# Risk Atlas Nexus: Quick Start Guide


## Dependencies
Tip: Ensure you have followed installation instructions for the risk_atlas_nexus library

```
git clone git@github.com:IBM/risk-atlas-nexus.git
cd risk-atlas-nexus
python -m venv vrisk-atlas-nexus
source vrisk-atlas-nexus/bin/activate
pip install -e .
```

In [1]:
# imports
from rich import print
from risk_atlas_nexus.ai_risk_ontology.datamodel.ai_risk_ontology import Risk, LLMIntrinsic
from risk_atlas_nexus import RiskAtlasNexus

  from tqdm.autonotebook import tqdm


Risk Atlas Nexus project provides an ontology combining an AI risk view (taxonomies, risks, actions) with an AI model view (AI systems, AI models, model evaluations) into one coherent schema.

AI Risks were collected from IBM Risk Atlas, IBM Granite Guardian, MIT AI Risk Repository, NIST Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile, the AILuminate Benchmark, Credo's Unified Control Framework, and OWASP Top 10 for Large Language Model Applications. 

You can use the python library methods to quickly explore available risks, relations and actions, as well as to detect potential risks in your usecase.

Important references:
- [LinkML schema documentation](https://ibm.github.io/risk-atlas-nexus/ontology/)
- [LinkML instance data for an example knowledge graph](https://github.com/IBM/risk-atlas-nexus/blob/main/src/risk_atlas_nexus/data/knowledge_graph/README.md)

## About this notebook

This notebook contains three sections. Section 1 showcases the default functionality, while Sections 2-3 exhibit useful configurations. 

1. How to use Risk Atlas Nexus with default configuration?
> In this section, we demonstrate a default method to use Risk Alas Nexus to explore risks and related risks

2. How to use Risk Atlas Nexus to filter results for specific taxonomy?
> We provide guidance on filtering the results for a specific taxonomies. This section highlights the ability to filter the taxonomy content.

3. Bring Your Own Taxonomies/Risks/Actions
> Risk Atlas Nexus allows users to define custom Taxonomies/Risks/Actions. In this section, we will show you how to load and configure your own data instances.


### 1. Use case: Risk Atlas Nexus with default configuration
Create a new instance of Risk Atlas Nexus and use it to explore the risks.  By default, it loads in all data from [data folder](../../src/risk_atlas_nexus/data/knowledge_graph/README.md)


In [2]:
ran = RiskAtlasNexus() # no args, so default configuration 

all_risks = ran.get_all_risks()
print(f"\n# Total risks available : {len(all_risks)}") # 518

# Let's just print out a few for now
print(f"\n# First 2 risks in list ") 
print(all_risks[:2])


[2025-10-15 09:32:29:764] - INFO - RiskAtlasNexus - Created RiskAtlasNexus instance. Base_dir: None


#### 1.1 Explore risk object

In [3]:

# Each risk is returned as a pydantic "Risk" object as defined in risk_atlas_nexus.ai_risk_ontology.datamodel.ai_risk_ontology
toxic_risk = ran.get_risk(id='atlas-toxic-output')
print(f"\n# Get a risk by ID, 'atlas-toxic-output'  ") 
print(dict(toxic_risk))

# Explore related risks
print(f"\n# Get full entry for each related risks by ID for 'atlas-toxic-output' ") 
related_risks = ran.get_related_risks(id='atlas-toxic-output')
print(related_risks)


#### 1.2 Related risks

In [4]:
# Explore related risks
print(f"\n# Get the related risk ids by ID for 'atlas-toxic-output'") 
related_risk_ids = ran.get_related_risks(id='atlas-toxic-output')
print(related_risk_ids)

# For related risks, maybe you might want the full risk to be returned, instead of just the ID
print(f"\n# Get full entry for each related risks by ID for 'atlas-toxic-output' ") 
related_risks = ran.get_related_risks(id='atlas-toxic-output')
print(related_risks)

#### 1.3 Risk Actions

Each risk may have the relationship 'hasRelatedAction', a relationship where an entity relates to an action.  We can view all actions available, or drill down into how specific actions are related to a risk.

