You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add a structured AI risk assessment module based on IBM's AI Risk Atlas and MIT's AI Risk Repository taxonomies. This would let users run a guided risk evaluation against their AI models and get a scored report covering categories like fairness, explainability, robustness, privacy, and accountability — mapped to the regulatory frameworks FairMind already supports (EU AI Act, DPDP Act, NIST AI RMF, ISO 42001).
Problem Statement
FairMind currently detects bias and checks compliance against specific frameworks, but there's no unified risk assessment flow that evaluates an AI system holistically. Users have to piece together compliance checks, bias results, and monitoring data manually to understand their overall risk posture. Compliance teams and ML engineers need a single structured assessment that covers all risk dimensions — not just fairness — to prepare for audits and internal governance reviews.
Proposed Solution
A modular, questionnaire-driven risk assessment system:
Risk taxonomy — Define risk categories drawn from IBM AI Risk Atlas (hallucination, data privacy, fairness, explainability, robustness, security, accountability) and MIT AI Risk Repository (organized by causal factors and risk domains). Store as structured data, not hardcoded logic.
Assessment engine — A backend service that accepts questionnaire responses + existing FairMind data (bias detection results, compliance scores, model monitoring metrics) and computes a per-category risk score and an aggregate risk level (maps to the existing RiskLevel enum: LOW, MEDIUM, HIGH, CRITICAL).
Integration with existing compliance — Risk assessment results should feed into the existing ComplianceViolation and AIBOMAnalysis models. If a risk score crosses a threshold, it triggers violations through the existing ComplianceAutomationService pipeline.
Report output — Generate an exportable risk assessment report (PDF/DOCX) that can serve as audit evidence, compatible with the existing EvidenceService (evidence type: MANUAL_ATTESTATION or a new RISK_ASSESSMENT type).
Frontend — A dedicated risk assessment page under the dashboard. Questionnaire form, results visualization with per-category breakdown, and historical assessment tracking.
Alternatives Considered
Relying solely on the existing per-framework compliance checks — insufficient because they don't cover risk dimensions like robustness, hallucination, or security holistically.
Building a fully custom taxonomy from scratch — unnecessary when IBM and MIT have done extensive research. Better to adapt their work.
Third-party risk assessment tool integration — adds external dependency and doesn't leverage the data FairMind already collects (bias scores, model metrics, compliance state).
Use Cases
A compliance officer runs a risk assessment before an EU AI Act audit. The report maps each risk finding to the relevant regulatory requirement and references existing FairMind evidence.
An ML engineer evaluates a new model before deployment. The questionnaire flags high risk in explainability and robustness, triggering a compliance violation that blocks production release until remediation.
A governance team tracks risk posture over time by running quarterly assessments and comparing aggregate scores across their model portfolio.
Subtasks
1. Risk taxonomy data model — Define the risk category schema based on IBM AI Risk Atlas and MIT AI Risk Repository. Create database models for risk categories, risk factors, and assessment templates. Should be framework-agnostic so new taxonomies can be added later. Output: migration + seed data for the initial taxonomy.
2. Assessment questionnaire engine (backend) — Build the API endpoints for creating, submitting, and scoring risk assessments. Accepts questionnaire responses, pulls existing FairMind data (bias scores, compliance state, model metrics), and computes per-category + aggregate risk scores. Integrates with the existing RiskLevel enum and risk_incident_manager scoring logic.
3. Compliance pipeline integration — Wire assessment results into the existing ComplianceAutomationService. When a risk score exceeds a threshold, auto-create ComplianceViolations. Store assessment results as evidence in EvidenceService. Update AIBOMAnalysis records with risk assessment scores.
4. Risk assessment report generation — Add PDF/DOCX export for risk assessment results. Should include per-category scores, findings, regulatory mapping, and recommendations. Build on the existing report generation infrastructure used for bias evaluation exports.
