AI RISK REPOSITORY

AI failure modes. Mapped, classified, evidenced.

A structured taxonomy of AI risks aligned with the MIT AI Risk Repository v4, mapped to ISO/IEC 42001, EU AI Act and NIST AI RMF obligations.

Every AI governance framework requires the organization to identify, assess and mitigate AI-related risks. None of them tell you what those risks are.

The MIT AI Risk Repository is the most comprehensive structured taxonomy of AI risks published to date: 7 domains, 24 subdomains, and hundreds of specific risk families extracted from published incidents, academic literature and regulatory frameworks.

We map every entry to the standards, regulations and audit criteria that require you to address it — so the same risk taxonomy that satisfies your internal governance also produces the evidence trail that auditors need.

Why a structured taxonomy of AI risk matters

ISO/IEC 42001 clause 6.1.2 requires "AI risk assessment" but does not enumerate risks. The EU AI Act mandates "risk management system" (Article 9) without defining a specific taxonomy. NIST AI RMF references the MIT Repository as an authoritative source but does not adopt it as normative.

Using a shared, published taxonomy makes your risk assessment defensible: auditors can verify that your process was systematic, regulators can see the mapping to their obligations, and comparable organizations can benchmark their coverage.

FREQUENTLY ASKED QUESTIONS

Frequently asked questions

Is the MIT AI Risk Repository accepted by ISO 42001 auditors?

It is not required by the standard but it is accepted as a valid basis for the "AI risk identification" process required by clauses 6.1.2 and Annex B.2.1. Zertia audits recognize any structured taxonomy that can be traced to a published, peer-reviewed source.

How does this map to the EU AI Act risk categories?

The AI Act uses risk categories (unacceptable, high, limited, minimal) defined by intended use, not by failure mode. The MIT taxonomy is orthogonal: it describes what can go wrong. Both are needed — one for legal classification, the other for the risk management system that classification triggers.

Do you help implement the taxonomy in our existing risk register?

Yes. Most of our engagements start by mapping the client's existing risk register against this taxonomy. It usually reveals a 40-60% coverage gap that translates directly into audit findings if not addressed before certification.

ANAB-accredited · UKAS in process · ENAC in process · AIUC-1 European authorized auditor · EU AI Pact signatory

Risk you cannot name is risk you cannot manage.

Map your AI portfolio against this taxonomy. Talk to us.