AI doesn’t know your project. But it knows every risk pattern that’s ever been written about. Here’s how to combine what it knows with what you know.
Risk identification is one of the most important things a PM does—and one of the easiest to do incompletely.
The problem isn’t effort. Most PMs work hard at risk identification. The problem is perspective. You know your project well, which means you also have blind spots. You think about the risks that are top of mind, the ones that burned you before, the ones your stakeholders keep raising. The risks you haven’t thought of don’t make the list—because you haven’t thought of them.
This is exactly where AI helps. Not because it knows your project, but because it doesn’t. It brings patterns from thousands of projects, industries, and failure modes that have nothing to do with your current context—and some of them will apply.
In my “5 PM Tasks AI Does Surprisingly Well” post, I listed risk identification as one of the top use cases. This post goes deeper: how to actually do it, how to prompt effectively, and—critically—how to evaluate what comes back.
How AI Risk Identification Works
AI doesn’t analyze your project and identify its specific risks. It pattern-matches against what it knows about projects like yours and generates a list of risks that are plausible given the context you’ve provided.
That distinction matters. The output is a starting point, not an assessment. Your job is to take the list and apply your judgment: Which of these are real for this project? Which can I dismiss? What’s missing that the AI didn’t surface?
The PM who gets the most value from AI risk identification is the one who uses it to stress-test their own thinking—not the one who pastes the AI output into the risk register and calls it done.
Prompting for Risk Identification
The quality of AI risk output depends almost entirely on the quality of context you provide. A generic prompt gets a generic list. A specific prompt gets something you can actually work with.
Start with project context
Don’t just ask “what are the risks for my project.” Give the AI enough to work with:
Weak prompt:
“What are the risks for a software implementation project?”
Stronger prompt:
“I’m managing a 6-month ERP implementation for a mid-sized manufacturing company. We’re replacing a 15-year-old legacy system. The project team is internal IT plus one external vendor. We have a hard go-live date driven by a contract renewal. What risks should I be thinking about?”
The stronger prompt produces risks that are specific to the constraints that actually matter: legacy migration complexity, vendor dependency, hard deadline, internal vs. external team dynamics.
Ask by risk category
After your initial list, probe specific categories:
- “What technical risks am I likely missing for this type of project?”
- “What are common people and change management risks in ERP implementations?”
- “What vendor-related risks should I include given that our go-live is fixed?”
- “What risks are specific to replacing a legacy system that’s been in place for 15+ years?”
Each prompt surfaces a different angle. The combination gives you a much fuller picture than any single query.
Ask for the risks nobody talks about
This is one of my favorite prompts:
“What are the risks for this project that teams often overlook or underestimate until it’s too late?”
AI is particularly good at surfacing the “we’ve seen this before” failure modes that experienced practitioners know but that don’t always make it into formal risk training. Data migration problems. End-user adoption failures. Scope creep disguised as approved change requests. Vendor knowledge transfer that doesn’t happen before go-live.
Ask it to challenge your existing list
Once you have a draft risk register, use AI to pressure-test it:
“Here’s my current risk register for this project: [paste list]. What risks am I missing? What risks on this list might be more serious than I’ve rated them? What assumptions am I making that could be wrong?”
This turns AI into a reviewer, not just a generator.
Evaluating What Comes Back
AI-generated risk lists need to be filtered, not accepted. Here’s how to work through the output:
Keep risks that are real for your project. “Vendor delivery delays may impact the critical path” is a real risk if you’re vendor-dependent. It’s not a real risk if all the work is internal.
Discard risks that don’t apply. AI will generate plausible-sounding risks that don’t fit your context. “Regulatory changes may require scope adjustments” is a legitimate risk for some projects and completely irrelevant for others. Use your judgment.
Flag risks that sound right but feel vague. “Stakeholder misalignment” is on every AI risk list. That’s not a risk — it’s a category. Push for specificity: which stakeholders, misaligned on what, with what consequence?
Watch for risks that reveal an assumption. Sometimes an AI-generated risk surfaces something worth thinking about even if the risk itself isn’t quite right. “Key personnel turnover during the project” might make you realize you haven’t thought through what happens if your one expert on the legacy system leaves.
Add what the AI missed. AI doesn’t know the politics of your organization, the history between teams, or the specific constraints that aren’t in any document. The risks you add from your own knowledge are often the most important ones.
Building the Risk Register
Once you’ve filtered the AI output and added your own risks, you have a raw list. From here, standard PM practice applies: assess probability and impact, assign ownership, define response strategies.
AI can help here too:
- “For each of these risks, suggest a mitigation strategy” — useful for getting started, needs review
- “What would an effective contingency plan look like for [specific risk]?” — good for high-priority risks you’re not sure how to handle
- “How have other projects typically responded to [specific risk]?” — useful for building response options
The same principle applies: AI gives you a starting point. Your judgment determines what goes in the register and what your team commits to doing about it.
What AI Can’t Do
AI cannot assess the actual likelihood or impact of risks on your specific project. It can generate probability and impact ratings, but those ratings are generic — they reflect what’s typical across many projects, not what’s true for yours.
You know things AI doesn’t: that your sponsor has done three projects like this and is unusually decisive, that your vendor relationship has been rocky, that the team has strong change management experience, that the regulatory environment in your industry is unusually stable right now. All of that affects the real risk profile of your project.
AI expands your list. You assess the list. Don’t outsource the assessment.
A Practical Workflow
Here’s how I use AI for risk identification on a new project:
- Draft initial context prompt — project type, duration, team structure, key constraints, hard deadlines, dependencies
- Run the initial prompt — get the broad list
- Run category prompts — technical, people/change, vendor, schedule, scope
- Run the “what teams overlook” prompt — surface the less obvious risks
- Filter the combined list — keep what’s real, discard what doesn’t apply, note what’s vague
- Add my own risks — the ones that come from knowing the organization, team, and politics
- Use AI to pressure-test the result — paste the list back and ask what’s missing
- Assess and assign — standard risk register work from here
The AI steps take 20-30 minutes. The filtering and assessment take longer — because that’s the actual PM work.
Links & References
Related Monday Business Posts:
- 5 PM Tasks AI Does Surprisingly Well — risk identification in context with other high-value AI use cases
- A PM’s Guide to Choosing an AI Tool — which tool to use for this kind of work
- AI Ethics for PMs — why you can’t just accept the AI’s risk assessment
- Better Status Reports with AI — applying the same expand-then-judge approach to project reporting
AI gives you the list you didn’t know to make. Your job is to make it real.