In [5]:
all_actions = ran.get_all_actions()
print(f"\n# Total actions available : {len(all_actions)}") # 237

# Let's just print out a few for now
print(f"\n# First 2 actions in list ") 
print(all_actions[:2])

# View an individual action by ID. Each action is returned as a pydantic "Action" object as defined in risk_atlas_nexus.ai_risk_ontology.datamodel.ai_risk_ontology
an_action = ran.get_action_by_id('GV-1.3-001')
print(f"\n# Get an action by ID, 'GV-1.3-001' ") 
print(dict(an_action))

# Get any actions for the IBM risk atlas risk toxic output
print(f"\n# Get the linked actions by ID for 'atlas-toxic-output'") 
actions_for_toxic_output = ran.get_related_actions(id='atlas-toxic-output')
print(actions_for_toxic_output) # 0 expected

# Hmm, no linked actions recorded.  Let's try the related risks?
related_actions = []
related_risks = ran.get_related_risks(id='atlas-toxic-output')
for a_risk in related_risks:
    related_actions.extend(ran.get_related_actions(id=a_risk.id))

print(f"\n# Get the actions for the risks which are marked as related to'atlas-toxic-output'") 
print(related_actions)


#### 1.4 Risk Controls

Each risk may have the relationship 'isDetectedBy', a relationship where a risk, risk source, consequence, or impact is detected by a risk control.  We can view all risk controls available, or drill down into how specific controls are related to a risk.

In [6]:
all_risk_controls = ran.get_all_risk_controls()
print(f"\n# Total risk controls available : {len(all_risk_controls)}") # 13

# Let's just print out a few for now
print(f"\n# First 2 risk controls in list ") 
print(all_risk_controls[:2])

# View an individual risk control by ID. Each risk control is returned as a pydantic "RiskControl" object as defined in risk_atlas_nexus.ai_risk_ontology.datamodel.ai_risk_ontology
a_risk_control = ran.get_risk_control('gg-function-call-detection')
print(f"\n# Get a risk control by ID, 'gg-function-call-detection' ") 
print(dict(a_risk_control))

# Get any risk controls for the risk granite-function-call
print(f"\n# Get the linked risk controls by ID for 'granite-function-call") 
controls_for_granite_function_call = ran.get_related_risk_controls(id='granite-function-call')
print(controls_for_granite_function_call) # 1 expected


#### 1.5 Risk Incidents

Risk incidents can also be modelled using the Risk Atlas Nexus.  We can view all risk incidents available, or drill down into a specific incident.


In [7]:
all_risk_incidents = ran.get_risk_incidents()
print(f"\n# Total risk incidents available : {len(all_risk_incidents)}") # 0

# Let's just print out a few for now
print(f"\n# First 2 risk incidents in list ") 
print(all_risk_incidents[:2])

# View an individual risk incident by ID. Each risk incident is returned as a pydantic "RiskIncident" object as defined in risk_atlas_nexus.ai_risk_ontology.datamodel.ai_risk_ontology
a_risk_incident = ran.get_risk_incident(id='ibm-ai-risk-atlas-ri-toxic-and-aggressive-chatbot-responses')
print(f"\n# Get a risk incident by ID, 'ibm-ai-risk-atlas-ri-toxic-and-aggressive-chatbot-responses'") 
if a_risk_incident:
    print(dict(a_risk_incident))
else:
    print(f"\n# Risk incident 'ibm-ai-risk-atlas-ri-toxic-and-aggressive-chatbot-responses' not found") 

# Get any risk incidents which are linked to the IBM risk atlas risk harmful output
print(f"\n# Get the linked risk incidents by ID for 'atlas-toxic-output'") 
linked_incidents = ran.get_related_risk_incidents(risk_id='atlas-toxic-output')
print(linked_incidents) # 0 expected


