advanta

HomeModule LibraryStrategy

Module STR-03 sigil: Strategy pillar, Strategy layer, maturity bands 1 to 3.Deterministic sigil for Module STR-03. The Pillar geometry encodes Strategy (Pillar 1); the top-right marker S encodes the Strategy layer; the baseline meter encodes maturity bands 1 to 3.SSTR-03
P1· L-S· Bands FoundationalOperationalIntegrated

· STR-03

Risk Matrix — Use Case × Risk Taxonomy 2026 × Likelihood

AI risk-scoring without structure produces governance theatre — either every use case is treated equivalently (the high-risk cases under-controlled, the low-risk cases over-restricted), or scoring becomes anecdotal and unreviewable. The Risk Matrix gives the firm a structured three-dimensional scoring frame: each AI use case is positioned against the nine-class Risk Taxonomy 2026 and a likelihood-of-occurrence axis, producing a defensible composite score that drives governance attention, controls calibration, and STR-07 escalation thresholds. Methodology v2026.1.

Foundational

·

Per-engagement

·

3–6 hours per use case; 2–3 days for full portfolio review

Methodology v2026.1·Verified 23 May 2026·Reviewed 23 May 2026

Executive Summary

This module provides a structured, defensible methodology for assessing AI use cases in legal functions using a five‑dimension risk matrix aligned to Risk Taxonomy 2026. It combines weighted impact scores across legal/professional, technical/operational, regulatory/compliance, security/privacy, and reputational/business dimensions with a likelihood score to generate a final risk level per use case. Supplemental modifiers capture bias, supply chain, shadow AI, and IP risks that sit outside the core dimensions. The framework requires an AI Bill of Materials (AI BoM) pre‑assessment, maps each use case to the nine canonical risk classes, and defines decision authority, governance requirements, and GOV‑03 Risk Register triggers by score band. High‑risk and Agentic Tier deployments are automatically escalated to the STR‑07 AI Task Force and, at the highest levels, to the Board Risk Committee. The module includes a reusable worksheet, reference profiles by use case category, and mitigation strategies, and it produces DPS‑grade evidence for Defensible AI programmes.

Defensibility Evidence Produced

Completed use case risk assessments with Risk Taxonomy 2026 class mapping and documented mitigation strategies constitute DPS Defensibility lens evidence; mandatory GOV-03 Risk Register entries for High Risk scores (≥10.0); STR-07 AI Task Force approval of High Risk use cases = DPS Defensibility governance checkpoint; AI BoM Metric 0 = DPS Defensibility prerequisite.

Elements:

Evidence frameworkGovernance posture

STR-03 · Risk Matrix — Use Case × Risk Taxonomy 2026 × Likelihood

Purpose

Provide a systematic, repeatable framework to evaluate AI adoption opportunities in legal functions by quantifying risk across five weighted dimensions and mapping each use case to Risk Taxonomy 2026. The matrix produces a composite risk score (Weighted Impact × Likelihood), applies supplemental modifiers, and converts the result into clear governance actions and adoption recommendations.

Use cases with scores ≥10.0 (High Risk) automatically generate GOV-03 Risk Register entries and require STR-07 AI Task Force approval before implementation or material change.

When to Use

  • Before any new AI pilot or production deployment
  • During quarterly risk reviews for active AI use cases
  • During annual strategic planning and portfolio reprioritisation
  • Whenever a Risk Taxonomy 2026 class is affected by a material change (e.g. new regulation, new vendor, new use case category)

Metric 0: AI BoM Pre-Assessment

Complete the AI Bill of Materials (AI BoM) checks before scoring any use case. An incomplete AI BoM invalidates STR-03 results.

| AI BoM Check | Status | Action if Incomplete |

|—|—|—|

| All approved AI tools registered in AI BoM | | Complete AI BoM inventory via STR-07 AI Task Force |

| Shadow AI survey completed (USE-05 Metric 0) | | Run USE-05 Shadow AI baseline before proceeding |

| All vendors under evaluation have provided AI model inventory | | Require AI model inventory per VEN-01 Pass/Fail Criterion 1 and VEN-02 Section 3 |

| Agentic Tier AI in use identified and flagged | | Mark agenticTier: true in AI BoM; apply +2 risk modifier in Section 3 |

Section 1: Five-Dimension Risk Framework

The composite weighted impact score combines five dimensions, each mapped to one or more Risk Taxonomy 2026 canonical classes.

| Dimension | Weight | Primary Risk Taxonomy 2026 Class(es) | Scale |

|—|—|—|—|

| D1: Legal and Professional Responsibility | 35% | Class 2: Privilege and confidentiality; Class 3: Bias and fairness | 1 (Minimal) → 5 (Critical) |

| D2: Technical and Operational | 25% | Class 1: Hallucination and accuracy; Class 9: Operational resilience | 1 (Minimal) → 5 (Critical) |

| D3: Regulatory and Compliance | 20% | Class 7: Regulatory compliance drift; Class 4: Privacy and data protection | 1 (Minimal) → 5 (Critical) |

| D4: Security and Privacy | 15% | Class 4: Privacy and data protection; Class 2: Privilege and confidentiality | 1 (Minimal) → 5 (Critical) |

| D5: Reputational and Business | 5% | Class 6: Shadow AI; Class 5: Supply chain and vendor dependency | 1 (Minimal) → 5 (Critical) |

