Mapping AI harms: a taxonomy for HR, compliance, and risk leaders
Artificial intelligence is reshaping how organizations operate, but its rapid adoption brings risks that demand structured governance. For senior HR, compliance, and risk leaders, understanding AI’s potential harms isn’t just about regulatory alignment—it’s about safeguarding people, reputation, and operational integrity. A continuous governance framework is essential, but it starts with a clear taxonomy of risks. Below, we break down AI harms across individuals, groups, society, organizations, and the environment, along with frameworks to assess and mitigate them.
Why a harms taxonomy matters
A harms taxonomy is more than a checklist—it’s an ontological map of negative consequences that could arise from AI deployment. By categorizing risks, organizations can:
Identify vulnerabilities before they escalate into crises
Align AI governance with privacy and security frameworks (e.g., ISO 42001, ISO 27001)
Prioritize mitigation efforts based on severity and likelihood
Foster empathy by centering the human impact of AI decisions
Without this structure, AI risks remain abstract, making it harder to justify investments in governance or demonstrate compliance to regulators.
Privacy harms taxonomies: the foundation for AI risk assessment
Privacy harms taxonomies provide a blueprint for understanding AI’s downstream effects. Here are three influential models:
MITRE PANOPTIC Privacy Threat Model
Combines contextual domains (e.g., healthcare, finance) with privacy activities (e.g., data collection, inference) to assess threats. Its data-driven structure supports red-teaming and risk modeling.
Ryan Calo’s Subjective/Objective Harms
Categorizes harms as subjective (internal to the individual, like psychological distress) or objective (external, like economic loss from adverse actions).
Citron and Solove’s Harm Types
Identifies seven harm categories: physical, reputational, relationship, economic, discrimination, psychological, and autonomy. This framework is particularly useful for HR leaders evaluating AI’s impact on employees.
These taxonomies help organizations move beyond generic "privacy risks" to specific, actionable scenarios—like how an AI hiring tool might perpetuate discrimination under the EU AI Act.
AI-specific harms taxonomies
AI introduces unique risks that overlap with—but extend beyond—traditional privacy harms. Three key frameworks include:
Sociotechnical Harms of Algorithmic Systems
Organizes harms into five themes:
Representational: Stereotyping or erasure of groups (e.g., facial recognition bias against darker-skinned individuals).
Allocative: Denial of resources or opportunities (e.g., AI-driven loan denials).
Quality-of-service: Unequal performance (e.g., voice assistants struggling with non-native accents).
Interpersonal: Harm to relationships (e.g., AI-generated deepfakes damaging reputations).
Social system/societal: Erosion of trust in institutions (e.g., AI-driven misinformation).
CSET AI Harm Taxonomy for AIID
Defines AI harm as requiring four elements: a harmful event, an affected entity, an AI system, and a circumstance linking them. This structure helps organizations trace harms back to root causes.
NIST AI Risk Management Framework (RMF)
Focuses on minimizing negative impacts while maximizing AI’s benefits. Identifies harms to people (e.g., bias), organizations (e.g., reputational damage), and ecosystems (e.g., environmental costs). The RMF is particularly valuable for aligning AI governance with broader risk management strategies.
Core risks and harms posed by AI systems
AI systems reflect the biases, values, and limitations of their human creators. When deployed without governance, they can amplify harms across multiple dimensions. Below, we explore risks to individuals, groups, society, organizations, and the environment.
Individual harms
Definition: Harms to a person’s civil liberties, rights, physical/psychological safety, or economic opportunity.
AI-driven bias is one of the most visible individual harms. It can manifest in several ways:
Implicit bias: Unconscious preferences embedded in training data (e.g., favoring certain demographics in hiring).
Sampling bias: Over- or under-representation of groups in training data (e.g., facial recognition trained primarily on lighter-skinned faces).
Temporal bias: Data that becomes outdated (e.g., hiring algorithms trained on pre-pandemic workforce trends).
These biases can lead to:
Overfitting: AI models performing well on training data but failing in real-world scenarios.
Underfitting: Models too simplistic to capture critical patterns (e.g., missing nuanced job qualifications).
Edge cases: Rare but high-impact scenarios (e.g., AI misclassifying an employee’s performance due to atypical work patterns).
Examples of individual harm
Category | Example | Impact |
|---|---|---|
Employment bias | Amazon’s AI hiring tool discriminated against women due to biased training data. | Reinforced gender gaps in tech hiring. |
Facial recognition | London police AI system had an 81% inaccuracy rate for darker-skinned individuals. | Biased policing and wrongful arrests. |
Economic discrimination | AI-driven lending tools denied loans based on socioeconomic background. | Perpetuated cycles of financial exclusion. |
Privacy violations | AI trained on social media data without user consent. | Loss of control over personal information. |
Education access | AI school selection systems excluded students from underrepresented groups. | Limited opportunities for marginalized communities. |
Privacy concerns
AI systems often rely on vast datasets, raising concerns about:
Data appropriation: Using personal data for unintended purposes (e.g., training AI on employee emails without consent).