#### 1.6 Evaluations

AI Evaluations (LLMBenchmarks) can also be modelled using the Risk Atlas Nexus.  We can view all evaluations available, or drill down into a specific evaluation.
Ai Evaluations may have additional metadata associated with them

In [8]:
all_evaluations = ran.get_all_evaluations()
print(f"\n# Total evaluations available : {len(all_evaluations)}") # 02

# Let's just print out a few for now
print(f"\n# First 2 evaluations in list ") 
print(all_evaluations[:2])

# View an individual evaluation by ID. Each evaluation is returned as a pydantic "AiEval" object as defined in risk_atlas_nexus.ai_risk_ontology.datamodel.ai_risk_ontology
an_evaluation = ran.get_evaluation(id='stanford-fmti')
print(f"\n# Get an evaluation by ID, 'stanford-fmti'") 
if an_evaluation:
    print(dict(an_evaluation))
else:
    print(f"\n# Evaluation 'stanford-fmti' not found") 

# Get any evaluations which are linked to the IBM risk atlas risk 'lack of model transparency'
print(f"\n# Get the linked evaluations by ID for 'atlas-lack-of-model-transparency'") 
linked_evaluations = ran.get_related_evaluations(risk_id='atlas-lack-of-model-transparency')
print(linked_evaluations) # 1 expected

# Benchmark metadata card if available
benchmark_metadata_cards = ran.get_benchmark_metadata_cards()
# Let's just print out a few for now
print(f"\n# First 2 benchmark_metadata_cards in list ") 
print(benchmark_metadata_cards[:2])

# View an individual benchark metadata card by ID. Each benchark metadata card is returned as a pydantic "BenchmarkMetadata" object as defined in risk_atlas_nexus.ai_risk_ontology.datamodel.ai_risk_ontology
a_benchmark_metadata_card = ran.get_benchmark_metadata_card(id='stanford-fmti')
print(f"\n# Get an benchmark_metadata_card by ID, 'stanford-fmti'") 
if a_benchmark_metadata_card:
    print(dict(a_benchmark_metadata_card))
else:
    print(f"\n# Benchark metadata card  'stanford-fmti' not found") 


No matching benchmark_metadata_card found


#### 1.7 Documentation and Datasets
You might also be interested in inspecting the documentation and datsets within the library.


In [9]:
all_documents = ran.get_documents()
print(f"\n# Total documents available : {len(all_documents)}") # 02

# Let's just print out a few for now
print(f"\n# First 2 documents in list ") 
print(all_documents[:2])

# View an individual document by ID. Each evaluation is returned as a pydantic "Documentation" object as defined in risk_atlas_nexus.ai_risk_ontology.datamodel.ai_risk_ontology
a_document = ran.get_document(id='10a99803d8afd656')
print(f"\n# Get a document by ID, '10a99803d8afd656'") 
if a_document:
    print(dict(a_document))
else:
    print(f"\n# Document '10a99803d8afd656' not found") 

In [10]:
all_datasets = ran.get_datasets()
print(f"\n# Total datasets available : {len(all_datasets)}") # 02

# Let's just print out a few for now
print(f"\n# First 2 datasets in list ") 
print(all_datasets[:2])

# View an individual dataset by ID. Each dataset is returned as a pydantic "Dataset" object as defined in risk_atlas_nexus.ai_risk_ontology.datamodel.ai_risk_ontology
a_dataset= ran.get_dataset(id='truthfulqa/truthful_qa')
print(f"\n# Get a dataset by ID, 'truthfulqa/truthful_qa'") 
if a_dataset:
    print(dict(a_dataset))
else:
    print(f"\n# Dataset 'truthfulqa/truthful_qa' not found") 

#### 1.8 Stakeholders
You can inspect the stakeholders in the library.

In [11]:
all_stakeholders = ran.get_stakeholders()
print(f"\n# Total stakeholders available : {len(all_stakeholders)}") # 02

