Data on this page is preliminary and may change. Please do not share or cite these figures publicly.
Unclassifiable mitigations.
[Not a mitigation] Key risk metric/focus: Authenticity and consent. (Preventing deceptive or harmful manipulations of media; ensuring subjects’ rights are respected in generated content.)
Reasoning
Item explicitly marked "Not a mitigation"—describes risk focus, not mechanism or action.
Implement content filters
1.2.1 Guardrails & Filtering
Watermarking of synthetic media
1.2.5 Provenance & Watermarking
Detection of deepfakes
1.2.5 Provenance & Watermarking
Enforce usage policies
No non-consensual image generation, user identity verification for sensitive uses
2.3.2 Access & Security Controls
Refrain from malicious use or unwarranted trust in unverified media
99.9 Other
Knowledge-level output
[Not a mitigation] Key risk metric/focus: Accuracy and veracity. (Maximizing truthfulness of outputs; minimizing false or misleading information.)
99.9 Other
Knowledge-level output > Improve model training and prompting
In order to reduce hallucinations, bias, and errors
1.1 Model
Knowledge-level output > Incorporate citation and fact-checking in the AI
1.2 Non-Model
Knowledge-level output > Scope the application to appropriate domains
2.2.1 Risk Assessment
Knowledge-level output > Provide disclosures or warnings
e.g. “AI generated content may be incorrect”
2.4.2 Design Standards
Knowledge-level output > Facilitate user verification
E.g. linking to sources
1.2.5 Provenance & Watermarking
A First-Principles Based Risk Assessment Framework and the IEEE P3396 Standard
Tong, Richard J.; Cortês, Marina; DeFalco, Jeanine A.; Underwood, Mark; Zalewski, Janusz (2025)
Generative Artificial Intelligence (AI) is enabling unprecedented automation in content creation and decision support, but it also raises novel risks. This paper presents a first-principles risk assessment framework underlying the IEEE P3396 Recommended Practice for AI Risk, Safety, Trustworthiness, and Responsibility. We distinguish between process risks (risks arising from how AI systems are built or operated) and outcome risks (risks manifest in the AI system's outputs and their real-world effects), arguing that generative AI governance should prioritize outcome risks. Central to our approach is an information-centric ontology that classifies AI-generated outputs into four fundamental categories: (1) Perception-level information, (2) Knowledge-level information, (3) Decision/Action plan information, and (4) Control tokens (access or resource directives). This classification allows systematic identification of harms and more precise attribution of responsibility to stakeholders (developers, deployers, users, regulators) based on the nature of the information produced. We illustrate how each information type entails distinct outcome risks (e.g., deception, misinformation, unsafe recommendations, security breaches) and requires tailored risk metrics and mitigations. By grounding the framework in the essence of information, human agency, and cognition, we align risk evaluation with how AI outputs influence human understanding and action. The result is a principled approach to AI risk that supports clear accountability and targeted safeguards, in contrast to broad application-based risk categorizations. We include example tables mapping information types to risks and responsibilities. This work aims to inform the IEEE P3396 Recommended Practice and broader AI governance with a rigorous, first-principles foundation for assessing generative AI risks while enabling responsible innovation. © 2025 IEEE.
Unable to classify
Could not be classified to a specific lifecycle stage
Unable to classify
Could not be classified to a specific actor type
Unable to classify
Could not be classified to a specific AIRM function