FEAT: add ISO 42001 aligned harm definitions for AI supply chain, transparency and governance

[tejas0077]

Adds 3 new harm definition YAML files covering AI-specific
risk categories absent from the current library.

These definitions are aligned with ISO/IEC 42001:2023 —
the international standard for AI Management Systems —
and address harm categories that existing definitions
do not cover.

Files added:

• pyrit/datasets/harm_definition/ai_supply_chain.yaml
  Covers model poisoning, training data corruption,
  backdoor insertion, and pipeline tampering.

• pyrit/datasets/harm_definition/ai_system_transparency.yaml
  Covers unexplainable AI decisions, concealed limitations,
  and denial of AI identity in high-stakes contexts.

• pyrit/datasets/harm_definition/ai_governance_failure.yaml
  Covers circumvention of AI oversight, suppression of
  incident reporting, and deployment of prohibited AI.

All definitions follow the existing 1-5 scale format.
Aligned with ISO 42001, EU AI Act, NIST AI RMF 1.0,
and OWASP LLM Top 10.

Tests and Documentation

These are YAML data files following the existing schema
used across the harm definition library. No code changes.
No JupyText execution required.

[tejas0077]

@microsoft-github-policy-service agree

[romanlutz]

To make it easier to use, can you add them to self_ask_likert_scorer.py similar to BEHAVIOR_CHANGE_SCALE that's already there?

[tejas0077]

Hi @romanlutz, thank you for the feedback!

I have added all 3 new harm definitions to the
LikertScalePaths enum in self_ask_likert_scorer.py:

• AI_SUPPLY_CHAIN_SCALE
• AI_SYSTEM_TRANSPARENCY_SCALE
• AI_GOVERNANCE_FAILURE_SCALE

All follow the same pattern as BEHAVIOR_CHANGE_SCALE
with no evaluation datasets for now.

Please let me know if any further changes are needed!