IBM Risk Atlas x AIUC-1 Crosswalk¶
About this notebook¶
This notebook contains three sections.
- Overview of AIUC-1 resources in the AI Atlas Nexus repository.
- Using the AIAtlasNexus library API to load the data.
- A crosswalk pandas dataframe showing linkages between AIUC-1 Framework requirements and IBM AI Risk Atlas risks.
In [1]:
Copied!
# imports
import pandas as pd
from collections import defaultdict
from rich import print
from pathlib import Path
from ai_atlas_nexus import AIAtlasNexus
# imports
import pandas as pd
from collections import defaultdict
from rich import print
from pathlib import Path
from ai_atlas_nexus import AIAtlasNexus
/Users/ingevejs/Documents/workspace/ingelise/risk-atlas-nexus/src/ai_atlas_nexus/toolkit/job_utils.py:4: TqdmWarning: IProgress not found. Please update jupyter and ipywidgets. See https://ipywidgets.readthedocs.io/en/stable/user_install.html from tqdm.autonotebook import tqdm
1. Overview of AIUC-1 resources¶
Hierarchy Structure¶
- 6 Principles (A-F)
- Contains 51 Requirements (Rules)
- Each Requirement contains 1-3 Control Activities (Rules)
- Total: 129 Control Activities
- Each Requirement contains 1-3 Control Activities (Rules)
- Contains 51 Requirements (Rules)
Class Details¶
Core Classes¶
| Class | Purpose | Count |
|---|---|---|
| Principle | Top-level AIUC-1 framework principle | 6 |
| Requirement | Specific requirement associated with a principle | 51 |
| ControlActivity | Concrete control (Permission/Prohibition/Obligation/Recommendation) | 129 |
2. Load the data¶
In [2]:
Copied!
ran = AIAtlasNexus() # default configuration
# We can use any of the classes as the class_name argument with "get_all", let's choose `certification` to start
aiuc1_certs = ran.get_all(class_name="certification", taxonomy="aiuc1")
aiuc1_principles = ran.get_all(class_name="principle", taxonomy="aiuc1")
aiuc1_requirements = ran.get_all(class_name="requirement", taxonomy="aiuc1")
print(f"\n# Total AIUC certificates available : {len(aiuc1_certs)}") # 1
print(f"\n# Total AIUC principles available : {len(aiuc1_principles)}") # 6
print(f"\n# Total AIUC requirements available : {len(aiuc1_requirements)}") # 51
# Let's just print out a few for now
print(f"\n# First 2 AIUC principles in list ")
print(aiuc1_principles[:2])
# Find an element by ID
instance = ran.get_by_id(
class_name="principle",
identifier="aiuc1-principle-d"
)
print(f"\n# Get instance of principle, `aiuc1-principle-d` by ID ")
print(instance)
ran = AIAtlasNexus() # default configuration
# We can use any of the classes as the class_name argument with "get_all", let's choose `certification` to start
aiuc1_certs = ran.get_all(class_name="certification", taxonomy="aiuc1")
aiuc1_principles = ran.get_all(class_name="principle", taxonomy="aiuc1")
aiuc1_requirements = ran.get_all(class_name="requirement", taxonomy="aiuc1")
print(f"\n# Total AIUC certificates available : {len(aiuc1_certs)}") # 1
print(f"\n# Total AIUC principles available : {len(aiuc1_principles)}") # 6
print(f"\n# Total AIUC requirements available : {len(aiuc1_requirements)}") # 51
# Let's just print out a few for now
print(f"\n# First 2 AIUC principles in list ")
print(aiuc1_principles[:2])
# Find an element by ID
instance = ran.get_by_id(
class_name="principle",
identifier="aiuc1-principle-d"
)
print(f"\n# Get instance of principle, `aiuc1-principle-d` by ID ")
print(instance)
[2026-02-19 22:13:36:965] - INFO - AIAtlasNexus - Created AIAtlasNexus instance. Base_dir: None
# Total AIUC certificates available : 1
# Total AIUC principles available : 6
# Total AIUC requirements available : 51
# First 2 AIUC principles in list
[ Principle( id='aiuc1-principle-a', name='Principle A: Data and Privacy', description='Protect against data leakage, IP leakage, and training on user data without consent', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=[], related_mappings=[], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', isDefinedByVocabulary=None, hasDocumentation=['AIUC-1-Jan-2026'], isPartOf=None, requiredByTask=[], requiresCapability=[], implementedByAdapter=[], type='Principle' ), Principle( id='aiuc1-principle-b', name='Principle B: Security', description='Protect against adversarial attacks like jailbreaks and prompt injections as well as unauthorized tool calls', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=[], related_mappings=[], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', isDefinedByVocabulary=None, hasDocumentation=['AIUC-1-Jan-2026'], isPartOf=None, requiredByTask=[], requiresCapability=[], implementedByAdapter=[], type='Principle' ) ]
