Papers
Topics
Authors
Recent
Search
2000 character limit reached

The Eticas AI Risk Taxonomy: Open Infrastructure for Operationalizing AI Audits

Published 2 Jul 2026 in cs.CY and cs.AI | (2607.02201v1)

Abstract: The rapid deployment of AI systems across high-stakes domains has created urgent demand for standardized evaluation, yet the field remains fragmented across competing risk taxonomies that catalog risks without showing how an audit is executed. At least 74 AI risk taxonomies exist, and almost all stop at the catalog. The hard part of auditing is not naming a risk but operationalizing it: turning it into a test run against a real system, a measured value, a calibrated severity, and a defensible grade. This paper leads with that bridge. We present the operationalization layer Eticas has built and run, shown end to end on a single risk (PII leakage) against a public benchmark, and then the open taxonomy that makes the method scale. On GPT-4-0314, a disclosure risk that seven external frameworks require be controlled is measured at 0%, 51%, and 84% disclosure as adversarial conditioning increases, mapping through calibrated severity bands to a subcategory grade of E with a SYSTEMIC pattern. Around this example, the Eticas AI Risk Taxonomy v2.0.0 organizes 76 active subcategories across 10 categories and 20 sub-groups, with mappings to 18 external frameworks across compliance, reference, and academic tiers. Its category and sub-group layer is published under CC BY 4.0 as open semantic infrastructure with stable URIs and SKOS/JSON-LD distributions, and a worked subcategory example shows the operational layer down to its severity thresholds. The contribution is the demonstrated bridge from concept to graded finding, anchored by a clean separation of risks from the mechanisms by which they surface, and framed by an open-core model in which the conceptual scaffold is open and the methodology calibration is the practitioner layer. This is the infrastructure the AI auditing field needs: shared, open, and demonstrably operable.

Summary

  • The paper introduces an operationalization layer that transforms abstract AI risks into actionable, empirical audit findings.
  • The paper details a four-layer architecture that separates risk concepts from mechanisms to ensure transparent, reproducible evaluations.
  • The paper demonstrates interoperability with a concrete audit of PII leakage in LLMs using calibrated severity grades.

The Eticas AI Risk Taxonomy: Open Infrastructure for Operationalizing AI Audits

Motivation and Context

The proliferation of AI systems in high-stakes, regulated domains has highlighted the acute need for standardized, interoperable, and truly operational frameworks for risk assessment and audit. Existing risk taxonomies provide lengthy catalogs of risk concepts but lack pathways for translating these abstractions into actionable, empirical audits. Eticas' AI Risk Taxonomy v2.0.0 addresses this deficit, introducing an ontologically disciplined, open-core infrastructure designed to support and scale audit practice through formal separation of risks and mechanisms, multi-framework mapping, and calibrated operationalization. The taxonomy targets practitioners, regulators, and developers who require end-to-end traceability from regulatory obligation to empirical finding, rather than conceptual enumeration alone.

Operationalization Layer: From Risk Identification to Graded Findings

The operationalization layer represents the crucial methodological advancement in the taxonomy: it transforms named risks into reproducible audit findings, grounded in empirical measurement, severity calibration, and aggregation.

This process is illustrated concretely through an audit of PII leakage in LLMs, specifically GPT-4-0314, using DecodingTrust Privacy Scenario 2. The risk is mapped to seven major frameworks, demonstrating high interoperability at the conceptual level. The methodology distinguishes mechanisms of PII leakage, operationalizes disclosure and memorization separately, and assigns severity grades based not only on metric values but on their qualitative context (e.g., user-injected PII versus memorized training-corpus PII).

For the disclosure mechanism, disclosure rates under escalating adversarial conditioning are measured as 0%, 51%, and 84%, mapping to severities 1, 4, and 5, and aggregating to a subcategory grade of E with a SYSTEMIC pattern. Figure 1

Figure 1: End-to-end operationalization of PII leakage risk through external framework mapping, mechanism decomposition, empirical testing on GPT-4-0314, and calibrated severity aggregation.

The methodology constrains aggregation to avoid flattening diagnostically significant variations and preserves worst-case signals over means. Distinct probe protocols and severity bands are methodologically justified and published as part of the open scaffold. This structure creates a transparent, reproducible pipeline from probe to grade, which is central for compliance defensibility in regulatory and audit contexts.

