Managing AI Risk in Production: Lessons from Operating Healthcare Systems Across Four Countries

Most AI risk management frameworks look impressive on paper. Comprehensive matrices. Sophisticated taxonomies. Multi-layered governance structures.
Then you try to deploy an AI diagnostic tool across Ghana, Nigeria, Kenya, and Egypt simultaneously—each with different data protection laws, varying infrastructure reliability, inconsistent data quality, and populations underrepresented in your training data.
Reality hits hard.

As CTO of CarePoint, I was responsible for healthcare systems operating across four African countries. I didn't have the luxury of theoretical risk management. I had to manage actual AI risks affecting real patients, navigate four different regulatory regimes, and build systems that worked despite infrastructure challenges that Western frameworks never anticipated.

Here's what I learned: AI risk management isn't about perfect frameworks. It's about identifying what can actually go wrong in your specific context, implementing controls that work with your constraints, and monitoring continuously because AI systems don't stay static.

This pillar is about real AI risk management—the kind you need when you're actually responsible for AI systems in production, not just presenting to a board.

Traditional IT Risk vs. AI Risk

I hold the CISA certification. I understand traditional IT risk management. But AI introduces fundamentally different risk categories that caught me off guard as CTO:

Through operating AI healthcare systems across four countries, I encountered AI risks that fell into four main categories:

1. Data Quality & Fragmentation Risk
The Problem:
Health data was inconsistent across facilities and countries. Poor data quality directly impacted model performance, especially for diagnostic-support models.
What This Looked Like:

• Missing fields in patient records
• Inconsistent coding systems across facilities
• Unstructured data variability (doctors' notes in different formats)
• Language differences affecting natural language processing

The Impact:
Data quality issues weren't just technical problems—they directly affected model accuracy, which affected clinical decisions.

How I Managed It:

• Implemented data quality scoring before training
• Built data validation pipelines with human review for critical datasets
• Established minimum data quality thresholds for model deployment
• Created country-specific data preprocessing workflows

I expected traditional security risks. I planned for compliance complexity. What caught me less prepared was bias and fairness risks when deploying AI models across diverse African populations.

Real Example: Skin Condition ClassifierWe tested a dermatology AI model for BlackSkinAcne.com. The model performed significantly worse for darker skin tones.
Why? The training dataset was Eurocentric—predominantly lighter skin tones. The model had learned patterns that didn't generalize to African populations.

This wasn't just a technical failure. It was an equity and patient safety issue.

Real Example: Diabetes Risk Prediction

A diabetes risk prediction model overestimated risk in one region due to data skew between urban and rural populations. The model had learned patterns from predominantly urban patients and wasn't calibrated for rural health indicators.

How I Address Bias Risk Now:

1. Dataset Representation Audits

• Verify training data represents actual patient populations
• Actively seek African-representative datasets
• Document demographic composition of training data

2. Fairness Metrics During Evaluation

• Test model performance across population subgroups
• Measure fairness metrics (equal opportunity, demographic parity)
• Establish fairness thresholds before deployment

3. Post-Deployment Bias Monitoring

• Continuous monitoring of model performance by demographic groups
• Quarterly fairness audits
• Clinical validation with local specialists

4. Retraining and Recalibration

• Expand datasets when bias is detected
• Recalibrate decision thresholds for specific populations
• Retrain models with representative data

After managing AI risk across four countries, I developed a hybrid approach combining established frameworks with custom extensions for healthcare AI in African markets:

The biggest lesson from managing production AI systems: Risk assessment isn't a one-time activity.

AI systems change even when code doesn't:

• Data distributions shift
• Model performance drifts
• New attack vectors emerge
• Regulatory requirements evolve

• Monitor prediction distribution changes
• Track model performance metrics over time
• Alert when accuracy falls below thresholds

• Clinical experts review AI outputs for critical decisions
• Feedback loops to identify model failures
• Regular clinical validation studies

• Review model performance across demographic groups
• Test for emerging bias patterns
• Document fairness metrics trends

• SIEM integration for AI system access
• Anomaly detection for unusual model behaviour
• Monitoring for adversarial probing patterns

• Document where training data originated
• Track data transformations and preprocessing
• Maintain chain of custody for datasets

• Monitor regulatory changes in all operating jurisdictions
• Assess compliance impact of new regulations
• Update controls as requirements evolve

Real Example:
We were far advanced in implementing automated drift detection for AI models in our SIEM application that would alert us when our diabetes risk model's prediction distribution shifted in one region. The investigation revealed the demographic change I mentioned earlier. Without continuous monitoring, we wouldn't have caught it until clinical outcomes showed the problem—too late.

