ai-act-readiness
$
npx mdskill add alirezarezvani/claude-skills/ai-act-readiness**Command:** `/cs:ai-act-readiness <system>`
SKILL.md
.github/skills/ai-act-readinessView on GitHub ↗
--- name: "ai-act-readiness" description: "/cs:ai-act-readiness <system> — EU AI Act 6-question forcing interrogation. Use during AI-system intake, before EU deployment, or during annual compliance refresh as Article 113 obligations phase in (2025-02-02 / 2025-08-02 / 2026-08-02 / 2027-08-02)." --- # /cs:ai-act-readiness — EU AI Act Forcing Questions **Command:** `/cs:ai-act-readiness <system>` The EU AI Act compliance operator pressure-tests any AI system before EU deployment. Six Article-cited questions before any EU placement, conformity assessment, or annual compliance refresh. ## When to Run - During AI-system intake review (per new system or material change) - Before placing an AI system on the EU market - Before signing the EU declaration of conformity (Article 47) - During annual compliance refresh (Article 113 phasing brings new obligations) - When the organization's role changes (deployer becomes provider via Article 25(1) substantial modification) - When training compute approaches 10^25 FLOPs (Article 51 systemic-risk threshold) ## The Six EU AI Act Questions ### 1. Article 5: Is this a prohibited AI practice? **Penalty: up to 35M EUR or 7% worldwide turnover.** - 8 categories: subliminal manipulation, exploitation of vulnerabilities, social scoring, predictive policing, untargeted facial scraping, emotion recognition in workplace/education, biometric categorisation by sensitive attributes, real-time public biometric ID by law enforcement - Run `ai_system_risk_classifier.py` - If yes → STOP. Cannot place on EU market. No exceptions outside Article 5(2) carve-outs. ### 2. Article 6 + Annex III: Is this high-risk? **Annex III triggers high-risk; Article 6(3) carve-out conditional.** - 8 categories: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice - Carve-out applies only if Article 6(3)(a)-(d) AND no profiling of natural persons - Profiling overrides carve-out (Article 6(3) last sentence) - Run `ai_system_risk_classifier.py` ### 3. Article 43: For high-risk, Module A or Module H? **Biometrics → Module H (notified body) by default; others → Module A if harmonised standards applied.** - Run `conformity_assessment_planner.py` - Module A (Annex VI): internal control with presumption of conformity if Article 40 harmonised standards applied - Module H (Annex VII): full QMS + notified body for biometrics or where standards lacking - Annex IV technical documentation: 8 items required before placing on market ### 4. Article 25: What role does the company play? **Provider obligations are heaviest; substantial modification turns deployer into provider.** - Provider (Article 3(3)): placed on market; full Title III + Article 73 reporting - Deployer (Article 3(4)): Article 26 obligations + Article 27 FRIA if public sector - Importer (Article 3(6)): Article 23 verification of conformity - Distributor (Article 3(7)): Article 24 CE marking verification - Authorized representative (Article 22): non-EU providers must appoint - Run `ai_act_obligation_tracker.py` ### 5. Article 50: Are transparency obligations satisfied? **In force 2 Aug 2025.** - Article 50(1): disclose AI interaction to natural persons (chatbots, virtual agents) - Article 50(2): mark synthetic content as AI-generated - Article 50(3): disclose emotion recognition / biometric categorisation (outside Article 5 prohibitions) - Article 50(4): disclose deepfakes (image, audio, video) as AI-generated ### 6. Articles 51-55: Is this a GPAI? Does it have systemic risk? **GPAI has parallel track; systemic risk above 10^25 FLOPs.