AI Model Risk Catalog
- AI model risk catalogs are structured systems that classify and organize risks in AI model development and deployment.
- They integrate frameworks from developer disclosures, researcher taxonomies, and incident reports to harmonize risk evaluations.
- Recent catalogs evolve from descriptive taxonomies to operational tools with measurable metrics, audit readiness, and mitigation mapping.
Searching arXiv for the cited papers and closely related risk-catalog frameworks to ground the article in current literature. AI model risk catalogs are structured systems for naming, organizing, comparing, and operationalizing the risks associated with AI models and AI-enabled systems across development, deployment, and governance contexts. In the recent literature, the term spans several partially overlapping artifacts: taxonomies of harms, incident-grounded repositories, disclosure templates, internal-use reporting frameworks, scoring systems, audit ontologies, and mitigation taxonomies. A central motivation is that risk discussion has been fragmented across developers, researchers, auditors, regulators, and incident trackers, producing inconsistent terminology and uneven coverage. Recent work therefore converges on catalog-style representations that classify risks by domain, causal structure, lifecycle stage, operational threat vector, or mitigation type, and that support reporting, evaluation, and governance workflows (Rao et al., 21 Aug 2025, Slattery et al., 2024, Bagehorn et al., 26 Feb 2025).
1. Concept and scope
An AI model risk catalog is not a single standardized artifact. In the literature, it appears at least in five forms. First, there are domain taxonomies that classify harms into stable top-level categories such as discrimination, privacy, misuse, misinformation, overreliance, socioeconomic harms, and system safety (Slattery et al., 2024). Second, there are developer-facing catalogs extracted from model documentation, intended to improve model cards and related disclosures (Rao et al., 21 Aug 2025). Third, there are operational risk frameworks that score vulnerabilities, assign tiers, or connect catalog entries to audits and control workflows (Muhammad et al., 24 Aug 2025, Clavell et al., 2 Jul 2026). Fourth, there are internal deployment reporting schemas focused on frontier developers’ own use of unreleased models (Delaney et al., 27 Apr 2026). Fifth, there are mitigation catalogs that organize countermeasures rather than harms, allowing risks to be linked to governance, technical, operational, and transparency controls (Saeri et al., 12 Dec 2025).
A common thread is the attempt to provide a “common frame of reference” or interoperable scaffold for risk identification and management (Slattery et al., 2024, Saeri et al., 12 Dec 2025). The AI Risk Repository constructs a living database of 777 risks extracted from 43 taxonomies and classifies them with a high-level Causal Taxonomy and a mid-level Domain Taxonomy (Slattery et al., 2024). The AI Model Risk Catalog derived from Hugging Face model cards instead begins from developer-authored risk statements and compares them with researcher taxonomies and real-world incidents (Rao et al., 21 Aug 2025). Risk Atlas, AIR 2024, and similar efforts further expand the catalog concept into ontology- and policy-oriented structures (Bagehorn et al., 26 Feb 2025, Zeng et al., 2024).
This plurality matters because “risk” is represented at different levels of abstraction. Some frameworks catalog harms such as “Fraud, scams, and targeted manipulation” or “Lack of capability or robustness” (Slattery et al., 2024). Others catalog failure modes such as “Prompt Injection / Prompt Manipulation,” “Deployment Drift,” or “Model Release / IP Leakage” (Muhammad et al., 24 Aug 2025). Others still catalog audit targets such as “pii-leakage” with explicit probes, metrics, severity bands, and grades (Clavell et al., 2 Jul 2026). A plausible implication is that AI model risk catalogs are evolving from descriptive taxonomies toward executable governance infrastructure.
2. Core taxonomic architectures
Several taxonomic backbones recur across the literature, but they emphasize different organizing principles.
