Risk Register
:::info Source
Sourced from `services/assessment-service/SERVICE_RISK_REGISTER.md` in the documentation repo.
:::

| ID | Risk | Severity | Impact | Mitigation | Owner |
|---|---|---|---|---|---|
| R-AS-01 | Answer key leak | S1 | Large-scale cheating; exam integrity destroyed | Encryption + scoped access; never in logs; CI grep | Assessment + Security |
| R-AS-02 | AI grading bias / disparate impact | S1 | Regulatory (EU AI Act); unfair grading | Quarterly bias eval; human override; confidence-threshold HITL | Assessment + AI + Compliance |
| R-AS-03 | AI-generated questions factually wrong | S2 | Misinformation; learner harm | HITL review before publish; eval suite; retraction workflow | Assessment + AI + Authoring |
| R-AS-04 | Branching scenario DAG cycle | S2 | Learner stuck | Publish-time validation; runtime defensive fallback | Assessment |
| R-AS-05 | Scoring tamper (offline) | S1 | Forged pass | Integrity hash in AttemptResult; server recompute; tamper events | Assessment + Content + Security |
| R-AS-06 | Cross-tenant quiz reuse attempt | S1 | Data leak | Tenant-scoped IDs; invariant; isolation test | Assessment + Security |
| R-AS-07 | Appeal SLA missed | S3 | Learner frustration | 72h SLA; escalation to compliance officer | Assessment + Support |
| R-AS-08 | AI confidence threshold too low | S2 | Too many human reviews; operator burden | Tuned threshold per prompt; adjustable | Assessment + AI |
| R-AS-09 | AI provider PII leak | S1 | Privacy breach | Pre-call PII redaction; noTrain verified | Assessment + AI + Security |
| R-AS-10 | SCORM 2004 scoring regression | S2 | 3rd-party LMS breaks | Conformance in CI | Assessment + Content |
| R-AS-11 | GDPR erasure incomplete | S1 | Regulatory exposure | Saga participation; replay test | Assessment + Compliance |
| R-AS-12 | Quiz bank reorder breaks in-flight attempts | S3 | Unexpected scoring | Attempts snapshot quiz version at start | Assessment |
| R-AS-13 | Rubric criterion weight drift | S3 | Scores change mid-semester | Weight changes trigger new quiz version | Assessment |
| R-AS-14 | Randomization seed guessable | S3 | Learner games ordering | HMAC seed with tenant secret | Assessment + Security |