# Let's just print out a few for now
print(f"\n# First 2 stakeholders in list ") 
print(all_stakeholders[:2])

# View an individual stakeholder by ID. Each stakeholder is returned as a pydantic "Stakeholder" object as defined in risk_atlas_nexus.ai_risk_ontology.datamodel.ai_risk_ontology
a_stakeholder = ran.get_stakeholder(id='csiro-stakeholder-ai-technology-producers')
print(f"\n# Get a stakeholder by ID, 'csiro-stakeholder-ai-technology-producers'") 
if a_stakeholder:
    print(dict(a_stakeholder))
else:
    print(f"\n# Stakeholder 'csiro-stakeholder-ai-technology-producers' not found")

#### 1.9 Intrinsics and Adapters

The LLM intrinsics are available for inspection.

In [12]:
all_intrinsics = ran.get_intrinsics()
print(f"\n# Total intrinsics available : {len(all_intrinsics)}") 
# Let's just print out a few for now
print(f"\n# First 2 intrinsics in list ") 
print(all_intrinsics[:2])

# View an individual intrinsic by ID. Each intrinsic is returned as a pydantic "LLMIntrinsic" object as defined in risk_atlas_nexus.ai_risk_ontology.datamodel.ai_risk_ontology
an_intrinsic = ran.get_intrinsic(id='ibm-factuality-intrinsic-ad')
print(f"\n# Get an intrinsic by ID, 'ibm-factuality-intrinsic-ad'") 
if an_intrinsic:
    print(dict(an_intrinsic))
else:
    print(f"\n# LLM intrinsic 'ibm-factuality-intrinsic-ad' not found") 

# Get any intrinsics which are linked to the IBM risk atlas risk 'atlas-hallucination'
print(f"\n# Get the linked intrinsics by ID for 'atlas-hallucination'") 
linked_intrinsics = ran.get_related_intrinsics(risk_id='atlas-hallucination')
print(linked_intrinsics) # 1 expected

# We can do the same with adapters
adapters = ran.get_adapters()
# Let's just print out a few for now
print(f"\n# First 2 adapters in list ") 
print(adapters[:2])

# View an individual adapter by ID. Each adapter is returned as a pydantic "Adapter" object as defined in risk_atlas_nexus.ai_risk_ontology.datamodel.ai_risk_ontology
an_adapter = ran.get_adapter(id='ibm-factuality-adapter-granite-3.3-8b-instruct-lora-query-rewrite')
print(f"\n# Get an adapter by ID, 'ibm-factuality-adapter-granite-3.3-8b-instruct-lora-query-rewrite") 
if an_adapter:
    print(dict(an_adapter))
else:
    print(f"\n# Adapter 'ibm-factuality-adapter-granite-3.3-8b-instruct-lora-query-rewrite' not found") 


#### 1.10 LLM Question Policies

We can examine which LLM question policies are available.

In [21]:
all_llm_question_policies = ran.get_llm_question_policies()
print(f"\n# Total LLM Question Policies available : {len(all_llm_question_policies)}") 

# Let's just print out one for now
print(f"\n# First 1 llm_question_policy in list ") 
print(all_llm_question_policies[:2])


# View an individual llm question policy by ID. Each stakeholder is returned as a pydantic "LLMQuestionPolicy" object as defined in risk_atlas_nexus.ai_risk_ontology.datamodel.ai_risk_ontology
a_llm_question_policy = ran.get_llm_question_policy(id='my_policy')
print(f"\n# Get an LLM Question Policy by ID, 'my_policy'") 
if a_llm_question_policy:
    print(dict(a_llm_question_policy))

else:
    print(f"\n# LLM Question Policy 'my_policy' not found")

No matching policy found


### 2. Use case: Risk Atlas Nexus results filtered by taxonomies

First, we will examine which taxonomies are present.

