Data on this page is preliminary and may change. Please do not share or cite these figures publicly.
Structured analysis to identify, characterize, and prioritize potential harms and risks.
STPA is a method to assess the utility of implemented controls against a particular risk within a complex system. Unlike bow-tie analysis, STPA factors in the interactions between components as events that can cause the risk in question [107].
First, the system and its boundaries to the environment are defined. The system is delineated from the environment primarily because there is at least some partial control over it. Second, several items are enumerated, including (i) unwanted risk events (“losses”), (ii) system states that cause losses (“system-level hazards”), and (iii) system states that do not cause losses (“system-level constraints”). Third, a diagram is created that maps the system, the environment, their different controls, and the interactions between these elements. This diagram must be comprehensive in listing the different losses and the possible interactions that can cause each loss. Finally, the diagram can be used to identify “unsafe control actions” (UCAs), which are the causal pathways between a control and system-level hazards, including all interactions involved.

For example, in the context of text-to-image models, losses may include ‘loss of diversity’ and ‘loss of quality’; hazards may include ‘low quality text-image pairs within training dataset’ and ‘harmful content within training dataset’; and the controls may include human controllers and automated controllers (e.g., annotators, data owners, data crawlers) [165]. Subsequent analysis may result in the identification of UCAs such as ‘current data filtering actions’ and ‘neglecting current filter thresholds’, which are linked to specific hazards. Specific actions that counter or prevent such UCAs can reduce the associated losses.
Reasoning
STPA systematically evaluates system hazards and safety requirements through structured analysis and testing methodology.
Risk Assessment
Model development
2.4 Engineering & Development
Model development > Data-related
1.1 Model
Model evaluations
2.2.2 Testing & Evaluation
Model evaluations > General evaluations
2.2.2 Testing & Evaluation
Model evaluations > Benchmarking
3.2.1 Benchmarks & Evaluation
Model evaluations > Red teaming
2.2.2 Testing & Evaluation
Risk Sources and Risk Management Measures in Support of Standards for General-Purpose AI Systems
Gipiškis, Rokas; San Joaquin, Ayrton; Chin, Ze Shen; Regenfuß, Adrian; Gil, Ariel; Holtman, Koen (2024)
Organizations and governments that develop, deploy, use, and govern AI must coordinate on effective risk mitigation. However, the landscape of AI risk mitigation frameworks is fragmented, uses inconsistent terminology, and has gaps in coverage. This paper introduces a preliminary AI Risk Mitigation Taxonomy to organize AI risk mitigations and provide a common frame of reference. The Taxonomy was developed through a rapid evidence scan of 13 AI risk mitigation frameworks published between 2023-2025, which were extracted into a living database of 831 distinct AI risk mitigations.
Plan and Design
Designing the AI system, defining requirements, and planning development
Developer
Entity that creates, trains, or modifies the AI system
Measure
Quantifying, testing, and monitoring identified AI risks
Primary
7 AI System Safety, Failures & Limitations