In [1]:
from risk_atlas_nexus.ai_risk_ontology.datamodel.ai_risk_ontology import Risk
from risk_atlas_nexus import RiskAtlasNexus

  from tqdm.autonotebook import tqdm


# Risk Atlas Nexus - Use a Custom Action list

Risk Atlas Nexus project provides an ontology combining an AI risk view (taxonomies, risks, actions) with an AI model view (AI systems, AI models, model evaluations) into one coherent schema.

AI Risks were collected from IBM Risk Atlas, IBM Granite Guardian, MIT AI Risk Repository, NIST Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile, the AILuminate Benchmark, Credo's Unified Control Framework, and OWASP Top 10 for Large Language Model Applications. 

You can add your own custom action list.  

In [2]:
ran = RiskAtlasNexus(base_dir="/Users/ingevejs/Documents/workspace/ingelise/risk-atlas-nexus/src/risk_atlas_nexus/data/knowledge_graph_prep") # path to add for custom content
all_actions = ran.get_all_actions()
print(f"\n# Total actions available : {len(all_actions)}") # 372

# Let's just print out a few for now
print(f"\n# First 2 actions in list ") 
print(all_actions[:2])

[2025-05-06 15:44:43:734] - INFO - RiskAtlasNexus - Created RiskAtlasNexus instance. Base_dir: /Users/ingevejs/Documents/workspace/ingelise/risk-atlas-nexus/src/risk_atlas_nexus/data/knowledge_graph_prep



# Total actions available : 372

# First 2 actions in list 
[Action(id='GV-1.1-001', name='GV-1.1-001', description='Align GAI development and use with applicable laws and regulations, including those related to data privacy, copyright and intellectual property law.', url=None, dateCreated=None, dateModified=None, hasRelatedRisk=['nist-data-privacy', 'nist-intellectual-property'], hasDocumentation=['NIST.AI.600-1'], isDefinedByTaxonomy=None, hasAiActorTask=['Governance and Oversight']), Action(id='GV-1.2-001', name='GV-1.2-001', description='Establish transparency policies and processes for documenting the origin and history of training data and generated data for GAI applications to advance digital content transparency, while balancing the proprietary nature of training approaches.', url=None, dateCreated=None, dateModified=None, hasRelatedRisk=['nist-data-privacy', 'nist-information-integrity', 'nist-intellectual-property'], hasDocumentation=['NIST.AI.600-1'], isDefinedByTaxonomy=No

In [3]:
all_actions = ran.get_all_actions()
all_actions

[Action(id='GV-1.1-001', name='GV-1.1-001', description='Align GAI development and use with applicable laws and regulations, including those related to data privacy, copyright and intellectual property law.', url=None, dateCreated=None, dateModified=None, hasRelatedRisk=['nist-data-privacy', 'nist-intellectual-property'], hasDocumentation=['NIST.AI.600-1'], isDefinedByTaxonomy=None, hasAiActorTask=['Governance and Oversight']),
 Action(id='GV-1.2-001', name='GV-1.2-001', description='Establish transparency policies and processes for documenting the origin and history of training data and generated data for GAI applications to advance digital content transparency, while balancing the proprietary nature of training approaches.', url=None, dateCreated=None, dateModified=None, hasRelatedRisk=['nist-data-privacy', 'nist-information-integrity', 'nist-intellectual-property'], hasDocumentation=['NIST.AI.600-1'], isDefinedByTaxonomy=None, hasAiActorTask=['Governance and Oversight']),
 Action(id

In [4]:
custom_actions = ran.get_all_actions(taxonomy='ibm-custom-mitigations')
custom_actions

[Action(id='ibm-action-list-data-sources', name='List the data sources', description='List the data sources used in building the model', url=None, dateCreated=None, dateModified=None, hasRelatedRisk=['atlas-lack-of-data-transparency', 'atlas-data-provenance'], hasDocumentation=['ibm-custom-mitigations-doc'], isDefinedByTaxonomy='ibm-custom-mitigations', hasAiActorTask=None),
 Action(id='ibm-action-present-the-risks', name='Present potential risks to user', description='Present the potential risks associated with the data sources used in building the model', url=None, dateCreated=None, dateModified=None, hasRelatedRisk=['atlas-lack-of-data-transparency', 'atlas-unrepresentative-data', 'atlas-reidentification', 'atlas-personal-information-in-data', 'atlas-improper-retraining', 'atlas-data-acquisition', 'atlas-data-bias', 'atlas-data-contamination', 'atlas-data-curation', 'atlas-data-poisoning', 'atlas-data-privacy-rights', 'atlas-data-provenance', 'atlas-data-transfer', 'atlas-data-trans

