ai-compliance

# AI Compliance Skill ## Reference Files Load only what's needed based on the request type: ### Frameworks - **EU AI Act** → `references/eu-ai-act.md` — risk tiers, prohibited uses, obligations - **ISO 42001** → `references/iso-42001.md` — clauses, Annex A controls - **NIST AI RMF** → `references/nist-ai-rmf.md` — GOVERN/MAP/MEASURE/MANAGE - **GDPR, OECD, IEEE, UK, Singapore** → `references/other-frameworks.md` - **Financial services (SEC, FCA, FINRA, DORA, MiFID II, MNPI)** → `references/finserv-regulations.md` - **Jurisdiction map (global regulatory landscape)** → `references/jurisdiction-map.md` - **ISO 27001 alignment** → `references/iso27001-alignment.md` ### Output Templates & Tools - **Checklists, risk assessment, gap analysis templates** → `references/checklist-templates.md` - **Vendor AI risk assessment questionnaire** → `references/vendor-assessment.md` - **Acceptable use policy template** → `references/aup-template.md` - **Data classification × AI tool matrix** → `references/data-classification.md` - **AI system inventory template** → `references/ai-inventory.md` - **AI risk scoring model (0–100)** → `references/risk-scoring.md` - **Training requirements by role** → `references/training-requirements.md` ### Remediation - **Incident response playbooks** → `references/incident-response.md` - **Remediation playbooks (common gaps)** → `references/remediation-playbooks.md` When in doubt about which files to load, load the framework files + the relevant output template. ## Workflow ### 1. Understand the AI Tool/Use Case Gather (or ask for): - What does the AI system do? (intended purpose) - Who uses it and how? (internal staff, customers, automated pipeline) - What data does it process? (personal, financial, confidential, public) - Where is it deployed? (EU context? affecting EU residents?) - Consumer or enterprise tier? Third-party or internal? ### 2. Select Output Type | Request | Load | Output | |---|---|---| | Compliance checklist | Framework files + checklist-templates.md | Full checklist per Template 1 | | Risk assessment needed? | eu-ai-act.md + checklist-templates.md | Risk tier determination per Template 2 | | Gap analysis | All framework files + checklist-templates.md | Gap table per Template 3 | | Risk score | risk-scoring.md | Scored worksheet + risk level | | Vendor assessment | vendor-assessment.md | Questionnaire + scoring | | AUP draft | aup-template.md | Customized policy draft | | Data classification guidance | data-classification.md | Matrix + decision tree | | Incident response | incident-response.md | Relevant playbook | | Remediation steps | remediation-playbooks.md | Relevant playbook(s) | | Financial services overlay | finserv-regulations.md | Regulatory requirements | | Training requirements | training-requirements.md | Role-based matrix | | Jurisdiction guidance | jurisdiction-map.md | Applicable rules by region | ### 3. Output Structure Always structure output as: ``` ## AI Compliance Assessment: [Tool/Use Case Name] ### Risk Classification ### Applicable Frameworks ### Compliance Checklist (or Gap Analysis or Risk Score) ### Issues Found ### Recommendations ### Priority Actions ``` ## Key Principles - Reference exact articles, clauses, controls (e.g., "EU AI Act Art.14", "ISO 42001 A.6.1", "NIST GOVERN 1.2") - Flag HIGH/CRITICAL severity issues prominently — these are blockers - Always include remediation steps, not just gaps — link to remediation-playbooks.md when relevant - Cross-reference frameworks where they overlap - For financial services firms: always check finserv-regulations.md for MNPI and sector-specific rules - When uncertain about risk tier, err toward higher risk classification