AI Risk Management18 min read

AI Risk in the Caribbean: What It Is, the Warning Signs, and How to Mitigate It Across CARICOM

Q: What are the warning signs of unmanaged AI risk?

Key warning signs include the inability to inventory AI in use, unexplainable customer decisions, vendor-controlled silent model updates, no local data testing, customer complaints referencing inexplicable outcomes, vague board-level understanding, regulated AI use without approval, no incident process for AI failures, untrained users, and absence of second-line oversight.

Q: How can a Caribbean organisation start mitigating AI risk?

Start with an AI inventory, classify each system by risk tier, assign named risk owners, apply tiered controls, establish an AI committee, train staff, and re-validate high-risk systems annually.

Q: Does the EU AI Act apply to CARICOM businesses?

Yes, where the AI system is placed on the EU market or its outputs affect persons in the EU. Caribbean exporters, tourism operators with European visitors, and financial institutions with European correspondent relationships should assess their exposure.

Q: Which AI risk frameworks should Caribbean organisations follow?

Use NIST AI RMF as the structural backbone, align high-risk controls with the EU AI Act, follow ISO/IEC 42001 as a management system, and overlay each jurisdiction's data protection law. CAIRMC offers a regional adaptation built for CARICOM.

Q: How is AI bias tested in a Caribbean context?

Bias testing compares model outputs across demographic subgroups. For Caribbean organisations, test on Caribbean data wherever possible, define fairness metrics aligned to regulated outcomes, and repeat testing on a defined cycle.

Q: What does the board need to know about AI risk?

The board needs a plain-language view of which AI systems are in use, what they do, who is accountable, what could go wrong, what controls exist, and what would happen if a high-risk system failed.

Q: What is shadow AI and why does it matter?

Shadow AI is unsanctioned AI use inside an organisation. It matters because confidential data may leak to unauthorised tools, outputs may enter regulated work undisclosed, and the organisation cannot govern what it cannot see. Mitigation is providing sanctioned, governed alternatives.

Q: Can AI be used in regulated decisions like credit, insurance, and AML?

Yes, with controls. The human signatory remains responsible, the decision must be explainable, the model must be validated, the data must be governed, and the use must be approved through governance.

Q: How long does it take to build an AI risk management programme?

A baseline programme can be implemented in three to six months. A mature programme typically reaches steady state in twelve to eighteen months.

By Adrian Dunkley, President·May 5, 2026

By Adrian Dunkley, President, Caribbean AI Risk Management Council. Published 5 May 2026. Region: Caribbean. Coverage: CARICOM.

Aerial view of a Caribbean coastline with turquoise water and white sand, no people visible — Caribbean coastline. The region's economic exposure to AI risk is concentrated in tourism, finance, energy, and agriculture. Image: Unsplash.

TL;DR: AI risk is the chance that an artificial intelligence system causes financial, legal, ethical, or operational harm to the organisation that uses it or to the people it affects. In the Caribbean, the risk profile is shaped by small markets, imported models, fragmented regulation, and dependence on a narrow set of foreign vendors. Every CARICOM country, from Antigua and Barbuda to Trinidad and Tobago, faces a sector-specific exposure tied to its dominant industry. This guide explains what AI risk is, how to spot it early, how to mitigate it, and what it looks like in each CARICOM member state.

What Is AI Risk?

AI risk is the probability that an artificial intelligence system produces an outcome that harms the organisation that deployed it, the customer it served, the regulator that supervises it, or the wider public. The harm can be financial, legal, reputational, ethical, or operational. It can be sudden, as when a fraud detection model fails during a peak transaction window, or slow, as when a credit scoring model gradually drifts away from the population it was trained on and starts producing systematically poor decisions. The word "risk" matters here. AI risk is not a guarantee of harm. It is a probability that needs to be measured, controlled, and monitored, in the same way that credit risk, market risk, or operational risk is managed inside any well-run institution.

In a Caribbean context, AI risk has a few distinguishing features. The vast majority of AI tools used in the region are built outside the region, trained on populations that do not look like ours, and supplied through contracts that were not negotiated with Caribbean regulators in mind. The supplier sets the model. The Caribbean buyer absorbs the consequences. That asymmetry is the central reason why AI risk management in the Caribbean cannot simply borrow the playbook from London, New York, or Brussels. The risk surface is shaped by who supplies the technology, not only by who uses it.

