- The paper introduces an operationalization layer that transforms abstract AI risks into actionable, empirical audit findings.
- The paper details a four-layer architecture that separates risk concepts from mechanisms to ensure transparent, reproducible evaluations.
- The paper demonstrates interoperability with a concrete audit of PII leakage in LLMs using calibrated severity grades.
The Eticas AI Risk Taxonomy: Open Infrastructure for Operationalizing AI Audits
Motivation and Context
The proliferation of AI systems in high-stakes, regulated domains has highlighted the acute need for standardized, interoperable, and truly operational frameworks for risk assessment and audit. Existing risk taxonomies provide lengthy catalogs of risk concepts but lack pathways for translating these abstractions into actionable, empirical audits. Eticas' AI Risk Taxonomy v2.0.0 addresses this deficit, introducing an ontologically disciplined, open-core infrastructure designed to support and scale audit practice through formal separation of risks and mechanisms, multi-framework mapping, and calibrated operationalization. The taxonomy targets practitioners, regulators, and developers who require end-to-end traceability from regulatory obligation to empirical finding, rather than conceptual enumeration alone.
Operationalization Layer: From Risk Identification to Graded Findings
The operationalization layer represents the crucial methodological advancement in the taxonomy: it transforms named risks into reproducible audit findings, grounded in empirical measurement, severity calibration, and aggregation.
This process is illustrated concretely through an audit of PII leakage in LLMs, specifically GPT-4-0314, using DecodingTrust Privacy Scenario 2. The risk is mapped to seven major frameworks, demonstrating high interoperability at the conceptual level. The methodology distinguishes mechanisms of PII leakage, operationalizes disclosure and memorization separately, and assigns severity grades based not only on metric values but on their qualitative context (e.g., user-injected PII versus memorized training-corpus PII).
For the disclosure mechanism, disclosure rates under escalating adversarial conditioning are measured as 0%, 51%, and 84%, mapping to severities 1, 4, and 5, and aggregating to a subcategory grade of E with a SYSTEMIC pattern.
Figure 1: End-to-end operationalization of PII leakage risk through external framework mapping, mechanism decomposition, empirical testing on GPT-4-0314, and calibrated severity aggregation.
The methodology constrains aggregation to avoid flattening diagnostically significant variations and preserves worst-case signals over means. Distinct probe protocols and severity bands are methodologically justified and published as part of the open scaffold. This structure creates a transparent, reproducible pipeline from probe to grade, which is central for compliance defensibility in regulatory and audit contexts.
Architecture and Ontological Discipline
The taxonomy adheres to a four-layer methodological architecture:
- Layer 1: Conceptual infrastructure (taxonomy, grading schema, reporting format)—designed once, reused universally.
- Layer 2: Technology-specific operationalizations—metric definitions and severity calibrations, validated at the system-class level.
- Layer 3: Sector annexes—for sector-specific adaptations.
- Layer 4: Project-level instantiations—system-specific audits reusing upper layers.
Central to this architecture is the formal separation between risk concepts (abstract harms) and mechanisms (concrete modes of manifestation), which defines the "contract surface" for any operationalization. Auditors, tool developers, and regulatory bodies can build and interoperate atop the open taxonomy without the ambiguities endemic to other frameworks. Gaps are treated as explicit, visible "empty slots," supporting diagnostic transparency rather than silent omission.
Audit findings are authored in a canonical schema, containing probe definitions, metric values, severity assignments, subcategory grades, and traceable provenance. These records are rendered for diverse audiences without re-authoring, supporting both transparency and longitudinal comparability.
Taxonomy Structure, Publication, and Framework Alignment
The taxonomy’s hierarchy (10 categories, 20 sub-groups, 76 subcategories) is grounded in practitioner workflow constraints and empirical auditability. Categories selected balance the cognitive load of audit planning with sufficient granularity for protocol assignment. Each subcategory declares its mechanisms, system scope, lifecycle stage annotation, and carries explicit framework mappings (exact, close, broad matches) to 18 external frameworks in compliance, reference, and academic tiers.
Notably, agentic risk is elevated to a first-class category, reflecting the current governance gap as compliance-centered frameworks predate or mismatch agentic deployment paradigms. The taxonomy's open-core publication model exposes stable URIs, SKOS and JSON-LD distributions under CC BY 4.0, supporting direct consumption by audit tools, regulatory systems, or external operationalizations.
Comparative Positioning and Methodological Claims
In comparison to comprehensive but overly abstract resources like the MIT AI Risk Repository [Slattery et al., 2026], or process-centric frameworks such as NIST AI RMF and ISO/IEC 42001, the Eticas taxonomy prioritizes operational granularity, ontological clarity, and direct auditing use. Unlike model-safety benchmarks (e.g., AIR-Bench [Zeng et al., 2024]), Eticas explicitly encodes the audit pipeline from empirical probe to severity judgment, suitable for system-and-context risk evaluation demanded in regulatory assessments.
The designation of mechanisms as explicit operationalization targets enables cross-provider comparability and supports seamless integration with evolving policy, reference, and technical standards. Explicitly unaligned risks (e.g., intellectual property, as in NIST AI 600-1) are documented as named gaps, eschewing speculative or force-fit mappings.
Implications and Future Directions
Practically, this infrastructure offers regulators, auditors, and developers reliable, referenceable vocabulary with which to both plan and evaluate audits, and to justify findings in multi-framework contexts. The explicit, reproducible methodology supports defensibility and comparability—foundational requirements for credible AI risk management in high-stakes domains. The approach directly enables the design of audit tools, compliance reporting platforms, and even adaptive benchmark suites interoperable across jurisdictional divides.
Theoretically, separating abstraction and operationalization lays groundwork for transparent, extendable risk ontologies. The design encourages evolution: as regulatory directions, model capabilities, and deployment paradigms shift (notably in agentic and autonomous applications), the taxonomy and its mechanism-layer interface will support iterative enrichment without retrofitting.
As taxonomies mature across the AI landscape, this infrastructure-centric approach can drive convergence in methodology, if not in concept enumeration, and serve as a stable backbone for sectoral, national, and international audit standards. The explicit treatment of agentic AI also foregrounds areas of regulatory fragility, focusing attention on both immediate compliance supplementation and long-term governance innovation.
Conclusion
The Eticas AI Risk Taxonomy v2.0.0 offers an open, modular, and operationally validated infrastructure for AI auditing. Its end-to-end methodology, ontological rigor, and semantic publishing strategy together provide a scalable and interoperable foundation for empirical audit practice, regulatory compliance, and risk governance. Its inclusion of agentic AI as a first-class category both documents existing governance gaps and positions the taxonomy as a practical tool for the field's next phase. As audit practice, regulatory requirements, and AI deployment scenarios continue to co-evolve, the taxonomy is positioned for iterative extension, inviting interpretive and practical contributions from across the ecosystem.