Contributing Authors
You’re drowning in AI policy briefs.
Every week, there’s a new regulation, a new framework, a new incident to respond to. Your CEO asks if you’re covered. Your legal team asks what everyone else is doing. Your technical teams ask which risks matter most. Meanwhile, you’re trying to build a governance program from scratch, or overhaul one that wasn’t designed for 2026.
The MIT AI Risk Repository can’t solve all of this. But it can answer the questions that actually matter if you know how to use it.
This is a story about five governance professionals who found themselves stuck, and how the Repository helped them get unstuck.
1. The Compliance Officer Who Needed Proof
The situation: Sarah runs compliance for a mid-sized fintech company. Her CEO approved an AI-based lending recommendation tool. Marketing wants to launch in 90 days. Sarah’s job: make sure it’s defensible when (not if) something goes wrong.
She started with the usual playbook: fairness tests, bias audits, documentation. But then someone asked the question that always trips her up: “How many lending AI systems have actually failed in production?”
She didn’t know. Neither did her risk team. They had frameworks and principles, but no ground truth about what actually happens.
What she did: Sarah downloaded the incident database and filtered for “lending,” “credit,” and “financial services.” Nineteen incidents. She read them all.
Here’s what surprised her: Most failures weren’t technical failures (the model was wrong). They were visibility failures. The system was working as designed, but nobody noticed it was systematically denying credit to a specific demographic. The problem appeared 18 months in production.
That changed her roadmap. She didn’t add more pre-launch tests. She added monitoring requirements. Specifically: monthly audits of approval rates by demographic group, with automatic escalation if variance exceeds 10%. Not because a framework said so. Because the incident database showed that’s where the real risk materializes.
When the board asked, “Why this specific control?” She had evidence. Nineteen incidents’ worth.
The lesson: The Repository isn’t a compliance checklist. It’s a pattern library of what actually failed. Use it to reverse-engineer what matters.
2. The Policy Analyst Who Was Writing Into a Void
The situation: Jordan works for a state legislature. They’re drafting an AI transparency bill. Everyone has opinions. Consumer advocates want disclosure of when AI is being used. Industry says that’s unworkable. Civil rights groups want bias audits. Industry says that’s redundant with fairness assessments.
Jordan is trying to figure out: What transparency requirement would actually prevent harm?
Transparency laws look good on paper (“systems must be explainable”). In practice, no one knows what that means. Jordan needed to see: When transparency was missing, what went wrong?
What they did: Jordan used the Repository’s governance dataset to see what transparency requirements already exist (EU AI Act, NIST framework, various state proposals). Then they cross-referenced those with incidents in the “Lack of Transparency” domain.
Finding: Incidents in the transparency domain overwhelmingly involved automated decision systems where the person affected had no way to know they were interacting with AI (hiring decisions, content moderation, credit decisions). The transparency requirement that mattered: not “explain the model,” but “tell the human this decision was made by AI.”
The second-order finding: Where companies did disclose AI use (like chatbots that clearly identify themselves), incidents dropped. But where disclosure was buried in terms of service, it made no difference.
Jordan’s bill now requires clear disclosure at the point of decision, not just in documentation. Evidence-based, not principle-based.
The lesson: Use the Repository to map the gap between what regulations say and what actually prevents harm.
3. The Internal Audit Function That Needed Priority
The situation: Michael leads internal audit for a tech company. The company uses AI in four areas: content recommendation, content moderation, fraud detection, and hiring assistance. His audit budget is finite. He can deep-dive on maybe two of them this year.
Which two?
His initial instinct: prioritize hiring (most politically sensitive) and fraud detection (biggest financial impact). But that’s gut instinct. He needed data on: Which of these AI applications cause the most harm in the real world?
What he did: Michael looked up each application type in the incident database. Here’s what he found:
- Content recommendation: 37 incidents
- Content moderation: 40 incidents
- Fraud detection: 12 incidents
- Hiring/recruitment: 15 incidents
His gut was wrong. Content moderation and recommendation were the real pressure points. He’d planned to audit them as a checkbox. He completely missed that these are where most of his company’s exposure is.
He also found something more interesting: the 40 content moderation incidents fell into three clusters (false positives, missing policy violations, and cultural insensitivity). The incidents in hiring were more random. This meant: content moderation risks are systematic and preventable. Hiring risks are more idiosyncratic.
Michael redesigned his audits around this insight. He built specific tests for the three failure modes in content moderation. For hiring, he built a different kind of audit—more about process documentation than specific technical controls.
The lesson: Use incident frequency to drive priority. Use incident patterns to drive audit design.
4. The Governance Officer Who Needed to Explain the Explainable
The situation: Patricia works in enterprise risk for a large bank. She needs to brief the board on AI risk quarterly. Last quarter, she presented the standard seven-domain taxonomy: discrimination, privacy, misinformation… all equally concerning, all requiring attention.
The board looked confused. “Which one should we focus on?” Good question.
Patricia realized: she was presenting AI governance like it’s a uniform problem. It’s not. The risks stack on top of each other. A failure in one domain often drives failures in others.
