An Artificial Intelligence Value at Risk Approach: Metrics and Models
Artificial intelligence risks are multidimensional in nature, as the same risk scenarios may have legal, operational, and financial risk dimensions. With the emergence of new AI regulations, the state of the art of artificial intelligence risk management seems to be highly immature due to upcoming AI regulations. Despite the appearance of several methodologies and generic criteria, it is rare to find guidelines with real implementation value, considering that the most important issue is customizing artificial intelligence risk metrics and risk models for specific AI risk scenarios. Furthermore, the financial departments, legal departments, and government risk compliance teams seem to remain unaware of many technical aspects of AI systems, in which data scientists, machine learning engineers, and AI engineers emerge as the most appropriate implementers. It is crucial to decompose the problem of artificial intelligence risk in several dimensions: data protection, fairness, accuracy, robustness, and information security. Consequently, the main task is developing adequate metrics and risk models that manage to reduce uncertainty for decision-making in order to take informed decisions concerning the risk management of AI systems. The purpose of this paper is to orient AI stakeholders about the depths of AI risk management. Although it is not extremely technical, it requires a basic knowledge of risk management, quantifying uncertainty, the FAIR model, machine learning, large language models and AI context engineering.
Copyright© 2025 The Author(s). This article is distributed under the terms of the license CC-BY 4.0., which permits any further distribution in any medium, provided the original work is properly cited.
Article’s history: Received 25th of October, 2025; Received in revised form 29th of November, 2025; Accepted 18th of December, 2025; Available online: 30th of December, 2025. Published as article in the Volume XX, Winter, Issue 4(90), December, 2025.
Enríquez, L. (2025). An Artificial Intelligence Value at Risk Approach: Metrics and Models. Journal of Applied Economic Sciences, Volume XX, Winter, Issue 4(90), 817–833. https://doi.org/10.57017/jaes.v20.4(90).11
Acknowledgments/Funding: The author did not receive any kind of funding.
Conflict of Interest Statement: The author declares that this research was conducted in the absence of any potential conflict of interest.
Data Availability Statement: The data supporting the findings of this study are available from the corresponding author upon reasonable request.
Albina, O. (2021). Cyber risk quantification: Investigating the role of cyber value at risk. Risks, 9(10), 184. https://doi.org/10.3390/risks9100184
Chai, T., & Draxler, R. R. (2014). Root mean square error (RMSE) or mean absolute error (MAE)? Arguments against avoiding RMSE in the literature. Geoscientific Model Development, 7, 1247–1250. https://doi.org/10.5194/gmd-7-1247-2014
Chan, C.-P., Tsai, C.-H., Tang, F.-K. & Yang, J.-H. (2025) A SHAP-Based Comparative Analysis of Machine Learning Model Interpretability in Financial Classification Tasks. Journal of Applied Economic Sciences, Volume XX, Fall, 3(89), 385-400. https://doi.org/10.57017/jaes.v20.3(89).03
Cox, L. A. (2008). What’s wrong with risk matrices? Risk Analysis, 28(2), 497–512. https://doi.org/10.1111/j.1539-6924.2008.01030.x.
Cronk, R. J., & Shapiro, S. S. (2021). Quantitative privacy risk analysis. In 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) Vienna, Austria, 2021, pp. 340-350. https://doi.org/10.1109/EuroSPW54576.2021.00043
Dewolf, N., De Baets, B., et al. (2020). Valid prediction intervals for regression problems (Version 4). arXiv. https://arxiv.org/abs/2107.00363.
Enríquez, L. (2024). A personal data value at risk approach. Journal of Research, Innovation and Technologies, 141–158. https://doi.org/10.57017/jorit.v3.2(6).05
Enríquez, L. (2024). Personal data breaches: Towards a deep integration between information security risks and GDPR compliance risks (Ph.D. thesis). Université de Lille, France. https://theses.hal.science/tel-04723327
Enríquez, L. (2024). Using the FAIR model as Swiss army knife of privacy uncertainty quantification for GDPR. FAIR Institute. https://www.fairinstitute.org/blog/fair-model-privacy-uncertainty-quantification-gdpr.