# Get instance of principle, `aiuc1-principle-d` by ID
Principle( id='aiuc1-principle-d', name='Principle D: Reliability', description='Prevent hallucinations and unreliable tool calls to business systems', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=[], related_mappings=[], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', isDefinedByVocabulary=None, hasDocumentation=['AIUC-1-Jan-2026'], isPartOf=None, requiredByTask=[], requiresCapability=[], implementedByAdapter=[], type='Principle' )
2.1. Associated requirements¶
We can get all the associated requirements for a given principle:
In [3]:
Copied!
# Find an element by attribute value pair
instances = ran.query(
class_name="requirement",
hasPrinciple="aiuc1-principle-d"
)
print(f"\n# Get a list of of requirements, that are part of `aiuc1-principle-d` principle")
print(instances)
# Find an element by attribute value pair
instances = ran.query(
class_name="requirement",
hasPrinciple="aiuc1-principle-d"
)
print(f"\n# Get a list of of requirements, that are part of `aiuc1-principle-d` principle")
print(instances)
# Get a list of of requirements, that are part of `aiuc1-principle-d` principle
[ Requirement( id='aiuc1-req-d001', name='Prevent hallucinated outputs', description='Implement safeguards or technical controls to prevent hallucinated outputs', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=['atlas-hallucination'], related_mappings=[ 'atlas-unreliable-source-attribution', 'atlas-untraceable-attribution', 'atlas-incomplete-advice', 'atlas-poor-model-accuracy', 'llm052025-improper-output-handling', 'llm092025-misinformation' ], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', hasRule=['aiuc1-ctrl-d001-1', 'aiuc1-ctrl-d001-2', 'aiuc1-ctrl-d001-3'], type='Requirement', hasApplication=['MANDATORY'], hasFrequency='MONTHS_12', hasKeywords=[], hasPrinciple=['aiuc1-principle-d'], appliesToCapability=[], hasRequirementType=None ), Requirement( id='aiuc1-req-d002', name='Third-party testing for hallucinations', description='Appoint expert third-parties to evaluate hallucinated outputs at least every 3 months', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=['atlas-hallucination'], related_mappings=['atlas-poor-model-accuracy', 'llm092025-misinformation'], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', hasRule=['aiuc1-ctrl-d002-1'], type='Requirement', hasApplication=['MANDATORY'], hasFrequency='MONTHS_3', hasKeywords=[], hasPrinciple=['aiuc1-principle-d'], appliesToCapability=[], hasRequirementType=None ), Requirement( id='aiuc1-req-d003', name='Restrict unsafe tool calls', description='Implement safeguards or technical controls to prevent tool calls in AI systems from executing unauthorized actions, accessing restricted information, or making decisions beyond their intended scope', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=['atlas-function-calling-hallucination-agentic', 'atlas-misaligned-actions-agentic'], related_mappings=[ 'llm082025-vector-and-embedding-weaknesses', 'atlas-external-resources-attack-agentic', 'atlas-redundant-actions-agentic', 'llm102025-unbounded-consumption', 'atlas-function-calling-hallucination-agentic', 'atlas-unauthorized-use-agentic', 'llm062025-excessive-agency' ], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', hasRule=[ 'aiuc1-ctrl-d003-1', 'aiuc1-ctrl-d003-2', 'aiuc1-ctrl-d003-3', 'aiuc1-ctrl-d003-4', 'aiuc1-ctrl-d003-5' ], type='Requirement', hasApplication=['MANDATORY'], hasFrequency='MONTHS_12', hasKeywords=[], hasPrinciple=['aiuc1-principle-d'], appliesToCapability=[], hasRequirementType=None ), Requirement( id='aiuc1-req-d004', name='Third-party testing of tool calls', description='Appoint expert third-parties to evaluate tool calls in AI systems, including executing unauthorized actions, accessing restricted information, or making decisions beyond their intended scope at least every 3 months', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=['atlas-function-calling-hallucination-agentic'], related_mappings=[ 'atlas-function-calling-hallucination-agentic', 'atlas-incomplete-ai-agent-evaluation-agentic', 'llm062025-excessive-agency', 'atlas-misaligned-actions-agentic' ], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', hasRule=['aiuc1-ctrl-d004-1'], type='Requirement', hasApplication=['MANDATORY'], hasFrequency='MONTHS_3', hasKeywords=[], hasPrinciple=['aiuc1-principle-d'], appliesToCapability=[], hasRequirementType=None ) ]
In [4]:
Copied!