The AI Risk Repository defines a high-level Causal Taxonomy in which every risk is classified by Entity, Intentionality, and Timing:
Its Domain Taxonomy uses seven domains and 23 subdomains: Discrimination & toxicity; Privacy & security; Misinformation; Malicious actors & misuse; Human-computer interaction; Socioeconomic & environmental; and AI system safety, failures, & limitations (Slattery et al., 2024). This structure is directly reused by the AI Model Risk Catalog study comparing model cards, repository risks, and incidents (Rao et al., 21 Aug 2025).
By contrast, AIR 2024 uses a four-tier hierarchy with four top-level categories: System & Operational Risks, Content Safety Risks, Societal Risks, and Legal & Rights Risks, organized into 16 families, 45 subfamilies, and 314 leaf nodes (Zeng et al., 2024). Risk Atlas organizes “DefinitionBoxes” under four lifecycle-oriented types—Training-Data Risks, Inference-Time Risks, Output-Quality & Content Risks, and Non-Technical & Governance Risks—and annotates each item with a “Descriptor” of “traditional,” “amplified,” or “specific” (Bagehorn et al., 26 Feb 2025).
The “AI Risk Spectrum” paper proposes a different organizing logic around three causal categories: misuse risks, misalignment risks, and systemic risks, plus risk amplifiers including competitive pressures, accidents, corporate indifference, and coordination failures (Grey et al., 19 Aug 2025). Misuse risks include creating bioweapons, launching cyberattacks, adversarial AI attacks or deploying lethal autonomous weapons. Misalignment risks include specification gaming, scheming and power-seeking tendencies. Systemic risks include concentrating power, accelerating political and economic disempowerment, creating overdependence that leads to human enfeeblement, or irreversibly locking in current values (Grey et al., 19 Aug 2025).
These architectures are not identical, but they overlap substantially. Misuse in the spectrum view corresponds closely to malicious actors & misuse in the repository and to multiple AIR 2024 families under deception, political usage, and criminal activities (Slattery et al., 2024, Zeng et al., 2024). Human agency and overreliance recur in the repository, Risk Atlas, and the spectrum paper’s systemic category (Slattery et al., 2024, Bagehorn et al., 26 Feb 2025, Grey et al., 19 Aug 2025). This suggests that the field is converging on a shared set of risk surfaces, while diverging on whether the primary axis should be causal mechanism, harm domain, lifecycle location, or governance use case.
3. Empirical catalogs from model cards, repositories, and incidents
A major empirical contribution comes from the AI Model Risk Catalog study, which analyzed nearly 460,000 AI model cards from Hugging Face (Rao et al., 21 Aug 2025). In July 2024, the authors downloaded a snapshot of model repositories, of which approximately contained model cards. They identified cards with risk-related text, noted that 96% were exact duplicates of risk sections, and reduced the corpus to unique cards by choosing the most-downloaded version in each duplicate group. After extraction, standardization, near-duplicate merging, and manual pruning, the final catalog size was risk mentions (Rao et al., 21 Aug 2025).
The extraction pipeline used GPT-4o in zero-temperature mode to locate and extract distinct “verb–object” risk mentions. On 10% held-out cards, zero-shot extraction achieved 90% agreement with human annotations over a 50-card sample. Classification into the MIT Risk Repository taxonomy and the DeepMind taxonomy used three prompts per mention with majority voting and achieved accuracy = 83% and macro-F1 = 81% on a 50-item test set (Rao et al., 21 Aug 2025).
The most consequential result is the divergence between developer-reported risks, researcher taxonomies, and incident distributions. Developers concentrated on Discrimination & Toxicity and AI System Safety, while underrepresenting misuse, privacy, overreliance, and socioeconomic harms (Rao et al., 21 Aug 2025). The paper reports:
- , ,
- 0, 1, 2
- 3, 4, 5
- 6, 7, 8
- 9, 0, 1 (Rao et al., 21 Aug 2025).
The paper highlights 2 with 95% CI 3 as a marked developer blind spot on malicious use (Rao et al., 21 Aug 2025). It also reports that model cards with risk sections fell from 17% in 2022 to 14% in 2024, and that unique risk content remains less than 1% of all cards (Rao et al., 21 Aug 2025). RiskRAG reports the same structural pattern: only 14% of model cards mention risks, and 96% copy content from a small set of cards (Rao et al., 11 Apr 2025).
