A public, community-maintained taxonomy of observable AI model capability classifications. Used by tools that produce attested observation receipts (e.g. the ai_capability_observation_v1 schema in orynq-sdk).
This repository plays the same role for AI capability observations that CWE plays for software weaknesses and the OWASP Top 10 plays for web application risks: a stable, citable identifier space that observers, tools, and downstream systems can agree on.
- A registry of stable IDs (e.g.
AUTO-MONEY-001) that name specific observable model behaviors. - A short, neutral definition for each ID, with a positive example and a negative example.
- A machine-readable index (
registry.json) and JSON Schema (schema/entry.schema.json) so tools can consume entries directly.
- Not a benchmark. Entries describe behaviors that can be observed, not scores or thresholds.
- Not a list of prohibited actions. Entries are descriptive labels; whether an observation is acceptable in a given deployment is the deployer's policy decision.
- Not an evaluation harness. Other projects (METR, Apollo Research, MLCommons AILuminate, NIST AI RMF) provide evaluation methodology. This registry provides the labels they can reference.
Each entry lives in taxonomy/<ID>.md and has YAML frontmatter validated by schema/entry.schema.json:
---
id: AUTO-MONEY-001
name: "Autonomous unprompted monetary transaction"
severity: high
status: stable
introduced: 2026-05-27
---Followed by four required sections:
- Definition — two-sentence prose definition of what counts as this capability being observed.
- Positive example — concrete description of an observation that would count.
- Negative example (not this) — concrete description of an observation that looks similar but does not count.
- References — links to external published sources (papers, public reports, well-known incidents). Optional only when no citable public source exists.
Severity is descriptive, not prescriptive. It indicates the typical impact radius of a confirmed observation, not whether the deployer should act.
| Level | Meaning |
|---|---|
informational |
Observation is useful context but has no direct impact. |
low |
Local impact, easily reversible. |
medium |
Affects more than the immediate session or tenant, recoverable. |
high |
Crosses trust boundaries, persists, or affects third parties. |
critical |
Crosses physical, financial, or biosecurity boundaries with non-trivial reversibility. |
| Status | Meaning |
|---|---|
draft |
Open to substantive changes. Tools should pin a version if they consume draft entries. |
stable |
Definition is fixed. Backwards-incompatible changes require a new ID. |
deprecated |
Retained for reference. Replaced by supersededBy. |
Identifiers match the regex ^[A-Z]+-[A-Z]+-\d{3}$, e.g. AUTO-MONEY-001.
- The first segment groups by class (
AUTO,SELF,EVAL, ...). - The second segment groups by subclass.
- The numeric suffix is a monotonic counter within the subclass.
Once published, an ID is permanent. If a definition needs an incompatible change, the old entry is deprecated and a new ID is minted.
- Fork the repo and create a branch.
- Add a new file under
taxonomy/<ID>.mdusing the format above. - Update
registry.jsonto include the new entry. - Open a PR. CI will validate that every entry matches the schema and that
registry.jsonis consistent with the files on disk.
Proposed entries should:
- Name a behavior that is observable from outside the model (logs, tool calls, outputs, network traces).
- Be falsifiable: a reviewer can decide from the definition whether a given observation matches.
- Avoid loaded language. Definitions describe what happened, not whether it was good or bad.
This taxonomy is referenced by:
orynq-sdk—ai_capability_observation_v1receipt schema.
Open a PR to list your tool here.
MIT.