prEN 18228 — AI risk management (harmonised standard)
prEN 18228 is the draft harmonised standard for AI risk management being developed by CEN/CENELEC JTC 21. Once adopted as a definitive EN and cited in the Official Journal of the EU, it will give providers that apply it a presumption of conformity with EU AI Act Art. 9 (the presumption attaches to the OJEU citation, not to adoption alone). The correspondence with Art. 9 is tabulated clause by clause in its Annex ZA.
Paradigm: product-safety versus ISO 23894
The most important conceptual difference between prEN 18228 and ISO 23894 — the other standard implemented in the engine — is the risk paradigm:
| Dimension | prEN 18228 | ISO 23894 |
|---|---|---|
| Paradigm | Product-safety (lineage: ISO 14971 / IEC Guide 63) | Risk management process (lineage: ISO 31000) |
| Unit of risk | Hazard → hazardous situation → harm | Risk event → consequence (likelihood × impact) |
| Acceptability criterion | Acceptable risk: top management policy + objective evidence | Evaluation against declared risk appetite |
| Measures order | Mandatory hierarchy: inherently safe design ▸ protective measures ▸ information | No prescribed hierarchy |
| Residual | Overall residual risk of the system | Per-risk residual (hybrid: declared + control confirmation) |
Venturalítica implements the ISO 23894 paradigm as the primary engine. prEN 18228 is projected on top via clause catalogues (pren-18228-clauses.yaml): sei conformance --standard eu/pren-18228@2026 evaluates clause coverage without rewriting the underlying process.
Clauses in the engine
The internal catalogue (crates/seigarrena-core/resources/standards/pren-18228-clauses.yaml) models the following clauses:
| Clause | Title | Cycle phase | Art. 9 via Annex ZA |
|---|---|---|---|
| 4.6 | Risk management file | File | Art. 9(2) |
| 6.2.1 | Intended purpose | Analysis | Art. 9(2) |
| 6.2.2 | Reasonably foreseeable misuse | Analysis | Art. 9(2)(a) |
| 6.3 | Risk estimation | Estimation | Art. 9(2)(b) |
| 7 | Risk evaluation | Evaluation | Art. 9(2)(b) |
| 8.1 | Testing — acceptance criteria + objective evidence | Testing | Art. 9(6) |
| 9.1.2 | Applying the hierarchy of risk control | Control | Art. 9(5)(a) |
| 9.2 | Implementation and verification of risk control measures | Control | Art. 9(5) |
| 9.3 | Residual risk evaluation | Residual | Art. 9(5) |
| 10 | Evaluation of overall residual risk | Overall residual | Art. 9(5) |
| 11 | Risk management review | Review | Art. 9 |
Alignment: where Venturalítica performs well
The clause-by-clause analysis (based on projection of the loan scenario bundle) shows strong coverage in:
Cl. 4.6 — Risk management file: the signed evidence bundle (.sei/bundle.json), signed with ECDSA P-256 as an in-toto statement inside a DSSE envelope, is the risk management file. sei reconstruct converts it into the formal traceable cycle.
Cl. 7 — Risk evaluation: the risk evaluation against the declared appetite (evaluate(level, appetite)) covers this requirement.
Cl. 8.1 — Testing with acceptance criteria and objective evidence: AssuranceProgram controls include quantitative thresholds, and the power statistics (bootstrap with per-patient clustering) constitute the “objective evidence” the standard requires without specifying the method.
Cl. 9.2 — Verification of effectiveness of risk control measures: the hybrid residual (declared measure + confirmation from the blocking control) covers effectiveness verification. A discrepancy between declared and observed residual generates a Discrepancy status in the cycle.
Cl. 11 — Risk management review: sei approve --by records management approval in the bundle with evaluator identity.
Identified gaps
🟡 Partial — The engine implements the ISO 23894 paradigm with projection to prEN 18228. The complete product-safety chain and formal control hierarchy are not yet built. See Status & gaps.
Priority gaps, in order of value/effort:
Cl. 10 — Overall residual risk (already covered; listed here only to record where the one advisory part sits): the engine aggregates an overall system residual risk verdict. evaluate_overall_residual() computes it and persists it in EvidenceBundle.overall_residual. The criterion exists in the catalogue (criterion: overall_residual), and sei conformance emits COVERED or GAP for cl. 10 (it is not advisory). The only advisory part is the sei run gate: it reports the aggregate residual, but the lifecycle block is enforced by sei conformance or the cloud, not by the run gate.
Cl. 9.1.2 — Hierarchy of risk control: the catalogue models this criterion, and each AssuranceProgram measure carries a control_tier field that places it at one level of the hierarchy. sei conformance evaluates cl. 9.1.2 via the control_hierarchy criterion. The limitation is that the check is advisory: the engine detects and reports hierarchy inversions but does not block the gate on them, so the ordering is not hard-enforced. Hard-blocking of hierarchy inversions is a planned improvement.
Cl. 6.2.4 / hazard→harm chain: prEN 18228 follows a product-safety lineage where risk is defined as the combination of the probability that a hazard causes harm and the severity of that harm. The current model (ISO 23894, likelihood × impact by dimension) does not build that explicit chain.
Fundamental rights: prEN 18228 incorporates fundamental rights considerations (absolute, qualified, privately enforceable) and considerations for vulnerable populations and minors. This dimension is not modelled in the v1 AssuranceProgram.
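The mechanisms behind the paradigm table (a level evaluated against a declared appetite, the control hierarchy, per-risk versus overall residual) and the cl. 9.2, 9.1.2 and 10 behaviour described in the gaps above fit in a short model. The following is an added example written for this page, not code from Venturalítica or seigarrena-core: every name (Level, ControlTier, Measure, Risk, hybrid_residual, hierarchy_inversions, risk_residual, overall_verdict) and every rule (a Discrepancy when the observed and declared residual differ, an inversion defined as a lower-priority tier applied before a higher-priority one, the overall residual taken as the worst per-risk residual) is an assumption for illustration, and the sample risks are constructed rather than taken from the loan scenario bundle.

```rust
// Added example, not Venturalítica/seigarrena-core code. Names and rules below
// are assumptions for illustration, not the engine's schema.

/// Ordered risk level; derived Ord follows declaration order (Low < Medium < High).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Level { Low, Medium, High }

/// prEN 18228 cl. 9.1.2 hierarchy, highest priority first (assumed enum name).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum ControlTier { InherentlySafeDesign, Protective, Information }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Verdict { Acceptable, Unacceptable }

/// Hybrid residual: what a measure declares, checked against what the blocking
/// control observed (assumed enum; the page only names the Discrepancy status).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ResidualStatus {
    Confirmed(Level),
    Discrepancy { declared: Level, observed: Level },
    Unverified(Level),
}

pub struct Measure {
    pub id: &'static str,
    pub control_tier: ControlTier,
    pub declared_residual: Level,
    /// Residual observed by the blocking control; `None` if the control did not run.
    pub observed_residual: Option<Level>,
}

pub struct Risk {
    pub id: &'static str,
    pub level: Level,           // likelihood x impact already collapsed to one level
    pub measures: Vec<Measure>, // in the order they are applied
}

/// ISO 23894 style evaluation (cl. 7): acceptable iff the level is within appetite.
pub fn evaluate(level: Level, appetite: Level) -> Verdict {
    if level <= appetite { Verdict::Acceptable } else { Verdict::Unacceptable }
}

/// Cl. 9.2 effectiveness verification: declared residual vs control observation.
pub fn hybrid_residual(m: &Measure) -> ResidualStatus {
    match m.observed_residual {
        None => ResidualStatus::Unverified(m.declared_residual),
        Some(obs) if obs == m.declared_residual => ResidualStatus::Confirmed(obs),
        Some(obs) => ResidualStatus::Discrepancy { declared: m.declared_residual, observed: obs },
    }
}

/// Cl. 9.1.2 check. Assumed definition of an inversion: a lower-priority tier is
/// applied before a higher-priority one. Returns (earlier, later) id pairs; as on
/// the page, these are reported, not used to block the gate.
pub fn hierarchy_inversions(r: &Risk) -> Vec<(&'static str, &'static str)> {
    let mut found = Vec::new();
    for (i, earlier) in r.measures.iter().enumerate() {
        for later in &r.measures[i + 1..] {
            if later.control_tier < earlier.control_tier {
                found.push((earlier.id, later.id));
            }
        }
    }
    found
}

/// Trust the control's observation over the declaration when both exist.
fn effective_residual(m: &Measure) -> Level {
    m.observed_residual.unwrap_or(m.declared_residual)
}

/// Cl. 9.3 per-risk residual: the level left by the most effective measure;
/// an uncontrolled risk keeps its inherent level.
pub fn risk_residual(r: &Risk) -> Level {
    r.measures.iter().map(effective_residual).min().unwrap_or(r.level)
}

/// Cl. 10 overall residual (assumed rule: worst per-risk residual), evaluated
/// against the same appetite; an empty system has nothing to object to.
pub fn overall_verdict(risks: &[Risk], appetite: Level) -> Verdict {
    match risks.iter().map(risk_residual).max() {
        Some(worst) => evaluate(worst, appetite),
        None => Verdict::Acceptable,
    }
}

/// Constructed sample system (not the page's loan scenario bundle).
pub fn sample_risks() -> Vec<Risk> {
    vec![
        Risk { id: "R1-disparate-impact", level: Level::High, measures: vec![
            Measure { id: "M1-reweight-training", control_tier: ControlTier::InherentlySafeDesign,
                      declared_residual: Level::Medium, observed_residual: Some(Level::Medium) },
            // Declares Low, but the control observed Medium: a Discrepancy.
            Measure { id: "M2-user-notice", control_tier: ControlTier::Information,
                      declared_residual: Level::Low, observed_residual: Some(Level::Medium) },
        ]},
        Risk { id: "R2-drift", level: Level::Medium, measures: vec![
            // Information before Protective: a hierarchy inversion.
            Measure { id: "M3-user-notice", control_tier: ControlTier::Information,
                      declared_residual: Level::Medium, observed_residual: None },
            Measure { id: "M4-drift-monitor", control_tier: ControlTier::Protective,
                      declared_residual: Level::Low, observed_residual: Some(Level::Low) },
        ]},
    ]
}

fn main() {
    let risks = sample_risks();
    for r in &risks {
        println!("{}: inherent {:?}, residual {:?}, inversions {:?}",
                 r.id, r.level, risk_residual(r), hierarchy_inversions(r));
        for m in &r.measures { println!("  {} -> {:?}", m.id, hybrid_residual(m)); }
    }
    println!("overall at appetite Medium: {:?}", overall_verdict(&risks, Level::Medium));
}
```

Running it prints each measure's residual status and the inversion pairs, then the overall verdict. The hybrid residual trusts the control's observation over the declaration, so M2's optimistic declaration surfaces as a Discrepancy instead of being accepted silently; whether an inversion like M3 before M4 stays advisory or becomes blocking is a separate gate decision, which is the distinction the page draws for cl. 9.1.2.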
How to use sei conformance with prEN 18228
```bash
# Evaluate conformance against prEN 18228 from the signed bundle
sei conformance --standard eu/pren-18228@2026

# With history (one line per iteration)
sei conformance --standard eu/pren-18228@2026 --history

# Export to .sei/conformance/
sei conformance --standard eu/pren-18228@2026 --out
```

The report emits COVERED / PARTIAL / GAP per clause. A single bundle produces reports for both prEN 18228 and ISO 23894 without re-annotation (conformance by projection). See Guide: Dual-standard conformance.
Relation to other standards
- ISO 23894 — the risk management process implemented in the engine; see ISO 23894.
- EU AI Act Art. 9 — the legal obligation for which prEN 18228 is designed to give presumption of conformity; see EU AI Act.
- Standards crosswalk — correspondence table Annex IV ↔ prEN 18228 ↔ ISO 23894; see Reference: Crosswalk.