AI Compliance Skill

Reference Files

Load only what's needed based on the request type:

Frameworks

• - EU AI Act → references/eu-ai-act.md — risk tiers, prohibited uses, obligations
• ISO 42001 → references/iso-42001.md — clauses, Annex A controls
• NIST AI RMF → references/nist-ai-rmf.md — GOVERN/MAP/MEASURE/MANAGE
• GDPR, OECD, IEEE, UK, Singapore → INLINECODE3
• Financial services (SEC, FCA, FINRA, DORA, MiFID II, MNPI) → INLINECODE4
• Jurisdiction map (global regulatory landscape) → INLINECODE5
• ISO 27001 alignment → INLINECODE6

Output Templates & Tools

• - Checklists, risk assessment, gap analysis templates → INLINECODE7
• Vendor AI risk assessment questionnaire → INLINECODE8
• Acceptable use policy template → INLINECODE9
• Data classification × AI tool matrix → INLINECODE10
• AI system inventory template → INLINECODE11
• AI risk scoring model (0–100) → INLINECODE12
• Training requirements by role → INLINECODE13

Remediation

• - Incident response playbooks → INLINECODE14
• Remediation playbooks (common gaps) → INLINECODE15

When in doubt about which files to load, load the framework files + the relevant output template.

Workflow

1. Understand the AI Tool/Use Case

Gather (or ask for):

• - What does the AI system do? (intended purpose)
• Who uses it and how? (internal staff, customers, automated pipeline)
• What data does it process? (personal, financial, confidential, public)
• Where is it deployed? (EU context? affecting EU residents?)
• Consumer or enterprise tier? Third-party or internal?

2. Select Output Type

Request	Load	Output
Compliance checklist	Framework files + checklist-templates.md	Full checklist per Template 1
Risk assessment needed?

eu-ai-act.md + checklist-templates.md | Risk tier determination per Template 2 | | Gap analysis | All framework files + checklist-templates.md | Gap table per Template 3 | | Risk score | risk-scoring.md | Scored worksheet + risk level | | Vendor assessment | vendor-assessment.md | Questionnaire + scoring | | AUP draft | aup-template.md | Customized policy draft | | Data classification guidance | data-classification.md | Matrix + decision tree | | Incident response | incident-response.md | Relevant playbook | | Remediation steps | remediation-playbooks.md | Relevant playbook(s) | | Financial services overlay | finserv-regulations.md | Regulatory requirements | | Training requirements | training-requirements.md | Role-based matrix | | Jurisdiction guidance | jurisdiction-map.md | Applicable rules by region |

3. Output Structure

Always structure output as:

CODEBLOCK0

Key Principles

• - Reference exact articles, clauses, controls (e.g., "EU AI Act Art.14", "ISO 42001 A.6.1", "NIST GOVERN 1.2")
• Flag HIGH/CRITICAL severity issues prominently — these are blockers
• Always include remediation steps, not just gaps — link to remediation-playbooks.md when relevant
• Cross-reference frameworks where they overlap
• For financial services firms: always check finserv-regulations.md for MNPI and sector-specific rules
• When uncertain about risk tier, err toward higher risk classification