Understanding AI Frameworks and the Risks of Artificial Intelligence

A blog post drawing on current frameworks, research, and the MIT AI Risk Repository


Introduction

Artificial Intelligence is no longer a niche technology. It is embedded in healthcare diagnostics, hiring decisions, financial systems, law enforcement tools, and the everyday software most of us use without a second thought. With that reach comes serious responsibility — and serious risk. Governments, standards bodies, researchers, and international organizations have responded by developing a growing ecosystem of frameworks designed to identify, categorize, and manage those risks.

This post walks through what those frameworks are, what they’re trying to address, why they were created, and what the research tells us about the risks they’re designed to tackle.


Part 1: What Are AI Risks?

Before looking at the frameworks, it helps to understand what we’re actually worried about. The most comprehensive academic effort to answer this question is the MIT AI Risk Repository, a living database developed by MIT FutureTech.

The MIT AI Risk Repository contains a database that captures over 1,700 risks extracted from 74 existing frameworks and classifications of AI risks, organized through both a Causal Taxonomy (classifying how, when, and why risks occur) and a Domain Taxonomy (classifying risks into 7 domains and 24 subdomains). It aims to increase awareness and adoption of best practice AI risk management across the AI ecosystem.

The 7 Risk Domains (MIT AI Risk Repository)

1. Discrimination & Toxicity: Risks related to unfair treatment, harmful content exposure, and unequal AI performance across different groups and individuals — including unequal treatment based on race, gender, or other sensitive characteristics.

2. Privacy & Security: Risks related to unauthorized access to sensitive information and vulnerabilities in AI systems. Covers AI systems that memorize and leak sensitive personal data, as well as vulnerabilities in AI software and hardware.

3. Misinformation: Risks related to AI systems generating or spreading false information, including highly personalized AI-generated misinformation creating “filter bubbles” that undermine shared reality and weaken social cohesion.

4. Malicious Actors: Risks related to intentional misuse of AI — including large-scale disinformation campaigns, fraud and impersonation, and using AI to develop cyber weapons or enhance existing weapons for mass harm.

5. Human-Computer Interaction: Risks including overreliance on AI systems and the erosion of human agency when AI systems make decisions that diminish human control and autonomy.

6. Socioeconomic & Environmental: Risks related to AI’s impact on society and the environment — including power centralization, increased inequality, job displacement, cultural devaluation of human effort, governance failure, and environmental harm from data center energy consumption.

7. AI System Safety, Failures & Limitations: Risks related to AI systems that fail to operate safely, pursue misaligned goals, lack robustness, or possess dangerous capabilities. Includes AI acting in conflict with human values and a lack of transparency in AI decision-making.

Transparency note from the MIT researchers: The Repository has several acknowledged limitations, including being based on 65 documents, the potential to miss emerging or domain-specific risks, and possible errors from using a single expert reviewer for extraction and coding. This is living research, not a final word.

Citation: Slattery, P., Saeri, A. K., Grundy, E. A. C., Graham, J., Noetel, M., Uuk, R., Dao, J., Pour, S., Casper, S., & Thompson, N. (2024). The AI Risk Repository: A Comprehensive Meta-Review, Database, and Taxonomy of Risks from Artificial Intelligence. https://doi.org/10.48550/arXiv.2408.12622

Source: airisk.mit.edu


Part 2: The Major AI Governance Frameworks

NIST AI Risk Management Framework (AI RMF 1.0)

Origin: U.S. National Institute of Standards and Technology, January 2023
Type: Voluntary
Core Purpose: Risk management process for any organization

In January 2023, NIST released its AI Risk Management Framework — a voluntary set of guidelines for individuals and organizations who want to act responsibly in developing products and services containing AI. The framework does not provide specific technical instructions but calls on organizations to establish a solid process for addressing AI-related risks. Its four core functions are Govern, Map, Measure, and Manage.

In July 2024, NIST expanded the framework with NIST-AI-600-1, a Generative AI Profile addressing unique risks posed by generative AI systems.

Source: nist.gov


EU Artificial Intelligence Act (EU AI Act)

Origin: European Union, entered into force August 1, 2024
Type: Binding law (enforceable)
Core Purpose: Risk-tiered compliance for AI deployed in the EU

The EU AI Act is the world’s first comprehensive AI regulation. It establishes a tiered risk classification system — Minimal, Limited, High-Risk, and Prohibited — with mandatory compliance requirements for high-risk AI used in areas like finance, healthcare, and law enforcement. Non-compliance can result in penalties of up to €35 million or 7% of global revenue.

