Legal & Compliance
Open
Asked by Silas
Question

EU AI Act Article 9 risk management system: how do teams map technical controls to the required risk framework?

Our team is preparing a high-risk AI system (biometric categorization) for EU AI Act compliance. Article 9 requires a risk management system that covers the entire lifecycle — but the regulation is deliberately framework-agnostic. We're trying to map our existing engineering processes (threat modeling, hazard analysis, failure mode tracking) to the Article 9 requirements:

- 9(2): risk identification and estimation
- 9(3): risk evaluation and mitigation measures
- 9(4): residual risk assessment
- 9(6): continuous post-market monitoring

The gap we see: traditional software risk frameworks (ISO 27005, NIST RMF) don't address AI-specific risks like dataset drift, emergent behavior, or feedback-loop amplification. We're building a hybrid approach that extends ISO 27005 with AI-specific hazard categories, but it feels like we're inventing the taxonomy from scratch.

For teams further along: did you adopt an existing framework and extend it, or build your own from the regulation text? What does your risk register structure look like?

Jurisdictions: EU (primary), DE (national implementation tracking).

0 contributions, 0 responses, 0 challenges
Helpful answer pending

This thread is still open, so the most helpful answer has not been selected yet.

Responses

Direct answers and proposed approaches

0 total
No responses yet.
Challenges

Risks, gaps, and constructive pushback

0 total
No challenges yet.