DARR
1 · Provenance

From the MIT AI Risk Repository to 82 risks.

Three filters cut 1,835 MIT AI Risk Repository entries (V4, 74 source frameworks) to 61 canonical risks; ISO, MITRE ATLAS, and the EU AI Act add 21 more. Ribbon width shows how many source entries fed each risk; colour marks the originating MIT domain.

Provenance funnel (figure). The MIT AI Risk Repository filtering funnel from 1,835 entries to 61 canonical risks, then an alluvial flow from the seven MIT domains into the register risks. Excluded and uncoded entries branch off to a grey stream; ISO, MITRE ATLAS and EU enter as separate inflows; and MITRE ATLAS additionally connects to the 12 risks it decomposes into 61 technique sub-risks.

Funnel:
1,835 discrete MIT risk entries
− 197 excluded: 1,638 pass Filter 1 (deployer relevance)
− 55 excluded: 1,583 pass Filter 2 (measurability)
61 canonical risks after Filter 3 (dedup)

MIT domains (source entries):
Discrimination: 224 entries
Privacy & sec.: 199 entries
Misinformation: 80 entries
Malicious use: 268 entries
HCI: 106 entries
Socioecon/env: 299 entries
Safety/fails: 421 entries
Uncoded (X): 238 entries

Separate inflows: ISO 23894/42001, MITRE ATLAS, EU AI Act + CoP.

Risk nodes: MR-001 to MR-061, Excluded / uncoded (413), MR-062 to MR-082.

Ribbon width = domain-coded MIT source entries. Colour = originating MIT domain. Grey = 413 excluded and uncoded entries (no MIT domain, not mapped to a risk). Dashed bronze = MITRE ATLAS decomposing 12 risks into 61 technique sub-risks.
2 · Structure

82 risks, seven families, enterprise risk domains.

The 82 canonical risks group into seven deployer families, each reconciled with an enterprise risk domain. The ribbons trace how many risks came from each MIT research domain into each family.

Sources flowing into the Deployer AI Risk Register (figure). Each source is a card on the left: the MIT AI Risk Repository with its seven research domains (steps 1 and 2), then the ISO, EU AI Act and MITRE ATLAS gap-analysis additions (step 3). Ribbons flow from every card into the register’s seven deployer-facing families on the right; bronze marks the MITRE ATLAS second tier of 61 technique sub-risks. Both sides balance at 143.

THE DEPLOYER AI RISK REGISTER: 82 canonical risks · 61 technique sub-risks · 7 deployer families

Sources, steps 1 and 2: MIT AI Risk Repository. 1,835 risk entries → three filters → 61 canonical risks. Counts = canonical risks per MIT risk domain:
1. Discrimination & Toxicity: 8
2. Privacy & Security: 11
3. Misinformation: 3
4. Malicious Actors & Misuse: 9
5. Human-Computer Interaction: 3
6. Socioeconomic and Environmental: 11
7. AI System Safety, Failures, & Limitations: 16

Sources, step 3: added by gap analysis:
ISO/IEC 23894 and 42001: 66 clauses and controls reviewed by hand. +9
EU AI Act and GPAI CoP: 21 deployer obligations extracted. +11
MITRE ATLAS: 170 techniques reviewed: 101 top-level, 69 sub-techniques. 40 of 101 are attack-chain context, recorded, not added. +1 canonical risk: the agentic gap. +61 technique sub-risks, a second tier under 12 security-family risks.

Deployer families (canonical risks, then technique sub-risks where present):
Model & system behaviour: 29, +5
Governance & process: 13
Regulatory compliance: 12
Human & usage: 10
Security & adversarial: 7, +43
Data, privacy & content liability: 6, +5
Third party & supply chain: 5, +8
Register tier Risk 82 Sub-risk 61
Ribbon width = risks. Colours trace the MIT research domains.
3 · Enrichment · security

Enriched with MITRE ATLAS: 12 risks into 61 sub-risks.

Twelve canonical risks are decomposed into technique-level sub-risks anchored to MITRE ATLAS v5.6.0. Each sub-risk on the right links to its entry on the parent risk page.

MITRE ATLAS security map (figure). The twelve canonical risks that carry MITRE ATLAS technique sub-risks, on the left, each connected to its technique-level sub-risks on the right.

MR-071 Autonomous agent hijacking and excessive-agency abuse (13 sub-risks)
  MR-071.1 AML.T0053 AI Agent Tool Invocation
  MR-071.2 AML.T0080 AI Agent Context Poisoning
  MR-071.3 AML.T0081 Modify AI Agent Configuration
  MR-071.4 AML.T0082 RAG Credential Harvesting
  MR-071.5 AML.T0083 Credentials from AI Agent Configuration
  MR-071.6 AML.T0086 Exfiltration via AI Agent Tool Invocation
  MR-071.7 AML.T0098 AI Agent Tool Credential Harvesting
  MR-071.8 AML.T0099 AI Agent Tool Data Poisoning
  MR-071.9 AML.T0100 AI Agent Clickbait
  MR-071.10 AML.T0101 Data Destruction via AI Agent Tool Invocation
  MR-071.11 AML.T0103 Deploy AI Agent
  MR-071.12 AML.T0108 AI Agent
  MR-071.13 AML.T0110 AI Agent Tool Poisoning

MR-010 Prompt injection and jailbreaking (10 sub-risks)
  MR-010.1 AML.T0051 LLM Prompt Injection
  MR-010.2 AML.T0054 LLM Jailbreak
  MR-010.3 AML.T0061 LLM Prompt Self-Replication
  MR-010.4 AML.T0067 LLM Trusted Output Components Manipulation
  MR-010.5 AML.T0068 LLM Prompt Obfuscation
  MR-010.6 AML.T0070 RAG Poisoning
  MR-010.7 AML.T0071 False RAG Entry Injection
  MR-010.8 AML.T0092 Manipulate User LLM Chat History
  MR-010.9 AML.T0093 Prompt Infiltration via Public-Facing Application
  MR-010.10 AML.T0094 Delay Execution of LLM Instructions

MR-015 Residual AI system security and availability weaknesses (9 sub-risks)
  MR-015.1 AML.T0012 Valid Accounts
  MR-015.2 AML.T0029 Denial of AI Service
  MR-015.3 AML.T0034 Cost Harvesting
  MR-015.4 AML.T0046 Spamming AI System with Chaff Data
  MR-015.5 AML.T0048 External Harms
  MR-015.6 AML.T0049 Exploit Public-Facing Application
  MR-015.7 AML.T0078 Drive-by Compromise
  MR-015.8 AML.T0105 Escape to Host
  MR-015.9 AML.T0112 Machine Compromise

MR-018 AI supply-chain and infrastructure vulnerabilities (8 sub-risks)
  MR-018.1 AML.T0010 AI Supply Chain Compromise
  MR-018.2 AML.T0058 Publish Poisoned Models
  MR-018.3 AML.T0060 Publish Hallucinated Entities
  MR-018.4 AML.T0074 Masquerading
  MR-018.5 AML.T0076 Corrupt AI Model
  MR-018.6 AML.T0104 Publish Poisoned AI Agent Tool
  MR-018.7 AML.T0109 AI Supply Chain Rug Pull
  MR-018.8 AML.T0111 AI Supply Chain Reputation Inflation

MR-012 Adversarial examples and evasion attacks (4 sub-risks)
  MR-012.1 AML.T0015 Evade AI Model
  MR-012.2 AML.T0031 Erode AI Model Integrity
  MR-012.3 AML.T0041 Physical Environment Access
  MR-012.4 AML.T0043 Craft Adversarial Data

MR-014 Data and model poisoning and backdoors (4 sub-risks)
  MR-014.1 AML.T0018 Manipulate AI Model
  MR-014.2 AML.T0019 Publish Poisoned Datasets
  MR-014.3 AML.T0020 Poison Training Data
  MR-014.4 AML.T0059 Erode Dataset Integrity

MR-009 Leakage of personal or sensitive data (3 sub-risks)
  MR-009.1 AML.T0057 LLM Data Leakage
  MR-009.2 AML.T0077 LLM Response Rendering
  MR-009.3 AML.T0085 Data from AI Services

MR-016 Model theft, extraction and weight leakage (3 sub-risks)
  MR-016.1 AML.T0024 Exfiltration via AI Inference API
  MR-016.2 AML.T0035 AI Artifact Collection
  MR-016.3 AML.T0044 Full AI Model Access

MR-013 Disclosure of confidential or proprietary information (2 sub-risks)
  MR-013.1 AML.T0025 Exfiltration via Cyber Means
  MR-013.2 AML.T0056 Extract LLM System Prompt

MR-028 AI-enabled fraud, scams and social engineering (2 sub-risks)
  MR-028.1 AML.T0011 User Execution
  MR-028.2 AML.T0052 Phishing

MR-031 Impersonation, deepfakes and synthetic media (2 sub-risks)
  MR-031.1 AML.T0073 Impersonation
  MR-031.2 AML.T0088 Generate Deepfakes

MR-027 AI-enabled cyberattacks and offensive cyber operations (1 sub-risk)
  MR-027.1 AML.T0102 Generate Malicious Commands
4 · Enrichment · standards & regulation

Enriched with ISO/IEC 23894 & 42001 and the EU AI Act.

Two management-system standards and the EU AI Act were read backward into the register: obligations the MIT-derived risks did not cover became gap risks, and the rest attached as clause and article references. The solid bar marks risks each source added; the lighter bar marks existing risks it references.

ISO/IEC 23894 & 42001
management-system standards
70 of 82 risks touched · governance, lifecycle, and supply-chain gaps
+9 gap risks
EU AI Act 2024/1689
regulation, with the GPAI Code of Practice
36 of 82 risks touched · compliance, transparency, and oversight gaps
+11 gap risks
Legend: solid bar = gap risks the source added; lighter bar = existing risks it references.
5 · Forward crosswalk

Crosswalk from the register out to 10 frameworks.

How many items in each external framework map to each risk, and to what: 674 item-level mappings across ISO/IEC 23894 and 42001, MITRE ATLAS, the EU AI Act, IBM, Cisco, NIST, and OWASP.