This empirical literature thus distinguishes between three evidentiary sources for catalog construction: developer disclosures, researcher taxonomies, and incident logs. The recommendation to require reference to all three sources in impact assessments under the EU AI Act or NIST AI RMF follows directly from that triangulation (Rao et al., 21 Aug 2025).
4. From catalog entries to reporting artifacts
A risk catalog becomes operational when it structures reporting. The pre-deployment “AI Risk Profiles” proposal organizes disclosures around nine categories: Abuse & Misuse, Compliance, Societal Impact (including Environmental), Explainability & Transparency, Fairness & Bias, Long-Term & Existential Risk, Performance & Robustness, Privacy, and Security (Sherman et al., 2023). The template includes a cover and executive summary, system description and context, risk and mitigation analysis for each category, evaluations and benchmarks, and a compliance and certifications checklist (Sherman et al., 2023). The paper explicitly frames the profile as a template-based methodology for triaging further risk assessment, informing procurement and deployment, and directing regulatory frameworks (Sherman et al., 2023).
RiskRAG extends this reporting logic with a Retrieval Augmented Generation workflow. Its five design requirements are: identification of diverse model-specific risks; clear presentation and prioritization; contextualization for real-world use cases; actionable mitigation strategies; and system usability by developers (Rao et al., 11 Apr 2025). It retrieves top-4 similar model-card sections and top-5 incident descriptions using cosine similarity over Linq-Embed-Mistral embeddings,
6
then generates risks, use cases, and mitigations and assigns a priority score
7
with typical weights 8, 9 (Rao et al., 11 Apr 2025). In a preliminary user study with 50 AI developers, the paper reports improvements on AIMQ scale dimensions including R1 coverage from 3.40 to 4.46 and R4 mitigations from 3.08 to 4.08, with 74% favoring RiskRAG (Rao et al., 11 Apr 2025).
Internal deployment introduces a more specific reporting problem. “Risk Reporting for Developers’ Internal AI Model Use” focuses on the period in which frontier models are deployed internally for safety testing, evaluation, and iteration before possible release (Delaney et al., 27 Apr 2026). The framework is structured around two threat vectors—autonomous AI misbehavior and insider threats—and three risk factors for each: means, motive, and opportunity (Delaney et al., 27 Apr 2026). This yields six risk categories, each with scenarios, metrics, and safeguards. For example, autonomous AI misbehavior–means includes “Steganographic exfiltration success rate (0)” and
1
while autonomous AI misbehavior–opportunity includes Mean Time To Detect and
2
(Delaney et al., 27 Apr 2026). The paper also provides a standardized internal use risk report template with sections for executive summary, model description, threat vectors, risk factor analysis, metrics dashboard, safeguards and residual risk, regulatory mapping, and a confidential annex (Delaney et al., 27 Apr 2026).
Together, these frameworks show that the catalog is increasingly treated as the data model behind disclosure. A plausible implication is that the future standard artifact is neither the traditional model card nor the pure taxonomy, but a structured report whose fields are populated from catalogs, incidents, benchmarks, and mitigation registries.
5. Operationalization, scoring, and audit execution
A defining development in recent work is the shift from cataloging risks to turning them into measurable findings.
CORTEX presents a five-layer scoring architecture over 29 technical vulnerability groups derived from over 1,200 incidents in the AI Incident Database (Muhammad et al., 24 Aug 2025). It combines utility-transformed likelihood × impact, contextual and governance modifiers, technical surface modifiers, environmental and residual modifiers, and probabilistic modeling via Bayesian aggregation and Monte Carlo simulation (Muhammad et al., 24 Aug 2025). The utility function is
3
and the final composite score is
4
subject to
5
Default weights are 6, 7, 8, 9, 0, 1 (Muhammad et al., 24 Aug 2025). The resulting score is mapped into five tiers from Minimal to Critical (Muhammad et al., 24 Aug 2025).
