1. Introduction
As artificial intelligence (AI) is adopted more widely in both the private and public sectors, the effective management of AI risks becomes of profound societal consequence. The EU AI Act addresses this challenge primarily in Article 9, which mandates that providers of high-risk AI systems identify and mitigate risks (Schneeberger, Hötzendörfer & Tschohl, 2025). However, the effectiveness of this provision hinges entirely on the interpretation of its open-ended terms, such as “reasonably foreseeable risks” and “acceptability of risks.” If interpreted too strictly, this regulation can stifle the innovation necessary for economic growth, for example the availability of novel AI-based medical products. Conversely, if interpreted too leniently, it can allow harmful systems to endanger fundamental rights and public health and safety. Thus, the interpretation of Article 9 of the AI Act, along with the general approach to AI risk management, is not merely a technical legal exercise. It is the central mechanism for striking the right balance between technological progress and societal protection in AI governance laws.
This paper argues that achieving this balance requires the interpretation of risk management provisions to be operationalised through an economic framework. While recent scholarship has noted the theoretical links between risk management and tort law with regard to Article 9 of the AI Act (Chamberlain, 2023; Fraser & Bello y Villarino, 2024), this paper goes further by proposing a more concrete, generalised methodology for integrating cost–benefit and risk–utility analyses into AI risk management. Not only is an economic reading of Article 9 of the AI Act permissible, but it is also necessary in order to establish a clear standard of care. These findings can also be applied to other contexts of international AI governance involving risk management (see also Ebers, 2025).
However, a purely economic and quantitative approach to risk management fails to account for the complexity and inconsistency of risk measurement metrics, as well as the need to protect fundamental rights (Fraser & Bello y Villarino, 2024; Haines, 2017; Mahler, 2022; Tartaro, 2024). To address these additional issues, this paper proposes a “hybrid approach” (see also Novelli et al., 2023), combining quantitative methods with qualitative safeguards.
Furthermore, the analysis extends to the enforcement stage, addressing the practical challenges of ex-post adjudication of AI risk management measures. Acknowledging that hindsight and outcome biases can distort the evaluation of risk management decisions (Arkes & Schipani, 1994; Fischhoff, 1975; Peer & Gamliel, 2013; Strohmeier et al., 2021), the paper suggests transposing the logic of the “Business Judgment Rule” (BJR) from corporate law. This offers a novel solution for restricting the standard of review, ensuring that providers are judged on their ex ante decision-making processes rather than on adverse outcomes alone.
The paper proceeds as follows: Section 2 provides an overview of the risk management requirements in the AI Act and the respective literature. Section 3 then considers the application of economic concepts in AI risk management. Section 4 introduces a hybrid approach to AI risk management. Section 5, meanwhile, addresses the challenges of ex-post adjudication of AI risk management measures. Section 6 concludes.
2. Risk management in the AI Act
The European Union adopted the Artificial Intelligence Act (AI Act) in December 2023. The risk management provision in Article 9 of the AI Act is part of the provisions on high-risk AI systems in Articles 6 to 15 of the AI Act. These are considered one of the key elements of the regulation (Schuett, 2024).
2.1. Overview
Providers of high-risk AI systems are obliged under Article 9 of the AI Act to set up a risk management system. Article 9 of the AI Act creates a comprehensive legal framework which mandates the establishment, implementation, documentation and maintenance of a risk management system. Providers of such systems are obliged to identify and analyse risks to health, safety and fundamental rights, and ultimately to adopt measures to mitigate them. They must eliminate the identified risks until the remaining risks are deemed acceptable. Providers must therefore take extensive precautionary measures. To manage the risks, they also need to adjust the technical aspects of the AI system. The aim of the AI Act is to achieve compliance by design and by default (Schneeberger et al., 2025).
Article 9(2) of the AI Act sets out that risk management is an iterative process comprising the identification and analysis of risks, the estimation and evaluation of emerging and operational risks, and ultimately the implementation of targeted risk management measures (Fernández, 2025; Mahler, 2022). Notably, Article 9(5) of the AI Act requires individual assessments to determine whether the residual risks of the AI system are acceptable. Systems with unacceptable residual risks must undergo further mitigation efforts or be discontinued. Articles 9(6) to 9(8) of the AI Act address the testing of the high-risk AI system. Testing during the development phase serves to determine suitable risk mitigation measures.
In terms of regulatory impact, the two most important requirements are the duty to identify and analyse known and reasonably foreseeable risks under Article 9(2)(a) of the AI Act and the obligation under Article 9(2)(d) and (5) of the AI Act to establish risk management measures such that the relevant individual residual risks, as well as the overall residual risk, are judged to be acceptable.
2.2. Changes in the legislative process
The structure of the provision, especially Articles 9(2)(a) and 9(5) of the AI Act, has changed significantly from the first proposal of the AI Act (EU Commission, 2021) to the AI Act’s final version (for a contrary view see Fernández, 2025). The initial proposal of the AI Act was very rigid because it required organisations to identify all foreseeable risks, regardless of the reasonableness of their identification efforts. The final version of Article 9(2)(a) of the AI Act now stipulates a “reasonableness” threshold for identifying risks, as called for by some academics (Fraser & Bello y Villarino, 2024) and the EU Parliament (2023). When identifying risks, as required in the final version under Article 9(2)(a) of the AI Act, only “reasonably foreseeable risks” now need to be taken into account.
In addition, the standards for the risk mitigation measures to be carried out under Article 9(2)(d) and (5) of the AI Act were also relaxed in the final version. Risk management measures no longer necessarily have to eliminate or reduce risks as far as possible (the AFAP principle; see Fraser & Bello y Villarino, 2024). That principle would have meant that providers of high-risk AI systems had to minimise the associated risks by any means necessary. According to the final version, it is sufficient if the risk associated with a specific hazard, as well as the overall residual risk, is eliminated or reduced, in as far as technically feasible, through adequate design and development of the high-risk AI system and is judged to be acceptable (Article 9(5) AI Act). Furthermore, Article 9(2)(d) of the final version of the AI Act now requires risk management measures to be “appropriate” instead of “suitable,” as prescribed in the first draft of the AI Act (EU Commission, 2021). These changes in wording mean that, in respect of risk mitigation requirements, the AI Act switched from the AFAP principle (Fraser & Bello y Villarino, 2024) to a more lenient but rather undefined standard.
However, not all attempts to change Article 9 of the AI Act during the legislative proceedings were successful. The EU Parliament’s suggestion to include an explicit reasonableness threshold in Article 9(5) (EU Parliament, 2023, amendment 273) was not taken up in the final version of the AI Act. Since the wording of the risk management requirements in the final compromise version of the AI Act is not based on the risk management concepts of other EU legislation, such as the EU Medical Device Regulation (MDR), it is unclear how the final requirements in Article 9(2) and (5) of the AI Act should be interpreted. This leaves room for interpretation as to how these concepts should be applied in practice.
2.3. Literature review
In view of its significant economic impact, it is essential for providers of high-risk AI systems to determine precisely the scope of the necessary risk management measures. It is therefore surprising that Article 9 of the AI Act has not yet been in the spotlight of legal and economic scholarship. So far, the literature has focused primarily on the Commission’s draft of the AI Act (2021), with the aim of shedding light on the basic terminology of the risk management provision in Article 9 of the AI Act (compare Schuett, 2024). Furthermore, the question has been raised as to how the prescribed risk assessment should be designed (see also Schuett, 2024). In particular, the extent to which risks should be mitigated has been discussed (“as far as possible” vs. “reasonable”) (see Fraser & Bello y Villarino, 2024). In this respect, the question has also been raised as to whether and how a cost–benefit and risk–utility analysis could and should be carried out under Article 9 of the AI Act (Fraser & Bello y Villarino, 2024).
Moreover, the literature has not reached a consensus on how the risk management caveats introduced in the final version of the AI Act should be understood. These caveats include the introduction of a reasonableness threshold in Article 9(2)(a) and changes to the wording of Articles 9(2)(d) and 9(5) of the AI Act. Some argue that the introduction of the reasonableness threshold and the switch from the AFAP principle to the reasonable foreseeability and acceptability criteria have cleared the way for a cost–benefit analysis within Article 9 AI Act (Schneeberger et al., 2025; Chamberlain, 2023). Ebers (2025), however, holds that a risk–utility analysis, at least, is generally not possible under the final version of the AI Act. Fernández (2025) leaves the question unanswered, referring it to technical standards that will soon be adopted (see in this respect also Soler Garrido et al., 2023).
3. Economic concepts in AI risk management: cost–benefit and risk–utility approach
As discussed in Section 2.3, recent scholarship has explored the application of economic concepts to the interpretation of the risk management provision in the AI Act. While some scholars have endorsed this approach (Schneeberger et al., 2025; Chamberlain, 2023), others have opposed it to some extent (Ebers, 2025). This paper argues that the approach is very helpful for interpreting the AI risk management provision. Article 9 of the AI Act relies on indeterminate terms such as “reasonably foreseeable risks” and “acceptability of risks,” which, in the absence of a legislative definition, require an external framework for their operationalisation. Economic analysis provides this interpretative framework, drawing on the shared theoretical underpinnings of risk management and tort law (Chamberlain, 2023; Fraser & Bello y Villarino, 2024). Specifically, the standard unilateral tort law model, in which additional precautions are required only when their marginal costs are lower than their marginal benefits (Miceli, 1997; Chamberlain, 2023), mirrors the cost–benefit structures already present in maritime (European Maritime Safety Agency (EMSA), 2015) and nuclear (French, Bedford & Atherton, 2005) risk management provisions. This approach can generally be applied to the management of AI risks.
However, identifying the relevance of economic analysis for AI risk management does not clarify which exact standard applies. So far, it remains unclear whether Article 9 of the AI Act requires a pure cost–benefit analysis, the “as low as reasonably possible” (ALARP) standard (Hurst et al., 2019), the stricter AFAP principle, or the consideration of risk–utility ratios. Consequently, this paper conducts a two-fold analysis. Firstly, it demonstrates through interpretive analysis that Article 9 of the AI Act can indeed be subject to economic reasoning. Secondly, it establishes which economic concept most coherently satisfies the distinct statutory thresholds of “reasonably foreseeable risks” and “acceptable” risk mitigation.
3.1. Cost–benefit analysis
The economic concept of cost–benefit analysis in risk management scenarios provides guidance on how far risk identification and risk mitigation measures have to go (Novelli et al., 2024). At the outset, the assessment under a cost–benefit analysis comes down to a simple comparison between the costs and the benefits of a given risk management measure (French et al., 2005; Novelli et al., 2024). On the one hand, identifying risks and taking precautionary measures is costly. In line with the well-known law and economics concepts of tort law (Calabresi, 1970; Cooter & Ulen, 2016; Shavell, 1987), the costs of risk management can be equated with the costs of precaution (French et al., 2005). On the other hand, the identification of risks and the implementation of risk management measures can be associated with benefits. For risk management measures, the benefit corresponds to the decrease in risk effected by the respective measure. Since, pursuant to Article 3(2) of the AI Act, risk means the combination of the probability of an occurrence of harm and the severity of that harm, a risk reduction can be achieved either through a reduction of the probability of the occurrence or through a reduction of the impact of the harm (more generally Mahler, 2007).
By making the changes in the final version of Article 9 AI Act, the European legislator has essentially cleared the way for a pure cost–benefit analysis (see also Chamberlain, 2023; Schneeberger et al., 2025). While the draft version of the AI Act referred to the AFAP principle both in respect of the identification of risks and the adoption of risk mitigation measures (Fraser & Bello y Villarino, 2024), the final version is more in line with the general cost–benefit approach of tort law and economics.
3.1.1. Identification of risks
For the identification of risks, this result follows quite clearly from the introduction of the “reasonableness” criterion. Only risks that are “reasonably foreseeable” need to be identified (Article 9(2)(a) of the AI Act). The obligation therefore only covers those risks whose harm can be detected at all through investigation (Schuett, 2024). The term “reasonable” in Article 9(2)(a) of the AI Act is not defined in the Act itself (Schneeberger et al., 2025). However, the term is well established in tort law and associated with the concept of reasonable care (Hylton, 2016). In common law, this is defined as “the care that a prudent and cautious man would take to guard against probable danger” (Hylton, 2016). Civil law jurisdictions apply a similar standard in tort law (Braun-Binder & Egli, 2024).
Since both tort law and risk assessment involve predicting potential damage, it is an obvious step to apply the economic principles of tort law to Article 9(2) of the AI Act (Braun-Binder & Egli, 2024; Chamberlain, 2023; Fraser & Bello y Villarino, 2024). This conclusion is, of course, not absolutely predetermined by the doctrinal structure of Article 9 of the AI Act, because the provision is silent on the applicable standard. However, risk management and tort law are closely linked, so applying these concepts is the most straightforward approach, rather than referring to other concepts of reasonableness within European law. Furthermore, referring to tort law concepts allows clear standards to be set for the term “reasonableness.” Following Schneeberger et al. (2025), the relevant benchmark is the understanding of an informed average person actually conducting the risk management.
According to an economic understanding of reasonableness, the provider of a high-risk AI system must carry out all risk identification measures whose marginal cost is less than the expected marginal benefit of further risk detection (see, for example, Miceli, 1997; for a deviating approach, Fernández, 2025). If the marginal cost is higher than the expected marginal benefit of the measure, it would not be reasonable to carry out the identification measure. As a result, providers are not necessarily required to carry out more costly investigative measures in the case of serious loss events than in the case of expected minor loss events. What constitutes a reasonable risk identification measure depends only on how effective and how costly the respective measure is from a marginal perspective. As testing for as yet unknown risks is always something of an exploratory exercise, this seems justified: there may always be a small probability that a given exploration will uncover a major risk. This does not mean, however, that it is reasonable to engage in every such identification practice, since the associated costs might be excessive. Only a balanced approach ensures that providers do not need to pursue excessive risk identification measures that would unduly restrict their innovation activities.
3.1.2. Risk management measures
With regard to the legal standard to be applied to the acceptability of risk management measures under Article 9(5) of the AI Act, the wording of the final version of the Regulation is less clear cut, since the formulation that risks have to be judged to be acceptable is broad and open to various interpretations (Fernández, 2025). The wording of the final Article 9(5)(a) of the AI Act, according to which the elimination and reduction of identified risks should be ensured “in as far as technically feasible” through adequate design and development of the high-risk AI system, indicates a change in the overall legal standard applicable under Article 9(5) of the AI Act. Contrary to the wording in the AI Act’s draft version (EU Commission, 2021), Article 9(5)(a) of the AI Act no longer requires the reduction of risks as far as possible (AFAP). The reference to AFAP was omitted entirely in the final version. This leads to the conclusion that the AFAP principle has been abandoned in the final version of the AI Act (Schneeberger et al., 2025).
From the perspective of legal clarity, it is somewhat problematic that the AFAP principle has not been replaced with a clear alternative standard in the final version of the AI Act. Instead, the reference now introduced in Article 9(5)(a) of the AI Act, which states that risk management measures should be conducted, in as far as technically feasible, at the design and development level of the AI system, serves a completely different purpose. It merely clarifies that the idea of compliance by design is central to the AI Act’s regulatory approach (Fernández, 2025). Beyond this, the formulation provides no further guidance on the applicable risk mitigation standard.
Article 9(2)(d) of the AI Act provides no clarification of the applicable standard either. The formulation that “appropriate and targeted” risk management measures should be adopted gives no indication of the applicable risk threshold. The concept of appropriateness is very broad in scope and offers no guidance on proportionality decisions.
In the absence of further theoretical clarification of the applicable risk threshold, interpreting the word “acceptable” in the context of Article 9(5) of the AI Act is crucial. As the wording allows for several standards to be implemented, such as the ALARP principle or a pure cost–benefit analysis, and as the systematic approach to Article 9 has not produced clear results, the interpretation depends largely on the purpose of the provision. In this respect, arguments from the economic analysis of law are particularly worth considering, given that the overall risk management concept is rooted in this sphere (French et al., 2005).
Applying a cost–benefit analysis would ensure – if applied correctly – socially desirable outcomes (Buiten, de Streel & Peitz, 2021; Fraser & Bello y Villarino, 2024). Firstly, applying a stricter standard would lead to welfare losses because the provider of a high-risk AI system would have to engage in precautionary measures even though their marginal costs would be higher than their marginal benefits (Buiten et al., 2021). Secondly, applying a stricter risk mitigation standard would be at odds with the goal of the AI Act to support innovation pursuant to Article 1(1) of the AI Act (Ebers, 2025; Novelli et al., 2024). Recital (1) of the AI Act reinforces this and clearly stipulates that supporting innovation is as important as the protection of health, safety and fundamental rights (see also Recital (8)). Admittedly, a stricter risk mitigation standard might lead to a higher level of protection in terms of health, safety and the fundamental rights enshrined in the Charter of Fundamental Rights.
However, this would have a strong negative impact on innovation in the area of high-risk AI systems. The likely high cost burden on providers could lead to the development of socially desirable AI systems being cancelled or stopped altogether (Fraser & Bello y Villarino, 2024). This would negatively affect the Union’s status as a centre of innovation, which is not in line with the objectives of the AI Act (see also Floridi et al., 2018, on the interplay of regulation and innovation). For this reason, the only way to reconcile the different objectives of the AI Act is to apply a cost–benefit approach to Article 9(5). Following the approach in tort law, this means that a provider of a high-risk AI system would have to implement risk management measures as long as the marginal costs of reducing risk are lower than the marginal benefits resulting from that reduction (Buiten et al., 2021). As further risk management efforts are likely to have a diminishing impact on risk, it follows that the risks associated with an AI system will not be reduced as far as possible (Buiten et al., 2021). Instead, the final version of the AI Act takes a more balanced approach to enhancing risk mitigation while preserving innovation efforts.
3.2. Risk–utility analysis
Another question regarding the application of the relevant risk mitigation standard under Article 9 of the AI Act is whether the individual utility provided by the AI system can be considered in the risk management process (for a general analysis see Ebers, 2025; Goudkamp, 2017; Mulheron, 2017). In a risk–utility analysis, the risks posed by a potentially harmful product – in this case, an AI system – are weighed against the (societal) utility it provides. This means that AI systems with high utility would be deemed acceptable even if they pose higher risks. Conversely, AI systems with low utility should be treated less leniently. Such an analysis of utility is not uncommon in European product safety law. For example, Annex I(I)(1), (2) and (8) of the MDR and Annex I(I)(1), (2) and (8) of the In Vitro Diagnostic Medical Devices Regulation (IVDR) refer to a benefit–risk ratio, which is similar to the risk–utility analysis referred to in this paper. In both the MDR and the IVDR, the relevant standard is that risks must be eliminated without adversely affecting the risk–utility ratio (Annex I(I)(2) MDR/IVDR).
3.2.1. Basic idea
The basic idea behind considering the risk–utility ratio stems from the renowned sociologist Luhmann (2002), who famously observed that the notions of danger and risk are not interchangeable and that societal progress can only be achieved if risks are taken, because risk is often closely linked to societal benefits, i.e. utility (Boyd, 2012; Ebers, 2025; Kaminski, 2023). AI seems particularly amenable to a risk–utility analysis because groundbreaking technological advances in this sector create great potential to advance humanity, but also pose significant risks to society. Achieving a balance between these two factors would lead to the greatest societal progress. Thus, one might conclude that accepting a certain amount of risk from a high-risk AI system could be worthwhile, provided it offers sufficient utility gains (Cane & Goudkamp, 2018). Conversely, even a moderate level of risk from an AI system may be deemed unacceptable if it offers little societal benefit (Fraser & Bello y Villarino, 2024).
Given the distinct levels of utility that different categories of high-risk AI systems may provide, it is generally useful to have a flexible assessment standard for the broad spectrum of AI systems covered by the AI Act’s rules on high-risk AI systems. For instance, the societal benefits of using AI systems in recreational boats or for determining whether employees should receive a bonus differ from the utility of using them in medical devices, despite all three being classified as high-risk AI. These examples illustrate the significant differences in the level of utility of various high-risk AI systems. As Article 6 of the AI Act rigidly classifies high-risk AI systems and does not allow for any utility assessments, the only way to differentiate between different utilities is through concrete risk management.
Furthermore, the potential negative impact of risk management measures on the utility of the AI system must be considered. This idea is also reflected in other European product safety legislation, such as Annex I(I)(2) of the MDR/IVDR. Annex I(I)(8) of the MDR/IVDR requires that the known and foreseeable risks of a medical device be minimised and be acceptable when weighed against the evaluated benefits to the patient and/or user arising from the achieved performance. The same idea can readily be applied to the development and training of an AI system. For example, if an AI system’s overall performance is reduced or certain functionalities are omitted due to risk mitigation efforts, this decreases the system’s utility (Ebers, 2025; Fraser & Bello y Villarino, 2024; Gornet & Maxwell, 2024). From a societal perspective, this may be undesirable since it hinders innovation and ultimately prevents society from reaping the benefits of AI systems.
3.2.2. Application within the AI Act
This raises the question of whether, and indeed how, the interaction between risk mitigation and utility can be considered within the legal framework of Article 9 of the AI Act. Ebers (2025) argues that the AI Act does not allow for such a risk–utility analysis. However, based on the approach adopted in this paper, there are potentially two reference points for the flexible consideration of risk–utility arguments within Article 9 AI Act.
The first aspect to consider is that the decrease in utility resulting from risk management measures, mentioned above, can also be framed as an opportunity cost (Ebers, 2025). Consequently, these effects on utility represent an additional cost factor. For this reason, it seems reasonable to take these opportunity costs into consideration in the overall cost–benefit assessment presented in Section 3.1. This approach would at least indirectly recognise utility arguments within Article 9 AI Act.
Alternatively, one may question whether risk management actions that lead to a significant decrease in the AI system’s utility are “appropriate” within the meaning of Article 9(2)(d) AI Act, or “acceptable” under Article 9(5) AI Act. This would require a broad interpretation of the terms in question, but the wording alone does not seem to preclude it (Fraser & Bello y Villarino, 2024).
The second question is whether a pure risk–utility analysis can be conducted under the umbrella of Article 9 of the AI Act. This would involve a genuine comparison of the residual risks of the AI system with its utility. It could, for example, result in different standards being applied to recreational boats than to medical devices. The only suitable doctrinal reference point for the consideration of risk–utility arguments would be the acceptability judgement under Article 9(5) of the AI Act. Under this approach, the residual risks posed by AI systems with a high (societal) utility could more easily be judged acceptable than those of systems with a low societal utility.
The general understanding of the term “acceptability” does not preclude such a broad interpretation. However, the systematic structure underlying Article 9 and the entire regulation of high-risk AI systems in the AI Act may be incompatible with the introduction of utility arguments. As Ebers (2025) rightly points out, the AI Act does not directly take the potential utility of an AI system into account in its regulatory framework. The regulation is primarily aimed at preventing risks, and its provisions make only limited reference to the utility or benefits of the regulated AI systems. This may speak against the consideration of utility arguments.
Nevertheless, it should be borne in mind that Article 1(1) of the AI Act stipulates that supporting innovation is one of the Act’s objectives.Footnote 14 As this goal is formulated positively (“supporting innovation”) rather than negatively (“not harming innovation”),Footnote 15 it can be derived that the AI Act should generally be interpreted in a manner that supports innovation.Footnote 16 The underlying idea is that AI systems can benefit society, and the AI Act seeks to realise this potential while minimising the associated risks. This may justify a more flexible interpretation of the AI Act where the provision in question affects innovation incentives. Given these considerations, even if the AI Act’s systematic approach does not initially suggest this interpretation, the interplay of the Act’s objectives may support the consideration of utility arguments within the risk management framework.
For these reasons, the paper proposes a two-step test for applying the acceptability criterion set out in Article 9(5) AI Act. This test would use the risk–utility framework as an additional correction mechanism to fine-tune the risk management process. In the first step, the provider would conduct a regular cost–benefit analysis, including the opportunity costs that arise from risk mitigation measures that reduce the utility of the AI system. Risk management measures should be implemented as long as their marginal costs are lower than the marginal benefits resulting from the decrease in risk. In the second step, the provider would weigh the residual risks against the AI system’s utility. This reference to utility could swing in two directions (Fraser & Bello y Villarino, Reference Fraser and Bello y Villarino2024): under Article 9(5) AI Act, a high-risk AI system with high societal utility and a slightly higher residual risk could still be judged acceptable, whereas a system with lower societal utility and a comparable residual risk could be judged unacceptable.
4. Hybrid approach to risk management
This section elaborates on how the proposed risk management approach can be applied in practice. The approach faces several practical challenges, which are discussed in the following subsections.
4.1. Setting the threshold for risks judged acceptable
The first practical obstacle to the suggested risk management approach under Article 9 AI Act is setting the relevant acceptability threshold, which can be a demanding task. This is necessary in order to provide a benchmark for AI development and training purposes, and ultimately to inform the decision as to whether a residual risk is deemed acceptable under Article 9(5) AI Act. The multifaceted nature of the risks associated with AI systems (Haines, Reference Haines and Drahos2017) means that a multidimensional problem must be solved. The fact that some risk variables are potentially negatively correlated makes solving this problem even more difficult. For example, it may not be possible to reduce or eliminate the risks relating to non-discrimination and privacy simultaneously because addressing discrimination issues may necessitate the increased use of personal data (Schuett, Reference Schuett2024). Therefore, the ultimate judgment on the acceptability of the overall residual risk must involve comparing several multidimensional equilibria. In other words, the described trade-offs must be resolved on a case-by-case basis.
The multidimensional nature of the risks associated with high-risk AI systems, and the inevitable trade-offs resulting from them, may also explain why the harmonised standards set out in Article 40 AI Act may not establish a general risk threshold for high-risk AI systems or provide general guidance on how to set one. The harmonised standards developed by the European Standardisation Bodies (CEN/CENELEC) under Article 40 AI Act will be highly relevant in practice because providers of high-risk AI systems could benefit from the presumption of conformity under Article 40(1) of the AI Act by following them (Fernández, Reference Fernández, Lora and Díaz González2025; Veale & Zuiderveen Borgesius, Reference Veale and Zuiderveen Borgesius2021).
However, it is unlikely that the standards, and therefore the presumption of conformity (Article 40(1) of the AI Act), will cover the entire individual risk management process under Article 9 AI Act.Footnote 17 In particular, it is unlikely that the standards will be able to guide providers in setting the described risk thresholds on a case-by-case basis. It should be noted that the standards will only be of a general nature, as the EU Commission’s request for standardisation (2023) addresses only abstract issues and does not refer to specific use cases of high-risk AI systems (Ebers & Streitbörger, Reference Ebers and Streitbörger2024). Providing guidance on the balancing of individual risks and benefits is therefore beyond the scope of the standardisation request (Gornet & Maxwell, Reference Gornet and Maxwell2024). This is consistent with the general approach to standard-setting, given that such specific issues are frequently excluded from standards or described only in general terms (Laux, Wachter & Mittelstadt, Reference Laux, Wachter and Mittelstadt2024).
In fact, there is even a risk that committing to a specific assessment standard to describe the risks and benefits of AI systems (in terms of fairness, for example) could achieve this goal in some situations but not in others (Gornet & Maxwell, Reference Gornet and Maxwell2024; Grother, Reference Grother2022). The reason is that no definition of the relevant risk thresholds exists that is universally valid and independent of context (Gornet & Maxwell, Reference Gornet and Maxwell2024; Tartaro, Reference Tartaro2024). Ultimately, the diverse interests and context-specific nature of the underlying balancing issues in risk management mean that they cannot be addressed by general standards alone (Ebers & Streitbörger, Reference Ebers and Streitbörger2024; Ferrigno, Rotolo, Godinez, Novelli & Sartor, Reference Ferrigno, Rotolo, Godinez, Novelli and Sartor2025; Laux et al., Reference Laux, Wachter and Mittelstadt2024; Tartaro, Reference Tartaro2024; Veale & Zuiderveen Borgesius, Reference Veale and Zuiderveen Borgesius2021). Accordingly, it can be assumed that the harmonised standards will neither fully address the necessary cost–benefit analysis (Gornet & Maxwell, Reference Gornet and Maxwell2024) nor offer definitive guidance on setting the relevant risk thresholds (Vranckaert, Reference Vranckaert, Pehlivan, Forgó and Valcke2025).
This suggests that providers are unlikely to benefit from the presumption of conformity under Article 40 of the AI Act with regard to their risk management systems. They will probably still be subject to individual judicial scrutiny of their approach to risk management, particularly the setting of the individual risk thresholds.
4.2. Why pure quantification of risks fails
From a Law and Economics perspective, deciding whether the risk management approach under Article 9 of the AI Act should be qualitative or quantitative may seem rather straightforward at first sight. The major advantage of a purely quantitative approach is that, when applied correctly, it can lead to an unambiguous result even though risk management involves solving a multidimensional problem (see Section 4.1). A quantitative approach therefore promises to reduce legal uncertainty.
However, it has not been possible to follow a purely quantitative approach in risk management until now because it is not possible to fully quantify all relevant risks (Mahler, Reference Mahler2022; Mantelero, Reference Mantelero2022). For many risks, the quantification already fails due to the lack of context-specific data (Mahler, Reference Mahler2022) or technical metrics, which makes assessing the performance of an AI system in a certain context difficult (Ebers, Reference Ebers, DiMatteo, Poncibo and Cannarsa2022; Gornet & Maxwell, Reference Gornet and Maxwell2024). In addition, the risks to be considered under Article 9 of the AI Act also relate to social values and fundamental rights (Ferrigno et al., Reference Ferrigno, Rotolo, Godinez, Novelli and Sartor2025). Laux et al. (Reference Laux, Wachter and Mittelstadt2024) rightly highlight that balancing these rights and values raises hard normative questions (see also Ferrigno et al., Reference Ferrigno, Rotolo, Godinez, Novelli and Sartor2025). Although considerable progress has been made in quantifying and automating fundamental rights-based assessments (Kaeber & Roth-Isigkeit, Reference Kaeber and Roth-Isigkeit2025; Novelli et al., Reference Novelli, Governatori, Rotolo, Sileno, Spanakis and van Dijck2023; Sartor, Reference Sartor, Bongiovanni, Postema and Rotolo2018; Tartaro, Panai & Cocchiaro, Reference Tartaro, Panai and Cocchiaro2024), these normative decisions remain difficult or almost impossible to quantify and automate due to their value-laden and relative nature (Fraser & Bello y Villarino, Reference Fraser and Bello y Villarino2024; Haines, Reference Haines and Drahos2017; Mahler, Reference Mahler2022; Tartaro, Reference Tartaro2024). Until now, the quantification and automation of fundamental rights-based assessments has remained in its infancy. These approaches are not yet robust enough to support risk-balancing exercises based on common mathematical values (Tartaro, Reference Tartaro2024). 
Therefore, risk management under Article 9 of the AI Act will necessarily involve qualitative analysis (Ferrigno et al., Reference Ferrigno, Rotolo, Godinez, Novelli and Sartor2025; Mahler, Reference Mahler2022). This insight also highlights the important role of humans, particularly corporate management, in the risk management process. The aforementioned hard normative questions (Laux et al., Reference Laux, Wachter and Mittelstadt2024) must generally be decided by the governing body of the relevant organisation.
Another argument against a purely quantitative approach, which has been put forward in the literature, is the risk of strategic behaviour. This may seem counterintuitive at first because one might assume that relying on a specific quantitative metric would reduce the potential leeway for the entities involved, ultimately leading to less opportunistic behaviour. However, given the complexity and multidimensionality of the risk management task (see Section 4.1), Gornet and Maxwell (Reference Gornet and Maxwell2024) and Aivodji et al. (Reference Aivodji, Arai, Fortineau, Gambs, Hara and Tapp2019) argue for the opposite. They refer to the risk that providers will rely only on favourable quantitative metrics, while many others may indicate discriminatory effects (see Buyl & De Bie, Reference Buyl and De Bie2024; Hoffmann, Reference Hoffmann2019; Tartaro, Reference Tartaro2024). This could lead to a form of “metrics shopping” or “fairness hacking.” As with the well-known problem of “forum shopping,” entities could be incentivised to select technical metrics that align with their business model (compare Black, Gilis & Hall, Reference Black, Gilis and Hall2024; Koessler, Schuett & Anderljung, Reference Koessler, Schuett and Anderljung2024; Meding, Reference Meding2025; Meding & Hagendorff, Reference Meding and Hagendorff2024).Footnote 18 Although both qualitative and quantitative approaches carry a risk of opportunistic behaviour, this risk may potentially be even higher with the latter, particularly given the ongoing lack of consensus on how to quantify individual risks. The perceived clarity of quantitative results may make it harder for regulators with less technical knowledge to question the results (Fraser & Bello y Villarino, Reference Fraser and Bello y Villarino2024). Conversely, a qualitative assessment based on comprehensible criteria that takes several metrics of a risk category into account could address this concern to a certain extent.
4.3. The need for a hybrid approach
For the reasons set out in the previous section, it would be worthwhile considering a hybrid approach to risk management (see also Novelli et al., Reference Novelli, Governatori, Rotolo, Sileno, Spanakis and van Dijck2023).Footnote 19 The first stepFootnote 20 would be to quantify as many risks as possible using several predefined assessment metrics that consider multiple factors within a risk category (Sayles, Reference Sayles2024; Shevlane et al., Reference Shevlane, Farquhar, Garfinkel, Phuong, Whittlestone, Leung and Dafoe2023). This would ensure that risks are considered from different theoretical perspectives, thereby disincentivising self-serving behaviour (Koessler et al., Reference Koessler, Schuett and Anderljung2024). Additionally, qualitative arguments should be gathered for each risk, focusing particularly on possible trade-offs between different risk metrics. Furthermore, any risks that cannot be quantified should be explained in detail using recognised techniques, such as risk mapping, checklists and risk matrices (Ackermann et al., Reference Ackermann, Howick, Quigley, Walls and Houghton2014; Buyl & De Bie, Reference Buyl and De Bie2024; Koessler et al., Reference Koessler, Schuett and Anderljung2024; Schuett, Reference Schuett2024; Schneeberger et al., Reference Schneeberger, Hötzendörfer, Tschohl, Pehlivan, Forgó and Valcke2025; Shevlane et al., Reference Shevlane, Farquhar, Garfinkel, Phuong, Whittlestone, Leung and Dafoe2023). This maximises transparency for the subsequent decision on the acceptability of each estimated risk and of the overall residual risk (Fernández, Reference Fernández, Lora and Díaz González2025). The second step relates to the final decision on the acceptability of a risk. When making this decision, all relevant qualitative and quantitative criteria should be considered, together with references to specific risk trade-offs.
The provider of a high-risk AI system would then need to explain and document why and how certain risk trade-offs and normative decisions were made. This ultimately ensures that the multidimensionality of the risk management problem, as well as the hard normative decisions (Gornet & Maxwell, Reference Gornet and Maxwell2024; Laux et al., Reference Laux, Wachter and Mittelstadt2024), are made with access to all relevant information, are documented (compare Hupont et al., Reference Hupont, Micheli, Delipetrev, Gómez and Soler Garrido2023) and are supervised by the governing body of the respective entity.
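The “metrics shopping” problem described in Section 4.2 and the first step of the hybrid approach in Section 4.3 can both be illustrated with a small computation. The following Python example is added here for illustration and is not part of the paper: it takes one set of classifier decisions for two protected groups and computes four commonly used group-fairness rates (selection rate, true positive rate, false positive rate and positive predictive value). The records are constructed so that the selection rate is identical across the two groups, which a provider could cite as a favourable result, while the other three rates differ by a wide margin. The records, the group labels and the 0.1 tolerance used to flag a gap are all assumptions chosen for the illustration, not thresholds derived from the AI Act or from any standard.

```python
"""Added illustration (not the paper's own code): several group-fairness
metrics computed on one classifier output, to show why a single favourable
metric is not a sufficient basis for the acceptability judgment.
All records below are constructed, not real data."""

from typing import Dict, List, Optional, Tuple

# Constructed audit sample: (protected group, true label, predicted label).
# Group A: 6 positives / 4 negatives; group B: 4 positives / 6 negatives.
# The classifier selects exactly 5 of 10 individuals in each group, so the
# selection rates are equal even though the error rates are not.
RECORDS: List[Tuple[str, int, int]] = (
    [("A", 1, 1)] * 4 + [("A", 1, 0)] * 2 + [("A", 0, 1)] * 1 + [("A", 0, 0)] * 3
    + [("B", 1, 1)] * 2 + [("B", 1, 0)] * 2 + [("B", 0, 1)] * 3 + [("B", 0, 0)] * 3
)


def _ratio(num: int, den: int) -> Optional[float]:
    """num/den, or None when the rate is undefined for this group (den == 0)."""
    return num / den if den else None


def group_rates(records: List[Tuple[str, int, int]], group: str) -> Dict[str, Optional[float]]:
    """Confusion-matrix based rates for one protected group."""
    rows = [(y, p) for g, y, p in records if g == group]
    tp = sum(1 for y, p in rows if y == 1 and p == 1)
    fp = sum(1 for y, p in rows if y == 0 and p == 1)
    fn = sum(1 for y, p in rows if y == 1 and p == 0)
    tn = sum(1 for y, p in rows if y == 0 and p == 0)
    return {
        "selection_rate": _ratio(tp + fp, len(rows)),  # demographic parity
        "tpr": _ratio(tp, tp + fn),                     # equal opportunity
        "fpr": _ratio(fp, fp + tn),                     # second half of equalised odds
        "ppv": _ratio(tp, tp + fp),                     # predictive parity
    }


def metric_gaps(records: List[Tuple[str, int, int]],
                groups: Tuple[str, str] = ("A", "B")) -> Dict[str, Optional[float]]:
    """Absolute difference of each rate between the two groups.
    A metric is reported as None when it is undefined for either group."""
    a, b = (group_rates(records, g) for g in groups)
    gaps: Dict[str, Optional[float]] = {}
    for name in a:
        if a[name] is None or b[name] is None:
            gaps[name] = None
        else:
            gaps[name] = abs(a[name] - b[name])
    return gaps


def audit(records: List[Tuple[str, int, int]], threshold: float = 0.1) -> Dict[str, List[str]]:
    """Sort the metrics into those a provider could present as favourable,
    those exceeding the assumed tolerance, and those that are undefined.
    Reporting only the 'favourable' list is the metrics-shopping pattern;
    the hybrid approach requires all three lists to be documented."""
    result: Dict[str, List[str]] = {"favourable": [], "flagged": [], "undefined": []}
    for name, gap in metric_gaps(records).items():
        if gap is None:
            result["undefined"].append(name)
        elif gap <= threshold:
            result["favourable"].append(name)
        else:
            result["flagged"].append(name)
    return result


if __name__ == "__main__":
    for name, gap in metric_gaps(RECORDS).items():
        print(f"{name:15s} gap = {gap}")
    print(audit(RECORDS))
```

Run stand-alone, the script shows a selection-rate gap of 0.0 alongside gaps of roughly 0.17 (TPR), 0.25 (FPR) and 0.4 (PPV) for the same decisions. A provider citing only the first figure would report a “fair” system; documenting all four, including any metric that is undefined because a group contains no positives, is what the first step of the hybrid approach asks for.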
5. Problems of ex-post adjudication
There are also practical challenges in applying a balanced and innovation-friendly risk management framework under Article 9 of the AI Act with regard to regulatory and judicial review. From a behavioural economics perspective, the norm structure of Article 9 of the AI Act may foster the emergence of the so-called hindsight bias and outcome bias in the context of an ex-post adjudication on risk management measures by regulators and courts.
5.1. Hindsight bias skews ex post review
The hindsight bias problem refers to the insight that people tend to systematically overestimate the probability of occurrence of events that were very unlikely ex-ante when considering them ex-post (Fischhoff, Reference Fischhoff1975). The phenomenon is particularly pronounced in respect of prognostic decisions because they inevitably involve a decision ex-ante under uncertainty (Arkes & Schipani, Reference Arkes and Schipani1994). When applying legal norms, this can lead to authorities and courts systematically applying an overly strict standard of review (Peer & Gamliel, Reference Peer and Gamliel2013; Strohmeier et al., Reference Strohmeier, Pluut, van den Bos, Adriaanse and Vriesendorp2021).Footnote 21
In light of these insights, it can be concluded that AI risk management in general, and Article 9 of the AI Act in particular, may be susceptible to issues of hindsight bias because the norm is based on two prognostic decisions. This applies to both the assessment of whether a risk was reasonably foreseeable and whether it was acceptable. These two forecast decisions are inherently subject to considerable uncertainty, which can already trigger hindsight bias. Furthermore, this effect may regularly be reinforced by two specificities of AI risk management.
5.2. Outcome bias
The first additional concern involves a related cognitive bias known as outcome bias. Baron and Hershey (Reference Baron and Hershey1988) found that people tend to judge the quality of a decision by its outcome rather than by the circumstances that led to the decision ex-ante. This can lead to a serious incident being incorrectly interpreted as resulting from ex-ante misconduct (Bainbridge, Reference Bainbridge2004; Peters, Reference Peters1999). The effect is amplified by the fact that regulators and courts often lack the technical expertise needed to understand the underlying risk determination and mitigation issues in AI risk management (Fraser & Bello y Villarino, Reference Fraser and Bello y Villarino2024). This lack of expertise makes it even harder to recognise that a harmful outcome may not have been caused by improper management from an ex-ante perspective. Judges in particular may therefore find it difficult to accept that the risk assessment and the judgment on the acceptability of the risks posed by an AI system were not flawed if a significant risk materialises at a later stage.
5.3. Unknown unknowns
The second additional concern is that regulators and courts may find it even harder to accept that some AI-related risks were not foreseeable at all, in particular if they are catastrophic or at least very harmful in nature (Bainbridge, Reference Bainbridge2004; Hawkins & Hastie, Reference Hawkins and Hastie1990). It is well known in the computer science literature on AI that so-called “unknown unknowns” exist (Buyl & De Bie, Reference Buyl and De Bie2024, see also Chamberlain, Reference Chamberlain2023). The term describes the phenomenon that the development and deployment of new technologies, such as AI systems, often lead to surprising and completely unforeseen results. These “unknown unknowns” are events that cannot be foreseen ex-ante, even if significant investments in risk identification have been made (Koessler & Schuett, Reference Schuett2024). Such risks lie beyond the scope of ex-ante knowledge, either because they cannot be detected with current technical expertise or because it is simply unknown that certain causal relationships exist at all.
“Unknown unknowns” are particularly prevalent for AI systems because of the “black-box problem”: the exact mode of action of an AI system is often beyond the understanding even of its developers (Wendehorst, Reference Wendehorst, Voeneky, Kellmeyer, Mueller and Burgard2022). In such situations, providers have no possibility of taking concrete, targeted measures from an ex-ante perspective (Koessler et al., Reference Koessler, Schuett and Anderljung2024; Law et al., Reference Law, Malik, Du and Sinha2020). However, regulators and judges may find it hard to believe from an ex-post perspective that certain risks were simply unforeseeable, especially when they have led to extremely harmful situations. In such cases, it is therefore highly likely that the defence that a risk was not reasonably foreseeable will be rejected.
This could result in unreasonable liability risks for providers of high-risk AI systems and cause them to anticipate the hindsight and outcome bias of regulators and courts. They may act overcautiously in anticipation of this, which could lead them to refrain from socially desirable AI innovations.
5.4. Solutions
Solutions to mitigate the problems of hindsight and outcome bias in ex-post adjudication may be derived from corporate law. In this area of law, hindsight bias is linked to the issue of board liability. Ultimately, the application of the Business Judgment Rule (BJR) should prevent courts from adopting an overly strict standard when assessing the reasonableness of management decisions in hindsight (Easterbrook & Fischel, Reference Easterbrook and Fischel1996).Footnote 22 The BJR was originally developed in US corporate law but has since been adopted by jurisdictions around the globe (Jedlińska, Reference Jedlińska2024; Roth, Reference Roth, Basedow, Hopt and Zimmermann2012).
5.4.1. Background of the business judgment rule
Ultimately, the BJR aims to address situations in which courts must assess a business decision made in the face of ex-ante uncertainty (Bainbridge, Reference Bainbridge2004; Easterbrook & Fischel, Reference Easterbrook and Fischel1996). It aims to change the basis on which decisions are assessed by taking into account the nature of hindsight evaluation. Consequently, the outcome of a decision should no longer be the determining factor, but rather whether the decision was made in good faith, in the best interests of the corporation, and based on sufficient information.Footnote 23 These are all criteria that can much more easily be assessed by judges, since they do not have to engage in any form of prognosis that could be affected by hindsight and outcome bias. The BJR’s goal is to enable corporate managers to take necessary risks to reach their businesses’ full potential and generate benefits associated with risk. This should eventually result in better products or services overall, as well as a more innovative society.
For this reason, the BJR is rightly considered both a material liability rule and an important procedural instrument for addressing hindsight situations in the assessments of courts. For example, Bainbridge (Reference Bainbridge2004) refers to the BJR as a theory of abstention (see also McMillan, Reference McMillan2013, with a focus on the aspect of immunity). Branson (Reference Branson2002), meanwhile, argues that the BJR constitutes more of a standard of review than a pure material legal standard (see also Jedlińska, Reference Jedlińska2024). These approaches make it clear that the BJR encompasses more than just liability principles. From an economic standpoint, the BJR essentially serves to restrict judicial review of decisions made in uncertain situations (Kraakman et al., Reference Kraakman, Armour, Davies, Enriques, Hansmann, Hertig, Hopt, Kanda, Pargendler, Ringe and Rock2017).
5.4.2. Why the logic of the business judgment rule applies to AI risk management
Even if the final conclusion on the nature of the BJR remains open to debate, particularly in the context of European corporate law (see Told, Reference Told2015, for example), the fact remains that the theoretical and economic underpinnings of the BJR rest on a procedural guiding principle that may be transposed to risk management under Article 9 of the AI Act. It is suggested that, despite the apparent lack of direct comparability between the BJR and risk management under Article 9 of the AI Act, some aspects of this principle can be successfully applied to risk management.
As a starting point, the BJR applies directly only to business decisions made by management relating to the corporation itself. By contrast, the risk management provision in Article 9 of the AI Act is a legal obligation that aims to protect third parties, not just the company involved. The BJR was not originally developed for situations involving third parties, nor is it intended to apply to legal obligations, which are generally considered to be clear-cut and thus not comparable to business decisions.
Despite these dogmatic differences, the procedural issues concerning the risk of hindsight and outcome bias are essentially identical for AI risk management and for management decisions that benefit from the BJR privilege. In both situations, the governing body is required to make highly uncertain decisions involving potential “unknown unknowns” and trade-offs. Therefore, even though some dogmatic specificities of the BJR may differ, the general need to restrain the power of regulators and courts to second-guess decisions made under uncertainty remains the same.
Consequently, classifying the risk management obligation under Article 9 as a legal obligation that affects third parties does not preclude the application of the basic BJR principles, given that the underlying procedural interests are highly similar.
5.4.3. Test for ex-post adjudication of AI risk management
Taking into account the basic criteria of the BJR, some elements of the BJR legal test could easily be applied to guide the ex-post assessment of risk management decisions under Article 9 of the AI Act. In particular, regulators and courts should not judge the outcome of a risk management decision, but rather assess whether management acted in good faith and on an informed basis (see for a comparable approach in medical malpractice law, Haskel, Reference Haskel2007, see also Kraakman et al., Reference Kraakman, Armour, Davies, Enriques, Hansmann, Hertig, Hopt, Kanda, Pargendler, Ringe and Rock2017).
Firstly, the reference to good faith would exclude cases in which providers acted in their own interest by engaging in “metrics shopping,” described in Section 4.2. To comply with this obligation, the provider would need to explain in detail how and why certain quantitative metrics were chosen for assessment, and how these relate to other metrics (see Section 4.2).
Secondly, it is easier for regulators and courts to assess the requirement to decide on a sufficient basis of information in hindsight. Objective criteria can be applied to determine whether the information basis was sufficient, and the regulators and courts do not need the same technical and management expertise as they would if they had to evaluate the risk management decision itself. In this context, the regulators and courts should also consider the entity’s general AI governance efforts. They should assess whether the organisational structure is designed to process relevant information effectively and whether the risk management tasks are properly arranged within the entity. This means that the organisation would have to demonstrate that it has established effective AI governance structures (Sayles, Reference Sayles2024; Schuett, Reference Schuett2024), because only then is it possible to conclude that the ultimate decision on the foreseeability and acceptability of risksFootnote 24 was based on sufficient information. Thus, the need to establish effective AI governance structures should be directly linked to the proposed information requirement.
In addition to AI governance structures, detailed documentation of the risk management process is essential in order to meet the information requirement. This is because documentation enables reviewers to understand the rationale behind decisions. Therefore, authorities and courts should focus on the entity’s documentation when reviewing a risk management decision. This emphasises the relationship between Article 9 of the AI Act and the documentation requirement in Article 11(1) and Annex IV of the AI Act (Fernández, Reference Fernández, Lora and Díaz González2025). The regulatory bodies’ central task would then be to check that sufficient information has been collected regarding the individual procedural steps in the risk management process, and that this information has been adequately included in the risk assessment.
6. Conclusion
Risk management is a key element of AI governance, so Article 9 of the AI Act is set to play a pivotal role in ensuring compliance with the AI Act. This paper has demonstrated that taking a law and economics approach to risk management in the field of AI, and more specifically with regard to Article 9 of the AI Act, could be beneficial in a number of ways.
As the legal issues raised by Article 9 will not be conclusively resolved by technical standards alone, cost–benefit and risk–utility analyses can be used for risk management purposes. Furthermore, a hybrid approach to risk management that combines quantitative and qualitative analysis appears beneficial as it reduces the incentive for self-serving behaviour while catering for the specific needs of fundamental rights protection.
In terms of the risk of hindsight and outcome bias in ex post adjudication, the fundamental principles of the BJR could be applied to AI risk management decisions, despite theoretical differences. To avoid hindsight and outcome bias, regulators and courts should assess whether management acted in good faith and based on sufficient information when making a risk management decision, rather than judging the outcome of that decision. The test would involve establishing whether a robust and sufficient AI governance structure had been put in place within the relevant entity.
Acknowledgements
The author would like to thank the participants of the 22nd Annual Meeting of the German Law & Economics Association (GLEA), which was held on 3–4 July 2025 at the University of Bonn (Germany), for their valuable feedback. The author would also like to thank Prof. Dr. Frauke Wedemann and Prof. Dr. Matthias Casper, and the two anonymous reviewers for their valuable feedback. The author has used deepl.com/write for final language editing and thesaurus.
Funding statement
No funding has been received for this article.
Conflict of interest
In accordance with the ASCOLA Declaration of Ethics, I have nothing to declare.
Prof. Dr. Jan-Frederick Göhsl, LL.M. (University College London), LL.B. (Law and Economics, Bonn), Assistant Professor (with Tenure Track) for Private Law, Commercial Law and Law of the Digital Economy at the University of Münster.