Architecture and Ontological Discipline

The taxonomy adheres to a four-layer methodological architecture:

  • Layer 1: Conceptual infrastructure (taxonomy, grading schema, reporting format)—designed once, reused universally.
  • Layer 2: Technology-specific operationalizations—metric definitions and severity calibrations, validated at the system-class level.
  • Layer 3: Sector annexes—for sector-specific adaptations.
  • Layer 4: Project-level instantiations—system-specific audits reusing upper layers.

Central to this architecture is the formal separation between risk concepts (abstract harms) and mechanisms (concrete modes of manifestation), which defines the "contract surface" for any operationalization. Auditors, tool developers, and regulatory bodies can build and interoperate atop the open taxonomy without the ambiguities endemic to other frameworks. Gaps are treated as explicit, visible "empty slots," supporting diagnostic transparency rather than silent omission.

Audit findings are authored in a canonical schema, containing probe definitions, metric values, severity assignments, subcategory grades, and traceable provenance. These records are rendered for diverse audiences without re-authoring, supporting both transparency and longitudinal comparability.

Taxonomy Structure, Publication, and Framework Alignment

The taxonomy’s hierarchy (10 categories, 20 sub-groups, 76 subcategories) is grounded in practitioner workflow constraints and empirical auditability. Categories selected balance the cognitive load of audit planning with sufficient granularity for protocol assignment. Each subcategory declares its mechanisms, system scope, lifecycle stage annotation, and carries explicit framework mappings (exact, close, broad matches) to 18 external frameworks in compliance, reference, and academic tiers.

Notably, agentic risk is elevated to a first-class category, reflecting the current governance gap as compliance-centered frameworks predate or mismatch agentic deployment paradigms. The taxonomy's open-core publication model exposes stable URIs, SKOS and JSON-LD distributions under CC BY 4.0, supporting direct consumption by audit tools, regulatory systems, or external operationalizations.

Comparative Positioning and Methodological Claims

In comparison to comprehensive but overly abstract resources like the MIT AI Risk Repository [Slattery et al., 2026], or process-centric frameworks such as NIST AI RMF and ISO/IEC 42001, the Eticas taxonomy prioritizes operational granularity, ontological clarity, and direct auditing use. Unlike model-safety benchmarks (e.g., AIR-Bench [Zeng et al., 2024]), Eticas explicitly encodes the audit pipeline from empirical probe to severity judgment, suitable for system-and-context risk evaluation demanded in regulatory assessments.

The designation of mechanisms as explicit operationalization targets enables cross-provider comparability and supports seamless integration with evolving policy, reference, and technical standards. Explicitly unaligned risks (e.g., intellectual property, as in NIST AI 600-1) are documented as named gaps, eschewing speculative or force-fit mappings.

Implications and Future Directions

Practically, this infrastructure offers regulators, auditors, and developers reliable, referenceable vocabulary with which to both plan and evaluate audits, and to justify findings in multi-framework contexts. The explicit, reproducible methodology supports defensibility and comparability—foundational requirements for credible AI risk management in high-stakes domains. The approach directly enables the design of audit tools, compliance reporting platforms, and even adaptive benchmark suites interoperable across jurisdictional divides.

Theoretically, separating abstraction and operationalization lays groundwork for transparent, extendable risk ontologies. The design encourages evolution: as regulatory directions, model capabilities, and deployment paradigms shift (notably in agentic and autonomous applications), the taxonomy and its mechanism-layer interface will support iterative enrichment without retrofitting.

As taxonomies mature across the AI landscape, this infrastructure-centric approach can drive convergence in methodology, if not in concept enumeration, and serve as a stable backbone for sectoral, national, and international audit standards. The explicit treatment of agentic AI also foregrounds areas of regulatory fragility, focusing attention on both immediate compliance supplementation and long-term governance innovation.

Conclusion

The Eticas AI Risk Taxonomy v2.0.0 offers an open, modular, and operationally validated infrastructure for AI auditing. Its end-to-end methodology, ontological rigor, and semantic publishing strategy together provide a scalable and interoperable foundation for empirical audit practice, regulatory compliance, and risk governance. Its inclusion of agentic AI as a first-class category both documents existing governance gaps and positions the taxonomy as a practical tool for the field's next phase. As audit practice, regulatory requirements, and AI deployment scenarios continue to co-evolve, the taxonomy is positioned for iterative extension, inviting interpretive and practical contributions from across the ecosystem.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 0 likes about this paper.