For the purposes of this guide, AI risk includes machine learning models, large language models, generative AI tools, computer vision systems, predictive analytics, robotic process automation with embedded AI, and any third-party software whose features are powered by AI under the hood. If a system makes a prediction, generates content, classifies inputs, or supports a decision based on patterns learned from data, it falls inside the AI risk perimeter.

Why AI Risk Is Different in the Caribbean

The textbook frameworks for AI risk, the NIST AI Risk Management Framework, the ISO/IEC 42001 standard, and the OECD AI Principles, all assume an environment where regulators have published binding guidance, model developers and deployers are often the same organisation, and the local market is large enough to support specialist auditors and assurance providers. The Caribbean does not match those assumptions. Most CARICOM jurisdictions have data protection laws but no AI-specific legislation. Most regional banks, insurers, and government agencies are deployers, not developers, of AI. Most of the audit and assurance ecosystem for AI sits in North America, the United Kingdom, and Europe.

This creates four practical consequences. First, Caribbean buyers carry vendor risk that is heavier than their counterparts in larger markets, because their bargaining power to demand transparency, indemnification, or retraining is limited. Second, model performance gaps are wider, because foreign training data does not reflect Caribbean demographics, languages, dialects, climate, or financial behaviour. Third, regulatory ambiguity is higher, because supervisors are still developing positions on AI as the technology is being deployed. Fourth, recovery is slower when something goes wrong, because the technical specialists needed to remediate live in a different time zone and answer to other clients first.

None of this means AI should not be used in the Caribbean. It means AI must be governed with these structural realities in mind, not against a generic global benchmark.

The Five Categories of AI Risk Every Caribbean Leader Should Know

Technical risk arises from the model itself. It includes inaccuracy, instability, data drift, bias, hallucinations in generative systems, adversarial attacks, and security vulnerabilities introduced by AI components. Technical risk is the kind of risk most people picture when they hear "AI risk." It is also the most measurable, because it produces metrics that can be tested.

Governance risk arises from the absence of clear accountability, policies, and oversight inside the organisation. Who approved the AI tool? Who owns the model in production? Who decides when to retire it? In Caribbean organisations where AI deployments often start as informal experiments by a single department, governance risk is frequently the largest unmanaged risk.

Operational risk arises from how the AI system interacts with people, processes, and other systems. It includes integration failures, workflow gaps where humans assume the AI did the work and the AI assumes the humans did, vendor outages, and the operational consequences of model errors propagating downstream.

Ethical and reputational risk arises from outputs that are technically correct but socially harmful, or that violate the trust customers place in the organisation. A bank's AI that legally declines a loan but does so in a way that disproportionately rejects applicants from certain parishes, neighbourhoods, or districts faces an ethical and reputational exposure regardless of whether a regulator notices.

Regulatory and legal risk arises from non-compliance with laws that apply to the use of AI, including data protection legislation across the region, sector-specific rules for banking, insurance, and telecommunications, consumer protection statutes, and the extraterritorial reach of foreign frameworks such as the EU AI Act and the UK AI assurance regime.

The Warning Signs of Unmanaged AI Risk

AI risk rarely arrives without warning. The signals are visible to anyone willing to look. The organisations that suffer the worst outcomes are usually the ones that ignored, dismissed, or did not know how to interpret the early signs. The following are the most reliable warning indicators that an AI deployment is heading toward harm.

You cannot produce an inventory of the AI in your organisation. If a request for a list of every AI tool, model, and AI-powered feature in use across the business cannot be answered within two weeks, the organisation has lost visibility. Shadow AI, employees using free-tier generative tools on personal accounts, is now common across the region. An organisation that does not know what it runs cannot govern what it runs.

Decisions are being made without explanation. A loan officer in Kingston, an underwriter in Bridgetown, or a benefits adjudicator in Castries who tells a customer "the system declined" without being able to articulate the reasons is operating a black box. Black box decisions are a regulatory and reputational time bomb. They are also frequently illegal under existing data protection legislation in the region, which grants data subjects rights to meaningful information about automated decisions.

The vendor controls the upgrade cycle and you do not. If the AI tool can be retrained, repriced, or reconfigured by the supplier without notice to the deployer, the deployer has surrendered model risk control. Standard SaaS contracts allow exactly this in many cases. The warning sign is contract language that uses phrases such as "the provider may update the service from time to time" without notification or rollback rights for AI components.

