A Taxonomy of AI Agent Risks: 15RL Classification Framework
Effective risk management requires a shared vocabulary. In our work evaluating AI agent safety across dozens of deployments, we found that teams consistently struggled to systematically enumerate the risks their agents face. Ad-hoc risk lists led to ad-hoc controls, and ad-hoc controls led to incidents.
This post presents the 15RL Agent Risk Taxonomy, a structured classification framework for the risks posed by tool-using AI agents. We publish it as a reference for teams building risk assessments, configuring safety policies, and conducting red-team exercises.
Taxonomy Structure
We organize risks along two axes:
- Category: the type of resource or capability involved (file system, network, shell, data, compute, multi-agent)
- Severity: rated 1-5 based on potential impact (1 = nuisance, 5 = catastrophic)
Each risk entry includes a description, example scenario, and recommended mitigation.
Category 1: File System Risks
| Risk | Severity | Description |
|---|---|---|
| FS-1: Path traversal | 4 | Agent accesses files outside its designated workspace using relative paths (../) or symlinks |
| FS-2: Credential exposure | 5 | Agent reads .env, SSH keys, API tokens, or other credential files |
| FS-3: Data destruction | 5 | Agent deletes or overwrites critical files (application code, databases, configurations) |
| FS-4: Large file creation | 3 | Agent creates excessively large files, exhausting disk space |
| FS-5: Sensitive data in output | 4 | Agent includes sensitive file contents in its responses or logs |
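The path-scoped allowlist recommended for this category is easiest to see in code. The following is an added example written for this post, not SafeClaw's implementation: every requested path is resolved with os.path.realpath (collapsing "../" and following symlinks) before glob rules are applied, which is what closes both FS-1 vectors. The workspace layout, the rules and the requests are constructed for illustration.

```python
"""Path-scoped file access check (added example; not SafeClaw's code).

Every requested path is resolved with os.path.realpath, which collapses
"../" segments and follows symlinks, before it is tested against glob
rules relative to the workspace root. Workspace layout, rules and
requests are constructed.
"""
import fnmatch
import os
import tempfile


class PathPolicy:
    """Deny by default: the resolved path must lie inside the workspace,
    match at least one allow glob and match no deny glob."""

    def __init__(self, workspace, allow, deny=()):
        self.workspace = os.path.realpath(workspace)
        self.allow = list(allow)
        self.deny = list(deny)

    def check(self, requested):
        """Return (allowed, reason)."""
        candidate = requested if os.path.isabs(requested) else os.path.join(self.workspace, requested)
        real = os.path.realpath(candidate)  # collapses ../ and resolves symlinks
        # Compare with a trailing separator so "/ws2" does not pass as inside "/ws".
        inside = real == self.workspace or real.startswith(self.workspace.rstrip(os.sep) + os.sep)
        if not inside:
            return False, "resolves outside workspace: %s" % real
        rel = os.path.relpath(real, self.workspace)
        # fnmatch's "*" also matches "/", so "src/*" covers nested paths.
        if any(fnmatch.fnmatch(rel, pat) for pat in self.deny):
            return False, "matches deny rule: %s" % rel
        if not any(fnmatch.fnmatch(rel, pat) for pat in self.allow):
            return False, "no allow rule matches: %s" % rel
        return True, rel


def demo():
    """Build a throwaway workspace containing a symlink that points outside
    it, then evaluate several requests. Returns {label: allowed}."""
    tmp = tempfile.mkdtemp()
    ws = os.path.join(tmp, "workspace")
    os.makedirs(os.path.join(ws, "src"))
    with open(os.path.join(tmp, "secret.env"), "w") as f:
        f.write("TOKEN=constructed-placeholder\n")
    # A symlink inside the workspace whose target is outside it.
    os.symlink(os.path.join(tmp, "secret.env"), os.path.join(ws, "src", "link.env"))
    policy = PathPolicy(ws, allow=["src/*"], deny=["*.env", ".ssh/*"])
    requests = {
        "plain": "src/main.py",                              # in scope
        "dotdot": "src/../../secret.env",                    # FS-1 via ../
        "symlink": "src/link.env",                           # FS-1 via symlink
        "absolute_ssh": os.path.join(ws, ".ssh", "id_rsa"),  # FS-2, caught by deny rule
    }
    return {label: policy.check(path)[0] for label, path in requests.items()}


if __name__ == "__main__":
    for label, allowed in demo().items():
        print("%-13s %s" % (label, "ALLOW" if allowed else "DENY"))
```

The check resolves the path at decision time only; if the agent can replace a symlink between the check and the actual open, the enforcement point should perform the open itself on the resolved real path rather than hand the original string back to the agent.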
Mitigation: Path-scoped file access policies with explicit directory allowlists. SafeClaw's file system protection implements this pattern with support for glob-based path rules.
Category 2: Network Risks
| Risk | Severity | Description |
|---|---|---|
| NET-1: Data exfiltration | 5 | Agent sends sensitive data to external, attacker-controlled endpoints |
| NET-2: SSRF (Server-Side Request Forgery) | 4 | Agent makes requests to internal services or metadata endpoints |
| NET-3: Unrestricted API calls | 3 | Agent calls external APIs without rate limiting, incurring cost or triggering abuse detection |
| NET-4: DNS exfiltration | 4 | Agent encodes data in DNS queries to bypass HTTP-level controls |
| NET-5: Downloading malicious payloads | 4 | Agent downloads and executes code from untrusted sources |
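An action-layer egress check, as this category's mitigation describes, sits in front of the HTTP client and decides per request. The following is an added example for this post, not SafeClaw's code: it parses the URL the agent wants to fetch, enforces a constructed (host, port) allowlist, and refuses literal addresses in private, loopback, link-local and similar ranges, which covers the metadata-endpoint case in NET-2. It deliberately performs no DNS lookups so it runs offline; a production gate would also resolve the name and re-check the addresses it receives.

```python
"""Action-layer egress check (added example; not SafeClaw's code).

Evaluates the URL an agent is about to request against an allowlist of
hostname -> permitted ports and refuses literal private, loopback,
link-local, multicast, reserved and unspecified addresses (NET-1, NET-2).
No DNS resolution is done here. The allowlist entries are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: hostname -> set of permitted ports.
EGRESS_ALLOWLIST = {
    "api.example.com": {443},
    "pypi.org": {443},
}


def _is_forbidden_ip(host):
    """True if host is a literal IP in a range an agent should never reach."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not a literal IP; the hostname allowlist applies instead
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_egress(url, allowlist=EGRESS_ALLOWLIST):
    """Return (allowed, reason) for a single outbound request."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not permitted: %s" % parts.scheme
    host = parts.hostname  # urlsplit strips userinfo and IPv6 brackets, lowercases
    if not host:
        return False, "no host in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if _is_forbidden_ip(host):
        return False, "address range forbidden: %s" % host
    ports = allowlist.get(host)
    if ports is None:
        return False, "host not on egress allowlist: %s" % host
    if port not in ports:
        return False, "port %d not permitted for %s" % (port, host)
    return True, "%s:%d" % (host, port)


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/search",
              "http://169.254.169.254/latest/meta-data/",
              "https://api.example.com@evil.test/"):
        print("%-45s %s" % (u, check_egress(u)))
```

Note that the decision is keyed on parts.hostname rather than on the raw netloc: a URL carrying userinfo ("user@host") or an upper-cased host would otherwise slip past a naive string comparison.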
Mitigation: Egress allowlists restricting outbound connections to approved domains and ports. Network protection policies should operate at the action layer, not just the network layer, to catch application-level exfiltration.
Category 3: Shell Execution Risks
| Risk | Severity | Description |
|---|---|---|
| SH-1: Arbitrary command execution | 5 | Agent executes shell commands with no constraints |
| SH-2: Privilege escalation | 5 | Agent uses shell access to gain elevated privileges (sudo, setuid) |
| SH-3: Persistent backdoor installation | 5 | Agent creates cron jobs, systemd services, or SSH authorized_keys entries |
| SH-4: System configuration modification | 4 | Agent alters firewall rules, DNS settings, or network configuration |
| SH-5: Package installation | 3 | Agent installs system or language packages, potentially introducing vulnerabilities |
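Deny-by-default with an explicit command allowlist, the mitigation for this category, needs a real parser rather than substring matching, or a quoted semicolon in a commit message gets rejected while a redirection slips through. The following is an added example for this post, not SafeClaw's code: it tokenises the proposed command line with shlex (POSIX mode, punctuation_chars enabled) so that pipes, chaining, redirection and subshell operators become their own tokens and are refused, then allows the command only if its program is on a constructed allowlist. The resulting argv is meant to be executed without a shell.

```python
"""Deny-by-default shell command gate (added example; not SafeClaw's code).

The command line is tokenised with shlex in POSIX mode with
punctuation_chars enabled, so control operators surface as separate
tokens and can be refused; the command then runs only if its program is
on an explicit allowlist (SH-1 through SH-4). The allowlist is constructed.
"""
import shlex

ALLOWED_PROGRAMS = frozenset({"ls", "cat", "grep", "git"})
# Characters shlex groups into operator tokens when punctuation_chars=True.
PUNCT = frozenset("();<>|&")
# Substrings a shell would expand or substitute at run time.
EXPANSIONS = ("$(", "${", "`")


def check_command(cmdline, allowed=ALLOWED_PROGRAMS):
    """Return (True, argv) if the command may run, else (False, reason).
    argv is intended for subprocess with shell=False, so the parse that is
    checked here is also the parse that executes."""
    if "\n" in cmdline or "\r" in cmdline:
        return False, "multi-line command not permitted"
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        tokens = list(lex)
    except ValueError as exc:  # e.g. unbalanced quotes
        return False, "unparseable command: %s" % exc
    if not tokens:
        return False, "empty command"
    for tok in tokens:
        if set(tok) <= PUNCT:  # ";", "|", "&&", ">>", ">&", "(", ")", ...
            return False, "control operator not permitted: %s" % tok
        if any(marker in tok for marker in EXPANSIONS):
            return False, "expansion not permitted: %s" % tok
    program = tokens[0]
    if "/" in program:
        return False, "program must be a bare name, not a path: %s" % program
    if program not in allowed:
        return False, "program not on allowlist: %s" % program
    return True, tokens


if __name__ == "__main__":
    for c in ("git commit -m 'fix: a;b'", "ls -la; cat notes.txt", "cat notes.txt 2>&1"):
        print("%-30s %s" % (c, check_command(c)))
```

Two caveats a practitioner would want: an interpreter (python3, sh, perl) or any tool that can spawn commands through its arguments (git with -c settings, find with -exec) on the allowlist negates the gate, and restricting which files an allowed program may touch is the file-system policy's job, not this one's.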
Mitigation: Shell commands are the highest-risk action category. Deny-by-default with an explicit command allowlist is essential. In high-security environments, consider disabling shell access entirely and providing purpose-built tools for specific operations.
Category 4: Data and Privacy Risks
| Risk | Severity | Description |
|---|---|---|
| DATA-1: PII exposure | 5 | Agent processes or outputs personally identifiable information without authorization |
| DATA-2: Cross-context data leakage | 4 | Agent shares data between users, sessions, or tenants |
| DATA-3: Training data extraction | 3 | Adversary uses the agent to extract memorized data from the underlying model |
| DATA-4: Audit log manipulation | 4 | Agent modifies or deletes its own audit trail |
| DATA-5: Unintended data persistence | 3 | Agent stores sensitive data in temporary files, caches, or logs that are not properly cleaned up |
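The hash-chain audit log named in this category's mitigation is a small construction, and seeing exactly what it does and does not detect is worth the code. The following is an added example for this post, not SafeClaw's code: each record carries the SHA-256 of the previous record, and the demo applies the manipulations DATA-4 describes (editing an entry, deleting one, rolling back the tail) to copies of a constructed log. The entries are constructed.

```python
"""Hash-chained audit log (added example; not SafeClaw's code).

Every record carries the SHA-256 of the record before it, so editing,
deleting or reordering an entry breaks verification from that point
onward (DATA-4). Log entries below are constructed.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first record


def _link_hash(prev_hash, seq, entry):
    """Canonical JSON keeps the hash stable regardless of dict ordering."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "entry": entry},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.records = []

    def append(self, entry):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        seq = len(self.records)
        record = {"seq": seq, "prev": prev, "entry": entry,
                  "hash": _link_hash(prev, seq, entry)}
        self.records.append(record)
        return record["hash"]

    def head(self):
        return self.records[-1]["hash"] if self.records else GENESIS

    @staticmethod
    def verify(records):
        """Return (True, None) if every link holds, else (False, first bad seq)."""
        prev = GENESIS
        for i, rec in enumerate(records):
            if (rec["seq"] != i or rec["prev"] != prev
                    or _link_hash(prev, i, rec["entry"]) != rec["hash"]):
                return False, i
            prev = rec["hash"]
        return True, None


def tamper_demo():
    """Write three constructed entries, then apply the manipulations DATA-4
    describes to copies. Returns the verification outcomes."""
    log = AuditLog()
    for entry in ({"action": "fs_read", "path": "src/main.py"},
                  {"action": "shell", "argv": ["ls", "-la"]},
                  {"action": "fs_write", "path": "src/out.txt"}):
        log.append(entry)
    anchored_head = log.head()  # value a store outside the agent's reach would keep

    edited = copy.deepcopy(log.records)
    edited[1]["entry"]["argv"] = ["ls"]          # rewrite what was executed
    deleted = copy.deepcopy(log.records)
    del deleted[1]                                # drop the shell record
    truncated = copy.deepcopy(log.records)[:-1]   # roll back the tail

    return {
        "intact": AuditLog.verify(log.records),
        "edited": AuditLog.verify(edited),
        "deleted": AuditLog.verify(deleted),
        "truncated": AuditLog.verify(truncated),
        "truncated_head_matches_anchor": truncated[-1]["hash"] == anchored_head,
    }


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print("%-30s %s" % (name, outcome))
```

The chain proves internal consistency only: rolling the log back to an earlier record still verifies, because every remaining link is valid. Detecting truncation requires comparing the current head hash against a copy anchored somewhere the agent cannot write (a separate store, a signed checkpoint), which is the last line of the demo's output.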
Mitigation: Data-level controls require both action gating (restricting what data the agent can access) and output filtering (restricting what data appears in responses). Hash-chain audit logs address DATA-4 specifically.
Category 5: Compute and Cost Risks
| Risk | Severity | Description |
|---|---|---|
| COST-1: Infinite loops | 3 | Agent enters a retry or processing loop consuming unbounded compute |
| COST-2: Excessive API consumption | 4 | Agent makes far more API calls than expected, incurring large bills |
| COST-3: Resource exhaustion | 3 | Agent consumes all available CPU, memory, or disk, affecting other services |
| COST-4: Cryptocurrency mining | 4 | Compromised agent used to mine cryptocurrency on the host |
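The per-action rate limit and per-session budget cap this category's mitigation calls for can share one guard. The following is an added example for this post, not SafeClaw's code: a sliding-window counter stops a retry loop from running away (COST-1) and an integer budget in cents bounds total session spend (COST-2). The clock is injected so the simulation is deterministic; the limits and per-call costs are constructed.

```python
"""Per-session rate limit and budget cap (added example; not SafeClaw's code).

A sliding-window counter bounds how quickly an agent can fire actions
(COST-1) and an integer budget in cents bounds total spend (COST-2).
The clock is injected for determinism; limits and costs are constructed.
"""
from collections import deque


class SessionGuard:
    def __init__(self, max_actions, window_seconds, budget_cents, clock):
        self.max_actions = max_actions
        self.window = window_seconds
        self.budget_cents = budget_cents  # integers: float cents drift at the boundary
        self.spent_cents = 0
        self.clock = clock
        self.stamps = deque()             # timestamps of authorised actions in the window

    def authorize(self, cost_cents):
        """Return (allowed, reason); only allowed actions are counted and charged."""
        now = self.clock()
        while self.stamps and now - self.stamps[0] >= self.window:
            self.stamps.popleft()
        if len(self.stamps) >= self.max_actions:
            return False, "rate limit: %d actions per %ds reached" % (self.max_actions, self.window)
        if self.spent_cents + cost_cents > self.budget_cents:
            return False, "budget: %d + %d cents exceeds %d" % (
                self.spent_cents, cost_cents, self.budget_cents)
        self.stamps.append(now)
        self.spent_cents += cost_cents
        return True, "ok (spent %d of %d cents)" % (self.spent_cents, self.budget_cents)


def demo():
    """Simulate a tight retry loop, a window rollover and budget exhaustion.
    Returns the allow/deny decisions in order."""
    now = [0.0]
    guard = SessionGuard(max_actions=3, window_seconds=60, budget_cents=100,
                         clock=lambda: now[0])
    decisions = []
    for _ in range(4):                 # retry loop at t=0: limit is 3 per window
        decisions.append(guard.authorize(10)[0])
    now[0] = 61.0                      # window has rolled over
    decisions.append(guard.authorize(10)[0])
    now[0] = 200.0
    for _ in range(3):                 # 30-cent calls against the remaining 60 cents
        decisions.append(guard.authorize(30)[0])
    return decisions


if __name__ == "__main__":
    print(demo())
```

Denied actions are neither counted against the window nor charged, so a loop that keeps retrying after a denial stays blocked rather than burning budget on refusals; the rate limit is what eventually forces the loop to stop or escalate.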
Mitigation: Per-action rate limits, per-session budget caps, and compute resource quotas (CPU time, memory limits).
Category 6: Multi-Agent Risks
| Risk | Severity | Description |
|---|---|---|
| MA-1: Trust propagation | 5 | Inner agent inherits outer agent's full permissions without policy scoping |
| MA-2: Confused deputy | 4 | Agent A tricks Agent B into performing actions that Agent A is not authorized to do |
| MA-3: Coordination failure | 3 | Agents working on shared resources create race conditions or conflicting actions |
| MA-4: Amplification attacks | 4 | Adversary uses one compromised agent to direct many others |
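Per-agent policy scoping, the mitigation for this category, comes down to two rules: a sub-agent's scope is the intersection of what it asks for and what its parent actually holds, and every action is gated against the acting agent's own scope. The following is an added example for this post, not SafeClaw's code, showing both: attenuation prevents trust propagation (MA-1), and checking the requester's scope even when a better-privileged deputy performs the action prevents the confused deputy case (MA-2). The scope fields and agent names are constructed.

```python
"""Per-agent policy scoping by attenuation (added example; not SafeClaw's code).

A parent can delegate only a subset of its own effective scope (MA-1),
and each action is gated against the acting agent's own scope, so a
sub-agent cannot route a forbidden action through its parent (MA-2).
Scope fields and agent names are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scope:
    fs_read: frozenset = frozenset()    # workspace directories readable
    net_hosts: frozenset = frozenset()  # hosts reachable
    shell: bool = False

    def attenuate(self, requested):
        """Child scope = requested ∩ self; a child can ask for less, never more."""
        return Scope(
            fs_read=self.fs_read & requested.fs_read,
            net_hosts=self.net_hosts & requested.net_hosts,
            shell=self.shell and requested.shell,
        )


@dataclass(frozen=True)
class Agent:
    name: str
    scope: Scope
    parent: Optional["Agent"] = None

    def spawn(self, name, requested):
        """Create a sub-agent whose scope is attenuated by this agent's own."""
        return Agent(name, self.scope.attenuate(requested), parent=self)


def authorize(agent, action, target=None):
    """Gate one action against the acting agent's own scope only."""
    if action == "fs_read":
        return target in agent.scope.fs_read
    if action == "net":
        return target in agent.scope.net_hosts
    if action == "shell":
        return agent.scope.shell
    return False


def act_on_behalf(deputy, requester, action, target=None):
    """A deputy acting for another agent must satisfy both scopes; otherwise
    the requester could launder a forbidden action through the deputy."""
    return authorize(requester, action, target) and authorize(deputy, action, target)


def demo():
    orchestrator = Agent("orchestrator", Scope(
        fs_read=frozenset({"src", "docs"}),
        net_hosts=frozenset({"api.example.com"}),
        shell=True))
    # The sub-agent asks for more than the parent holds and gets the intersection.
    researcher = orchestrator.spawn("researcher", Scope(
        fs_read=frozenset({"src", "etc"}),
        net_hosts=frozenset({"api.example.com", "other.example.org"}),
        shell=False))
    # A grandchild cannot regain what its parent gave up.
    helper = researcher.spawn("helper", Scope(fs_read=frozenset({"src"}), shell=True))
    return {
        "researcher_scope": researcher.scope,
        "helper_shell": authorize(helper, "shell"),
        "helper_docs_direct": authorize(helper, "fs_read", "docs"),
        "helper_docs_via_orchestrator": act_on_behalf(orchestrator, helper, "fs_read", "docs"),
        "orchestrator_docs": authorize(orchestrator, "fs_read", "docs"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-30s %s" % (name, value))
```

Because Scope is immutable and attenuate only ever intersects, the effective scope of any agent is bounded by every ancestor's scope by construction; there is no code path that widens permissions down the tree.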
Mitigation: Per-agent policy scoping with the principle of least privilege. Each agent in a multi-agent system should have its own action gating policy, not inherited blanket permissions.
Using This Taxonomy
We recommend teams use this framework in three ways:
A PDF version of this taxonomy with additional examples is available from 15 Research Lab upon request.
This taxonomy is published under Creative Commons CC-BY-4.0 for community use.