272 experts ranked AI risk by sector. Information, finance, and national security came out most exposed.

In 2026 a team led by researchers at the University of Queensland and MIT FutureTech published a three-round expert study on which risks from AI matter most. The method is a Delphi study: a panel rates each risk, sees how peers rated it, and revises over rounds. It captures expert judgment rather than a calibrated forecast. That's the tool you reach for when evidence is thin and the field is moving quickly.

One finding is useful if you are accountable for AI in a regulated business. An international panel of 272 AI-risk experts judged information, finance, and national security the sectors most exposed to AI risk, with health care close behind. The reason given is plain: these are the sectors where AI sits in critical decisions and where a failure lands immediately and at scale.

The more pointed finding is about what is missing. The panel separated who is exposed to AI risk from who is responsible for addressing it, and concluded the two do not line up:

“Comparable mechanisms for AI are nascent or absent. Without them, vulnerable parties have little recourse and responsible parties face little pressure to act.”

The panel found the governance instruments that would close the gap, including transparency, monitoring, and liability, remain nascent or absent for AI. It also pointed to how mature industries handle this: operational, monitoring, and audit functions each carry part of the load. The study frames that monitoring and audit layer as part of societal resilience.

On accountability, the study is direct. Responsibility for AI risk concentrates on model developers and governments, and it warns that responsibility shared across many actors can become “responsibility held by none.” For an organization using AI rather than building it, that is the trap: a written policy, several teams that touch AI, and no single place that records what was actually allowed.

The scale the panel attached to this is sobering. Experts judged 18 of 24 AI-risk domains at 10% or higher probability of catastrophic harm by 2030 under business as usual. That is expert opinion under one scenario, not a prediction. The point for a practitioner is narrower: a panel this size treats the gap between exposure and control as material, not hypothetical.

Where Mandate fits, and where it does not

Measured against our own product, here is where Mandate fits and where it doesn't. Mandate is one control layer, not the whole program. It governs the data-centric risks an organization can control at the point of use, and it supplies the monitoring and audit record. It does not build or align models, and it does not claim to reduce the upstream risks the panel ranks most severe, such as dangerous capabilities, weapons, or the concentration of AI power.

What it does cover lines up with the gap the study names. The sectors judged most exposed are the sectors Mandate is built for. The instruments judged missing, monitoring and a transparent, tamper-evident record, are what Mandate produces. And the accountability the study says goes missing is the question Mandate's audit trail answers: which AI tool received which data, the policy that applied, and who decided. For the full risk-by-risk breakdown, including the ones we leave out of scope, see the FAQ on how Mandate maps to AI-risk frameworks.