About the register.

The Deployer AI Risk Register is an open-source AI risk register developed by MindXO: a canonical register of AI risks for organizations that deploy AI systems, consolidated from the MIT AI Risk Repository and gap-analysed against ISO/IEC 23894 and 42001, MITRE ATLAS, and the EU AI Act with the GPAI Code of Practice, then coverage-checked against the IBM, Cisco, NIST, and OWASP taxonomies.

It is written for organizations that deploy AI systems rather than build them. Each of the 82 canonical risks has a stable identifier (MR-001 to MR-082) and a permanent page; 12 of them carry 61 technique-level sub-risks anchored to MITRE ATLAS. The methodology documents how every risk earned its place, and the source and data are on GitHub.

Frequently asked questions

What is a deployer AI risk register?

A deployer AI risk register is a catalogue of the AI risks that fall on an organization which runs or deploys AI systems, rather than the lab that builds them. The Deployer AI Risk Register (DARR) is an open, free version: 82 canonical risks across seven families, each with a stable identifier and a permanent page.

How is deployer AI risk different from developer AI risk?

Developer risk sits with the organization that trains and ships a model, at the level of pre-training data, architecture, and alignment. Deployer risk sits with the organization that procures, configures, operates, and monitors an AI system in production. Developer-stage issues such as training-data bias are kept where they still surface for the deployer as unfair outputs; risks a deployer cannot observe or measure are set aside.

What AI risks apply to an organization that deploys AI?

The register sorts them into seven families: model and system behaviour; data, privacy and content liability; security and adversarial attack; third-party and supply chain; human and usage; governance and process; and regulatory compliance. In total there are 82 canonical risks, with 61 MITRE ATLAS-anchored sub-risks beneath the security-related ones.

How does the EU AI Act map to the register?

Deployer obligations in the EU AI Act (Regulation 2024/1689) and the GPAI Code of Practice were read backward into risks: 11 became dedicated compliance gap risks, and 36 risks in total carry EU article references. The EU AI Act crosswalk lists every mapping.

How does ISO/IEC 42001 map to the register?

ISO/IEC 42001 and 23894 management-system obligations were mapped the same way: 9 governance and lifecycle gaps were added, and 70 risks carry ISO clause references. The ISO/IEC 42001 crosswalk shows the item-level detail.

What is the MITRE ATLAS crosswalk?

MITRE ATLAS is an adversarial-technique taxonomy. The register decomposes 12 canonical security and misuse risks into 61 technique-level sub-risks anchored to MITRE ATLAS v5.6.0, and the reverse crosswalk maps all 170 ATLAS entries back to the register or records why they sit out of scope.

Is the register free to use, and how is it cited?

It is free and open under CC BY 4.0, for any use including commercial, with attribution. Cite it as: Deployer AI Risk Register, MindXO, version 1.0. The download page carries the plain-text and BibTeX citation and the full dataset.

How many AI risks does the register cover?

82 canonical risks and 61 MITRE ATLAS-anchored sub-risks, for 143 register rows across seven families, each consolidated from the MIT AI Risk Repository and cross-checked against ten external frameworks.

Versioning

This is a living register. This publication is version 1.0, 3 July 2026. Future versions will track new framework releases and register refinements; the changelog lives on this page.

  • 1.0 (3 July 2026): first public release. 82 canonical risks, 61 MITRE ATLAS-anchored sub-risks, 143 register rows.

Sources in this version

The exact editions this release was built and cross-checked against. When a source publishes a newer version, the difference becomes a candidate change for the next register release.

| Source | Version used | Role |
| --- | --- | --- |
| MIT AI Risk Repository | V4 (December 2025) | Foundation |
| ISO/IEC 23894 | 2023 | Source |
| ISO/IEC 42001 | 2023 | Source |
| MITRE ATLAS | v5.6.0 | Source |
| EU AI Act | Regulation (EU) 2024/1689 | Source |
| GPAI Code of Practice | Final (10 July 2025) | Source |
| IBM AI Risk Atlas | Accessed July 2026 | Cross-check |
| Cisco Integrated AI Security and Safety Framework | December 2025 | Cross-check |
| NIST AI 100-2 (Adversarial ML) | e2025 (March 2025) | Cross-check |
| NIST AI 600-1 (Generative AI Profile) | 2024 | Cross-check |
| OWASP Top 10 for LLM Applications | 2025 | Cross-check |
| OWASP Top 10 for Agentic Applications | 2026 | Cross-check |

Attribution and licensing

Deployer AI Risk Register is derived from the MIT AI Risk Repository (V4, December 2025), used under CC BY 4.0. It is an independent derivative work and is not endorsed by or affiliated with MIT. The security decomposition references MITRE ATLAS™ (v5.6.0). © 2021-2026 The MITRE Corporation; this work is reproduced and distributed with the permission of The MITRE Corporation, under the non-exclusive, royalty-free license granted in the MITRE ATLAS Terms of Use for research, development, and commercial purposes. MITRE ATLAS™ is a trademark of The MITRE Corporation; its use here does not imply MITRE's endorsement. ISO/IEC 23894:2023, ISO/IEC 42001:2023, the EU AI Act (Regulation (EU) 2024/1689), and the GPAI Code of Practice are referenced by clause, control, article, and commitment number only; no licensed or official text is reproduced. Coverage checks reference the IBM AI Risk Atlas and the Cisco AI Security Framework (Apache 2.0), NIST AI 100-2 and AI 600-1 (US public domain), and the OWASP Top 10 for LLM and for Agentic Applications (CC BY-SA 4.0).

The open dataset on this site is published under CC BY 4.0. Attribute it as described on the download page.

AI-assistance disclosure

The register was produced with AI assistance under human direction, with a documented human review of the register content. The methodology page describes the process, including the validation and review steps.

Contact

Corrections, questions, or mapping requests: contact MindXO, or open an issue on GitHub.

Terms of use

The register content is open under CC BY 4.0 (see Attribution and licensing): free to use, share, and adapt, including commercially, with attribution. The build scripts are MIT-licensed. The register and this site are provided as is, without warranty of any kind, and are general information, not legal, regulatory, or professional advice.

Privacy

This is a static site. It sets no cookies of its own, runs no analytics, and has no accounts, logins, or forms, so it collects no personal information. Web fonts are served from this site rather than a third party; source logos are fetched from Brandfetch when a page loads. The host, Netlify, keeps standard server access logs, including IP addresses, to operate and secure the site. Nothing else is tracked.
