You don't need to build an AI risk taxonomy from scratch — two frameworks, both first published in 2023, cover most of the ground. The NIST AI Risk Management Framework gives a governance-level structure (govern, map, measure, manage) for organizations deploying AI broadly, useful for policy and audit conversations. The OWASP Top 10 for LLM Applications is far more hands-on: a ranked, community-maintained list of concrete vulnerability classes (prompt injection, insecure output handling, training data poisoning, supply chain, excessive agency, and more) written for engineers actually building the thing, and updated as new attack classes emerge.
Using both together works well in practice: OWASP's list gives you a technical checklist to design and review against; NIST's framework gives you the organizational process (who owns AI risk, how it's measured, how it's reported) that makes the technical checklist stick instead of being a one-time exercise.