As CTO, I had to enable innovation while ensuring patient safety and compliance. The tension is real.
Move too slowly, and you can't compete or deliver value. Move too fast, and you deploy unsafe systems or violate regulations.

• 1. Fast iteration
• 2. Minimal controls
• 3. Encourage creative exploration
• 4. No clinical or patient data

This enables innovation without compromising patient safety or compliance.

Through reviewing AI systems and evaluating vendor solutions, I see risks that vendors consistently underestimate or ignore:

AI risk profiles vary dramatically based on use case:

Risk Profile:

• Patient safety directly affected
• Regulatory scrutiny highest
• Liability exposure significant
• Errors have severe consequences

Required Controls:

• Extensive clinical validation
• Human-in-the-loop mandatory
• Continuous performance monitoring
• Explainability requirements
• Stringent data privacy controls
• Regular bias audits

Risk Profile:

• Operational efficiency focus
• Moderate regulatory requirements
• Privacy concerns present but lower stakes
• Errors are correctable

Required Controls:

• Standard security controls
• Privacy impact assessments
• Regular performance monitoring
• Data minimization
• Explainability for auditing

Risk Profile:

• General information provision
• Lower regulatory requirements
• Minimal patient safety impact
• Content accuracy important but not life-critical

Required Controls:

• Content accuracy validation
• Basic security controls
• Privacy for any collected data
• Disclaimer that AI doesn't replace medical advice

For Organizations New to AI Risk Management

1. 1. Document all AI/ML systems in use or development
2. 2. Classify by risk level (high/medium/low)
3. 3. Identify data sources and dependencies

• 1. Use NIST AI RMF or similar framework
• 2. Focus on your highest-risk systems first
• 3. Document identified risks and existing controls

• 1. Data quality validation
• 2. Basic security controls (encryption, access management)
• 3. Model performance monitoring
• 4. Documentation requirements

• Define roles and responsibilities
• Create approval processes for AI deployment
• Establish review cycles
• Build compliance review workflows

• Implement continuous monitoring
• Schedule regular risk reviews
• Update controls as needed
• Learn from incidents

For Organisations New to AI Risk Management

1. Document all AI/ML systems in use or development
2. Classify by risk level (high/medium/low)
3. Identify data sources and dependencies

1. Use NIST AI RMF or similar framework
2. Focus on your highest-risk systems first
3. Document identified risks and existing controls

1. Data quality validation
2. Basic security controls (encryption, access management)
3. Model performance monitoring
4. Documentation requirements

1. Define roles and responsibilities
2. Create approval processes for AI deployment
3. Establish review cycles
4. Build compliance review workflows

1. Implement continuous monitoring
2. Schedule regular risk reviews
3. Update controls as needed
4. Learn from incidents

• 1. Model poisoning and adversarial attacks
• 2. Training data privacy risks
• 3. Model extraction and IP theft
• 4. Bias and fairness issues

• 1. Your existing security controls still matter
• 2. But add AI-aware monitoring and testing
• 3. Consider AI-specific threat modeling.

1. 1. AI regulations are evolving rapidly
2. 2. Understand how AI changes compliance requirements
3. 3. Build relationships with compliance teams

Recommended Path:
→ AI Risk Management (this pillar)
→ Data Privacy & AI with country-specific focus
→ AI Regulatory Compliance for African markets

A. Infrastructure Constraints

1. 1. Intermittent connectivity
2. 2. Limited compute resources
3. 3. Power reliability issues

B. Regulatory Variations

1. 1. Each country has different data protection laws
2. 2. Understand local interpretations
3. 3. Build country-specific controls

C. Population Representation

1. 1. Ensure training data represents your users
2. 2. Test for bias on local populations
3. 3. Work with local clinical experts

Data Residency Requirements

1. 1. Many countries require data to stay local
2. 2. Plan infrastructure accordingly
3. 3. Understand cross-border transfer restrictions

I'm building comprehensive knowledge at the intersection of AI technology, risk management, and regulatory compliance.

