When Cromford Mills in Derbyshire appeared on Historic England's 2025 Heritage at Risk Register, it made the news. The register works because it names assets, tracks their condition annually, and forces action. That discipline is exactly what a project risk register is supposed to do -- and most UK contractors are still running lists that were designed before AI tools became a fixture in their workflows.
This article covers what the register needs to contain in 2026, now that AI sits inside project delivery. It covers NEC4 contractual obligations, the Building Safety Act 2022 duty holder requirements, and the RICS Responsible Use of AI standard -- mandatory for all RICS members and regulated firms since 9 March 2026. Then it gets practical: which AI-specific risks belong on the register right now?
What is a risk register, and what is it not?
What is a risk register? It is a live document that identifies project risks, assesses their likelihood and impact, assigns ownership, and records mitigations. It is not a cover-the-bases exercise done at tender and filed away. Used well, it is the central tool through which a project team manages uncertainty -- and it needs regular review, not an annual glance.
The NEC4 situation is instructive. Under NEC4, the contractual mechanism is the Early Warning Register (EWR), which replaced the NEC3 equivalent. The EWR is maintained by the Project Manager and updated after each Early Warning Meeting. It requires only a description of the matter and the actions to be taken to avoid or reduce it. Crucially, it does not determine risk allocation -- it is a management tool, not a commercial one.
Most contractors running NEC4 projects need two things: the EWR for contractual purposes, and a supplementary register for strategic, reputational, regulatory, and technology risks. A register that covers only time, cost, and quality misses the category of risk most likely to create professional liability in 2026. AI risks almost certainly belong in the supplementary document, not the EWR.
Building Safety Act 2022: risk is now a duty holder matter
The Building Safety Act 2022 fundamentally changed accountability for higher-risk buildings. From 1 October 2023, Principal Designers and Principal Contractors became legal dutyholders under the Building Regulations. They must demonstrate competence, plan compliance throughout the project lifecycle, and maintain clear documentation of decisions.
For buildings over 18 metres or seven storeys with at least two residential units, a properly maintained risk register is part of the evidence base that duty holders need to show the Building Safety Regulator (BSR) that they have planned, managed, and monitored the project. If a Principal Contractor cannot demonstrate how risks were identified and managed, that is a compliance gap. The BSR can issue compliance notices and stop notices where Building Regulations are breached.
The Act also introduces the Accountable Person for occupied higher-risk residential buildings. Construction phase documentation feeds into the building safety case the Accountable Person inherits. Incomplete records from construction create ongoing liability after handover. Thin documentation is not just an administrative gap -- it is a legal one.
The built environment has its own model for naming risk
The buildings at risk register maintained by Historic England is a model of what disciplined annual tracking looks like at scale. Published each year, it covers every type of designated asset and forces owners, local authorities, and funders to confront specific conditions. It names the thing at risk -- not just the category.
In 2024, the buildings at risk register recorded 792 Grade I and II* listed buildings at risk, representing 3.5% of all such assets in England. There were 2,206 scheduled monuments at risk, 969 listed places of worship, and 475 conservation areas in the same position. In November 2025, Historic England published its 2025 edition, showing 138 new additions, with 129 sites saved, including Bruce Grove Public Toilets in Tottenham and the Old School Coffee House in Devon, converted to affordable housing.
The lesson for project teams is direct: a document that does not name specific things is a category list, not a risk register. Writing "AI tool risk" as a single line is as useless as writing "listed buildings" on the buildings at risk register. Each AI tool on a project deserves a named entry, with specific risks assessed against it.
Construction sites have long used hazard boards to make risk visible to everyone on site. The risk register does the same job across the whole project team and programme.
What the RICS AI standard requires of your risk register
The RICS Responsible Use of AI standard, mandatory for all RICS members and regulated firms since 9 March 2026, explicitly requires firms to maintain risk registers covering their AI use. According to RICS, the standard provides a structured framework that includes requirements for risk registers, responsible use policies, and procurement due diligence.
