Apart from enabling access for your collaborators, the AAI also has a role to play in protecting your collaboration and its data. "Bad things can happen to good science" (1), and while you may not think of it at first, the data, ways of working, and collections created in your collaboration are valuable and deserve protection. Identifying your 'primary assets' (or the 'crown jewels' of the collaboration, as MITRE would call them) helps you to identify where you need extra protections, and how to prevent deletion, changes, or loss of data ... and people. And protect your own peers in the collaboration: they should know how their name, email address, or roles that are used in the AAI are protected. And for some sensitive or high-profile research, also names and contact info needs to be protected!
There may also be legal and regulatory reasons to apply controls through your AAI. They can be in the research data itself, like medical and patient data, dual-use goods and knowledge, commercially confidential data, or ethical reasons on human research or in the Nagoya Protocol.
The challenge in risk management in AAI is to balance both aspects: enabling access and facilitating collaboration, making sure data and resources are available, as well as protecting the confidentiality and integrity of data, resources, and users. Finding out where that balance is means you have to know your primary assets: "why are we, the collaboration, infrastructure, or service, here"?
What should I think of when identifying primary assets?
They are not what you may think they are! Primary assets are not computing thing, nor even AAI things. It's your research data, research processes, and the people and their knowledge.
Once you know your primary assets, you can proceed with your risk assessment, identify any secondary (or supporting) assets like ICT services, storage systems, and the AAI platform, and conceive controls to address exposure and limit the impact of any risks you identify.