SAIL 2.0

/

Test - AI Red Teaming

/

Lack of Risk Assessment Process

4.3

.

Lack of Risk Assessment Process

sail
4.3
Risk

Lack of Risk Assessment Process

Description

Inconsistent methodology, coverage, and severity scoring across teams; evidence may be incomplete or non-comparable.

Example

One team only tests bias and prompt injection; another only jailbreaks; nobody covers tool-chain hijacking or A2A smuggling.

Assets Affected

No core AI components directly affected - relates to testing process

Mitigation
  • Adopt a red-team playbook/checklist (MITRE ATLAS, OWASP Agentic Top 10, MAESTRO, OWASP MAS)
  • maintain a severity taxonomy covering agentic failure modes
  • train red-team staff on agentic attack chains.
Standards Mapping
  • ISO: A.5.2, Clause 6.1.2
  • EU AI Act: Art. 9
  • DASF: Platform 12.2
  • AIUC-1: C001, E008