Inference risks: AI drawing sensitive conclusions from seemingly innocuous data (e.g., predicting health conditions from shopping habits).
Lack of transparency: Employees or customers unaware their data is being used (e.g., chatbots processing sensitive HR queries).
As generative AI and agentic workspaces proliferate, these risks will only grow. Organizations must implement clear policies around data consent, purpose limitation, and auditability.
A closer look at bias
Not all bias is harmful—some is necessary (e.g., denying loans to high-risk applicants). The key is distinguishing between acceptable and unacceptable bias. For example:
Acceptable: An AI tool prioritizing candidates with relevant certifications for a technical role.
Unacceptable: An AI tool downgrading candidates from certain zip codes due to historical discrimination.
HR and compliance leaders must work with data scientists to audit AI systems for discriminatory patterns and align them with legal and ethical standards.
Group and societal harms
Group harms: Discrimination against population subgroups (e.g., racial, gender, or religious groups). Societal harms: Erosion of democratic processes, public trust, or social cohesion.
Key risks
Group discrimination: AI systems reflecting or amplifying societal biases (e.g., predictive policing tools disproportionately targeting minority communities).
Mass surveillance: AI-powered monitoring eroding privacy and autonomy (e.g., workplace productivity tools tracking employees’ every keystroke).
Echo chambers: AI-driven content recommendation systems reinforcing polarization (e.g., social media algorithms amplifying extremist views).
Lethal AI weapons: Autonomous systems making life-and-death decisions without human oversight (e.g., military drones).
These harms aren’t hypothetical. For example, facial recognition systems have been used to identify protesters, raising concerns about free speech and civil liberties. Similarly, AI-driven hiring tools have excluded qualified candidates from marginalized groups, perpetuating systemic inequities.
Environmental harms
AI’s environmental impact is often overlooked but significant. Key concerns include:
Carbon emissions: Training a single large AI model can emit over 626,000 pounds of CO₂—equivalent to five times the lifetime emissions of an average car.
Energy consumption: Major cloud providers’ energy use for AI training rivals that of small countries.
Water usage: Data centers powering AI systems consume vast amounts of water for cooling (e.g., one generative AI query can "waste" a small bottle of water).
Lithium extraction: The demand for batteries to support AI infrastructure strains water supplies and ecosystems, particularly in regions like South America.
For organizations committed to sustainability, these harms present a dilemma: how to leverage AI’s benefits while minimizing its environmental footprint. Solutions include:
Using energy-efficient hardware (e.g., GPUs optimized for AI workloads).
Prioritizing cloud providers powered by renewable energy.
Adopting "green AI" practices, such as model pruning and federated learning.
Organizational harms
AI risks extend beyond individuals and society—they can directly harm organizations. Here’s how:
Harm Type | Description | Potential Impact |
|---|---|---|
Reputational | Loss of trust due to AI failures (e.g., biased hiring tools, data breaches). | Customer churn, share price drops, and brand damage. |
Cultural | AI systems reinforcing stereotypes or exclusionary norms (e.g., chatbots using gendered language). | Reduced inclusivity, employee disengagement, and talent loss. |
Economic | Costs from litigation, remediation, or regulatory fines (e.g., EU AI Act penalties up to 7% of global revenue). | Financial losses, resource diversion, and operational disruptions. |
Acceleration | Unanticipated risks from AI’s speed and complexity (e.g., shadow AI tools spreading misinformation). | Wider and more severe impacts than traditional technologies. |
Legal | Noncompliance with regulations (e.g., GDPR, CCPA, EU AI Act). | Fines, sanctions, and loss of market access. |
“Given the scope, the scale, the speed, and the potential impact of artificial intelligence, it is essential that harms continue to be identified both at the start of the AI creation process and throughout the lifecycle.”
Vivienne Artz, AIGP, Senior Data Strategy and Privacy Policy Advisor
Organizations can mitigate these risks by integrating AI governance into broader risk management frameworks, conducting regular audits, and fostering a culture of accountability.
Key takeaways for HR, compliance, and risk leaders
Adopt a structured approach: Use harms taxonomies (e.g., NIST RMF, Sociotechnical Harms) to systematically identify and assess AI risks.
Prioritize bias mitigation: Audit AI systems for discriminatory patterns, particularly in high-stakes areas like hiring, lending, and law enforcement.
Safeguard privacy: Implement policies for data consent, purpose limitation, and transparency to prevent misuse of personal information.
Address environmental impact: Partner with sustainability teams to reduce AI’s carbon footprint and water usage.
Prepare for regulatory scrutiny: Align AI governance with frameworks like ISO 42001 and the EU AI Act to avoid fines and reputational damage.
Foster continuous governance: AI risks evolve rapidly; static policies won’t suffice. Adopt continuous oversight to keep pace with innovation.
AI’s potential is undeniable, but so are its risks.



