What specific risks should individuals, businesses, and governments consider when using AI systems or writing the rules that govern their use? This is not an easy question to answer. AI that controls critical infrastructure clearly poses risks to human safety. But what about AI designed to grade exams, organize resumes, or check travel documents at border crossings? Each of these carries its own set of risks that, while just as serious, fall into entirely different categories.
In crafting AI regulatory laws like the EU AI Act and California's SB 1047, policymakers have struggled to reach consensus on which risks should be covered by law. To provide guidance to them and other stakeholders in the AI industry and academia, MIT researchers have developed what they call an AI “risk repository,” a sort of database of AI risks.
“This is an attempt to rigorously curate and analyze AI risks and compile them into a publicly accessible, comprehensive, extensible, categorized database of risks that anyone can copy and use, and that will be kept up to date over time,” Peter Slattery, a researcher in MIT's FutureTech group and lead on the AI Risk Repository project, told TechCrunch. “We're creating this now because we needed it for our project, and because we know many others will need it too.”
The AI Risk Repository contains more than 700 AI risks grouped by causal factor (such as intent), domain (such as discrimination), and subdomain (such as disinformation or cyberattacks), and was born out of a desire to understand overlaps and gaps in AI safety research, Slattery said. While other risk frameworks exist, they cover only a fraction of the risks identified in the repository, and those gaps could have major implications for AI development, use, and policymaking.
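To make the three-level grouping concrete, here is a minimal sketch of how risks tagged by causal factor, domain, and subdomain might be represented and filtered in code. The field names and example entries are illustrative assumptions, not the repository's actual schema (the repository itself is published as a curated database, not as code).

```python
# Minimal sketch: representing and filtering risks by the repository's
# three-level grouping. Field names and entries are illustrative only.
from dataclasses import dataclass

@dataclass
class Risk:
    description: str
    causal_factor: str   # e.g. intentional vs. unintentional
    domain: str          # e.g. "Misinformation"
    subdomain: str       # e.g. "Disinformation"

catalog = [
    Risk("Model generates targeted false political content",
         causal_factor="intentional", domain="Misinformation",
         subdomain="Disinformation"),
    Risk("Chatbot leaks personal data from its training set",
         causal_factor="unintentional", domain="Privacy & security",
         subdomain="Privacy leakage"),
]

# Pull the slice a policymaker or researcher might care about.
disinfo_risks = [r for r in catalog if r.subdomain == "Disinformation"]
for r in disinfo_risks:
    print(f"[{r.causal_factor}] {r.domain} / {r.subdomain}: {r.description}")
```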
“You might think there's a consensus on AI risks, but our findings show that this is not the case,” Slattery added. “We found that the average framework only mentioned 34% of the 23 risk subdomains we identified, and almost a quarter covered less than 20%. No document or overview mentioned all 23 risk subdomains, and the most comprehensive only covered 70%. When the literature is so fragmented, we shouldn't assume that everyone has the same view on these risks.”
To build the repository, MIT researchers worked with colleagues from the University of Queensland, the nonprofit Future of Life Institute, KU Leuven, and AI startup Harmony Intelligence to scour academic databases and retrieve thousands of documents related to AI risk assessments.
The researchers found that the third-party frameworks they examined mentioned certain risks more frequently than others. For example, more than 70% of the frameworks addressed the privacy and security impacts of AI, while only 44% addressed misinformation. And while more than 50% discussed forms of discrimination and misrepresentation that AI can perpetuate, only 12% mentioned “information ecosystem pollution,” or the rise of AI-generated spam.
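The coverage statistics above boil down to a simple analysis: for each framework, what share of the full set of risk subdomains does it mention, and for each subdomain, what share of frameworks mention it? The toy sketch below illustrates that calculation; the framework names and subdomain labels are made up for illustration and do not reflect the repository's actual data.

```python
# Toy sketch of the coverage analysis described above. All names and
# labels here are hypothetical placeholders.
ALL_SUBDOMAINS = {"privacy", "security", "misinformation",
                  "discrimination", "info_ecosystem_pollution"}

frameworks = {
    "Framework A": {"privacy", "security", "discrimination"},
    "Framework B": {"privacy", "misinformation"},
    "Framework C": {"security", "discrimination", "misinformation"},
}

# Per-framework coverage: share of the taxonomy each framework mentions.
for name, mentioned in frameworks.items():
    coverage = len(mentioned & ALL_SUBDOMAINS) / len(ALL_SUBDOMAINS)
    print(f"{name}: {coverage:.0%} of subdomains covered")

# Per-subdomain frequency: share of frameworks mentioning each risk.
for sub in sorted(ALL_SUBDOMAINS):
    freq = sum(sub in m for m in frameworks.values()) / len(frameworks)
    print(f"{sub}: mentioned by {freq:.0%} of frameworks")
```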
“The lesson for researchers, policymakers, and everyone working with risk is that this database can serve as a foundation from which to do more specific work,” Slattery said. “Until now, people like us had two options: either spend significant time reviewing the scattered literature to create a comprehensive overview, or use a limited number of existing frameworks that may miss relevant risks. Now that we have a more comprehensive database, our repository will hopefully save time and increase oversight.”
But would anyone use it? The fact is that AI regulation around the world today is at best a patchwork: a collection of different approaches with no unified goals. If a resource like MIT's AI risk repository had existed earlier, would it have made a difference? It's hard to say.
Another natural question is whether agreement on the risks posed by AI is enough, on its own, to spur appropriate regulation. Safety assessments of AI systems often have significant limitations, and a database of risks does not necessarily solve that problem.
But the MIT researchers are going to try: Neil Thompson, director of the FutureTech group, told TechCrunch that the team plans to use the repository in the next phase of its research to evaluate how well different AI risks are being addressed.
“Our repository will help inform the next phase of research to assess how well we are responding to different risks,” Thompson said. “We plan to use it to identify gaps in organizations' responses. For example, if everyone is focused on one type of risk and overlooking other risks of similar importance, that's something we should notice and address.”