Transitioning from a successful AI proof-of-concept to a scalable product brings significant challenges, including accuracy, bias, data security, and regulatory compliance. Risk Atlas Nexus from IBM Research is an open-source initiative designed to help organizations structure, assess, and mitigate AI risks through a shared ontology, AI-assisted governance tools, and knowledge graphs linking industry standards like NIST and OWASP. As part of the AI Alliance Trust and Safety Evaluation initiative, this project fosters a collaborative ecosystem to make AI governance more accessible and actionable. Join us in shaping the future of AI governance!
You have done a proof-of-concept for an AI system using multiple AI Models, some of them off-the-shelf, some of them tuned in-house; it is showing great results and now you want to move to product.
AI systems come with lots of potential for embarrassing risks or unsafe behaviors. Even if we don’t have a dedicated risk officer looking for sign-off, can we catch them beforehand and do something to address them? Do you know how to address the risk of the system being inaccurate, which was the purpose of the PoC after all, and what about the system being biased, or generating abusive text? If the system was fine-tuned on your own data, what is the possibility of data leakage? Was permission obtained for all the data the model was trained on? Even for third party models?
This is the AI Risk Labyrinth, a major obstacle preventing many large companies from effectively adopting Generative AI, as they struggle to find a clear path forward.
Risk Atlas Nexus
To tackle these challenges, IBM Research is pleased to introduce Risk Atlas Nexus, a collaborative effort to structure and mitigate AI risks. Given the rapidly evolving landscape of capabilities and governance policies, no single product or company can serve as the sole source of truth on all dimensions. As a result, we need to foster a community-driven approach to creating, linking and curating these resources in a way that supports end users to operationalize these safeguards as part of their processes. We are releasing Risk Atlas Nexus as a first step in this vision to help create and foster such a community based effort.
One Combined Vocabulary: to have a clear view of a model’s risks there is a need to combine data from disparate sources (structured and unstructured). Often the data is derived from textual documentation which is highly interconnected and multi-disciplinary ranging from reporting F1 scores of models on specific benchmarks to regulations about the CO2 emissions of the model and specific regulations that apply to the proposed use-case in the proposed geography.
Knowledge Graphs can provides a unified structure that can link and contextualize data when it is complex, ambiguous and covers multiple domains. Putting that data and specifically their risks in context helps AI system designers manage those risks using a common, open ontology defining important entities and relationships.
We have been working on just such an ontology that we are releasing as part of this open source project. The ontology uses and links multiple risk taxonomies, NIST, OWASP and in particular IBM’s Risk Atlas. (See this starter notebook).
AI Assisted Information Gathering: Questionnaires are one way to start to put structure onto fragmented data and can create a governance trail for projects. We help users with suggested answers to questionnaires such as the Stanford Transparency index or questions relating to the EU AI Act taking into account free-text, use-case descriptions and default policies defined through examples. (Example auto question notebook).
What risks do I need to care about? We need to know which risks are the most important to your use case, we help judge which ones you might start to think about. (Example risk identification notebook).
How can I measure them? Once we know which risks then we can start gathering the appropriate datasets, metrics and benchmarks. We help there by connecting risks to benchmarks and the mitigations such as Granite Guardian.
What actions do I need to take? Not all risks can be addressed by technical mitigations, some might mean collecting additional documentation, others might just be checking in with stakeholders. We mined these suggestions from NIST and you can now go from risks to recommended actions.
Just the start… We started this open source project after prototyping a system that lowers the barrier for entry to provide AI governance of a system. Watch our demo of Usage Governance Advisor to be presented at AAAI’25 and read more about our vision for AI assisted governance here, which will be presented at AAAI’25 Workshop on AI Governance: Alignment, Morality and Law.
We are releasing Risk Atlas Nexus which will be part of the AI Alliance Trust and Safety Evaluation initiative. It is a first step in the vision to help create and foster such a community based effort.
Risk Atlas Nexus is just the beginning. We invite the community to join us in shaping the future of AI governance.
See our GitHub repo for more information: https://github.com/IBM/risk-atlas-nexus