Multi-agent risks move into MIT's AI risk taxonomy

Multi-agent risks now have their own named place in the MIT AI Risk Repository's domain taxonomy. The current taxonomy lists subdomain 7.6, "Multi-agent risks," under AI System Safety, Failures, & Limitations, defining it as risks from agent interactions caused by incentives or multi-agent system structure, including cascading failures, selection pressures, new security vulnerabilities, and lack of shared information and trust.1

That is the change to watch because it moves a growing class of AI risk out of the background. The risk picture is no longer just about a model producing an unsafe output, a developer releasing an unsafe system, or a malicious actor misusing a tool. It now has an explicit slot for failures that arise when many AI agents interact.

MIT's April 2025 repository update introduced a new risk subdomain on multi-agent risks, while expanding the AI Risk Database to 1,612 unique risk entries and integrating 22 new AI risk frameworks into the preprint update.2 The project's December 2025 update then added 9 more frameworks and about 200 new AI risk categories, bringing the repository to over 1,700 coded risks.3 The current public repository page states that the database captures 1,700+ risks extracted from 74 frameworks and classifications.1

The immediate evidence base is unusually clear. The multi-agent paper added in the April update argues that many advanced AI agents will create systems of "unprecedented complexity" and identifies three failure modes based on agent incentives: miscoordination, conflict, and collusion.4 It also lists seven risk factors: information asymmetries, network effects, selection pressures, destabilising dynamics, commitment problems, emergent agency, and multi-agent security.4

That makes the repository's new subdomain more than a label. It gives policy and safety readers a way to ask a sharper question: is the relevant risk produced by a single system, by a human actor, or by the incentives and information structure among many systems?

This matters for audits. If a deployment uses several agentic systems, testing each component in isolation may miss the risk source. A procurement workflow, trading environment, cyber-defense setting, or infrastructure operations stack can look acceptable one model at a time, while still creating incentives for coordination failure or strategic behavior once agents interact.

The repository's causal taxonomy already separates risks by entity, intent, and timing: whether risk is caused by AI, humans, or another source; whether it is intentional or unintentional; and whether it occurs before or after deployment.1 Multi-agent risk adds a harder cross-cutting case. A harmful outcome may not sit cleanly with one actor's intent or one model's failure. It may emerge from the system of interaction.

The underlying paper on the repository was revised on May 5, 2026 and now describes 74 frameworks containing 1,725 distinct risks.5 Its abstract reports that human decisions cause nearly as many AI risks as AI systems themselves, 38% versus 42%.5 Multi-agent risks fit that mixed picture: the dangerous part may be designed by humans, executed by AI systems, and amplified by interaction effects.

NIST is moving in a compatible direction, though through a risk-management framework rather than a taxonomy database. Its AI RMF page says AI RMF 1.0 is being revised and notes an April 7, 2026 concept note for a Trustworthy AI in Critical Infrastructure profile.6 The concept note says the profile is intended to guide critical infrastructure operators toward specific risk-management practices for AI-enabled capabilities across IT, operational technology, and industrial control systems.7

The connection is sober but important. MIT's repository is clarifying the risk vocabulary. NIST is moving toward context-specific implementation profiles. For readers tracking the taxonomy itself, the immediate takeaway is that multi-agent interaction has become a named category to monitor, not a side note inside autonomy, misuse, or system failure.