In [5]:
action1 = custom_actions[10]
action1.model_dump()

{'id': 'ibm-action-document-performance-changes',
 'name': 'Document performance changes',
 'description': 'Identify and document performance improvements or declines.',
 'url': None,
 'dateCreated': None,
 'dateModified': None,
 'hasRelatedRisk': ['atlas-data-transparency',
  'atlas-lack-of-model-transparency',
  'atlas-lack-of-system-transparency'],
 'hasDocumentation': ['ibm-custom-mitigations-doc'],
 'isDefinedByTaxonomy': 'ibm-custom-mitigations',
 'hasAiActorTask': None}

In [6]:
all_action_risks = []
for action in all_actions:
    if action.hasRelatedRisk is not None:
        all_action_risks.extend(action.hasRelatedRisk)


risks = []
for action in custom_actions:
    if action.hasRelatedRisk is not None:
        risks.extend(action.hasRelatedRisk)
print(f"\n# All actions: {len(all_actions)}")
print(f"\n# All actions Related risk entries: {len(all_action_risks)}") 
print(f"\n# All actions Unique risks covered: {len(set(all_action_risks))}")  
print(f"\n# Custom actions: {len(custom_actions)}") 
print(f"\n# Custom actions Related risk entries: {len(risks)}") 
print(f"\n# Custom actions Unique risks covered: {len(set(risks))}") 


# All actions: 372

# All actions Related risk entries: 599

# All actions Unique risks covered: 75

# Custom actions: 118

# Custom actions Related risk entries: 160

# Custom actions Unique risks covered: 36


In [7]:
all_risk_controls = ran.get_all_risk_controls()
len(all_risk_controls)
print(f"\n# All other risk controls: {len(all_risk_controls)}")
all_risk_controls


# All other risk controls: 13


[RiskControl(id='gg-harm-detection', name='Harm detection', description=None, url=None, dateCreated=None, dateModified=None, isDetectedBy=None, detectsRiskConcept=['granite-guardian-harm'], isDefinedByTaxonomy='ibm-granite-guardian'),
 RiskControl(id='gg-social-bias-detection', name='Social Bias detection', description=None, url=None, dateCreated=None, dateModified=None, isDetectedBy=None, detectsRiskConcept=['granite-social-bias'], isDefinedByTaxonomy='ibm-granite-guardian'),
 RiskControl(id='gg-profanity-detection', name='Profanity detection', description=None, url=None, dateCreated=None, dateModified=None, isDetectedBy=None, detectsRiskConcept=['granite-profanity'], isDefinedByTaxonomy='ibm-granite-guardian'),
 RiskControl(id='gg-sexual-content-detection', name='Sexual Content detection', description=None, url=None, dateCreated=None, dateModified=None, isDetectedBy=None, detectsRiskConcept=['granite-sexual-content'], isDefinedByTaxonomy='ibm-granite-guardian'),
 RiskControl(id='gg-u

# What next?

Great, now we have a lot of content loaded.  How should it be loaded to Openpages?

Options include:
1. Create a FASTMAP excel file for import
2. Make API calls, using the GRC REST API
3. ?  

1. Option 1. Create a FASTMAP excel file for import
- 1.1 Create file
- 1.2 Validate the file 
- 1.3 Upload the file

In [8]:
!%pip install xlsxwriter
import pandas as pd 
import http.client
import os

REPLACE_BASIC_AUTH = "<REPLACE_BASIC_AUTH>"
REPLACE_BASEPATH_VARIABLE= "<REPLACE_BASEPATH_VARIABLE>"

def create_fastmap_file(output_file_path):

    # TODO: need help of specialist to understand what are the sheets to create, ID conventions etc
    
    # DEFINITIONs
    # CREATE DFs
    # SAVE TO EXCEL

    # business_entities
    business_entities = [
        {
            "Parent Path":"/Library/MRG",
            "Parent Object Types":"Business Entity", 
            "Parent Objects": "MRG",	
            "Folder Path":"/Library/MRG/Risk Atlas Nexus Library",
            "Name":"Risk Atlas Nexus Library",
            "Description":"Risk Atlas Nexus AI Risk Library",
            "Entity Type":"Library",
            "Executive Owner":"",
            "Tags":""
        }
    ]

    df_be = pd.DataFrame(data=business_entities)
    