Performance has not been tested on local data. If the only evidence of model accuracy is the vendor's published benchmarks, the deployer does not actually know how the model performs on Caribbean users. An AI sentiment analysis tool that reads English fluently may misread Trinidadian, Jamaican, Bajan, or Guyanese expressions and produce unreliable results.

Customer complaints reference inexplicable outcomes. A spike in complaints that include phrases such as "no one could tell me why," "the system rejected me even though I qualified," or "the chatbot gave me wrong information" is a leading indicator of AI failure long before regulators or auditors notice.

Senior leaders cannot describe the AI risks without using the word "complicated." If the conversation ends with an executive saying "it is complicated, the IT team handles it," AI risk is not being managed at the level required. Boards in the region need to be able to explain, in plain language, what AI is doing inside their organisations and what the failure modes are.

The AI is being used in regulated processes without specific approval. Suspicious transaction reporting, credit scoring, claims handling, candidate screening, customer onboarding, and tax assessment all sit inside regulated processes. AI use in any of these without a documented approval, a risk assessment, and a set of controls is a regulatory finding waiting to happen.

There is no incident process for AI failures. If an AI system produces a damaging output today, who escalates? Who notifies the regulator? Who notifies the customer? Who decides to take the model offline? In most Caribbean organisations, these questions do not yet have documented answers.

Training and awareness are absent. Staff who use AI tools without any training on appropriate inputs, verification requirements, or confidentiality obligations are a major source of risk. The most common breach scenarios involve employees pasting confidential client data into consumer chatbots.

The AI sits outside the second line of defence. Risk and compliance functions that have not been formally engaged in AI deployment decisions are not in a position to challenge them. If the conversation about the AI is happening only between the business and the vendor, the second line is missing.

Server racks in a data centre with blue indicator lights, no people in frame — Most AI tools used in the Caribbean run on infrastructure operated outside the region. Image: Unsplash.

How to Mitigate AI Risk: A Practical Framework

Mitigation is the work of reducing the likelihood and the severity of harm. For Caribbean organisations, the path is not to invent a new framework. It is to adapt established global frameworks to the structural realities of the region. The following six steps form a practical, sequenced programme that any Caribbean institution can follow regardless of size.

1. Build the AI Inventory

The first deliverable is a complete and accurate inventory of every AI system in use, including AI-powered features inside larger software products, AI use by employees on personal accounts, and AI embedded in vendor services. The inventory should record the vendor, the purpose, the data inputs, the decision outputs, the level of human oversight, and the regulatory regime that applies to the use case. A well-maintained spreadsheet is sufficient for most organisations in the region. The discipline matters more than the tool.

2. Classify by Risk Tier

Not all AI systems carry the same risk. A classification scheme of three tiers works well in practice. Low-risk systems include internal productivity aids and content drafting tools where outputs are reviewed by humans before any external use. Medium-risk systems include customer-facing chatbots, marketing personalisation, and analytics that inform but do not determine regulated decisions. High-risk systems include credit scoring, fraud detection, claims adjudication, biometric identification, candidate screening, and any AI that materially affects the rights, finances, or access of an individual. Each tier carries a corresponding set of control requirements.

3. Establish Governance and Accountability

Every AI system in production should have a named risk owner, a documented purpose, and an approved policy. Governance should include board-level visibility for high-risk deployments. The Caribbean AI Risk Management Council recommends an AI committee or working group that includes risk, compliance, technology, legal, data, and business representatives, meeting at minimum quarterly and reviewing the AI inventory at every meeting.

4. Apply Tiered Controls

Controls scale with the risk tier. For low-risk systems, an acceptable use policy and basic logging are typically sufficient. For medium-risk systems, controls should include a formal risk assessment, vendor due diligence, data handling agreements, defined human review checkpoints, and documented monitoring. For high-risk systems, controls should add bias testing, performance validation on local data, explainability capabilities, model documentation, independent review, incident response procedures, and regular re-validation. Where regulatory expectations are still evolving, controls should align to the most stringent applicable benchmark, which today is typically the EU AI Act for high-risk systems.