Notably, the Act has extraterritorial reach: any AI whose output is used within the EU falls under its jurisdiction, regardless of where the developer is based.

Source: eur-lex.europa.eu


ISO/IEC 42001

Origin: International Organization for Standardization, 2023
Type: Voluntary (certifiable standard)
Core Purpose: Certifiable AI management system

ISO/IEC 42001 is the first international standard for managing AI systems responsibly. Unlike NIST AI RMF, it is certifiable — organizations can formally demonstrate compliance through third-party audits. It provides specific practices and controls for building and running an AI governance system, making it a natural complement to the NIST framework.

Source: iso.org


OECD Principles on AI

Origin: Organisation for Economic Co-operation and Development, 2019 (updated 2023–2024)
Type: Soft law (non-binding recommendation)
Core Purpose: Shared global ethical norms for AI

The OECD Principles on AI were created to establish shared, cross-border ethical norms at an intergovernmental level. Updated in 2023–2024 to address generative AI systems, the principles have been adopted by the G20 and significantly influenced both the EU AI Act and the NIST AI RMF.

Source: oecd.ai


UNESCO Recommendation on the Ethics of AI

Origin: UNESCO, adopted by all 194 member states in 2021
Type: Recommendation (non-binding)
Core Purpose: Human rights-centered AI ethics globally

UNESCO’s Recommendation on the Ethics of Artificial Intelligence was created to ensure that global AI development reflects universal human rights standards — especially critical for developing nations lacking their own enforcement infrastructure. It centers on the protection of human rights and fundamental freedoms.

Source: unesco.org


MIT AI Risk Repository

Origin: MIT FutureTech, 2024
Type: Research tool / living database
Core Purpose: Comprehensive catalog of 1,700+ AI risks

The Repository is not a governance framework in the regulatory sense, but it is an essential research resource. It provides a common frame of reference for researchers, developers, businesses, evaluators, auditors, policymakers, and regulators, and serves as a resource to help develop research, curricula, audits, and policy.

Source: airisk.mit.edu


Part 3: How the Frameworks Relate to Each Other

These frameworks are not siloed. Many organizations start with NIST AI RMF for risk management, add ISO/IEC 42001 for systematic management, and layer EU AI Act requirements for European compliance. Growing multilateral cooperation is fostering greater alignment between these frameworks, suggesting that global regulatory interoperability is becoming an organizational priority.

Framework              | Origin                           | Binding?                  | Core Purpose
NIST AI RMF            | U.S. (NIST), 2023                | No — voluntary            | Risk management process for any org
EU AI Act              | European Union, 2024             | Yes — enforceable law     | Risk-tiered compliance for AI in the EU
ISO/IEC 42001          | International (ISO), 2023        | No — certifiable standard | Certifiable AI management system
OECD AI Principles     | Intergovernmental, 2019/updated  | No — soft law             | Shared global ethical norms for AI
UNESCO AI Ethics       | UN body, 2021                    | No — recommendation       | Human rights-centered AI ethics globally
MIT AI Risk Repository | MIT FutureTech, 2024             | N/A — research tool       | Catalog of 1,700+ AI risks

What I Cannot Confirm

In the interest of transparency:

  • Statistics about risk reduction rates from AI governance adoption (e.g., “organizations reduce AI-related incidents by 70%”) appear in some secondary sources but the original research behind those numbers cannot be independently verified. Those figures are not cited here.
  • The exact future trajectory of U.S. federal AI legislation is genuinely uncertain as of early 2026. State-level laws are proliferating and NIST frameworks are widely referenced, but whether a federal AI law passes — and what it looks like — is unknown.
  • China’s AI regulatory framework is developing rapidly, but verified insight into its enforcement realities is limited.

Key Sources

  1. MIT AI Risk Repository | airisk.mit.edu | Slattery et al., 2024, arXiv:2408.12622
  2. NIST AI RMF 1.0 | nist.gov
  3. EU AI Act | eur-lex.europa.eu
  4. ISO/IEC 42001 | iso.org
  5. OECD AI Principles | oecd.ai
  6. UNESCO Recommendation on AI Ethics | unesco.org
  7. Lumenova AI, “AI Governance Frameworks: NIST AI RMF vs EU AI Act vs Internal” | lumenova.ai
  8. EC-Council, “EU AI Act vs NIST AI RMF vs ISO/IEC 42001” | eccouncil.org
  9. Nemko Digital, “Global AI Regulations 2025” | digital.nemko.com