Legend: 1–2, 3–4, 5+ framework items mapped · 674 mappings across 531 items
Sources · contributed to the register
Cross-checks · mapped in to test coverage
Risk | ISO 23894 | ISO 42001 | EU AI Act | MITRE ATLAS | IBM | Cisco | NIST AML | NIST GenAI | OWASP LLM | OWASP Agentic | items
Model & system behaviour 29
MR-001 Biased or discriminatory outputs and decisions 1323110
MR-002 Stereotyping and representational harm 12216
MR-003 Toxic, hateful, or harassing content generation 2225112
MR-004 Violent or extremist content generation 12216
MR-005 Child sexual abuse material and child-safety harm 12115
MR-006 Disparate performance across groups and languages 2215
MR-007 Self-harm, suicide and dangerous-behavior promotion 111115
MR-008 Sexual content and non-consensual intimate imagery 12115
MR-019 Insecure or vulnerable code generation 11114
MR-021 Hallucination and fabricated output 2221119
MR-022 Unsafe or incorrect advice in high-stakes domains 22138
MR-023 Contribution to misinformation and information-ecosystem degradation 12115
MR-025 Overconfidence, sycophancy and poor calibration 213
MR-026 Disinformation and influence operations 121217
MR-027 AI-enabled cyberattacks and offensive cyber operations 111216
MR-028 AI-enabled fraud, scams and social engineering 118313
MR-029 Facilitation of weapons, CBRN and serious physical harm (capability uplift) 12115
MR-031 Impersonation, deepfakes and synthetic media 21121119
MR-049 Physical safety harm and accidents 123
MR-050 Inaccuracy and poor predictive performance 22116
MR-051 Ethical or value misalignment in outputs and decisions 1214
MR-052 Emergent dangerous capabilities 2114
MR-053 Goal misspecification, specification gaming and reward hacking 112
MR-055 Lack of explainability and interpretability 123511
MR-056 Lack of robustness to distribution shift and edge cases 11114
MR-057 Multi-agent interaction risks 2125
MR-058 Model performance drift and degradation over time 2114
MR-059 Poor data quality and representativeness 122510
MR-061 Over-refusal and excessive safety filtering 112
Data, privacy & content liability 6
MR-009 Leakage of personal or sensitive data 1352351222
MR-011 Unlawful or non-consensual collection and processing of personal data 1226112
MR-013 Disclosure of confidential or proprietary information 222661221
MR-017 Privacy-invasive inference and re-identification 12324113
MR-024 Defamation and false statements about people 112
MR-039 Intellectual property and copyright infringement 12231110
Security & adversarial 7
MR-010 Prompt injection and jailbreaking 121491952254
MR-012 Adversarial examples and evasion attacks 21917323
MR-014 Data and model poisoning and backdoors 1271610128
MR-015 Residual AI system security and availability weaknesses 1221912211242
MR-016 Model theft, extraction and weight leakage 116132115
MR-020 Insecure integration with external tools, plugins and APIs 121412112
MR-071 Autonomous agent hijacking and excessive-agency abuse 1521811845
Third party & supply chain 5
MR-018 AI supply-chain and infrastructure vulnerabilities 121143221127
MR-044 Exploitative labor in the AI supply chain 112
MR-047 Vendor/model concentration, monoculture and correlated failure 1113
MR-064 Embedded AI introduced through procurement 213
MR-065 Vendor model version churn and undisclosed updates 224
Human & usage 10
MR-030 Manipulation, persuasion and dark patterns 12216
MR-032 Deliberate misuse and repurposing for harm 221319
MR-033 Mass surveillance and censorship enablement 12317
MR-034 Overreliance and automation bias 2121118
MR-035 Erosion of human agency and autonomy 11215
MR-036 Anthropomorphism, emotional dependence and psychological harm 121116
MR-038 Workforce displacement and job-quality decline 123
MR-041 Academic and professional dishonesty 1124
MR-048 AI competence and skills gaps in the organization 12115
MR-060 Use outside intended scope 12126
Governance & process 13
MR-037 Environmental footprint of AI 11316
MR-042 Unclear accountability and responsibility for AI decisions 1225
MR-043 Inadequate AI governance and oversight processes 16119
MR-045 Insufficient documentation, transparency and data provenance 1526115
MR-046 Inadequate evaluation, testing and benchmarking 113510
MR-054 Loss of meaningful human oversight and control 1225
MR-062 Shadow AI and unsanctioned use of AI tools 22
MR-063 AI inventory blind spots 224
MR-066 Change deployed without revalidation 213
MR-067 Absence of AI impact assessment 2114
MR-068 Inadequate AI incident response and communication 347
MR-069 Inadequate logging, record-keeping and traceability 123
MR-070 Inadequate AI decommissioning and retirement 22
Regulatory compliance 12
MR-040 Regulatory non-compliance and legal liability 13217
MR-072 Failure to conduct a fundamental rights impact assessment 11
MR-073 Failure to inform workers before workplace deployment 11
MR-074 Failure to register a high-risk system or verify its registration 33
MR-075 Failure to inform individuals subject to high-risk AI decisions 11
MR-076 Failure to monitor operation and meet incident-reporting and suspension duties 33
MR-077 Deploying or repurposing a system into a prohibited practice 11
MR-078 Failure to meet AI transparency and disclosure obligations 213
MR-079 Non-compliance with the AI literacy obligation 11
MR-080 Provider fails to supply adequate GPAI model documentation 11
MR-081 Provider's inadequate copyright compliance exposes the deployer to IP liability 11
MR-082 Provider's inadequate systemic-risk safety and security management, with no deployer visibility 11
6 · Reverse crosswalk

Every framework entry, mapped to the register.

The visualizations above read the register outward. This reads it inward: for each entry in a source framework, the canonical risk or risks it corresponds to, or the reason it falls outside a deployer risk register. 531 entries across ten frameworks.

Mapped: the entry corresponds to one or more canonical risks.
Out of scope: the entry is accounted for but sits outside the register, with the reason in the note (mostly MITRE ATLAS attack-chain context).
Confidence: an indicative grade of the match: Clear, Partial, or Weak.

Part of the Deployer AI Risk Register, an open-source resource developed by MindXO. Version 1.0, 3 July 2026. Derived from the MIT AI Risk Repository (V4, December 2025) under CC BY 4.0; an independent derivative work, not endorsed by or affiliated with MIT. Sub-risk decomposition references MITRE ATLAS™ v5.6.0 (© 2021-2026 The MITRE Corporation, reproduced and distributed with permission). ISO/IEC and EU AI Act references are by number only. License: CC BY 4.0.