5. Test, Monitor, and Re-Validate

AI systems are not static. Models drift, data distributions change, vendors update their products, and the populations being served evolve. Mitigation is a continuous activity. Performance metrics should be tracked. Thresholds should trigger review. High-risk systems should be revalidated at least annually and after every material change. Bias and fairness testing should be repeated on a defined schedule. Where a system materially affects customers, the fairness testing should be on Caribbean data, not on global benchmark datasets.

6. Train the Humans

The strongest control in any AI risk programme is the trained human in the loop. Staff need to understand what AI tools they are authorised to use, what data they may not input, how to verify outputs, and how to escalate concerns. Boards and executives need education on AI risk in language they can use. The Caribbean AI Risk Management Council's certification programme is built around exactly this need, but the principle applies regardless of the training provider chosen. Untrained users are the largest residual risk in most Caribbean AI deployments.

Open notebook and pen on a desk with documents, no people in frame — Documentation is the backbone of AI risk management. Image: Unsplash.

AI Risk Across CARICOM: A Country-by-Country Snapshot

AI risk is not uniform across the region. The risk profile of any CARICOM member state reflects the structure of its economy and the industries where AI is being deployed first. The following snapshots cover all 15 CARICOM member states, with examples tied to each country's dominant sectors. They are illustrative, not exhaustive, and they are intended to help leaders in each jurisdiction recognise the AI risks most relevant to their environment.

Antigua and Barbuda

Antigua and Barbuda's economy is anchored by tourism, financial services, and online gaming. AI risk in tourism shows up in dynamic pricing engines that may produce discriminatory rates across customer segments, and in chatbot concierge services that hallucinate information about hotel policies, immigration requirements, or local laws. In the gaming sector, AI-powered fraud detection and player-protection tools deployed by international operators are a regulatory question for local supervisors, since model behaviour is not always transparent to the licensing authority. Citizenship by Investment programmes face AI risk in due diligence screening, where false negatives expose the country to reputational consequences and false positives expose qualified applicants to wrongful rejection.

The Bahamas

The Bahamas' economy is dominated by tourism and international financial services, with a growing digital assets sector under the DARE Act. AI risk in financial services is acute in correspondent banking, where automated transaction monitoring tools supplied by foreign vendors are screening Bahamian institutions' flows in ways that can result in de-risking decisions that the local bank cannot challenge. In the digital asset space, AI-driven wallet screening and address risk scoring are being applied to Bahamian users by tools designed for North American populations, with predictable false positive rates. In tourism, AI-driven booking and pricing platforms create the same dynamic pricing and personalisation risks seen elsewhere in the region.

Barbados

Barbados has a diversified economy with strengths in tourism, international business, financial services, and an emerging technology sector. AI risk in the international business sector includes the use of generative AI in legal and accounting work, where confidentiality of client information and accuracy of regulatory references are immediate concerns. The Data Protection Act 2019 imposes obligations that apply directly to AI processing of personal data. In tourism, AI-driven sentiment analysis on visitor reviews, destination marketing personalisation, and revenue management systems all create exposure if they have not been validated on Caribbean visitor populations. In the financial services sector, AI in anti-money laundering screening and credit assessment is a live regulatory question.

Belize

Belize's economy is built on tourism, agriculture (sugar, citrus, bananas), aquaculture, and offshore financial services. AI risk in agriculture shows up in precision farming tools and crop disease prediction models trained largely on North American or European cropping systems, which may misclassify pests and diseases prevalent in Central American and Caribbean conditions. In aquaculture, AI-driven feed optimisation and disease detection systems carry similar localisation risk. In tourism and eco-tourism, AI-powered booking and recommendation engines may underweight smaller, locally owned providers in favour of larger international brands. In the offshore financial sector, AI screening tools applied by correspondent banks create the same de-risking exposure that affects other small jurisdictions.

Dominica

Dominica's economy combines agriculture, eco-tourism, citizenship by investment, and a growing geothermal energy ambition. AI risk in agriculture is particularly relevant to banana, root crop, and specialty produce growers, where pest and disease detection tools may not have been trained on the conditions specific to the island. In eco-tourism, AI-driven content moderation on global booking platforms can affect listing visibility in ways that small Dominican providers struggle to challenge. The citizenship by investment programme faces AI screening risks similar to those in Antigua and Saint Kitts. In geothermal development, AI in resource modelling and infrastructure monitoring will become a more prominent risk surface as projects scale.

