Internal Vulnerabilities, External Threats: A Grounded Framework for Enterprise Open Source Risk Governance
- URL: http://arxiv.org/abs/2510.25882v2
- Date: Fri, 31 Oct 2025 01:43:14 GMT
- Authors: Wenhao Yang, Minghui Zhou, Daniel Izquierdo Cortázar, Yehui Wang,
- Abstract summary: Traditional risk management narrowly focused on technical tools. "Objectives -> Threats -> Vulnerabilities -> Mitigation" (OTVM). This provides a holistic decision model that transcends mere technical checklists.
- Score: 11.431576667955268
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Enterprise engagement with open source has evolved from tactical adoption to strategic deep integration, exposing them to a complex risk landscape far beyond mere code. However, traditional risk management, narrowly focused on technical tools, is structurally inadequate for systemic threats like upstream "silent fixes", community conflicts, or sudden license changes, creating a dangerous governance blind spot. To address this governance vacuum and enable the necessary shift from tactical risk management to holistic risk governance, we conducted a grounded theory study with 15 practitioners to develop a holistic risk governance framework. Our study formalizes an analytical framework built on a foundational risk principle: an uncontrollable External Threat (e.g., a sudden license change in a key dependency) only becomes a critical risk when it exploits a controllable Internal Vulnerability (e.g., an undefined risk appetite for single-vendor projects), which then amplifies the impact. The framework operationalizes this principle through a clear logical chain: "Objectives -> Threats -> Vulnerabilities -> Mitigation" (OTVM). This provides a holistic decision model that transcends mere technical checklists. Based on this logic, our contributions are: (1) a "Strategic Objectives Matrix" to clarify goals; (2) a systematic dual taxonomy of External Threats (Ex-Tech, Ex-Comm, Ex-Eco) and Internal Vulnerabilities (In-Strat, In-Ops, In-Tech); and (3) an actionable mitigation framework mapping capability-building to these vulnerabilities. The framework's analytical utility was validated by three industry experts through retrospective case studies on real-world incidents. This work provides a novel diagnostic lens and a systematic path for enterprises to shift from reactive "firefighting" to proactively building an organizational "immune system".
Related papers
- Frontier AI Risk Management Framework in Practice: A Risk Analysis Technical Report v1.5 [61.787178868669265]
  This technical report presents an updated and granular assessment of five critical dimensions: cyber offense, persuasion and manipulation, strategic deception, uncontrolled AI R&D, and self-replication. This work reflects our current understanding of AI frontier risks and urges collective action to mitigate these challenges.
  (2026-02-16T04:30:06Z)
- Responsible AI: The Good, The Bad, The AI [1.932555230783329]
  This paper presents a comprehensive examination of AI's dual nature through the lens of strategic information systems. We develop the Paradox-based Responsible AI Governance (PRAIG) framework that articulates: (1) the strategic benefits of AI adoption, (2) the inherent risks and unintended consequences, and (3) governance mechanisms that enable organizations to navigate these tensions. The paper concludes with a research agenda for advancing responsible AI governance scholarship.
  (2026-01-28T22:33:27Z)
- With Great Capabilities Come Great Responsibilities: Introducing the Agentic Risk & Capability Framework for Governing Agentic AI Systems [11.09031447875337]
  Agentic Risk & Capability (ARC) Framework is a technical governance framework designed to help organizations identify, assess, and mitigate risks arising from agentic AI systems. The framework's core contributions are: It develops a novel capability-centric perspective to analyze a wide range of agentic AI systems. It distills three primary sources of risk intrinsic to agentic AI systems - components, design, and capabilities. It establishes a clear nexus between each risk source, specific materialized risks, and corresponding technical controls.
  (2025-12-22T03:51:34Z)
- The Role of Risk Modeling in Advanced AI Risk Management [33.357295564462284]
  Rapidly advancing artificial intelligence (AI) systems introduce novel, uncertain, and potentially catastrophic risks. Managing these risks requires a mature risk-management infrastructure whose cornerstone is rigorous risk modeling. We argue that advanced-AI governance should adopt a similar dual approach and that verifiable, provably-safe AI architectures are urgently needed.
  (2025-12-09T15:37:33Z)
- AI Deception: Risks, Dynamics, and Controls [153.71048309527225]
  This project provides a comprehensive and up-to-date overview of the AI deception field. We identify a formal definition of AI deception, grounded in signaling theory from studies of animal deception. We organize the landscape of AI deception research as a deception cycle, consisting of two key components: deception emergence and deception treatment.
  (2025-11-27T16:56:04Z)
- RADAR: A Risk-Aware Dynamic Multi-Agent Framework for LLM Safety Evaluation via Role-Specialized Collaboration [81.38705556267917]
  Existing safety evaluation methods for large language models (LLMs) suffer from inherent limitations. We introduce a theoretical framework that reconstructs the underlying risk concept space. We propose RADAR, a multi-agent collaborative evaluation framework.
  (2025-09-28T09:35:32Z)
- Never Compromise to Vulnerabilities: A Comprehensive Survey on AI Governance [211.5823259429128]
  We propose a comprehensive framework integrating technical and societal dimensions, structured around three interconnected pillars: Intrinsic Security, Derivative Security, and Social Ethics. We identify three core challenges: (1) the generalization gap, where defenses fail against evolving threats; (2) inadequate evaluation protocols that overlook real-world risks; and (3) fragmented regulations leading to inconsistent oversight. Our framework offers actionable guidance for researchers, engineers, and policymakers to develop AI systems that are not only robust and secure but also ethically aligned and publicly trustworthy.
  (2025-08-12T09:42:56Z)
- To Think or Not to Think: Exploring the Unthinking Vulnerability in Large Reasoning Models [56.19026073319406]
  Large Reasoning Models (LRMs) are designed to solve complex tasks by generating explicit reasoning traces before producing final answers. We reveal a critical vulnerability in LRMs -- termed Unthinking -- wherein the thinking process can be bypassed by manipulating special tokens. In this paper, we investigate this vulnerability from both malicious and beneficial perspectives.
  (2025-02-16T10:45:56Z)
- A Frontier AI Risk Management Framework: Bridging the Gap Between Current AI Practices and Established Risk Management [0.0]
  The recent development of powerful AI systems has highlighted the need for robust risk management frameworks. This paper presents a comprehensive risk management framework for the development of frontier AI.
  (2025-02-10T16:47:00Z)
- Attack Atlas: A Practitioner's Perspective on Challenges and Pitfalls in Red Teaming GenAI [52.138044013005]
  generative AI, particularly large language models (LLMs), become increasingly integrated into production applications. New attack surfaces and vulnerabilities emerge and put a focus on adversarial threats in natural language and multi-modal systems. Red-teaming has gained importance in proactively identifying weaknesses in these systems, while blue-teaming works to protect against such adversarial attacks. This work aims to bridge the gap between academic insights and practical security measures for the protection of generative AI systems.
  (2024-09-23T10:18:10Z)
- Risks of AI Scientists: Prioritizing Safeguarding Over Autonomy [65.77763092833348]
  This perspective examines vulnerabilities in AI scientists, shedding light on potential risks associated with their misuse. We take into account user intent, the specific scientific domain, and their potential impact on the external environment. We propose a triadic framework involving human regulation, agent alignment, and an understanding of environmental feedback.
  (2024-02-06T18:54:07Z)
This list is automatically generated from the titles and abstracts of the papers in this site.