    #models
    models = [
        {
            "Parent Path":"/Library/MRG/Risk Atlas Nexus Library",
            "Parent Object Types":"Business Entity", 
            "Parent Objects": "Risk Atlas Nexus Library",	
            "Folder Path":"/Library/MRG/Risk Atlas Nexus Library",
            "Name.ID":"MOD_0000000",
            "Name.Title":"",
            "Description":"Placeholder model used to link to Risk Atlas Nexus AI Risk Library objects",
            "Model Status":"Decommissioned",
            "Model Created By":"OpenPagesAdminsitrator",
            "Creation Date":"1-Jan-2024 0:00:00",
            "Last Modification Date":"1-Jan-2024 0:00:00",
            "Created By": "OpenPagesAdministrator",
            "Last Modified By":"OpenPagesAdministrator",
            "Tags":""
        }
    ]

    df_models = pd.DataFrame(data=models)


    # risks 
    risks = []


    for counter, x in enumerate(ran.get_all_risks()):
        x_risk = {"Parent Path":"/Library/MRG/Risk Atlas Nexus Library",
                 "Parent Object Types":"Model",
                 "Parent Objects":"MOD_0000000",
                 "Folder Path":"/Library/MRG/Risk Atlas Nexus Library",
                 "Name.ID": "MOD_0000000_RIS_000000" +str(counter),  
                 "Name.Title": x.name,
                 "Description": x.description,
                 "Tags": x.relatedMatch,
                 "Reference URL": x.url,
                 "Domain":"Model governance",
                 "Owner":"OpenPagesAdministrator",
                 "Status":"Not Applicable",
                 "Submit for Approval?":"No",
                 "Inherent Impact":"Not Determined",
                 "Inherent Likelihood":"Not Determined",
                 "Inherent Risk Rating":"Not Determined",
                 "Residual Impact":"Not Determined",
                 "Residual Likelihood":"Not Determined",
                 "Residual Risk Rating":"Not Determined",
                 "Created By":"OpenPagesAdministrator",
                 "Creation Date":"1-Jan-2024 0:00:00",
                 "Last Modified By":"OpenPagesAdministrator",
                 "Last Modification Date":"1-Jan-2024 0:00:00",
                 "Assessment Method":"Qualitative",
                 "Library ID": "Nexus-Risk-"+str(counter)
        }
        risks.append(x_risk)

    df_risks = pd.DataFrame(data=risks)
    
    # write it all to excel 

    with pd.ExcelWriter(output_file_path) as writer:
        df_be.to_excel(writer, sheet_name="Business Entities")
        df_models.to_excel(writer, sheet_name="Models")  
        df_risks.to_excel(writer, sheet_name="Risks")  


def validate_for_openpages(content_path):
    file_name = os.path.basename(content_path)
    print(f"Validating file name: {file_name} ...")
    with open(content_path, 'rb') as f:
        f_data = f.read()
        conn = http.client.HTTPSConnection("replace_server_name_variable")

        payload = f_data

        headers = {
            'Authorization': "Basic {REPLACE_BASIC_AUTH}",
            'content-type': "application/octet-stream",
            'accept': "application/json"
            }

        conn.request("POST", "/{REPLACE_BASEPATH_VARIABLE}/v2/fastmap/validate?file_name={file_name}", payload, headers)
        res = conn.getresponse()
        data = res.read()
        print(data.decode("utf-8"))


def upload_to_openpages(content_path):
    file_name = os.path.basename(content_path)
    print(f"Uploading file name: {file_name} ...")
    with open(content_path, 'rb') as f:
        f_data = f.read()
        conn = http.client.HTTPSConnection("replace_server_name_variable")

        payload = f_data
        stop_on_warnings = 'true'

        headers = {
            'Authorization': "Basic {REPLACE_BASIC_AUTH}",
            'content-type': "application/octet-stream",
            'accept': "application/json"
            }

        conn.request("POST", "/{REPLACE_BASEPATH_VARIABLE}/v2/fastmap/import?file_name={file_name}&stop_on_warnings={stop_on_warnings}", payload, headers)
        res = conn.getresponse()
        data = res.read()
        print(data.decode("utf-8"))




zsh:fg:1: no job control in this shell.


In [9]:
# 1.1
create_fastmap_file(output_file_path="/Users/ingevejs/Documents/workspace/ingelise/risk-atlas-nexus/not for upload/test_outut.xlsx")

In [10]:
# 1.2
content_path = "/Users/ingevejs/Documents/workspace/ingelise/risk-atlas-nexus/not for upload/Worksheet in IBM OpenPages- FastMap.xls"
validate_for_openpages(content_path)

Validating file name: Worksheet in IBM OpenPages- FastMap.xls ...


gaierror: [Errno 8] nodename nor servname provided, or not known

Big assumption: file was valid and everything is fine!