What she did: Patricia used the network analysis tools I built to show the board something new: a map of which risks cascade into each other.
She showed them:
- Malicious misuse incidents often involve discrimination and misinformation simultaneously
- Content moderation failures create both safety and discrimination issues
- Privacy breaches enable targeted fraud
The board got it instantly. This wasn’t seven separate problems. This was an ecosystem where pressure on one point creates dynamics in others.
She then showed them the governance coverage map: where were regulators actually intervening? Where were gaps?
Her conclusion: “We can’t solve all seven domains equally. But if we focus on the three domains that sit at the center of this network—malicious misuse, system safety, and misinformation—we reduce cascading failures in the others.”
The board approved a 60/40 budget split: 60% on the high-centrality risks, 40% on specialized domains. Evidence-based risk prioritization.
The lesson: Use the Repository to show decision-makers why some risks matter more than others—and show them it’s data, not opinion.
5. The Startup Governance Lead Who Had to Build From Nothing
The situation: Alex just joined a fast-growing AI startup as the first full-time governance hire. Brilliant engineers, but no governance infrastructure. The CEO wants an “responsible AI program.” Alex doesn’t know where to start.
They could copy what bigger companies do. But startup constraints are different—smaller budget, different products, different risk profile.
What they did: Alex used the Repository to identify which risks were most common for startups (vs. big tech). They filtered incidents by company size (where data was available), by AI application type (matching their products), and by company maturity.
Finding: Most startup AI harms fell into two categories—undetected safety failures (they shipped systems without adequate testing) and unintended discrimination (they built with insufficient diversity in their datasets or testing populations).
Enterprise incidents skewed toward malicious misuse and governance failures. Different problem.
Alex built a lean governance program:
- Mandatory automated testing for both safety and fairness before any production deployment
- Monthly incident reviews (looking at what could fail, not what did fail)
- Quarterly external audits (because startups lack internal expertise to spot what they don’t know)
They skipped the stuff that mattered more for big tech: adversarial robustness, model explanation frameworks, governance structures. Not because those are unimportant, but because they’re premature for a startup.
Six months later, they caught a discrimination issue in their recommendation system before it shipped. The mitigation cost three weeks of engineering. If they’d shipped and had to debug in production? Months of remediation plus customer trust damage.
The lesson: Use the Repository to calibrate your governance program to your actual risk profile, not your company’s image.
How to Actually Use the Repository (Without Getting Overwhelmed)
The Repository has three datasets:
Incidents: real harms, with dates, affected parties, and failure modes. Use this to:
- See what actually happens in production
- Understand failure patterns in systems like yours
- Estimate time-to-detection (how long before a problem gets caught?)
- Plan your monitoring
Governance: existing laws, frameworks, and standards. Use this to:
- See what other jurisdictions are regulating (and whether it’s working)
- Understand the gap between what’s regulated and what’s failing
- Benchmark your controls against what’s expected
Mitigations: proposed solutions from AI risk research. Use this to:
- See which controls are recommended for your risk profile
- Understand the evidence base for specific practices
- Find approaches you haven’t considered
Here’s the workflow that works:
Step 1: Define your scope: What AI systems are you governing? Which ones create the most exposure? Start narrow.
Step 2: Search incidents: Look for incidents involving your AI system type (recommendation, moderation, hiring, etc.). Read them. Really read them. Don’t skim.
Step 3: Find patterns: What broke most often? Pre-deployment or post? Intentional misuse or unintended failure?
Step 4: Map governance: What controls do the incidents show should have prevented the failure? Is that control standard in your industry? Why or why not?
Step 5: Build your program: Design controls around the actual failure modes, not the theoretical ones. Prioritize based on frequency and severity.
Step 6: Review quarterly: New incidents keep getting added. Your program should evolve with them.
What The Repository Isn’t
Before you get excited: manage your expectations.
The Repository doesn’t tell you:
- How to design a specific control (that’s implementation detail)
- What your company’s risk tolerance should be (that’s judgment)
- Whether you’re compliant with any specific regulation (it maps regulations but doesn’t tell you if you meet them)
- How to handle novel risks that haven’t appeared as incidents yet
It’s not a checklist. It’s not a compliance roadmap. It’s not a shortcut.
What it is: a time machine for governance. It shows you what breaks, how often, and when. That’s actually rare in AI governance. Most of the field is built on theory, not observation.
Why This Actually Matters
AI governance is a young field. We’re still figuring out what works. Most governance programs are built on:
- Industry best practices (which were designed for a different era of AI)
- Regulatory requirements (which lag behind actual risks)
- Academic risk frameworks (which don’t account for how real systems fail)
- Consultant templates (which are one-size-fits-all)
The Repository is different. It’s based on what actually happened. When you design a control based on incident patterns, you’re not guessing. You’re learning from failures.
That doesn’t mean you’ll catch everything. New risks emerge. Systems fail in unexpected ways. But you’ll be investing your governance budget in the things that matter.
And you’ll be able to explain why to your board, your regulators, and your stakeholders. That’s worth a lot.
