artifacts that connect to actual governance standards.

Three Tools, One Pipeline

The platform is built as a three-stage pipeline. Each stage produces a structured artifact that flows into the next.

Stage 1 — ProfileBuilder

Risk management starts with understanding what you’re building. ProfileBuilder walks teams through a structured questionnaire — capturing organization context, system purpose, data sensitivity, deployment lifecycle stage, and trustworthiness priorities across five dimensions: privacy, fairness, reliability, transparency, and safety.

Output is a versioned risk profile (JSON v1.5, CSV, or PDF) — not a checkbox exercise, but a legible document that drives everything downstream.

Stage 2 — RiskMapper

With a profile in hand, RiskMapper filters the MIT AIRISK database — 1,612 normalized, cross-source AI risks — down to 40–60 risks that actually apply to that specific system. Filtering is five-dimensional:

  • Use case matching — maps system purpose to risk categories
  • Sector rules — applies domain-specific risk patterns (healthcare, finance, education)
  • Lifecycle filtering — excludes post-deployment risks for systems still in pilot
  • Criticality weighting — boosts severity scores for high-stakes systems
  • Trustworthiness alignment — surfaces risks matching the system’s declared priorities

A high-stakes healthcare diagnostic AI gets a very different risk list than an internal productivity tool. That’s the point.

Stage 3 — FrameworkMapper

With a filtered risk list, FrameworkMapper maps to the 72 subcategories of the NIST AI RMF — prioritized by a trustworthiness boost algorithm that re-ranks requirements based on the system’s actual characteristics. It shows where the system aligns, where gaps exist, and what controls are missing.

The goal is not compliance theater. It’s helping practitioners understand the actual risk posture of a system they’re accountable for.

Platform

All three tools sit on a multi-tenant SaaS foundation built in parallel:

  • Auth: Supabase with Google OAuth and email/password, HTTP-only cookies, dev-bypass for testing
  • Workspaces: Full multi-tenancy with row-level security enforced at the database layer (50+ RLS policies across 13 tables)
  • RBAC: Four-tier permission model — platform admin, workspace owner, admin, member
  • Team collaboration: Email invitations, role assignment, ownership transfer
  • Admin: Platform-level impersonation with full audit logging

Technical Foundation

  • Architecture: pnpm monorepo — three Next.js apps, four shared packages (types, UI, design system, config)
  • Frontend: Next.js 15 (App Router), React 19, TypeScript 5 strict, Tailwind CSS 4
  • Data layer: Supabase PostgreSQL + Prisma ORM, 13 entities, RLS throughout
  • Testing: Playwright E2E (20 test cases), Jest unit/integration
  • Payments: Stripe Checkout + webhooks with idempotency

Why It Matters

This started as a practical answer to a real gap — governance tooling for organizations that can’t afford consultants but still need to do this rigorously. The pipeline structure (profile → risk → framework) is the insight: most tools jump straight to frameworks, which is useless without first understanding what you’re actually building and what could actually go wrong.

The MIT AIRISK database integration is what makes Stage 2 meaningful — it’s not invented risk categories, it’s a curated, source-cited dataset of how AI systems have actually caused harm, filtered to your context.

Current Status

This is an early MVP — the platform is live and functional. I’ve stepped back from active development to reassess direction; the product concept and technical foundation are sound, but the right positioning and go-to-market approach are still open questions I’m working through.

Outcome Signals

  • Working MVP: End-to-end three-stage pipeline is live: ProfileBuilder, RiskMapper, and FrameworkMapper with exportable governance artifacts.
  • Substantive Data Coverage: Risk filtering pipeline integrates 1,612 MIT AIRISK entries and narrows results to system-specific risk sets.
  • Enterprise-Ready Platform Base: Multi-tenant foundation includes RLS, RBAC, team collaboration, and Stripe billing with tested flows.