MIT researchers release a repository of AI risks
Which specific risks should a person, company or government consider when using an AI system, or crafting rules to govern its use? It's not an easy question to answer. If it's an AI with control over critical infrastructure, there's the obvious risk to human safety. But what about an AI designed to score exams, sort resumes or verify travel documents at immigration control? Those each carry their own, categorically different risks, albeit risks no less severe.
In crafting laws to regulate AI, like the EU AI Act or California's SB 1047, policymakers have struggled to come to a consensus on which risks the laws should cover. To help provide a guidepost for them, as well as for stakeholders across the AI industry and academia, MIT researchers have developed what they're calling an AI "risk repository" — a sort of database of AI risks.
"This is an attempt to rigorously curate and analyze AI risks into a publicly accessible, comprehensive, extensible and categorized risk database that anyone can copy and use, and that will be kept up to date over time," Peter Slattery, a researcher at MIT's FutureTech group and lead on the AI risk repository project, told TechCrunch. "We created it now because we needed it for our project, and had realized that many others needed it, too."
Slattery says that the AI risk repository, which includes over 700 AI risks grouped by causal factors (e.g. intentionality), domains (e.g. discrimination) and subdomains (e.g. disinformation and cyberattacks), was born out of a desire to understand the overlaps and disconnects in AI safety research. Other risk frameworks exist. But they cover only a fraction of the risks identified in the repository, Slattery says, and these omissions could have major consequences for AI development, usage and policymaking.
"People may assume there is a consensus on AI risks, but our findings suggest otherwise," Slattery added. "We found that the average frameworks mentioned just 34% of the 23 risk subdomains we identified, and nearly a quarter covered less than 20%. No document or overview mentioned all 23 risk subdomains, and the most comprehensive covered only 70%. When the literature is this fragmented, we shouldn’t assume that we are all on the same page about these risks."
To build the repository, the MIT researchers worked with colleagues at the University of Queensland, the nonprofit Future of Life Institute, KU Leuven and AI startup Harmony Intelligence to scour academic databases and retrieve thousands of documents relating to AI risk evaluations.
The researchers found that the third-party frameworks they canvassed mentioned certain risks more often than others. For example, over 70% of the frameworks included the privacy and security implications of AI, whereas only 44% covered misinformation. And while over 50% discussed the forms of discrimination and misrepresentation that AI could perpetuate, only 12% talked about "pollution of the information ecosystem" — i.e. the increasing volume of AI-generated spam.
"A takeaway for researchers and policymakers, and anyone working with risks, is that this database could provide a foundation to build on when doing more specific work," Slattery said. "Before this, people like us had two choices. They could invest significant time to review the scattered literature to develop a comprehensive overview, or they could use a limited number of existing frameworks, which might miss relevant risks. Now they have a more comprehensive database, so our repository will hopefully save time and increase oversight."
But will anyone use it? It's true that AI regulation around the world today is at best a hodgepodge: a spectrum of different approaches disunified in their goals. Had an AI risk repository like MIT's existed before, would it have changed anything? Could it have? That's tough to say.
Another fair question to ask is whether simply being aligned on the risks that AI poses is enough to spur moves toward competently regulating it. Many safety evaluations for AI systems have significant limitations, and a database of risks won't necessarily solve that problem.
The MIT researchers plan to try, though. Neil Thompson, head of the FutureTech lab, tells TechCrunch that the group plans in its next phase of research to use the repository to evaluate how well different AI risks are being addressed.
"Our repository will help us in the next step of our research, when we will be evaluating how well different risks are being addressed," Thompson said. "We plan to use this to identify shortcomings in organizational responses. For instance, if everyone focuses on one type of risk while overlooking others of similar importance, that's something we should notice and address.