Grenada

Grenada's economy is anchored by agriculture (nutmeg, cocoa, spices), tourism, and education, with St. George's University drawing significant international student flows. AI risk in spice and agricultural exports includes the use of AI in grading, traceability, and supply chain analytics, where errors translate directly into pricing and acceptance at international markets. In tourism, AI-driven platform pricing and review aggregation affect smaller properties disproportionately. In the education sector, AI tools used in admissions screening, plagiarism detection, and assessment carry significant fairness and accuracy implications for an internationally diverse student body, with consequences for accreditation and reputation.

Guyana

Guyana is the fastest-growing economy in CARICOM, driven by oil and gas alongside long-standing strengths in mining (gold, bauxite), agriculture (rice, sugar), and forestry. AI risk in the energy sector is the most material in the region, since AI is now deeply embedded in seismic interpretation, drilling optimisation, predictive maintenance, and HSE monitoring. Failures in any of these systems can have catastrophic consequences. Vendor concentration is severe, with a small number of global oilfield services providers supplying the AI components. In mining, AI in resource estimation and operational safety carries similar exposure. In agriculture, AI-driven yield prediction and irrigation optimisation tools require validation against local soil and climate conditions to be reliable.

Haiti

Haiti's economy includes agriculture, textiles and apparel manufacturing, remittances, and a substantial humanitarian and development sector. AI risk in apparel manufacturing centres on AI-driven quality inspection, production scheduling, and labour analytics tools imported by international buyers, with implications for both efficiency and worker treatment. In the remittances sector, AI-driven fraud detection and sanctions screening can result in legitimate Haitian transactions being delayed or blocked, with material consequences for households dependent on those flows. In the humanitarian sector, AI in beneficiary targeting, needs assessment, and cash transfer programming requires careful governance to avoid exclusion errors that harm the most vulnerable. Language and Kreyòl coverage in AI tools remains a significant risk surface.

Jamaica

Jamaica's economy is led by tourism, mining (bauxite and alumina), agriculture, business process outsourcing, and a growing financial technology sector. AI risk is unusually broad here. In tourism, dynamic pricing and review-based reputation systems shape demand. In BPO, AI-driven workforce analytics, quality monitoring, and increasingly AI-augmented customer service create a complex risk surface for the island's largest private-sector employer. In financial services, AI in credit scoring, fraud detection, anti-money laundering, and customer onboarding is an active regulatory concern, and the Bank of Jamaica has signalled increasing supervisory attention to model risk. In the cannabis and licensed agriculture sector, AI in cultivation analytics and supply chain traceability is emerging. The Data Protection Act 2020 applies in full to AI processing of personal data.

Montserrat

Montserrat's small economy is built on tourism, geothermal development, and public services, with a population shaped by ongoing volcanic risk management. AI risk in this context concentrates around two areas. In disaster risk management and volcanology, AI-driven seismic monitoring, gas emission analysis, and evacuation modelling have direct life-safety implications and must be validated and explainable. In public services, AI tools imported through UK or regional government partnerships need to be assessed against the specific demographic and operational conditions of the territory. The smaller scale also means a single misstep with a third-party AI vendor can disrupt a much larger share of national operations than in larger jurisdictions.

Saint Kitts and Nevis

Saint Kitts and Nevis combines tourism, financial services, and the original Citizenship by Investment programme. AI risk in the CBI sector is significant. Due diligence screening tools, identity verification systems, and source of funds analytics provided by external vendors materially affect approval and rejection decisions. False positives create unfair denials. False negatives create programme integrity exposure that the global financial system increasingly notices. In tourism, AI-driven hospitality platforms create the same dynamic pricing and review-aggregation risks as elsewhere. The financial services sector faces AI-driven correspondent banking screening with the de-risking consequences common across small jurisdictions.

Saint Lucia

Saint Lucia's economy is driven by tourism, agriculture (notably bananas and tropical produce), and offshore financial services. AI risk in the tourism sector includes the same booking and pricing exposures seen across the region, as well as AI-driven content moderation that affects how Saint Lucian providers appear on global platforms. In agriculture, banana and tropical fruit producers face AI in supply chain traceability and quality grading deployed by international buyers, where decisions about acceptance are made by models the producer never sees. In financial services and BPO, AI-driven workforce and compliance analytics carry the standard set of bias, accuracy, and explainability risks.

