Who is responsible for establishing risk appetite and tolerance in AI risk management?


Multiple Choice

Who is responsible for establishing risk appetite and tolerance in AI risk management?

Explanation:
Setting risk appetite and tolerance is a governance responsibility. It involves defining how much AI-related risk the organization is willing to accept in order to pursue its objectives, and establishing thresholds that guide policies, controls, and decision-making across the organization. The governing body—such as the board or an equivalent oversight group—defines these levels, approves the risk framework, and ensures management translates the appetite into concrete actions, monitoring, and reporting. This top-level authority ensures alignment with strategy, regulatory expectations, and stakeholder interests.

IT operations focus on day-to-day systems and control implementation, not on setting overall appetite. External regulators may impose requirements but do not establish the organization’s internal risk thresholds. End users influence outcomes but do not set the organization’s risk tolerance.
