At the ISF World Congress in Prague 2025, I gave a talk on a small visual that Daniel Kroiss and I use in our AI security work: the AI Risk Compass. It exists to fix a specific kind of meeting. Ask an AppSec engineer, a data scientist, and a board member what "AI risk" means, and you get three different answers. All three are partial, and they rarely connect.

Presenting the AI Risk Compass at the ISF World Congress in Prague
Presenting the compass at the ISF World Congress, Prague.

The compass sorts the threats into four quadrants:

The AI Risk Compass: a 2×2 mapping AI threats across an attacker-versus-defender axis and a harm-versus-asset axis
The AI Risk Compass, by Bernhard Wannasek and Daniel Kroiss.
  • The Attacker's Advantage: attackers turning AI into a weapon, from deepfake voice scams to AI-assisted intrusion.
  • The Defender's Dilemma: the cost of not adopting AI for defense while your analysts burn out on alert volume and the other side automates.
  • Securing the Brain: threats to the models themselves, like data poisoning, model theft, or a compromised supply chain.
  • Taming the Beast: risk from your own AI when it gets manipulated, hallucinates, or leaks data it should never have surfaced.

Two axes make it useful. Left to right runs from enterprise and strategic risk, the board's territory, to hands-on application risk owned by AppSec, developers, and data scientists. Top to bottom separates the quadrants where AI is actively causing harm from the ones where AI is the asset you defend with or have to protect.

Once it's on a whiteboard, people stop talking past each other. The board can stay on strategic exposure without being pulled into prompt injection, and the engineers stop being handed deepfake policy. Everyone works the same map, and the meeting finally goes somewhere.