# all rules associated with Principle D
principle_d_rules = [req.hasRule for req in instances]
principle_d_rules_flat = [x for xs in principle_d_rules for x in xs]
full_rule_list = [ran.get_by_id(class_name="rules", identifier=id) for id in principle_d_rules_flat]
print(full_rule_list)
# all rules associated with Principle D
principle_d_rules = [req.hasRule for req in instances]
principle_d_rules_flat = [x for xs in principle_d_rules for x in xs]
full_rule_list = [ran.get_by_id(class_name="rules", identifier=id) for id in principle_d_rules_flat]
print(full_rule_list)
[ ControlActivityObligation( id='aiuc1-ctrl-d001-1', name='D001.1 Config: Groundedness filter', description='Implementing factual accuracy controls. For example, deploying available fact-checking mechanisms, flagging uncertain or low-confidence responses.', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=[], related_mappings=[], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', hasRule=[], type='ControlActivityObligation', hasControlApplication='CORE', hasEvidenceCategory=['TECHNICAL_IMPLEMENTATION'], hasTypicalLocation=['Engineering Code'], appliesToCapability=[], hasRequirement='aiuc1-req-d001', hasRequirementType=None, hasTypicalEvidence='Screenshot of code or configuration showing groundedness validation - may include filters checking responses against source documents, fact-checking API integration, or logic comparing generated content to retrieved context for factual accuracy.' ), ControlActivityObligation( id='aiuc1-ctrl-d001-2', name='D001.2 Demonstration: User-facing citations & source attributions', description='Establishing information source validation. For example, requiring citations for factual claims, implementing source reliability checks.', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=[], related_mappings=[], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', hasRule=[], type='ControlActivityObligation', hasControlApplication='CORE', hasEvidenceCategory=['TECHNICAL_IMPLEMENTATION'], hasTypicalLocation=['Product'], appliesToCapability=[], hasRequirement='aiuc1-req-d001', hasRequirementType=None, hasTypicalEvidence='Screenshot of UI or output format showing citations and source attributions provided to users - may include inline citations, source links, reference lists, or attribution labels identifying where information originated.' ), ControlActivityRecommendation( id='aiuc1-ctrl-d001-3', name='D001.3 Demonstration: User-facing uncertainty labels', description='Maintaining uncertainty communication. For example, displaying confidence levels, providing appropriate disclaimers for generated information.', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=[], related_mappings=[], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', hasRule=[], type='ControlActivityRecommendation', hasControlApplication='SUPPLEMENTAL', hasEvidenceCategory=['TECHNICAL_IMPLEMENTATION'], hasTypicalLocation=['Product'], appliesToCapability=[], hasRequirement='aiuc1-req-d001', hasRequirementType=None, hasTypicalEvidence='Screenshot of UI or output format showing confidence levels, uncertainty disclaimers, or warnings for generated information - may include confidence score displays, low-certainty warnings, or standard disclaimers about potential inaccuracies.' ), ControlActivityObligation( id='aiuc1-ctrl-d002-1', name='D002.1 Report: Hallucination testing results', description='Appointing qualified third-party assessors. Including selecting assessors with relevant technical capabilities for identified risk areas, maintaining records of assessor qualifications and independence.