Composite Weighted Impact Score

(D1 × 0.35) + (D2 × 0.25) + (D3 × 0.20) + (D4 × 0.15) + (D5 × 0.05)

Supplemental Risk Taxonomy 2026 Modifiers

Four canonical classes are assessed as +1 modifiers to the Composite Impact Score when the condition is met.

| Class | Trigger | Modifier |

|—|—|—|

| Class 3: Bias and fairness | Vendor has no documented bias testing protocol | +1 |

| Class 5: Supply chain and vendor dependency | Vendor sub-processor list not disclosed or data portability not contractually guaranteed | +1 |

| Class 6: Shadow AI and policy circumvention | Shadow AI usage detected for this use case category at USE-05 baseline | +1 |

| Class 8: IP and licensing | Vendor IP ownership terms for AI-generated outputs not explicitly documented in DPA | +1 |

Dimension 1: Legal and Professional Responsibility (35%)

Score 1–5 based on:

  • Attorney–client privilege violations or waiver risk
  • Professional malpractice exposure from AI errors
  • ABA Model Rules and state bar ethical compliance (Rules 1.1, 1.6, 5.3, 3.1, 1.5)
  • Client consent and disclosure requirements (GOV-06)
  • Work product and confidentiality protections
  • Competence and supervision requirements

Dimension 2: Technical and Operational (25%)

Score 1–5 based on:

  • AI hallucinations producing false or misleading information (Class 1)
  • System downtime affecting critical legal processes (Class 9)
  • Data quality issues leading to poor AI performance
  • Vendor dependency and potential lock-in (Class 5)
  • Model drift and performance degradation over time (Class 1)

Dimension 3: Regulatory and Compliance (20%)

Score 1–5 based on:

  • EU AI Act requirements for high-risk AI systems (Class 7)
  • GDPR and state privacy law exposure from AI data processing (Class 4)
  • US state AI disclosure and bias audit requirements (Class 7)
  • Court rules regarding AI usage in litigation (Class 7)
  • ABA guidance and state bar ethics opinions on AI (Class 7)

Dimension 4: Security and Privacy (15%)

Score 1–5 based on:

  • Client data exposure through AI processing or storage (Class 4)
  • Unauthorised model training on confidential information (Class 2)
  • Cross-client data contamination or leakage (Class 2)
  • Shadow AI creating unmanaged security risks (Class 6)
  • Third-party vendor data handling practices (Class 5), mitigated by DAT-03 DPA execution

Dimension 5: Reputational and Business (5%)

Score 1–5 based on:

  • Client confidence erosion from AI failures (Class 9)
  • Competitive disadvantage from poorly implemented AI (Class 5)
  • Talent attraction and retention challenges (Class 6)

Section 2: Likelihood Assessment

Final Risk Level = Adjusted Composite Impact Score × Likelihood Score

| Likelihood Score | Probability (12 months) | Indicators |

|—|—|—|

| 5 — Very High | 90–100% | Experimental tech; unvetted vendor; no governance; no legal track record |

| 4 — High | 60–89% | Emerging tech; limited legal adoption; evolving regulation |

| 3 — Moderate | 30–59% | Established tech; some legal implementations; standard controls |

| 2 — Low | 10–29% | Mature tech; proven legal applications; governance frameworks established |

| 1 — Very Low | 0–9% | Well-established tech; deep legal expertise; advanced monitoring |

Likelihood is informed by:

  • Technology maturity (40%)
  • Vendor and market risk (25%)
  • Implementation complexity (20%)
  • Regulatory environment (10%)
  • Organisational readiness (5%)

Section 3: Use Case Risk Profiles and Decision Rights

Operational Signals

str-03.use-case-scoring-coverage

Defensibility Posture Statement

Every approved AI use case scored on the three-dimensional Risk Matrix — DE-3 Evidence framework record.

On change

str-03.escalation-trigger-events

Annual Legal AI OS Index

Composite-score escalations routed to STR-07 feed Annual Index governance-discipline signal.

Quarterly

str-03.matrix-rebalance-cadence

Console

Quarterly matrix rebalance against taxonomy shifts logged for Console intelligence substrate.

Quarterly

Inputs · Outputs

Inputs

  • · USE-01 Use Case Prioritization Matrix (ranked use case list defines assessment scope)
  • · GOV-02 AI Use Policy (approved use categories constrain eligible use cases)
  • · STR-02 AI Strategy Canvas (ambition level and risk appetite from Section 2)
  • · AI BoM inventory (all tools currently in use require re-assessment at each review cycle)
  • · VEN-01 Weighted Vendor Evaluation Scorecard outputs (vendor risk scores feed Dimension 2)

Outputs

  • · Composite risk score per use case (Weighted Impact × Likelihood) with Risk Taxonomy 2026 class mapping
  • · GOV-03 Risk Register entries for all use cases scoring ≥10.0 (High Risk) — mandatory
  • · STR-07 AI Task Force referral package for High Risk assessments and all Agentic Tier deployments
  • · DPS Defensibility lens evidence bundle: completed assessments with documented mitigation strategies

Framework Crosswalk

NIST AI Risk Management Framework

NIST

STR-03 operationalises NIST AI RMF risk identification, analysis, and treatment steps for legal use cases, with explicit likelihood and impact scoring.

