LibraryDocumentsLLM Risk Scenarios
DOCUMENT 02 · MODULE

LLM Risk Scenarios

Eight top-level risk domains, expressed as Cause, Event, Consequence. Six are AI-Act-aligned attack categories; prompt injection and shadow AI receive special treatment for distinct structural reasons. Each domain is published as a standardized event-lifecycle taxonomy (phases · TTPs · controls · telemetry · CCCE).

8 risk domainsCause, Event, ConsequenceAI Act Art. 9, 15MITRE ATLAS
↓ RS1 Data Poisoning ↓ RS2 Model Poisoning ↓ RS3 Adversarial ↓ RS4 Evasion ↓ RS5 Confidentiality ↓ RS6 Model Flaws ↓ RS7 Prompt Injection ↓ RS8 Shadow AI

Risk as Cause, Event, Consequence

Each LLM risk scenario is expressed as a relationship: an (Event) caused by (Cause) resulting in (Consequence). This structure matters because LLM-related harm appears indirectly. A malicious prompt is not only an input manipulation event; it may enable disclosure, corrupt a workflow, degrade decision quality, or trigger unauthorized actions through tools or connected systems. Hallucinated content is not merely a quality issue — once embedded in reports, policies, customer communications, or employee decisions, it becomes an operational and governance problem.

Construction rules

Eight top-level risk domains

The first six domains follow an AI Act imperative to address AI-specific attacks. Domains 7 and 8 — prompt injection and shadow AI — receive special treatment because each, on independent grounds, defines a structurally distinct category of organizational exposure.

1. Data poisoning

Manipulation of the training data set such that the model learns adversary-controlled patterns. Becomes operationally significant in Fine-Tuned archetypes where the organization owns the dataset, and remains a supply-chain concern elsewhere when third-party training data is reused.

2. Model poisoning

Compromise of pre-trained components or weights used in training or inference. Most acute under Fine-Tuned and Application archetypes when checkpoints are downloaded from open repositories.

3. Adversarial examples

Inputs crafted (often mathematically) to cause the model to make a confident but wrong decision. Particularly relevant for decision-support and classification deployments where downstream actions depend on model outputs.

4. Model evasion

Inputs designed to bypass safety filters, content policies, or detection logic. Distinct from adversarial examples in that the goal is escape rather than misclassification.

5. Confidentiality attacks

Extraction of training data, system prompts, or contextual information through inference-time queries. Includes membership inference, model inversion, and prompt-leak attacks.

6. Model flaws

Failures arising from the model itself rather than from attack — hallucinations, miscalibration, drift, and unsupported generalizations. Article 15(5) of the AI Act treats these as in-scope for security analysis.

7. Prompt injection — special treatment

Prompt injection receives separate treatment because recent work shows it is not a marginal edge case but a structurally important inference-time risk. Liu et al. formalized and benchmarked prompt injection attacks across multiple models and tasks; Geng et al., synthesizing 128 studies, argue that the core weakness lies in the model's inability to cleanly distinguish instructions from data — making prompt injection a persistent control problem for LLM-enabled systems.

In methodological terms, that finding means the taxonomy must preserve a separate class for prompt-mediated control failure rather than absorbing it into generic application misuse.

8. Shadow AI — special treatment

Shadow AI is included as a distinct organizational-use domain because it operates at a different control layer than the technical risks above. Waters-Lynch et al. define shadow user innovation as employee-led AI experimentation that remains opaque to management and therefore obstructs organizational learning. Silic et al. extend this into the concept of shadow AI as the unsanctioned use of AI systems outside approved governance frameworks, producing a governance drift zone in which formal policies exist but fail to gain traction in practice.

Because the study evaluates organizational control sufficiency, these findings are central to why visibility, accountability, and escalation appear as explicit analytical dimensions in the gap typology.

Open question

The relationship between adversarial examples and model evasion (Domains 3 and 4) is debated in the literature. Some surveys treat them as one category; the framework keeps them separate because the operational signals and the control responses differ. This is noted in the limitations.

PreviousDeployment archetypes