\n- Conducting regular testing. Including defining testing scope and methodologies based on risk taxonomy and performing assessments at least every quarter.\n- Maintaining documentation. Including testing scope, results, and remediation actions taken, tracking follow-up activities and resolution timelines.', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=[], related_mappings=[], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', hasRule=[], type='ControlActivityObligation', hasControlApplication='CORE', hasEvidenceCategory=['THIRD_PARTY_EVALS'], hasTypicalLocation=['Third-party evaluation report'], appliesToCapability=[], hasRequirement='aiuc1-req-d002', hasRequirementType=None, hasTypicalEvidence='Third-party evaluation report showing hallucination testing - must include risk taxonomy tested, testing methodology and findings, and improvement tracking with remediation timelines and documentation.' ), ControlActivityObligation( id='aiuc1-ctrl-d003-1', name='D003.1 Config: Tool authorization & validation', description='Implementing function call validation and authorization. For example, restricting tool access to approved functions, validating parameters before execution.', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=[], related_mappings=[], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', hasRule=[], type='ControlActivityObligation', hasControlApplication='CORE', hasEvidenceCategory=['TECHNICAL_IMPLEMENTATION'], hasTypicalLocation=['Engineering Code'], appliesToCapability=[], hasRequirement='aiuc1-req-d003', hasRequirementType=None, hasTypicalEvidence='Screenshot of code or configuration showing function allowlists, parameter validation logic, or authz checks before tool execution - may include tool permission schemas, input validation functions, or access control lists restricting available tools per agent/user.' ), ControlActivityObligation( id='aiuc1-ctrl-d003-2', name='D003.2 Config: Rate limits for tools', description='Enforcing rate limits and transaction caps for autonomous tool use.', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=[], related_mappings=[], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', hasRule=[], type='ControlActivityObligation', hasControlApplication='CORE', hasEvidenceCategory=['TECHNICAL_IMPLEMENTATION'], hasTypicalLocation=['Engineering Code'], appliesToCapability=[], hasRequirement='aiuc1-req-d003', hasRequirementType=None, hasTypicalEvidence='Screenshot of code or configuration showing rate limits and transaction caps on tool usage - may include per-tool usage quotas, time-windowed limits, or circuit breakers preventing excessive autonomous tool calls.' ), ControlActivityObligation( id='aiuc1-ctrl-d003-3', name='D003.3 Config: Tool call log', description='Establishing execution monitoring and logging. For example, tracking all tool calls, monitoring for unauthorized access attempts or scope violations.', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=[], related_mappings=[], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', hasRule=[], type='ControlActivityObligation', hasControlApplication='CORE', hasEvidenceCategory=['TECHNICAL_IMPLEMENTATION'], hasTypicalLocation=['Logs'], appliesToCapability=[], hasRequirement='aiuc1-req-d003', hasRequirementType=None, hasTypicalEvidence='Screenshot of logging configuration, monitoring dashboard, or audit logs showing tracked tool calls - may include tool execution logs with timestamps and parameters, alerts for unauthorized access attempts, or monitoring system flagging scope violations.' ), ControlActivityRecommendation( id='aiuc1-ctrl-d003-4', name='D003.4 Config: Human-approval workflows', description='Requiring human approval for