ClawHub

AI Compliance

AI compliance analysis for EU AI Act, ISO 42001, NIST AI RMF, GDPR, OECD, financial services regulations (SEC, FCA, FINRA, DORA, MiFID II), and other frameworks. Use when asked to generate a compliance checklist for an AI tool or use case, determine if a risk assessment is required, score an AI tool's risk level, identify where an AI tool or use case could run afoul of regulatory requirements, perform a gap analysis, recommend remediation steps, assess a vendor, draft an acceptable use policy, map training requirements, or review jurisdiction-specific AI rules. Triggers on phrases like "compliance checklist", "risk assessment", "risk score", "does this comply", "EU AI Act", "ISO 42001", "NIST AI RMF", "AI governance", "gap analysis", "vendor assessment", "acceptable use policy", "MNPI", "AI training requirements", or any request to evaluate an AI tool or use case for regulatory compliance or risk.

Audits

Pending
ClawScanReview

Agentic behavior and permission review.

Static analysisPass

Pattern checks against bundled files.

VirusTotalPending

Multi-engine malware detections and file reputation.

Install

openclaw skills install ai-compliance

AI Compliance Skill

Reference Files

Load only what's needed based on the request type:

Frameworks

  • EU AI Actreferences/eu-ai-act.md — risk tiers, prohibited uses, obligations
  • ISO 42001references/iso-42001.md — clauses, Annex A controls
  • NIST AI RMFreferences/nist-ai-rmf.md — GOVERN/MAP/MEASURE/MANAGE
  • GDPR, OECD, IEEE, UK, Singaporereferences/other-frameworks.md
  • Financial services (SEC, FCA, FINRA, DORA, MiFID II, MNPI)references/finserv-regulations.md
  • Jurisdiction map (global regulatory landscape)references/jurisdiction-map.md
  • ISO 27001 alignmentreferences/iso27001-alignment.md

Output Templates & Tools

  • Checklists, risk assessment, gap analysis templatesreferences/checklist-templates.md
  • Vendor AI risk assessment questionnairereferences/vendor-assessment.md
  • Acceptable use policy templatereferences/aup-template.md
  • Data classification × AI tool matrixreferences/data-classification.md
  • AI system inventory templatereferences/ai-inventory.md
  • AI risk scoring model (0–100)references/risk-scoring.md
  • Training requirements by rolereferences/training-requirements.md

Remediation

  • Incident response playbooksreferences/incident-response.md
  • Remediation playbooks (common gaps)references/remediation-playbooks.md

When in doubt about which files to load, load the framework files + the relevant output template.

Workflow

1. Understand the AI Tool/Use Case

Gather (or ask for):

  • What does the AI system do? (intended purpose)
  • Who uses it and how? (internal staff, customers, automated pipeline)
  • What data does it process? (personal, financial, confidential, public)
  • Where is it deployed? (EU context? affecting EU residents?)
  • Consumer or enterprise tier? Third-party or internal?

2. Select Output Type

RequestLoadOutput
Compliance checklistFramework files + checklist-templates.mdFull checklist per Template 1
Risk assessment needed?eu-ai-act.md + checklist-templates.mdRisk tier determination per Template 2
Gap analysisAll framework files + checklist-templates.mdGap table per Template 3
Risk scorerisk-scoring.mdScored worksheet + risk level
Vendor assessmentvendor-assessment.mdQuestionnaire + scoring
AUP draftaup-template.mdCustomized policy draft
Data classification guidancedata-classification.mdMatrix + decision tree
Incident responseincident-response.mdRelevant playbook
Remediation stepsremediation-playbooks.mdRelevant playbook(s)
Financial services overlayfinserv-regulations.mdRegulatory requirements
Training requirementstraining-requirements.mdRole-based matrix
Jurisdiction guidancejurisdiction-map.mdApplicable rules by region

3. Output Structure

Always structure output as:

## AI Compliance Assessment: [Tool/Use Case Name]
### Risk Classification
### Applicable Frameworks
### Compliance Checklist (or Gap Analysis or Risk Score)
### Issues Found
### Recommendations
### Priority Actions

Key Principles

  • Reference exact articles, clauses, controls (e.g., "EU AI Act Art.14", "ISO 42001 A.6.1", "NIST GOVERN 1.2")
  • Flag HIGH/CRITICAL severity issues prominently — these are blockers
  • Always include remediation steps, not just gaps — link to remediation-playbooks.md when relevant
  • Cross-reference frameworks where they overlap
  • For financial services firms: always check finserv-regulations.md for MNPI and sector-specific rules
  • When uncertain about risk tier, err toward higher risk classification