Saint Vincent and the Grenadines

Saint Vincent and the Grenadines has a diversified small economy spanning agriculture (bananas, arrowroot, root crops), fisheries, tourism, and an active film and yacht-charter sector. AI risk in agriculture and fisheries shows up in yield, weather, and stock prediction tools that may be poorly calibrated to the specific conditions of the islands. In the yachting and tourism sectors, AI-driven booking platforms and dynamic pricing create the same patterns of platform dependence and opacity seen elsewhere. The film sector exposes the country to generative AI risks around image, likeness, and content rights, particularly when international productions deploy AI tools in post-production work shot on the islands.

Suriname

Suriname's economy is shaped by mining (gold, bauxite), oil and gas development, agriculture, and forestry. AI risk in the extractive sectors is similar in profile to Guyana, with significant exposure in operational AI used for resource modelling, predictive maintenance, and safety monitoring. The Dutch and Sranan Tongo language environment introduces an additional layer of risk for AI tools that perform poorly outside English. In agriculture and forestry, AI-driven supply chain and traceability tools used by international buyers can affect access to premium markets. The financial services sector faces standard regional risks in compliance screening and credit assessment.

Trinidad and Tobago

Trinidad and Tobago has the most industrialised economy in CARICOM, anchored by oil and gas, petrochemicals, manufacturing, and a substantial financial services sector. AI risk in the energy and petrochemical industries is among the most material in the region. Predictive maintenance, process optimisation, safety monitoring, and emissions analytics all rely on AI components from a small number of global vendors, often deployed without local model validation. A failure in any of these systems can have safety, environmental, and financial consequences at scale. In financial services, the Central Bank of Trinidad and Tobago has signalled supervisory attention to AI in credit and AML processes. The manufacturing sector faces AI-driven quality control, supply chain, and workforce analytics risks. The Data Protection Act 2011 applies, although enforcement infrastructure continues to develop.

The Regulatory Backdrop in 2026

AI regulation across CARICOM is still emerging, but the direction of travel is clear. Data protection legislation in Jamaica, Barbados, Trinidad and Tobago, The Bahamas, and several OECS member states already imposes obligations that apply directly to AI processing of personal data. Sector regulators in banking, insurance, and telecommunications across the region are beginning to communicate expectations on model risk, explainability, and third-party risk in ways that map onto AI. The Caribbean Community has signalled interest in a regional AI policy approach, building on the Caribbean Telecommunications Union's earlier roadmap. The EU AI Act applies extraterritorially to organisations whose AI outputs affect persons in the European Union, which captures many Caribbean exporters, financial institutions with European correspondent relationships, and tourism operators serving European visitors.

Caribbean leaders should expect the regulatory environment to tighten over the next twenty-four months. The organisations that build AI governance now will adapt to that tightening with minor adjustments. The organisations that wait will be running remediation programmes under deadline pressure.

Frequently Asked Questions

What is AI risk in simple terms?

AI risk is the chance that an artificial intelligence system causes harm to your organisation, your customers, your regulator, or the public. The harm can be financial, legal, reputational, ethical, or operational. AI risk management is the work of identifying, measuring, and reducing those risks before they materialise.

What are the warning signs of unmanaged AI risk?

The most reliable warning signs are: an inability to produce a complete inventory of AI in use, customer-facing decisions that cannot be explained, vendor contracts that allow silent model updates, no testing on local Caribbean data, complaints referencing inexplicable outcomes, leaders who describe AI risks as "complicated," AI used in regulated processes without specific approval, no incident process for AI failures, no staff training on AI use, and AI deployments that have never been reviewed by the second line of defence.

How can a Caribbean organisation start mitigating AI risk?

Start with an inventory. List every AI tool in use, including AI-powered features inside larger products. Classify each by risk tier. Assign a named risk owner to each high-risk system. Apply controls proportionate to the tier. Establish an AI committee with risk, compliance, technology, legal, and business representation. Train staff on appropriate AI use. Re-validate high-risk systems at least annually. None of this requires a large team or expensive technology. It requires a clear mandate.

Does the EU AI Act apply to CARICOM businesses?

It can. The EU AI Act applies extraterritorially to any organisation that places an AI system on the EU market or whose AI outputs affect persons in the EU. CARICOM businesses with European clients, European vendors, or European-resident users may fall within scope. Caribbean exporters, tourism operators with European visitors, and financial institutions with European correspondent relationships should assess their exposure and request conformity documentation from European AI vendors.

