{ "version": "1.0.0", "locked_date": "2026-05-13", "failure_modes": [ { "slug": "hallucination", "name": "Hallucination", "definition": "The model fabricates a fact, citation, policy, or quote that has no basis in source data.", "long_definition": "Hallucination is the most cataloged failure mode. The model produces output that is fluent, confident, and wrong. It happens in chatbots that invent legal precedents, copilots that misquote internal policy, voice agents that promise things the company will not honor, and search products that synthesize fake sources. The mechanism is statistical, not malicious. The cost is reputational, legal, and financial.", "realm_capability": "Prism observes hallucination signatures in the model's internal state. AIDR flags the moment the model commits to a fabricated claim. OmniGuard can block the response inline.", "sort_order": 1 }, { "slug": "prompt-injection", "name": "Prompt Injection", "definition": "Adversarial input changes the model's behavior in ways the operator did not authorize.", "long_definition": "Prompt injection is the SQL injection of AI. A user, a document, an email, or a web page contains instructions that the model treats as authoritative. The model then leaks data, ignores guardrails, takes unauthorized actions, or impersonates roles. Direct injection comes from the user. Indirect injection comes from retrieved content the model was asked to read.", "realm_capability": "OmniGuard intercepts injection patterns at the prompt and tool-call layer. Prism flags concept activations that indicate the model is being redirected.", "sort_order": 2 }, { "slug": "data-leakage", "name": "Data Leakage", "definition": "The model emits training data, secrets, or another user's data.", "long_definition": "Data leakage takes three shapes. The model regurgitates training data verbatim. The model surfaces secrets that ended up in its context window because of poor retrieval boundaries. The model serves one tenant data that belongs to another tenant. All three end the same way: a customer sees something they should not have seen.", "realm_capability": "OmniGuard redacts inline. Prism observes the model's representations to flag identity-bound content before it reaches a response. AIDR provides the audit trail.", "sort_order": 3 }, { "slug": "policy-violation", "name": "Policy Violation", "definition": "The model violates a stated company policy or a regulation that applies to the deployment.", "long_definition": "Policy violation is what happens when the model knows what it should not say but says it anyway. It includes promising refunds the company does not offer, quoting prices that are not approved, giving medical or legal advice that the deployment prohibits, or producing content that violates regulatory rules (FINRA suitability, HIPAA disclosure, GDPR consent, CFPB UDAAP).", "realm_capability": "OmniGuard authors policy at the runtime layer and enforces it inline. Prism reads the model's intent against the policy boundary.", "sort_order": 4 }, { "slug": "agentic-action-error", "name": "Agentic Action Error", "definition": "An agent takes a wrong real-world action that has consequences outside the chat surface.", "long_definition": "Agentic action error is what happens when AI stops chatting and starts doing. It cancels the wrong reservation. It refunds the wrong customer. It merges the wrong account. It commits code that breaks production. It files a Jira ticket against the wrong project. The harm is no longer a wrong sentence on a screen. The harm is a wrong row in a system of record.", "realm_capability": "AgentRealm is purpose-built for this. The agent-runtime layer above Prism and OmniGuard inspects each tool call against intent and scope, and intervenes before the action commits.", "sort_order": 5 }, { "slug": "tool-misuse", "name": "Tool Misuse", "definition": "An agent calls the wrong tool or calls a tool with wrong arguments.", "long_definition": "Tool misuse is the failure mode below agentic action error. The agent picked the wrong function, or passed parameters that pointed at the wrong target. Sometimes the action goes through and the harm is the same as an agentic action error. Sometimes the tool errors out and the harm is a stuck workflow that masquerades as availability. Either way the agent did not do what the user asked.", "realm_capability": "AgentRealm inspects each function call against the agent's stated intent. OmniGuard can require human-in-the-loop for high-risk tools.", "sort_order": 6 }, { "slug": "identity-and-access-drift", "name": "Identity & Access Drift", "definition": "An agent acts outside the scope, identity, or permissions it was assigned.", "long_definition": "Identity and access drift is the failure mode that maps to the security team's nightmare. An agent escalates its own privileges. An agent acts on behalf of one user using another user's session. An agent inherits a connector permission it should not have. The model is doing what it was technically allowed to do, but not what the operator intended.", "realm_capability": "OmniGuard enforces identity-bound scope at every tool call. AgentRealm reconciles agent action with the assigned principal in real time.", "sort_order": 7 }, { "slug": "brand-and-safety-incident", "name": "Brand & Safety Incident", "definition": "The model produces toxic, defamatory, or off-brand output that becomes public.", "long_definition": "Brand and safety incidents are the failures that go viral. The chatbot insults a customer. The voice agent uses a slur. The model defames a real