Moving on to 1.3...

In [None]:
# 1.3
upload_to_openpages(content_path)

In [11]:
# output the actions to a csv for mike

df_custom_actions = pd.DataFrame([action.model_dump() for action in custom_actions])
df_selected_fields = df_custom_actions[["id", "name", "description", "hasRelatedRisk"]]
df_selected_fields

Unnamed: 0,id,name,description,hasRelatedRisk
0,ibm-action-list-data-sources,List the data sources,List the data sources used in building the model,"[atlas-lack-of-data-transparency, atlas-data-p..."
1,ibm-action-present-the-risks,Present potential risks to user,Present the potential risks associated with th...,"[atlas-lack-of-data-transparency, atlas-unrepr..."
2,ibm-action-declare-team-composition,Describe the risk management team composition,Document the risk management team composition ...,"[atlas-lack-of-data-transparency, atlas-lack-o..."
3,ibm-action-document-system-validity-reliability,Document the validity and reliability of the A...,Document the validity and reliability of the A...,"[atlas-data-transparency, atlas-lack-of-model-..."
4,ibm-action-document-fairness-evaluation,Document fairness and bias evaluation,Document fairness and bias evaluation.,"[atlas-data-bias, atlas-output-bias, atlas-dec..."
...,...,...,...,...
113,ibm-action-describe-feedback-developer,Describe feedback received by developer,Please share the summary of the feedback the m...,
114,ibm-action-quantify-dependent-applications,Quantify dependent applications,Please share the number of applications depend...,"[atlas-lack-of-model-transparency, atlas-lack-..."
115,ibm-action-upload-report,Upload usage report,Document whether usage statistics describing t...,[atlas-lack-of-model-transparency]
116,ibm-action-describe-redress,Describe the redress mechanisms,Please share the mechanism used to redress use...,


In [12]:
# output the mapping
df_selected_fields= df_selected_fields.explode("hasRelatedRisk")
df_selected_fields
#df_pivot = pd.crosstab(df_selected_fields.explode("hasRelatedRisk")["hasRelatedRisk"], )
#df_pivot

Unnamed: 0,id,name,description,hasRelatedRisk
0,ibm-action-list-data-sources,List the data sources,List the data sources used in building the model,atlas-lack-of-data-transparency
0,ibm-action-list-data-sources,List the data sources,List the data sources used in building the model,atlas-data-provenance
1,ibm-action-present-the-risks,Present potential risks to user,Present the potential risks associated with th...,atlas-lack-of-data-transparency
1,ibm-action-present-the-risks,Present potential risks to user,Present the potential risks associated with th...,atlas-unrepresentative-data
1,ibm-action-present-the-risks,Present potential risks to user,Present the potential risks associated with th...,atlas-reidentification
...,...,...,...,...
116,ibm-action-describe-redress,Describe the redress mechanisms,Please share the mechanism used to redress use...,
117,ibm-action-provide-relevant-detail,Provide the relevant details,Document details about whether the wages and i...,atlas-human-exploitation
117,ibm-action-provide-relevant-detail,Provide the relevant details,Document details about whether the wages and i...,atlas-data-transparency
117,ibm-action-provide-relevant-detail,Provide the relevant details,Document details about whether the wages and i...,atlas-data-curation


In [24]:
by_related_risk = df_selected_fields.groupby("hasRelatedRisk")
for rr, id in by_related_risk:
    print(f"Entries for {rr!r}")
    print("------------------------")
    print(id, end="\n\n")


Entries for 'atlas-confidential-information-in-data'
------------------------
                             id                             name  \
1  ibm-action-present-the-risks  Present potential risks to user   

                                         description  \
1  Present the potential risks associated with th...   

                           hasRelatedRisk  
1  atlas-confidential-information-in-data  

Entries for 'atlas-dangerous-use'
------------------------
                                id  \
60  ibm-action-provide-filter-info   
91     ibm-action-provide-evidence   

                                             name  \
60  Provide information on the associated filters   
91                               Provide evidence   

                                          description       hasRelatedRisk  
60  Provide information on the data filters used t...  atlas-dangerous-use  
91  Document if evaluations of the models risks re...  atlas-dangerous-use  

Entries for 'atla