DEMO MODE · Anonymized composite data. Fictional client: Meridian Health Group.
Module 02 · AI Risk Registry

Every AI initiative at Meridian.
Ranked. Tiered. Accountable.

The single source of truth the Board Risk Committee reviews quarterly. Every initiative has an owner, a tier, a control gap, and a decision path. Shadow initiatives are shown alongside sanctioned ones — because unknown AI is the highest risk.

Total initiatives187
Tier 1 (critical)14
Tier 2 (high)31
Shadow41
Touching PHI62
Missing key controls89
Risk heatmap
Consequence × Likelihood · Number = count of initiatives
Likelihood of adverse outcome
Rare
Unlikely
Possible
Likely
Frequent
Catastrophic
2
4
3
5
2
Severe
4
7
11
9
3
Moderate
6
12
18
14
7
Minor
9
15
11
8
4
Negligible
7
12
6
3
1

Sherlock Consequence Score

Tier 1 · Board notify
Tier 2 · Committee approval
Tier 3 · Business owner
Tier 4 · Standard controls
Tier 5 · Log only
10 initiatives are in the upper-right quadrant — high consequence, high likelihood. These are what the Board needs to see this quarter.
Tier All (14 shown) Tier 1 only Tier 2 only Shadow · Data Touches PHI Clinical decision · Controls Missing key controls
Initiative Tier Owner Key risks Consequence Controls in place / missing Status
Ambient clinical scribe (pilot)
Physician group · Vendor: Ambience-class
T1 Dr. R. Nguyen (CMIO) PHI processed off-prem · Consent-of-record ambiguous · No provider-facing accuracy audit · State AG focus area. 92 ✓ BAA · ✓ SOC 2 ·
✗ Bias audit ·
✗ Consent workflow ·
✗ Accuracy monitoring
Committee review
Radiology assist (breast)
Imaging · FDA-cleared vendor
T1 Dr. S. Patel (Chief of Radiology) Clinical decision · Documented false-negative rate 2.4% · Reader-disagreement workflow undefined. 87 ✓ FDA 510(k) · ✓ Reader QA ·
✗ Disagreement escalation ·
✗ Drift monitoring
Governed
Prior auth denial letters (LLM-drafted)
MA plan · Utilization Mgmt
T1 K. Ramirez (VP UM) Member impact + regulatory · CMS/OIG scrutiny on AI in coverage decisions · No human-in-loop documented for adverse determinations. 94 ✓ MD sign-off ·
✗ Model docs ·
✗ Adverse action audit ·
✗ Explainability record
Paused by GC
Sepsis early warning (EHR-native)
Hospital ops · Epic-embedded
T1 Dr. M. Chen (CMO) Documented alert fatigue · False-positive rate elevated in ED · Nursing over-reliance risk. 78 ✓ Nursing training ·
✓ Alert tuning cadence ·
✗ Outcomes audit
Governed
Copilot for coding & documentation (Epic)
Revenue Cycle · Enterprise
T2 J. Okonkwo (CFO) Upcoding risk · False positives on E&M levels · CMS RADV-adjacent exposure. 71 ✓ Coder review ·
✗ Upcoding audit ·
✗ Vendor bias attestation
Governed
Member call center summarization
MA plan · Contact center
T2 L. Alvarez (VP Member) PHI in transcripts · Vendor multi-tenant · CMS marketing rules on AI-influenced enrollment adjacent. 68 ✓ BAA ·
✗ Data residency ·
✗ Enrollment-content firewall
Committee review
Marketing copy generation (LLM)
Marketing · Shadow deployment
T2 Unassigned CMS Medicare marketing rules · TPMO oversight · Unauthorized brand voice · Discovered via credit card audit. 64 ✗ No BAA ·
✗ No brand governance ·
✗ Not on vendor list
Shadow · Escalate
Denial appeal drafting (physician-facing)
Physician group · Vendor pilot
T2 Dr. R. Nguyen (CMIO) Payer submission integrity · Fabricated clinical facts risk · Reputational. 62 ✓ MD review ·
✗ Fact-check audit ·
✗ Hallucination log
Governed
Bed placement / capacity optimization
Hospital ops · Vendor
T2 P. Grant (COO) Length-of-stay optimization pressure on clinical judgment · Equity implications. 58 ✓ Nursing input loop ·
✗ Equity/disparities audit
Governed
Fundraising donor targeting
Foundation · Shadow tool
T3 Unassigned Combines PHI-adjacent data with donor DB · Data-use crossover not vetted. 54 ✗ Data-use review ·
✗ Privacy opinion
Shadow · Escalate
HR resume screening (vendor)
HR · Enterprise
T3 T. Wallace (CHRO) NYC Local Law 144 posture · Bias audit posture · Union grievance risk. 49 ✓ Vendor bias report ·
✗ Internal disparate impact test
Governed
Contract redlining (Legal)
Legal · GC-approved
T3 J. Feld (GC) Privilege exposure with vendor · Version control on final agreements. 42 ✓ Privileged instance ·
✓ No training on data
Governed
Provider directory update (LLM extraction)
MA plan · Ops
T3 K. Ramirez (VP UM) CMS provider directory accuracy penalties · Ghost network exposure. 38 ✓ Human QA ·
✓ Sample audit
Governed
Meeting transcription (enterprise)
Enterprise · Universal
T4 CIO Recording consent · Retention · Sensitive-meeting posture. 28 ✓ Consent capture ·
✓ Retention policy
Governed
Showing 14 of 187 initiatives · Export register (PDF) · Sync to Committee packet
Next: Use-Case Portfolio → ← Readiness Scorecard All demos