sensitive tool operations. For example, requiring human confirmation before executing high-risk actions, implementing approval workflows for operations beyond autonomous boundaries.', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=[], related_mappings=[], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', hasRule=[], type='ControlActivityRecommendation', hasControlApplication='SUPPLEMENTAL', hasEvidenceCategory=['OPERATIONAL_PRACTICES'], hasTypicalLocation=['Internal processes'], appliesToCapability=[], hasRequirement='aiuc1-req-d003', hasRequirementType=None, hasTypicalEvidence='Screenshot of approval workflow, code requiring human confirmation, or ticketing system for sensitive tool operations' ), ControlActivityRecommendation( id='aiuc1-ctrl-d003-5', name='D003.5 Documentation: tool call log reviews', description='Reviewing patterns of AI tool usage. For example, identifying anomalies, updating tool permissions, and retiring unused or high-risk functions during scheduled evaluations.', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=[], related_mappings=[], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', hasRule=[], type='ControlActivityRecommendation', hasControlApplication='SUPPLEMENTAL', hasEvidenceCategory=['OPERATIONAL_PRACTICES'], hasTypicalLocation=['Internal processes'], appliesToCapability=[], hasRequirement='aiuc1-req-d003', hasRequirementType=None, hasTypicalEvidence='Reports or documentation showing periodic review of tool usage patterns, permission updates, and function retirement decisions - may include usage analytics identifying anomalies, change logs showing permission adjustments, or records of deprecated/retired tools with rationale.' ), ControlActivityObligation( id='aiuc1-ctrl-d004-1', name='D004.1 Report: Tool call testing', description='Appointing qualified third-party assessors. Including selecting assessors with relevant technical capabilities for identified risk areas, maintaining records of assessor qualifications and independence.\n- Conducting regular testing. Including defining testing scope and methodologies based on risk taxonomy and performing assessments of tool calls at least every quarter.\n- Maintaining documentation. Including testing scope, results, and remediation actions taken, tracking follow-up activities and resolution timelines.', url=None, dateCreated=None, dateModified=None, exact_mappings=[], close_mappings=[], related_mappings=[], narrow_mappings=[], broad_mappings=[], isDefinedByTaxonomy='aiuc1', hasRule=[], type='ControlActivityObligation', hasControlApplication='CORE', hasEvidenceCategory=['THIRD_PARTY_EVALS'], hasTypicalLocation=['Third-party evaluation report'], appliesToCapability=[], hasRequirement='aiuc1-req-d004', hasRequirementType=None, hasTypicalEvidence='Third-party evaluation report showing tool call testing - must include risk taxonomy tested, testing methodology and findings, and improvement tracking with remediation timelines and documentation.' ) ]
In [5]:
Copied!
# Util functions
def get_mapped_aiuc1_requirements(ibm_risk_id, aiuc1_requirements):
"""
Find the AIUC-1 requirements that map to a given IBM risk
"""
mapping_fields = ['close_mappings', 'exact_mappings', 'related_mappings', 'broad_mappings', 'narrow_mappings']
matched_reqs = defaultdict(list) # req_id -> [mapping_types]
for req in aiuc1_requirements:
for field_name in mapping_fields:
if hasattr(req, field_name):
field_value = getattr(req, field_name)
if field_value:
ids = field_value if isinstance(field_value, list) else [field_value]
if ibm_risk_id in ids:
if req.id not in matched_reqs:
matched_reqs[req.id] = []
matched_reqs[req.id].append(field_name.replace('_mappings', '').capitalize())
