R0043/2026-03-28/Q003/SRC02/E01
Standardized Threat Taxonomy: bridging effort that omits sycophancy
URL: https://arxiv.org/html/2511.21901
Extract
The taxonomy identifies the "Tower of Babel problem": "Engineering teams focus on technical metrics like 'gradient descent manipulation' or 'adversarial perturbations' while Board members require assessments in financial liability terms."
The taxonomy covers 9 threat domains with 53 sub-threats, including Unreliable Outputs (hallucinations, logical inconsistency), Biases (representational harm, proxy discrimination), and Drift (concept drift, feedback loop decay).
Critical finding: "The taxonomy does not explicitly categorize sycophancy, over-reliance on AI outputs, or automation bias as distinct threat vectors." These risks are partially subsumed within other categories but are not independently recognized.
The paper explicitly bridges NIST AI RMF, ISO/IEC 42001, and EU AI Act requirements through domain-to-regulation mapping.
JUDGMENT: This is the most systematic bridging effort found, and its omission of sycophancy is the most diagnostic evidence for Q003. A 53-threat taxonomy designed to bridge technical and regulatory domains, published in November 2025, that does not include sycophancy as a threat category demonstrates that the sycophancy vocabulary gap is not yet on the bridging community's radar.
Relevance to Hypotheses
| Hypothesis | Relationship | Strength |
|---|---|---|
| H1 | Partially supports | Bridging effort exists |
| H2 | Contradicts | The general gap is clearly recognized |
| H3 | Strongly supports | Systematic bridging effort that specifically omits sycophancy — confirming the sycophancy gap is not addressed |
Context
The taxonomy's business translation layer (mapping technical threats to financial impacts) is innovative but does not help with sycophancy because sycophancy's primary impact is epistemological (wrong decisions made with confidence), not financial in the narrow sense captured by existing risk categories.