On procurement, the standard requires firms to seek information from AI providers before using any AI system on a client project. If a provider cannot or will not supply the information requested, the firm must document the risks arising from that gap. This is a direct requirement to record AI procurement risk formally. It applies to RICS-regulated firms of all sizes, with no exemption for sole practitioners.
The standard also establishes that the chartered surveyor remains accountable for every piece of professional advice, regardless of which tools produced it. That accountability demands a paper trail.
"The standard provides a structured framework for firms to govern their AI use, including requirements for risk registers, responsible use policies, and procurement due diligence." RICS, First-ever standard on responsible AI use, March 2026
The four AI risks that belong on the register
Hallucination risk. Large language models produce confident outputs that are factually wrong. On a construction project, this matters when AI tools draft specifications, generate compliance statements, or summarise contract terms. A hallucinated regulation number or an incorrect structural load figure does not become acceptable because it came from a tool. What is a risk register entry for hallucination? It names each tool, the tasks it handles, and the verification process applied to its outputs. This is consistent with the NIST AI Risk Management Framework and ISO 42001, both of which treat output reliability as a core governance concern.
Training data drift. AI models are trained up to a specific date. They do not automatically reflect new regulations or updated standards. A tool trained before October 2023 will not know post-October 2023 Building Safety Act compliance requirements unless it has been updated. Each AI tool on the register should carry a note on when its training data was last refreshed -- and if the firm does not know, that is the risk to record.
Model failure and availability risk. AI tools are third-party services. They can be withdrawn, deprecated, or changed without notice. If a workflow depends on an AI tool for cost planning, programme analysis, or document review, that tool's sudden unavailability is an operational risk. Add it to the register with a contingency: what is the fallback if the tool goes dark for a week or more? This is basic business continuity thinking applied to a new class of dependency.
Vendor concentration risk. Many AI tools used in construction and surveying are built on a small number of foundation models from a handful of large US technology companies. Analysis of third-party risk from 2026 notes that companies increasingly depend on a relatively small number of critical providers and that concentration creates fragility. If your cost management tool, BIM analysis assistant, and document drafter all run on the same underlying model, a single outage, pricing change, or geopolitical event could affect all of them at once. This is an entry that most project teams have not yet written -- but should.
How to structure each AI entry on the register
A project risk register entry for an AI tool should include: the tool name; the tasks it handles on this project; the specific risk; a likelihood and impact score; a named owner; the mitigation in place; and a review date. This mirrors the NIST AI RMF's four-function approach: Govern, Map, Measure, Manage. It is also consistent with the RICS standard's requirements and the APM's Project Risk Analysis and Management (PRAM) guidance on what a well-maintained register should contain.
Under the Building Safety Act, Principal Contractors and Principal Designers should be able to show that AI tools in the project workflow were assessed and managed. That is not a theoretical requirement -- the BSR can and does conduct desktop reviews of compliance documentation. A project risk register that includes named AI tools with completed entries satisfies that requirement. A single line saying "technology risks: medium" does not.
Three things to do now
One. Audit your current register. List every AI tool in use on this project -- from scheduling tools to cost estimating software to specification drafters. If none appear as named entries, add them before the next review meeting.
Two. Check your AI procurement records against the RICS standard. For each tool, can you show what information you sought from the provider before using it on a client project? If not, document the risks arising from that gap. The standard makes no exemption by firm size.
Three. Review the NEC4 Early Warning Register for matters with an AI component. A cost estimate that relied heavily on AI output may carry embedded risks not yet surfaced as early warnings. The Early Warning Register and the project risk register serve different purposes, but both need to reflect the actual tools in use. If your AI tools are invisible to your risk process, that is where the next problem will come from.
The buildings at risk register does not save buildings by itself. It saves them by making the risk visible, named, and owned. A risk register works the same way. The AI risks are already present on most UK construction projects. The question is whether they are named on the document or not.
The Responsible with AI programme helps architects, designers, and other built environment professionals develop practical frameworks for integrating AI tools responsibly.
