Class HarmRisk with properties nature and source

[ineweyts-pwc]

This issue is intended to classify the nature and source of HarmRisk Is there any data or examples for this?

Currently in the model there is only HarmRisk. However, the taxonomies in the Code of Practice (https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai - Safety and Security Chapter - Appendix 1.2 and Appendix 1.3) concerning the nature and sources are about systemic risk.
Should we (1) leave nature and source properties at HarmRisk level and create SystemicRisk as subclass of HarmRisk, or (2) move nature and source directly in the subclass SystemicRisk?

[coolharsh55]

Hi. Thanks for the change in HarmRisk.

(1) For the concept of "nature" -- ISO 31073:2022 defines "risk analysis" as the process to comprehend the nature of risk and the determine the level of risk. This means "nature of risk" in context of AI Act is the determination of probability and severity of harm (Article 3). However, there are already properties probabiliy and severity (7.1.0). So what (additional) information should be expressed via nature is unclear. Therefore I think the nature property can be removed, and in the future if there are additional details to represented as part of the broader 'nature' concept in AI Act, then those should be additional properties.

(2) Nature has severe overlaps in the current spec:

• 7.1.0 nature: The nature of the resource.
• 7.1.0 type: The nature or genre of the resource.
• 7.6 type: The nature or genre of the resource.

This means currently the concept 'nature' is not exclusive to Risk, and there is a conflict between its use when used with risk and with other concepts like the ML Model. Another reason to remove nature and keep the other risk properties in forefront.

(3) SystemicRisk is defined in Article 51 as (a GPAI model having) "high impact capabilities". From a risk analysis perspective, this can be interpreted to state that the propability and severity of HarmRisk result in a (very) high risk level (to society, at wide scale) that will cause harm. Therefore I agree that SystematicRisk should be a subclass of HarmRisk.