Eticas AI Risk Taxonomy v2.0.0 makes the operationalization layer even more explicit. It organizes 76 active subcategories across 10 categories and 20 sub-groups, with public SKOS/JSON-LD distributions and mappings to 18 external frameworks (Clavell et al., 2 Jul 2026). Its central claim is that auditing requires bridging from a named risk to “a test run against a real system, a measured value, a calibrated severity, and a defensible grade” (Clavell et al., 2 Jul 2026). The worked example is PII leakage on GPT-4-0314, measured at 0%, 51%, and 84% disclosure as adversarial conditioning increases, with the metric
2
Disclosure severity bands are piecewise defined: severity 1 at 3, severity 2 at 4, severity 3 at 5, severity 4 at 6, and severity 5 at 7 (Clavell et al., 2 Jul 2026). The 51% and 84% cases therefore map to severities 4 and 5, producing subcategory grade E with pattern SYSTEMIC (Clavell et al., 2 Jul 2026).
PRISM offers another operational model, but aimed at behavioral risk rather than direct content harms (Lee, 13 Apr 2026). It defines 27 hierarchy-based risk signals across value hierarchy, evidence hierarchy, and source hierarchy, with a dual-threshold principle using absolute rank and relative win-rate gap. The basic win-rate is
8
and risk classification distinguishes Confirmed Risk, Watch Signal, and Compound Risk (Lee, 13 Apr 2026). The method is demonstrated using approximately 397,000 forced-choice responses from 7 AI models (Lee, 13 Apr 2026).
These frameworks differ in object of analysis—technical vulnerability, privacy subcategory, or reasoning hierarchy—but they share a common pattern: catalogs become operational when each entry can be bound to probes, metrics, thresholds, and aggregation rules. This suggests that the most durable risk catalogs will be those that preserve both semantic interoperability and measurement contracts.
6. Mitigation mapping and governance integration
Risk catalogs alone do not specify how organizations should respond. This gap motivates mitigation taxonomies and layered control mappings.
The preliminary AI Risk Mitigation Taxonomy organizes 831 extracted mitigations into four top-level categories and 23 subcategories: Governance & Oversight; Technical & Security; Operational Process; and Transparency & Accountability (Saeri et al., 12 Dec 2025). Governance & Oversight includes Board Structure & Oversight, Risk Management, Conflict of Interest Protections, Whistleblower Reporting & Protection, Safety Decision Frameworks, Environmental Impact Management, and Societal Impact Assessment. Technical & Security includes Model & Infrastructure Security, Model Alignment, Model Safety Engineering, and Content Safety Controls. Operational Process includes Testing & Auditing, Data Governance, Access Management, Staged Deployment, Post-Deployment Monitoring, and Incident Response & Recovery. Transparency & Accountability includes System Documentation, Risk Disclosure, Incident Reporting, Governance Disclosure, Third-Party System Access, and User Rights & Recourse (Saeri et al., 12 Dec 2025).
The taxonomy construction classified 815 of 831 mitigations, giving
9
(Saeri et al., 12 Dec 2025). The paper also emphasizes terminology ambiguities, especially around “risk management” and “red teaming,” and resolves them by separating end-to-end organizational processes from Testing & Auditing and Post-Deployment Monitoring (Saeri et al., 12 Dec 2025).
Other frameworks connect risks directly to management measures. The GPAI risk-source catalog groups risks into Technical, Operational, and Societal categories and organizes controls by lifecycle stage: Development, Training, and Deployment (Gipiškis et al., 2024). It includes dataset documentation and datasheets, data cleaning and poisoning diagnosis, adversarial training, calibration techniques, instruction-tuning safeguards, structured access and API-based deployment, red teaming and dynamic testing, and ongoing monitoring and incident reporting (Gipiškis et al., 2024). It also supplies quantitative forms such as the ISO 31000-style expression
0
and the standard adversarial training objective (Gipiškis et al., 2024).