Which AI risk frameworks should Caribbean organisations follow?

The NIST AI Risk Management Framework provides a strong structural foundation. ISO/IEC 42001 sets a management system standard for AI. The OECD AI Principles offer high-level commitments. For CARICOM organisations, the practical approach is to use NIST as the structural backbone, align controls with the EU AI Act for high-risk systems, and overlay the specific obligations from local data protection legislation in each operating jurisdiction. The Caribbean AI Risk Management Council provides a regional adaptation of these frameworks built specifically for CARICOM operating realities.

How is AI bias tested in a Caribbean context?

AI bias testing involves comparing model outputs across demographic subgroups to identify systematic disparities. For Caribbean organisations, the critical step is testing on Caribbean data wherever possible, since most AI models were trained on US or European populations. At minimum, request bias testing documentation from vendors, define fairness metrics that match the regulated outcomes (loan approval rates, claim acceptance rates, fraud flagging rates), and test across demographic subgroups relevant to the local population. Repeat the testing periodically, since model performance and population characteristics both change over time.

What does the board need to know about AI risk?

The board needs a plain-language understanding of which AI systems are in use, what they do, who is accountable for each, what could go wrong, what controls are in place, and what would happen if a high-risk system failed. The board does not need technical depth. It needs sufficient clarity to ask good questions, challenge management, and approve the risk appetite that governs how AI is deployed.

What is shadow AI and why does it matter?

Shadow AI refers to the use of AI tools inside an organisation that have not been sanctioned, assessed, or recorded by governance functions. Employees using free-tier generative AI tools on personal accounts is the most common pattern. Shadow AI matters because confidential information may be sent to unauthorised systems, AI outputs may end up in regulated work without disclosure, and the organisation cannot govern what it cannot see. The mitigation is not prohibition. It is providing sanctioned, governed alternatives that meet the legitimate need that drove the shadow use.

Can AI be used in regulated decisions like credit, insurance, and AML?

Yes, with appropriate controls. AI can be used in regulated decisions across the Caribbean, but the human signatory remains responsible for the outcome, the decision must be explainable, the model must be validated, the data must be governed, and the use must be approved through the organisation's governance process. Regulators are paying increasing attention to these areas. AI deployment in regulated decisions without these controls is a regulatory finding waiting to happen.

How long does it take to build an AI risk management programme?

A baseline programme covering inventory, classification, governance, controls, and training can be implemented in a Caribbean organisation in three to six months. A mature programme, including local bias testing, formal model validation, vendor risk processes specifically tuned for AI, and board-level reporting, typically takes twelve to eighteen months to reach a steady state. The earlier the programme starts, the lower the cost of catching up to regulatory expectations as they tighten.

The Path Forward

AI risk is not a future problem in the Caribbean. It is a present condition. AI tools are inside the region's banks, insurers, utilities, hospitals, government agencies, hotels, factories, mines, energy operations, and small businesses. Many of those deployments are unmanaged. The question facing every CARICOM leader is not whether AI risk applies to their organisation. It is whether they will get ahead of it before a customer complaint, a regulatory inquiry, or a public failure forces the issue.

The risk profile is different in every CARICOM country, but the work is the same. Build the inventory. Classify by risk. Assign accountability. Apply controls proportionate to the tier. Test on local data. Train the humans. Monitor continuously. Re-validate regularly. None of this is exotic. All of it is overdue in many parts of the region.

The Caribbean AI Risk Management Council exists to support this work across the region, with a regional standard, certification programmes, and practical guidance built for CARICOM realities. Wherever your organisation is on the journey, the next step is the one that matters.

About the author: Adrian Dunkley is the President of the Caribbean AI Risk Management Council (CAIRMC), a regional body dedicated to advancing AI risk and governance practice across CARICOM. He works with banks, insurers, regulators, and government agencies across the region on AI risk and AI governance.

Geographic coverage: Caribbean Community (CARICOM), including Antigua and Barbuda, The Bahamas, Barbados, Belize, Dominica, Grenada, Guyana, Haiti, Jamaica, Montserrat, Saint Kitts and Nevis, Saint Lucia, Saint Vincent and the Grenadines, Suriname, and Trinidad and Tobago.

All Articles