EU AI Act (risk-based approach)

European Union

The module’s risk bands and governance escalation align with the EU AI Act’s tiered obligations for minimal, limited, high-risk, and prohibited AI systems.

ISO/IEC 42001 AI Management System

ISO

STR-03 provides a structured risk assessment and monitoring process that can be embedded into an ISO 42001-compliant AI management system.

ABA Model Rules of Professional Conduct

American Bar Association

Dimension 1 explicitly maps to ABA Rules 1.1, 1.6, 3.1, 5.3, and 1.5, operationalising competence, confidentiality, supervision, and fee transparency for AI.

Operational Artefacts

  • STR-03 Risk Assessment Worksheet (per-use-case scoring sheet)

    xlsx · v2026.1

    Gated
  • STR-03 Risk Monitoring Dashboard Template

    html · v2026.1

    Gated
  • STR-03 Methodology Guide and Worked Examples

    pdf · v2026.1

    Gated

Diagnostic Relevance

Running the Risk Matrix strengthens the Defensibility lens — expected Band progression: Foundational → Operational.

Confidence: high

Key Takeaways

  • Quantify AI use case risk using a five-dimension weighted impact score plus likelihood.

  • Map every use case to all relevant Risk Taxonomy 2026 classes, including supplemental modifiers.

  • Enforce AI BoM and Shadow AI baselines as prerequisites for valid risk scoring.

  • Route High and Very High risk use cases to STR-07 and Board governance with mandatory GOV-03 entries.

  • Apply Agentic Tier modifiers and controls for autonomous AI executors.

  • Use the worksheet and dashboard to maintain a living, auditable AI risk register.

  • Generate DPS-grade defensibility evidence for regulators, clients, and insurers.

Run this Module

Operational artefacts available to Practitioner Membership members. Methodology v2026.1.

View Membership

Targeting

Audience

GC / CLOLegal OperationsRisk & Compliance

Strengthens

Defensibility lensSophistication lens

Module Details

Format
Methodology
Difficulty
Foundational
Pillar
P1
Owner
General Counsel (final sign-off), Legal Operations (assessment lead), Risk & Compliance (Dimension 3), STR-07 AI Task Force (High Risk approvals)
Access
Practitioner Membership
Certification
Practitioner

Maturity Bands

FoundationalOperationalIntegrated

Canonical Vocabulary

Terms this Module anchors

Risk Taxonomy 2026

The canonical nine-class AI risk classification system for legal functions, versioned at 2026.1. The nine classes are: (1) Hallucination, (2) Data leakage, (3) Model drift, (4) Vendor lock-in, (5) Regulatory non-compliance, (6) Professional conduct exposure, (7) Client confidentiality breach, (8) Shadow AI proliferation, and (9) Accountability dilution. Every AI use case in the legal function is assessed and registered against this taxonomy; every Risk Register entry maps to one of the nine classes. 'Risk framework', 'Risk model', and 'Risk register taxonomy' are forbidden synonyms.

Risk Register

The operational artefact in which every AI-related entry in the legal function maps to one of the nine classes of the Risk Taxonomy 2026. Paired with the Evidence Register, the Risk Register constitutes the minimum governance posture for institutional AI use: the Taxonomy is the inventory, and the Risk Register is the function's working record of exposure against it.

Agentic Tier

The classification layer for AI systems that operate with autonomous decision-making, multi-step reasoning, or action-taking capability without per-step human approval. Agentic Tier governs use policy, escalation thresholds, and oversight requirements for the most capable AI deployments in a legal function. Higher Agentic Tier designation requires stronger governance controls, explicit board awareness, and documented Defensibility Posture.

Shadow AI

AI tools or capabilities used by legal function staff without formal approval, governance oversight, or organisational awareness. Shadow AI creates undisclosed risk exposure — privilege breach, uncontrolled data processing, and audit gaps — regardless of individual intent. Detection, policy enforcement, and AI Inventory integration are P4 Governance priorities. 'Rogue AI' and 'Stealth AI' are forbidden synonyms.

Where this Module lives

The Risk Matrix is the foundational triage instrument that sits between use-case identification and governance commitment. It consumes the AI Use Policy (GOV-02) approved-use list as the universe of scoring targets and feeds the STR-07 (AI Task Force Charter) escalation rules with explicit composite scores. The Module produces DE-3 (Evidence framework) and DE-4 (Governance posture) records into the DPS. Without it, governance attention follows volume rather than risk.

Advisory

When this Module sits inside a Programme.

Modules are operated in-house by GC and Legal Operations teams. When the capability transformation is multi-Pillar — or when the regulator timeline tightens — Advanta operates the canonical Module sequence as a Programme.