return matched_reqs
# Get all AIUC-1 requirements
aiuc1_requirements = ran.get_all(class_name='requirement', taxonomy='aiuc1')
# Get all IBM Risk Atlas risks
ibm_risks = ran.get_all(class_name='entries', taxonomy='ibm-risk-atlas')
ibm_risks = [r for r in ibm_risks if hasattr(r, 'isDefinedByTaxonomy') and r.isDefinedByTaxonomy == 'ibm-risk-atlas']
# Create lookup dictionaries
ibm_risk_map = {risk.id: risk for risk in ibm_risks}
aiuc1_req_map = {req.id: req for req in aiuc1_requirements}
# Build the crosswalk data
crosswalk_data = []
for ibm_risk in ibm_risks:
mapped_aiuc1_reqs = get_mapped_aiuc1_requirements(ibm_risk.id, aiuc1_requirements)
mapped_reqs_list = []
for req_id, mapping_types in sorted(mapped_aiuc1_reqs.items()):
req = aiuc1_req_map.get(req_id)
if req:
mapping_str = ', '.join(mapping_types)
mapped_reqs_list.append(f'{req_id} ({mapping_str})')
crosswalk_data.append({
'IBM_AI_Risk_Atlas_Risk_ID': ibm_risk.id,
'IBM_AI_Risk_Atlas_Risk_Name': ibm_risk.name,
'IBM_Description': ibm_risk.description[:150] if ibm_risk.description else '',
'Mapped_AIUC1_Requirements_Count': len(mapped_aiuc1_reqs),
'Mapped_AIUC1_Requirements': ', '.join(mapped_reqs_list) if mapped_reqs_list else ''
})
crosswalk_df = pd.DataFrame(crosswalk_data)
# Sort by number of mappings (descending)
crosswalk_df = crosswalk_df.sort_values('Mapped_AIUC1_Requirements_Count', ascending=False).reset_index(drop=True)
print("Crosswalk ready")
# Util functions
def get_mapped_aiuc1_requirements(ibm_risk_id, aiuc1_requirements):
"""
Find the AIUC-1 requirements that map to a given IBM risk
"""
mapping_fields = ['close_mappings', 'exact_mappings', 'related_mappings', 'broad_mappings', 'narrow_mappings']
matched_reqs = defaultdict(list) # req_id -> [mapping_types]
for req in aiuc1_requirements:
for field_name in mapping_fields:
if hasattr(req, field_name):
field_value = getattr(req, field_name)
if field_value:
ids = field_value if isinstance(field_value, list) else [field_value]
if ibm_risk_id in ids:
if req.id not in matched_reqs:
matched_reqs[req.id] = []
matched_reqs[req.id].append(field_name.replace('_mappings', '').capitalize())
return matched_reqs
# Get all AIUC-1 requirements
aiuc1_requirements = ran.get_all(class_name='requirement', taxonomy='aiuc1')
# Get all IBM Risk Atlas risks
ibm_risks = ran.get_all(class_name='entries', taxonomy='ibm-risk-atlas')
ibm_risks = [r for r in ibm_risks if hasattr(r, 'isDefinedByTaxonomy') and r.isDefinedByTaxonomy == 'ibm-risk-atlas']
# Create lookup dictionaries
ibm_risk_map = {risk.id: risk for risk in ibm_risks}
aiuc1_req_map = {req.id: req for req in aiuc1_requirements}
# Build the crosswalk data
crosswalk_data = []
for ibm_risk in ibm_risks:
mapped_aiuc1_reqs = get_mapped_aiuc1_requirements(ibm_risk.id, aiuc1_requirements)
mapped_reqs_list = []
for req_id, mapping_types in sorted(mapped_aiuc1_reqs.items()):
req = aiuc1_req_map.get(req_id)
if req:
mapping_str = ', '.join(mapping_types)
mapped_reqs_list.append(f'{req_id} ({mapping_str})')
crosswalk_data.append({
'IBM_AI_Risk_Atlas_Risk_ID': ibm_risk.id,
'IBM_AI_Risk_Atlas_Risk_Name': ibm_risk.name,
'IBM_Description': ibm_risk.description[:150] if ibm_risk.description else '',
'Mapped_AIUC1_Requirements_Count': len(mapped_aiuc1_reqs),
'Mapped_AIUC1_Requirements': ', '.join(mapped_reqs_list) if mapped_reqs_list else ''
})
crosswalk_df = pd.DataFrame(crosswalk_data)
# Sort by number of mappings (descending)
crosswalk_df = crosswalk_df.sort_values('Mapped_AIUC1_Requirements_Count', ascending=False).reset_index(drop=True)
print("Crosswalk ready")
Crosswalk ready
Now let's understand some stats about the current mapping data.