6. API documentation and tests — Endpoint documentation, unit tests for scoring logic, integration tests for the compliance pipeline integration. Cover edge cases like partial questionnaire submissions and models with no prior FairMind data.
Related Issues
Builds on the existing compliance automation service and violation detection pipeline
Extends the AI BOM analysis scoring (currently has risk_score, compliance_score, security_score, performance_score)
Complements the existing India-specific bias detection and DPDP Act compliance checks
Feature Description
Add a structured AI risk assessment module based on IBM's AI Risk Atlas and MIT's AI Risk Repository taxonomies. This would let users run a guided risk evaluation against their AI models and get a scored report covering categories like fairness, explainability, robustness, privacy, and accountability — mapped to the regulatory frameworks FairMind already supports (EU AI Act, DPDP Act, NIST AI RMF, ISO 42001).
Problem Statement
FairMind currently detects bias and checks compliance against specific frameworks, but there's no unified risk assessment flow that evaluates an AI system holistically. Users have to piece together compliance checks, bias results, and monitoring data manually to understand their overall risk posture. Compliance teams and ML engineers need a single structured assessment that covers all risk dimensions — not just fairness — to prepare for audits and internal governance reviews.
Proposed Solution
A modular, questionnaire-driven risk assessment system:
Risk taxonomy — Define risk categories drawn from IBM AI Risk Atlas (hallucination, data privacy, fairness, explainability, robustness, security, accountability) and MIT AI Risk Repository (organized by causal factors and risk domains). Store as structured data, not hardcoded logic.
Assessment engine — A backend service that accepts questionnaire responses + existing FairMind data (bias detection results, compliance scores, model monitoring metrics) and computes a per-category risk score and an aggregate risk level (maps to the existing RiskLevel enum: LOW, MEDIUM, HIGH, CRITICAL).
Integration with existing compliance — Risk assessment results should feed into the existing ComplianceViolation and AIBOMAnalysis models. If a risk score crosses a threshold, it triggers violations through the existing ComplianceAutomationService pipeline.
Report output — Generate an exportable risk assessment report (PDF/DOCX) that can serve as audit evidence, compatible with the existing EvidenceService (evidence type: MANUAL_ATTESTATION or a new RISK_ASSESSMENT type).
Frontend — A dedicated risk assessment page under the dashboard. Questionnaire form, results visualization with per-category breakdown, and historical assessment tracking.
Alternatives Considered
Use Cases
Subtasks
1. Risk taxonomy data model — Define the risk category schema based on IBM AI Risk Atlas and MIT AI Risk Repository. Create database models for risk categories, risk factors, and assessment templates. Should be framework-agnostic so new taxonomies can be added later. Output: migration + seed data for the initial taxonomy.
2. Assessment questionnaire engine (backend) — Build the API endpoints for creating, submitting, and scoring risk assessments. Accepts questionnaire responses, pulls existing FairMind data (bias scores, compliance state, model metrics), and computes per-category + aggregate risk scores. Integrates with the existing RiskLevel enum and risk_incident_manager scoring logic.
3. Compliance pipeline integration — Wire assessment results into the existing ComplianceAutomationService. When a risk score exceeds a threshold, auto-create ComplianceViolations. Store assessment results as evidence in EvidenceService. Update AIBOMAnalysis records with risk assessment scores.
4. Risk assessment report generation — Add PDF/DOCX export for risk assessment results. Should include per-category scores, findings, regulatory mapping, and recommendations. Build on the existing report generation infrastructure used for bias evaluation exports.
5. Frontend — Risk assessment page — Dashboard page with: questionnaire form UI, results visualization (per-category breakdown chart, aggregate score), historical assessment list, and export button. Follows the existing neobrutalist design system.
6. API documentation and tests — Endpoint documentation, unit tests for scoring logic, integration tests for the compliance pipeline integration. Cover edge cases like partial questionnaire submissions and models with no prior FairMind data.
Related Issues
Additional Context
Reference materials:
Existing infrastructure to build on: