Position: A taxonomy for reporting and describing AI security incidents

As AI usage becomes more ubiquitous, AI incident reporting is both practiced increasingly in industry and mandated by regulatory requirements. At the same time, it is established that AI systems are exploited in practice by a growing number of security threats. Yet, organizations and practitioners lack necessary guidance in describing AI security incidents. In this position paper, we argue that specific taxonomies are required to describe and report security incidents of AI systems. In other words, existing frameworks for either non-AI security or generic AI safety incident reporting are insufficient to capture the specific properties of AI security. To demonstrate our position, we offer an AI security incident taxonomy and highlight relevant properties, such as machine readability and integration with existing frameworks. We have derived this proposal from interviews with experts, aiming for standardized reporting of AI security incidents, which meets the requirements of affected stakeholder groups. We hope that this taxonomy sparks discussions and eventually allows the sharing of AI security incidents across organizations, enabling more secure AI.