DARR
MR-082 Regulatory compliance Both scope

Provider's inadequate systemic-risk safety and security management, with no deployer visibility

The provider of a systemic-risk GPAI model does not adequately identify, analyze, and mitigate model-level safety and security risks, evaluate the model, secure its weights, or report incidents, and the deployer has no visibility into whether this was done.

Risk family: Regulatory compliance
MIT domain: n/a (EU-derived)
MIT subdomain: n/a
AI type: GPAI, Agentic
Scope: Both
Source standard: GPAI Code of Practice 2025 (gap analysis)

Provenance

Source standard: GPAI Code of Practice 2025 (gap analysis)
Source frameworks: GPAI Code of Practice 2025
GPAI Code of Practice: GPAI Code of Practice, Safety and Security Chapter, Commitments 1-10
Nearest MIT-derived risk: MR-065 Vendor churn / MR-052 Emergent dangerous capabilities / MR-046 Inadequate evaluation (deployer-side; not the provider safety-assurance dependency).

Framework crosswalk

Every framework item mapped to this risk. Items marked partial overlap only in part.

Sources: frameworks that contributed to the register
EU AI Act (1)
  • CoP: GPAI Code of Practice, Safety and Security Chapter, Commitments 1-10

Part of the Deployer AI Risk Register, an open-source resource developed by MindXO. Version 1.0, 3 July 2026. Derived from the MIT AI Risk Repository (V4, December 2025) under CC BY 4.0; an independent derivative work, not endorsed by or affiliated with MIT. Sub-risk decomposition references MITRE ATLAS™ v5.6.0 (© 2021-2026 The MITRE Corporation, reproduced and distributed with permission). ISO/IEC and EU AI Act references are by number only. License: CC BY 4.0. Full attribution and licensing.