In [6]:
Copied!
print('CROSSWALK STATISTICS')
print(f'\nTotal IBM Risks: {len(crosswalk_df)}')
print(f'IBM Risks with AIUC-1 Mappings: {(crosswalk_df["Mapped_AIUC1_Requirements_Count"] > 0).sum()}')
print(f'IBM Risks without Mappings: {(crosswalk_df["Mapped_AIUC1_Requirements_Count"] == 0).sum()}')
print(f'\nMapping Distribution:')
print(f' Min mappings per risk: {crosswalk_df["Mapped_AIUC1_Requirements_Count"].min()}')
print(f' Max mappings per risk: {crosswalk_df["Mapped_AIUC1_Requirements_Count"].max()}')
print(f' Mean mappings per risk: {crosswalk_df["Mapped_AIUC1_Requirements_Count"].mean():.2f}')
print(f'\nTop 10 IBM Risks by AIUC-1 Requirement Count:')
top_risks = crosswalk_df.nlargest(10, 'Mapped_AIUC1_Requirements_Count')[['IBM_AI_Risk_Atlas_Risk_ID', 'IBM_AI_Risk_Atlas_Risk_Name', 'Mapped_AIUC1_Requirements_Count']]
print(top_risks.to_string(index=False))
print('CROSSWALK STATISTICS')
print(f'\nTotal IBM Risks: {len(crosswalk_df)}')
print(f'IBM Risks with AIUC-1 Mappings: {(crosswalk_df["Mapped_AIUC1_Requirements_Count"] > 0).sum()}')
print(f'IBM Risks without Mappings: {(crosswalk_df["Mapped_AIUC1_Requirements_Count"] == 0).sum()}')
print(f'\nMapping Distribution:')
print(f' Min mappings per risk: {crosswalk_df["Mapped_AIUC1_Requirements_Count"].min()}')
print(f' Max mappings per risk: {crosswalk_df["Mapped_AIUC1_Requirements_Count"].max()}')
print(f' Mean mappings per risk: {crosswalk_df["Mapped_AIUC1_Requirements_Count"].mean():.2f}')
print(f'\nTop 10 IBM Risks by AIUC-1 Requirement Count:')
top_risks = crosswalk_df.nlargest(10, 'Mapped_AIUC1_Requirements_Count')[['IBM_AI_Risk_Atlas_Risk_ID', 'IBM_AI_Risk_Atlas_Risk_Name', 'Mapped_AIUC1_Requirements_Count']]
print(top_risks.to_string(index=False))
CROSSWALK STATISTICS
Total IBM Risks: 99
IBM Risks with AIUC-1 Mappings: 77
IBM Risks without Mappings: 22
Mapping Distribution:
Min mappings per risk: 0
Max mappings per risk: 6
Mean mappings per risk: 1.64
Top 10 IBM Risks by AIUC-1 Requirement Count:
IBM_AI_Risk_Atlas_Risk_ID IBM_AI_Risk_Atlas_Risk_Name Mapped_AIUC1_Requirements_Count
atlas-incorrect-risk-testing Incorrect risk testing 6
atlas-harmful-output Harmful output 5
atlas-unauthorized-use-agentic Unauthorized use 5
atlas-legal-accountability Legal accountability 5
atlas-unrepresentative-risk-testing Unrepresentative risk testing 4
atlas-prompt-leaking Prompt leaking 4
atlas-external-resources-attack-agentic Attack on AI agents' external resources 3
atlas-misaligned-actions-agentic Misaligned actions 3
atlas-lack-of-testing-diversity Lack of testing diversity 3
atlas-harmful-code-generation Harmful code generation 3
Display Crosswalk Table (Mapped Risks only)
In [7]:
Copied!