person. The copilot writes something the press can screenshot. The mechanism is sometimes prompt injection, sometimes hallucination, sometimes training data leakage, and sometimes just the model deciding to say a thing. Recovery costs more than the deployment was supposed to save.", "realm_capability": "Prism reads the model's representation against brand and safety policy. OmniGuard blocks inline. AIDR provides the post-incident audit trail.", "sort_order": 8 } ], "industries": [ { "slug": "asset-management", "name": "Asset Management", "intro": "Asset managers are deploying AI inside research, client communication, trade ops, and risk. Each surface fails in a different shape. The ones below are what we have seen in public.", "icp_tier": "ICP-1" }, { "slug": "retail-banking", "name": "Retail Banking", "intro": "Retail banks moved chatbots to the front line for support, then to onboarding, then to fraud triage. The failures track the surfaces.", "icp_tier": "ICP-1" }, { "slug": "fintech-and-payments", "name": "Fintech & Payments", "intro": "Fintechs ship faster than banks. They also fail in public faster. These are the cases that show what payments-adjacent AI does wrong.", "icp_tier": "ICP-1" }, { "slug": "saas", "name": "SaaS", "intro": "Every SaaS company is now an AI company. These are the ones where the AI feature outran the safety story.", "icp_tier": "ICP-2" }, { "slug": "retail-and-ecommerce", "name": "Retail & E-commerce", "intro": "Retail chatbots and pricing agents have shipped at scale. So have their public failures.", "icp_tier": "ICP-2" }, { "slug": "travel-and-hospitality", "name": "Travel & Hospitality", "intro": "Booking, refund, and loyalty surfaces touch real money. AI failures here travel fast and land in court.", "icp_tier": "ICP-2" }, { "slug": "healthcare", "name": "Healthcare", "intro": "Healthcare AI failures end in regulatory letters, patient harm, or both. We catalog the public ones.", "icp_tier": "ICP-3" }, { "slug": "public-sector", "name": "Public Sector", "intro": "Government and public-sector AI deployments are subject to public records laws. The failures are unusually visible.", "icp_tier": "ICP-3" }, { "slug": "legal-services", "name": "Legal Services", "intro": "Legal AI failures are documented inside court filings. The receipts are the docket.", "icp_tier": "ICP-3" }, { "slug": "insurance", "name": "Insurance", "intro": "Insurance AI failures touch underwriting, claims, and customer comms. Each surface has its own failure mode.", "icp_tier": "ICP-3" }, { "slug": "other", "name": "Cross-industry", "intro": "Consumer apps, media, manufacturing, education, and anything that does not fit a primary vertical lands here.", "icp_tier": "None" } ], "ai_surfaces": [ { "slug": "chatbot", "name": "Chatbot", "definition": "Customer-facing conversational interface. The most cataloged surface." }, { "slug": "copilot", "name": "Copilot", "definition": "Employee-facing assistant embedded in a productivity surface. Microsoft 365 Copilot, Google Duet, internal builds." }, { "slug": "voice-agent", "name": "Voice Agent", "definition": "Phone or in-product voice surface. Failures travel further because audio is harder to redact after the fact." }, { "slug": "agentic-workflow", "name": "Agentic Workflow", "definition": "Multi-step agent that calls tools, retrieves data, and takes actions. The fastest-growing failure surface." }, { "slug": "code-assistant", "name": "Code Assistant", "definition": "AI that writes or commits code. Failures land in git history and stay there." }, { "slug": "search-rag", "name": "Search / RAG", "definition": "Retrieval-augmented search and answer surfaces. Failures look like authoritative wrong answers." }, { "slug": "computer-vision", "name": "Computer Vision", "definition": "Image and video recognition: facial recognition, object detection, visual inspection. Failures misidentify people and things with high confidence." }, { "slug": "recommender", "name": "Recommender", "definition": "Ranking and recommendation engines that steer what people see, buy, or watch. Failures amplify at feed scale." }, { "slug": "autonomous-system", "name": "Autonomous System", "definition": "Vehicles, robots, and other systems that act in the physical world. Failures are kinetic and often irreversible." }, { "slug": "algorithmic-decision", "name": "Algorithmic Decision", "definition": "Scoring and eligibility models that decide who gets credit, benefits, bail, or a job. Failures deny at scale and hide behind the score." }, { "slug": "media-generation", "name": "Media Generation", "definition": "Image, video, and audio generation tools. Failures produce content that crosses legal and safety lines." }, { "slug": "machine-translation", "name": "Machine Translation", "definition": "Automated translation between languages. Failures change what someone said, with legal consequences." } ], "severities": [ { "value": "Catastrophic", "definition": "Class-action lawsuit, regulatory enforcement, material financial harm, fatal or near-fatal user harm.", "color": "#B91C1C" }, { "value": "High", "definition": "Public press cycle longer than 72 hours, named-customer harm, executive apology or resignation.", "color": "#EA580C" }, { "value": "Medium", "definition": "Public incident with brief press cycle, no named regulatory action.", "color": "#CA8A04" }, { "value": "Low", "definition": "Surfaced on social media, no broad press, no enforcement.", "color": "#475569" } ], "source_types": [ "Primary", "Press", "Social", "Court Filing", "Customer-Disclosed", "Reader-Submitted" ] }