The Fraunhofer IAIS AI Assessment Catalog is yet another mitigation-integrated structure, though framed around trustworthiness dimensions rather than risk-only domains. It uses six dimensions—Fairness, Autonomy & Control, Transparency, Reliability, Safety & Security, and Data Protection—with risk areas, metrics, assessment procedures, and mitigation measures for each (Poretschkin et al., 2023). It does not prescribe a single global risk formula, but allows aggregation via weighted sums over residual risk levels (Poretschkin et al., 2023).
A plausible implication is that mature risk catalogs require a bidirectional mapping: from risks to mitigations and from mitigations back to auditable evidence. Without that linkage, a catalog remains descriptive rather than governable.
7. Persistent gaps, controversies, and future directions
The literature identifies several recurring blind spots. The first is the underdocumentation of human-interaction and misuse risks. Developers emphasize technical model issues, but incidents disproportionately involve fraud, scams, targeted manipulation, and other social uses of AI (Rao et al., 21 Aug 2025). The second is the difficulty of representing systemic and long-horizon harms. The AI Risk Spectrum explicitly includes overdependence, human enfeeblement, power concentration, and value lock-in, while cataloging work based on model cards tends to underweight such slow-burn risks (Grey et al., 19 Aug 2025, Rao et al., 21 Aug 2025).
The third is the distinction between naming risks and auditing them. Eticas argues that “almost all” taxonomies stop at the catalog, whereas the hard part is operationalizing risk into tests, metrics, calibrated severities, and grades (Clavell et al., 2 Jul 2026). PRISM similarly argues that case-level red lines are reactive and that hierarchy-level signals are anticipatory, comprehensive, and measurable (Lee, 13 Apr 2026). These positions imply a controversy over what a risk catalog should fundamentally contain: semantic categories, operational tests, or both.
A fourth issue is interoperability. The AI Risk Atlas and the standardized threat taxonomy for AI security, governance, and regulatory compliance both frame the problem as one of translation across technical, regulatory, and business vocabularies (Bagehorn et al., 26 Feb 2025, Huwyler, 26 Nov 2025). The latter maps nine threat domains and 53 operational sub-threats directly to five business loss categories—Confidentiality, Integrity, Availability, Legal, Reputation—and validates 100% classification coverage over 133 documented incidents from 2025 (Huwyler, 26 Nov 2025). This suggests that future catalogs may increasingly serve quantitative risk assessment, insurance, and capital-allocation functions, not only governance disclosures.
Finally, internal-use and frontier-risk settings are pushing catalogs toward more specialized structures. The internal deployment reporting framework centers on autonomous AI misbehavior and insider threats before public release (Delaney et al., 27 Apr 2026). The Frontier AI Risk Management Framework in Practice centers on seven frontier-risk areas and evaluates them with “red lines” and “yellow lines” under the “AI-1 Law,” placing current models into green, yellow, and red zones (Lab et al., 22 Jul 2025). In that report, risks include cyber offense, biological and chemical risks, persuasion and manipulation, uncontrolled autonomous AI R&D, strategic deception and scheming, self-replication, and collusion (Lab et al., 22 Jul 2025). This specialization indicates that a single universal catalog may be less useful than a layered ecosystem: general repositories for shared language, incident-aligned catalogs for empirical calibration, operational schemas for audits, and domain- or lifecycle-specific catalogs for high-stakes contexts.
In aggregate, the modern AI model risk catalog is best understood as an evolving knowledge infrastructure. Its functions now include taxonomy construction, empirical comparison, disclosure standardization, metric binding, severity calibration, mitigation mapping, and cross-framework interoperability. The field’s current trajectory suggests movement from static lists of harms toward living, machine-readable, audit-ready systems that connect risk concepts to evidence, thresholds, controls, and governance actions (Slattery et al., 2024, Rao et al., 21 Aug 2025, Clavell et al., 2 Jul 2026).