Standardized Threat Taxonomy for AI Security, Governance, and Regulatory Compliance

📅 2025-11-26
📈 Citations: 0
Influential: 0
📄 PDF

career value

158K/year
🤖 AI Summary
Rapid deployment of AI systems in regulated domains exposes a critical gap between technical security and legal compliance, as algorithmic vulnerabilities (e.g., those cataloged in MITRE ATLAS) lack systematic mapping to quantifiable financial impacts—undermining evidence-based decisions on contingency reserves and cyber-insurance pricing. Method: We propose the first cross-domain AI threat vector classification framework that directly links technical threats to five business loss dimensions: confidentiality, integrity, availability, legal liability, and reputational harm. Leveraging structured ontology modeling, we integrate MITRE ATLAS, the EU AI Act, NIST AI Risk Management Framework, and ISO/IEC 42001 to define 53 actionable sub-threats. Contribution/Results: The framework achieves 100% coverage across 133 real-world AI incidents reported in 2025, demonstrating both conceptual completeness and audit readiness for regulatory and economic risk assessment.

Technology Category

Application Category

📝 Abstract
The accelerating deployment of artificial intelligence systems across regulated sectors has exposed critical fragmentation in risk assessment methodologies. A significant "language barrier" currently separates technical security teams, who focus on algorithmic vulnerabilities (e.g., MITRE ATLAS), from legal and compliance professionals, who address regulatory mandates (e.g., EU AI Act, NIST AI RMF). This disciplinary disconnect prevents the accurate translation of technical vulnerabilities into financial liability, leaving practitioners unable to answer fundamental economic questions regarding contingency reserves, control return-on-investment, and insurance exposure. To bridge this gap, this research presents the AI System Threat Vector Taxonomy, a structured ontology designed explicitly for Quantitative Risk Assessment (QRA). The framework categorizes AI-specific risks into nine critical domains: Misuse, Poisoning, Privacy, Adversarial, Biases, Unreliable Outputs, Drift, Supply Chain, and IP Threat, integrating 53 operationally defined sub-threats. Uniquely, each domain maps technical vectors directly to business loss categories (Confidentiality, Integrity, Availability, Legal, Reputation), enabling the translation of abstract threats into measurable financial impact. The taxonomy is empirically validated through an analysis of 133 documented AI incidents from 2025 (achieving 100% classification coverage) and reconciled against the main AI risk frameworks. Furthermore, it is explicitly aligned with ISO/IEC 42001 controls and NIST AI RMF functions to facilitate auditability.
Problem

Research questions and friction points this paper is trying to address.

Bridges gap between technical security and legal compliance teams
Translates AI vulnerabilities into measurable financial impact categories
Provides standardized taxonomy for AI risk assessment and governance
Innovation

Methods, ideas, or system contributions that make the work stand out.

Structured ontology for AI risk translation
Maps technical threats to financial impact
Empirically validated with incident analysis
🔎 Similar Papers
2024-08-14AGI - Artificial General Intelligence - Robotics - Safety & AlignmentCitations: 27