u/Typical-Look-1331

Launching a community to maintain and expand an open-source AI Risk Register for organizations deploying AI. Contributors welcome.

Launching a community to maintain and expand an open-source AI Risk Register for organizations deploying AI. Contributors welcome.

Organizations deploying AI still lack a shared, vendor-agnostic, enterprise-level AI risk taxonomy.

Most existing AI risk taxonomies are either written for model developers, focused on frontier AI labs, or structured as academic catalogs. The MIT AI Risk Repository, for example, is very useful, but it contains 1,835 entries across 74 source documents, which makes it hard to use directly inside an enterprise process.

So I started an open-source attempt at a deployer-side AI risk register.

The goal is to consolidate AI deployment risks into a practical taxonomy that organizations can use as basis to build their AI risk register.

What is already built:

- 82 canonical risks across 7 families, each mapped to an enterprise risk domain.
- 61 MITRE ATLAS-anchored sub-risks for the AI security tier.
- Mappings to ISO/IEC 42001, ISO/IEC 23894, the EU AI Act, and MITRE ATLAS.
1 Crosswalks to the IBM AI Risk Atlas, Cisco AI Security Framework, OWASP Top 10, NIST AI 100-2 on adversarial machine learning, and NIST AI 600-1 on the GenAI profile.

Where the community could help:

-Mapping review: governance, risk, security, audit, legal, and assurance practitioners to sanity-check the crosswalks.
-New frameworks: CSA AICM, AI Verify, sector-specific regulations, regional guidance, and other sources not yet covered.
-Maintenance: keeping the register current as MIT, ISO, OWASP, NIST, and other sources evolve.
-Tooling and adoption: wiring stable risk IDs into scanners, evals, GRC tools, model inventories, red-team workflows, or audit evidence libraries.

Link to live register: https://www.airiskdeployer.org/

u/Typical-Look-1331 — 17 hours ago
▲ 8 r/grc

How do you assess AI risks and set risks tolerance/ KRI/ KCI in your org?

Asking because there aren’t many references and recognized guidance on this topic. I’d like to better understand how GRC teams tackle this.

Most AI governance framework stop at the policy levels or give operational controls to put in place for developers of AI, not for organizations deploying AI in their operations and business processes. From an AI governance perpective, new risks should be identified, and residual risks maintained within risk tolerance. So my questions are:

1- what risk taxonomy do you use?
2- how do you set risk tolerance, KRI and KCI in practice?

Thanks a lot for sharing your feedback!

reddit.com
u/Typical-Look-1331 — 18 days ago
▲ 52 r/grc+1 crossposts

I mapped 50+ AI governance, security & safety frameworks into a GRC structure (interactive navigator)

The AI governance landscape is a mess of scattered documents. NIST, ISO, OWASP, MITRE, the EU AI Act, plus a pile of vendor frameworks, all published by different bodies, with no shared structure for figuring out which ones actually apply to your role or where they overlap.

So I built a navigator that organizes 51 of them inside one GRC structure: from organizational objectives (ORG) down through Governance, Risk, and Compliance layers. A few things it lets you do:

- Filter by role. CRO, CISO, CGRCO, CDO, CAIO, MLOps, AI Red Team. Pick yours and the matrix narrows to what’s relevant.
- Compare across four domains. General, Security, Safety, and Ethics get separate columns (security and safety are genuinely different disciplines and I didn’t want to collapse them).
- Trace cross-references. Click any framework to see what it covers, who published it, and how it connects to related docs.
- Filter by source. NIST AI, ISO/IEC, security/threat intel, vendor, regulatory, responsible AI/ethics.

It also flags where the landscape falls short. Quantitative risk measurement, deployment-specific risk translation (RAG/agentic/copilot), and continuous assurance are all underserved across the standards out there right now.

It’s a living reference, updated as new docs drop (latest entries include OWASP Top 10 for Agentic Apps 2026, the CISA/G7 AI SBOM guidance, and IMDA Singapore’s agentic AI framework).

Link: https://www.mind-xo.com/ai-governance-framework-navigator/

u/Typical-Look-1331 — 19 days ago