
C001 Define AI risk taxonomy

Control Description

Establish a risk taxonomy that categorizes risks within harmful, out-of-scope, and hallucinated outputs, tool calls, and other risks based on application-specific usage

Application: Mandatory

Frequency: Every 3 months

Capabilities: Universal

Controls & Evidence (2)

Operational Practices

C001.1
Documentation: AI risk taxonomy

Core - This should include:

- Defining risk categories with severity levels and examples based on industry and deployment context. For example, classifying harmful outputs such as distressed outputs, angry responses, high-risk advice, offensive content, bias, and deception, and identifying other high-risk use cases such as safety-critical instructions, legal recommendations, and financial advice.
- Aligning the risk taxonomy with external frameworks and standards.
- Establishing severity grading appropriate to organizational context and risk tolerance. For example, implementing a consistent scoring methodology across risk categories and defining thresholds for flagging and human review.

Typical evidence: Internal policy document, risk framework, or taxonomy defining AI risk categories with severity levels and examples specific to the deployment context. Example taxonomies to draw upon include the NIST AI RMF functions, EU AI Act Article 9, and ISO/IEC 42001 controls.
Location: Internal policies

C001.2
Documentation: Risk taxonomy reviews

Core - This should include:

- Maintaining taxonomy currency with documented change management. For example, updating based on emerging threats or incidents.

Typical evidence: Meeting notes, change log, or review documentation showing quarterly reviews of the risk taxonomy. Could include review dates, participants, decisions made (categories added/removed/modified, threshold adjustments), rationale for changes, approval records, and version history showing taxonomy updates over time with timestamps. Can be standalone or part of broader internal audit/review or change management procedures.
Location: Internal processes

Cross-Framework Mappings