Floridi, L., Holweg, M., et al. (2022). capAI: A procedure for conducting conformity assessment of AI systems in line with the EU Artificial Intelligence Act (Version 1.0). https://d110erj175o600.cloudfront.net/wp-content/uploads/2022/03/24144824/report.pdf
Freund, J., & Jones, J. (2015). Measuring and Managing Information Risk: A FAIR Approach. 2nd Edition. Elsevier. Paperback ISBN: 978-0443134845
Fuerriegel, S., Hartmann, J., et al. (2023). Generative AI. arXiv. https://arxiv.org/abs/2309.07930
Hubbard, D. W. & Seiersen, R. (2016). How to Measure Anything in Cybersecurity Risk. 2nd Edition, John Wiley & Sons, 368 pages. ISBN: 978-1-119-89230-4
ISO/IEC. (2022). ISO/IEC 22989:2022 Information technology - Artificial intelligence - Artificial intelligence concepts and terminology. International Organization for Standardization. https://www.iso.org/standard/74296.html
ISO/IEC. (2023). ISO/IEC 23894:2023 Information technology - Artificial intelligence - Risk management. International Organization for Standardization. https://www.iso.org/standard/77304.html
ISO/IEC. (2022). ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection - Information security risk management. International Organization for Standardization. https://www.iso.org/standard/80585.html
Kahneman, D., Sibony, O., & Sunstein, C. R. (2021). Noise: A flaw in human judgment. HarperCollins, 464 pp., ISBN: 978-0316451406
Krishnan, N. (2025). AI agents: Evolution, architecture, and real-world applications (Version 1). arXiv. https://arxiv.org/abs/2503.12687
Lawlor, R. (1963). What computers can do: Analysis and prediction of judicial decisions. American Bar Association Journal, 49(4), 337.
Maleki, N., Padmanabhan, B., et al. (2024). AI hallucinations: A misnomer worth clarifying. arXiv. https://arxiv.org/abs/2401.06796.
Manokhin, V. (2023). Practical Guide to Applied Conformal Prediction in Python. Packt Publishing. https://www.oreilly.com/library/view/practical-guide-to/9781805122760/
McCarthy, J. (2007). What is artificial intelligence? Stanford University. http://jmc.stanford.edu/articles/whatisai/whatisai.pdf
McCarthy, A., Ghadafi, E., Andriotis, P., & Legg, P. (2023). Defending against adversarial machine learning attacks using hierarchical learning: A case study on network traffic attack classification. Journal of Information Security and Applications, 72, Article 103398. https://doi.org/10.1016/j.jisa.2022.103398.
Minsky, M. (Ed.). (1968). Semantic Information Processing. MIT Press. http://geca.area.ge.cnr.it/files/6570.pdf
Mirković, M. S. (2020). Triangular distribution and PERT method vs. payoff matrix for decision-making support in risk analysis of construction bidding: A case study. Facta Universitatis, Series: Architecture and Civil Engineering, 18(3), 287–307. https://doi.org/10.2298/FUACE201117020M
Ouyang, L., Wu, J., et al. (2022). Training language models to follow instructions with human feedback. arXiv. https://arxiv.org/abs/2203.02155
Regulation (EU) 2016/679. (2016). General Data Protection Regulation. Official Journal of the European Union, L 119. https://eur-lex.europa.eu/eli/reg/2016/679/oj
Regulation (EU) 2024/1689. (2024). Artificial Intelligence Act. Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/ro/ALL/?uri=oj:L_202401689
Rockafellar, R. T., & Uryasev, S. (2002). Conditional value-at-risk for general loss distributions. Journal of Banking and Finance, 26(7), 1443–1471. https://doi.org/10.1016/S0378-4266(02)00271-6
Samarati, P., & Sweeney, L. (1998). Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression (Technical Report). SRI International. https://epic.org/wp-content/uploads/privacy/reidentification/Samarati_Sweeney_paper.pdf
Shapiro, S. (2022). Time to modernize privacy risk assessment. Issues in Science and Technology, 38(1), 20–22. https://issues.org/wp-content/uploads/2021/10/20-22-Shapiro-Time-to-Modernize-Privacy-Risk-Assessment-Fall-2021.pdf
Sidorenko, A. (2017). Risk management used to be a science, then became an art, and now it’s just bullsh@t. Risk Academy Blog. https://riskacademy.blog/first-blog-post
Society of Actuaries. (2025). Fundamentals of actuarial practice. https://www.soa.org/49347f/globalassets/assets/ files/edu/edu-2012-c2-1.pdf
Vaswani, A., Shazeer, N., et al. (2017). Attention is all you need. arXiv. https://arxiv.org/abs/1706.03762