What's Available Now:

1. 1. Foundation articles on AI risk management frameworks
2. 2. Real-world case studies from healthcare AI
3. 3. Regulatory risk guidance for African markets
4. 4. Practical implementation guides

What's Coming:

1. 1. Deep dives into specific AI risk categories
2. 2. Industry-specific risk assessments
3. 3. Tool reviews for AI risk management
4. 4. Templates and checklists

I'm committed to quality over speed. Each article is grounded in practical experience and includes real-world examples, implementation guidance, and lessons learned.

AI Risk Management connects to all other pillars:

AI risk management isn't optional. If you're building, deploying, or operating AI systems, you're managing AI risk whether you realise it or not.

The question is: Are you managing it well, or are you waiting for an incident to expose gaps?

The professionals and organizations that thrive will be those who:

AI risk management isn't about achieving zero risk—that's impossible. It's about understanding your risks, implementing appropriate controls, and making informed decisions about acceptable risk levels.
Ready to build proper AI risk management capabilities?
Browse the comprehensive topic areas below, or start with the recommended learning path for your role.

Patrick Dasoberi brings executive healthcare technology leadership, technical depth, and hands-on teaching experience to AI risk management education.

Executive Healthcare Technology Leadership
Until recently, Patrick served as Chief Technology Officer of CarePoint (formerly African Health Holding), where he was responsible for healthcare systems operating across four countries: Ghana, Nigeria, Kenya, and Egypt. In this role, he managed AI risk across multiple regulatory jurisdictions, navigated infrastructure constraints, addressed model bias for African populations, and made strategic decisions affecting real patient care.

He dealt with actual AI risk incidents, including model drift, vendor control failures, regulatory compliance gaps, and infrastructure dependency cascades—bringing practical, battle-tested insights to AI risk management education.

Technical Education Background
Before moving into healthcare technology leadership, Patrick taught web development and Java programming in Ghana for seven years. This extensive teaching experience shapes his approach to content creation—he knows how to break down complex risk management concepts into understandable, actionable knowledge.

Current Operations & Focus
Patrick currently operates AI-powered healthcare platforms, including DiabetesCare. Today, MyClinicsOnline and BlackSkinAcne.com operate across Ghana, Nigeria, and South Africa. Through AI Security Info and the AI Cybersecurity & Compliance Hub, he shares practical insights from building, securing, and managing AI risk in real-world systems.
His unique expertise combines AI technology understanding, risk management frameworks (NIST AI RMF, ISO 31000, ISO 27001), and regulatory compliance across multiple African jurisdictions—bringing an executive-level perspective to AI risk management education.

Professional Certifications & Education:

1. 1. CISA (Certified Information Systems Auditor) – Risk-focused
2. 2. CDPSE (Certified Data Privacy Solutions Engineer)
3. 3. MSc Information Technology, University of the West of England
4. 4. BA Administration
5. 5. Postgraduate AI/ML Training (RAG Systems)
6. 6. RAG Engineer Certificate

Executive & Operational Experience:

• Former CTO: CarePoint (healthcare systems across Ghana, Nigeria, Kenya, Egypt)
• Teaching: 7 years of teaching web development and Java programming in Ghana
• Current Founder: AI Cybersecurity & Compliance Hub
• Current Operator: AI healthcare platforms across Ghana, Nigeria, South Africa
• Focus Areas: Healthcare AI Risk, African markets, Multi-jurisdictional compliance

Below you'll find the major topic areas within AI risk management. Content is being developed systematically based on real-world experience managing AI risk in production environments.

Ready to master AI risk management?

Start exploring topic areas based on your needs, or follow the recommended learning paths above.

Content updated: November 2025
Pillar 2 of 7 in the AI Security Info comprehensive framework