The governance of Artificial Intelligence (AI) fundamentally depends on the implementation of risk management standards. Article 9 of the EU AI Act exemplifies this challenge, as it relies on indeterminate terms, such as “reasonably foreseeable risks” and “acceptability of risk”, to define the scope of the provision. This paper argues that such open risk management provisions require an economic framework in order to establish a coherent and innovation-friendly standard of care.
Drawing on the theoretical parallels between risk management and tort law, the analysis demonstrates the importance of cost-benefit and risk-utility models in transforming ambiguous legal standards into actionable ones. However, a purely quantitative approach proves insufficient for several reasons, including the risk of “metrics shopping” and the protection of fundamental rights. Consequently, the paper proposes a hybrid approach to risk management that integrates quantitative metrics with qualitative safeguards. Furthermore, in addressing the challenge of hindsight and outcome biases in ex post enforcement, the analysis recommends applying the Business Judgment Rule (BJR) logic from corporate law. By limiting the standard of review to the quality of ex ante decision-making, this framework can be applied more widely to the management of AI risks.