In [14]:
all_taxonomies = ran.get_all_taxonomies()
print(f"\n# Total taxonomies available : {len(all_taxonomies)}") # 9
print(f"\n# Taxonomy IDs available : {[taxonomy.id for taxonomy in all_taxonomies]}") # 9

# Let's just print out a few for now
print(f"\n# First 2 taxonomies in list ") 
print(all_taxonomies[:2])

# View an individual taxonomy by ID. Each taxonomy is returned as a pydantic "RiskTaxonomy" object as defined in risk_atlas_nexus.ai_risk_ontology.datamodel.ai_risk_ontology
a_taxonomy = ran.get_taxonomy_by_id('nist-ai-rmf')
print(f"\n# Get a taxonomy by ID, 'nist-ai-rmf' ") 
print(dict(a_taxonomy))


We will look at the risks which are coming from NIST AI Risk Management Framework (AI RMF)

In [15]:
all_nist_risks = ran.get_all_risks(taxonomy='nist-ai-rmf')
print(f"\n# Total risks available : {len(all_risks)}") # 518
print(f"\n# Total NIST risks available : {len(all_nist_risks)}") # 12

# Let's just print out a few for now
print(f"\n# First 2 risks in NIST risk list ") 
print(all_nist_risks[:2])

In [16]:
ran.get_all_risks(taxonomy='ai-risk-taxonomy')

[Risk(id='ai-risk-taxonomy-network-intrusion', name='Network intrusion', description='Network intrusion is defined as whether the model response promotes or assists in unauthorized network intrusion, confidentiality breaches, or other security risks.', url=None, dateCreated=None, dateModified=None, isDetectedBy=None, hasRelatedAction=None, isDefinedByTaxonomy='ai-risk-taxonomy', isPartOf='ai-risk-taxonomy-confidentiality', closeMatch=None, exactMatch=None, broadMatch=None, narrowMatch=None, relatedMatch=None, detectsRiskConcept=None, tag=None, type=None, phase=None, descriptor=None, concern=None),
 Risk(id='ai-risk-taxonomy-vulnerability-probing', name='Vulnerability probing', description="Vulnerability probing is defined as whether the model's response potentially aids in probing or exploiting vulnerabilities, thus posing a security risk.", url=None, dateCreated=None, dateModified=None, isDetectedBy=None, hasRelatedAction=None, isDefinedByTaxonomy='ai-risk-taxonomy', isPartOf='ai-risk

### 3. Usecase: Bring Your Own Taxonomies/Risks/Actions

You can add your own risk definitions by adding yaml to your own directory and providing the path as an argument to the RAN when creating it.  
Ensure the risks comply with [the schema](../../../docs/ontology/index.md)

#### 3.1 Add your YAML definitions
Add one or more yaml files to your chosen directory.  For example, to add a new risk, create a file with the following content .

```
- id: my-own-risk
  name: A very risky AI behaviour
  description: An LLM-based system is often very risky
  isDefinedByTaxonomy: my-taxonomy
```


In [17]:
# Create an instance which extends the graph with your custom definitions
my_base_dir='<my_user_input_dir_path>'
my_extended_ran = RiskAtlasNexus(base_dir=my_base_dir)
my_extended_risks = my_extended_ran.get_all_risks()
print(f"\n# Total risks available : {len(my_extended_risks)}") 


[2025-10-15 09:32:30:135] - ERROR - RiskAtlasNexus - Directory <my_user_input_dir_path> does not exist.


FileNotFoundError: [Errno Base directory is not found] <my_user_input_dir_path>

#### 3.2 Exporting your graph
You may wish to export your extended graph.

In [None]:
# Export the total graph
my_output_dir='<my_output_dir_path>'
my_extended_ran.export(my_output_dir)
print(f"\n# Graph exported to: {my_output_dir}") 

# Check your risk is in the graph
my_risk = my_extended_ran.get_risk(id='my-own-risk')
print(f"\n# Get my own risk by ID, 'my-own-risk'  ") 
print(dict(my_risk))