# Show only risks with mappings
mapped_risks_df = crosswalk_df[crosswalk_df['Mapped_AIUC1_Requirements_Count'] > 0]
print(f'\nIBM Risks with AIUC-1 Mappings ({len(mapped_risks_df)} risks):')
mapped_risks_df
# Show only risks with mappings
mapped_risks_df = crosswalk_df[crosswalk_df['Mapped_AIUC1_Requirements_Count'] > 0]
print(f'\nIBM Risks with AIUC-1 Mappings ({len(mapped_risks_df)} risks):')
mapped_risks_df
IBM Risks with AIUC-1 Mappings (77 risks):
Out[7]:
| IBM_AI_Risk_Atlas_Risk_ID | IBM_AI_Risk_Atlas_Risk_Name | IBM_Description | Mapped_AIUC1_Requirements_Count | Mapped_AIUC1_Requirements | |
|---|---|---|---|---|---|
| 0 | atlas-incorrect-risk-testing | Incorrect risk testing | A metric selected to measure or track a risk i... | 6 | aiuc1-req-c001 (Related), aiuc1-req-c002 (Rela... |
| 1 | atlas-harmful-output | Harmful output | A model might generate language that leads to ... | 5 | aiuc1-req-c003 (Close), aiuc1-req-c005 (Close)... |
| 2 | atlas-unauthorized-use-agentic | Unauthorized use | Unauthorized use: If attackers can gain access... | 5 | aiuc1-req-b006 (Close), aiuc1-req-b007 (Relate... |
| 3 | atlas-legal-accountability | Legal accountability | Determining who is responsible for an AI model... | 5 | aiuc1-req-e001 (Related), aiuc1-req-e002 (Rela... |
| 4 | atlas-unrepresentative-risk-testing | Unrepresentative risk testing | Testing is unrepresentative when the test inpu... | 4 | aiuc1-req-c001 (Related), aiuc1-req-c002 (Rela... |
| ... | ... | ... | ... | ... | ... |
| 72 | atlas-impact-human-agency-agentic | AI agents' impact on human agency | The autonomous nature of AI agents in performi... | 1 | aiuc1-req-c009 (Related) |
| 73 | atlas-introduce-data-bias-agentic | Introduce data bias | Specific actions taken by the AI agent, such a... | 1 | aiuc1-req-c003 (Related) |
| 74 | atlas-untraceable-attribution | Untraceable attribution | The content of the training data used for gene... | 1 | aiuc1-req-d001 (Related) |
| 75 | atlas-non-disclosure | Non-disclosure | Content might not be clearly disclosed as AI g... | 1 | aiuc1-req-e016 (Close) |
| 76 | atlas-data-provenance | Uncertain data provenance | Data provenance refers to the traceability of ... | 1 | aiuc1-req-e006 (Related) |
77 rows × 5 columns
Understand which risks are not currently mapped.
In [8]:
Copied!
# Example 1: Find IBM risks without AIUC-1 mappings
unmapped = crosswalk_df[crosswalk_df['Mapped_AIUC1_Requirements_Count'] == 0]
if len(unmapped) > 0:
print(f"Unmapped risks ({len(unmapped)})")
print(unmapped[['IBM_AI_Risk_Atlas_Risk_ID', 'IBM_AI_Risk_Atlas_Risk_Name']].to_string(index=False))
# Example 1: Find IBM risks without AIUC-1 mappings
unmapped = crosswalk_df[crosswalk_df['Mapped_AIUC1_Requirements_Count'] == 0]
if len(unmapped) > 0:
print(f"Unmapped risks ({len(unmapped)})")
print(unmapped[['IBM_AI_Risk_Atlas_Risk_ID', 'IBM_AI_Risk_Atlas_Risk_Name']].to_string(index=False))
Unmapped risks (22)
IBM_AI_Risk_Atlas_Risk_ID IBM_AI_Risk_Atlas_Risk_Name
atlas-unrepresentative-data Unrepresentative data
atlas-impact-human-dignity-agentic Impact on human dignity
atlas-discriminatory-actions-agentic Discriminatory actions
atlas-impact-on-human-agency AI agents' Impact on human agency
atlas-impact-jobs-agentic AI agents' impact on jobs
atlas-data-curation Improper data curation
atlas-temporal-gap Temporal gap
atlas-lack-domain-expertise Lack of domain expertise
atlas-exclusion Exclusion
atlas-impact-environment-agentic AI agents' impact on environment
atlas-data-contamination Data contamination
atlas-impact-on-the-environment Impact on the environment
atlas-impact-on-affected-communities Impact on affected communities
atlas-improper-retraining Improper retraining
atlas-spreading-toxicity Spreading toxicity
atlas-inaccessible-training-data Inaccessible training data
atlas-impact-on-jobs Impact on Jobs
atlas-bypassing-learning Impact on education: bypassing learning
atlas-plagiarism Impact on education: plagiarism
atlas-impact-on-cultural-diversity Impact on cultural diversity
atlas-data-transparency Lack of training data transparency
atlas-overfitting Overfitting