** - Article 3(63): general-purpose AI model definition - Article 51: systemic-risk presumption (≥ 10^25 FLOPs training compute) or Commission designation - Article 53: all GPAI providers — Annex XI technical docs, Annex XII downstream info, copyright policy, training-data summary - Article 55: systemic-risk GPAI additional obligations — model evaluations, adversarial testing, incident reporting, cybersecurity - Article 54: non-EU GPAI providers must appoint authorized representative ## Workflow ```bash # 1. Risk classification python ra-qm-team/skills/eu-ai-act-specialist/scripts/ai_system_risk_classifier.py systems.json # 2. If high-risk: conformity assessment python ra-qm-team/skills/eu-ai-act-specialist/scripts/conformity_assessment_planner.py system.json # 3. Per-role obligation matrix python ra-qm-team/skills/eu-ai-act-specialist/scripts/ai_act_obligation_tracker.py roles.json # 4. Cross-framework reuse (ISO 42001 etc.) python ../../skills/compliance-os/scripts/cross_framework_mapper.py program.json ``` ## Output Format ```markdown # EU AI Act Readiness: <system> **Date:** YYYY-MM-DD **Article Citations:** Every verdict below cites the specific Article. ## The Decision Being Made [classify | conformity-route | obligation-scope | annual-refresh] ## Risk Classification - Tier: prohibited | high_risk | limited_risk | minimal_risk - Citation: Article X(Y) + Annex Z if applicable - Rationale: <Article-cited rationale> - GPAI: yes/no - Systemic-risk GPAI: yes/no (per Article 51 10^25 FLOPs threshold) ## Conformity Assessment (if high-risk) - Module: A | A_with_caveats | H | sectoral - Citation: Article 43 + Annex VI/VII - Notified body required: yes | no | optional - Annex IV pack status: complete | in-progress | not-started ## Obligation Matrix - Total obligations: N - By deadline phase: 2025-02-02=A, 2025-08-02=B, 2026-08-02=C, 2027-08-02=D - Highest-priority unmet obligation: <Article + description> ## Transparency (Article 50) - 50(1) interaction disclosure: yes | no - 50(2) synthetic content marking: yes | no | NA - 50(3) emotion recognition disclosure: yes | no | NA - 50(4) deepfake disclosure: yes | no | NA ## Cross-Framework Reuse - ISO 42001 evidence applicable to Article 17 QMS: yes/no - ISO 27001 evidence applicable to Article 15 cybersecurity: yes/no - GDPR DPIA usable for Article 27 FRIA: yes/no ## Verdict 🟢 READY-FOR-EU | 🟡 GAPS-IDENTIFIED | 🔴 NOT-READY | 🚫 PROHIBITED ## Top 3 Actions [3 concrete next steps with owner + Article-tied deadline] ## Legal Review Required [Article-level ambiguities flagged for outside counsel: novel cases, GPAI threshold disputes, Article 5 boundary cases, Article 25 substantial-modification questions] ``` ## Routing - `/cs:compliance-readiness` — for multi-framework view (combine with ISO 42001 + GDPR) - `/cs:aims-audit` — for ISO 42001 deep-dive - `/cs:caio-review` — for executive AI strategy decisions - `/cs:gc-review` — for novel-case legal review (GPAI threshold, Article 5 boundary, substantial-modification) - `/cs:decide` — to log the verdict - `/cs:freeze 30` — on EU launch commitments (regulatory exposure) ## Related - Agent: [`cs-ai-act-compliance`](../../agents/cs-ai-act-compliance.md) - Skill: [`eu-ai-act-specialist`](../../../ra-qm-team/skills/eu-ai-act-specialist/SKILL.md) - Adjacent: `../../skills/compliance-os/`, `../aims-audit/`, `../compliance-readiness/`, `../../../ra-qm-team/skills/gdpr-dsgvo-expert/` --- **Version:** 1.0.0
More from alirezarezvani/claude-skills
- a11y-auditAccessibility audit skill for scanning, fixing, and verifying WCAG 2.2 Level A and AA compliance across React, Next.js, Vue, Angular, Svelte, and plain HTML codebases. Use when auditing accessibility, fixing a11y violations, checking color contrast, generating compliance reports, or integrating accessibility checks into CI/CD pipelines.
- ab-test-setupWhen the user wants to plan, design, or implement an A/B test or experiment. Also use when the user mentions "A/B test," "split test," "experiment," "test this change," "variant copy," "multivariate test," "hypothesis," "conversion experiment," "statistical significance," or "test this." For tracking implementation, see analytics-tracking.
- ad-creativeWhen the user needs to generate, iterate, or scale ad creative for paid advertising. Use when they say 'write ad copy,' 'generate headlines,' 'create ad variations,' 'bulk creative,' 'iterate on ads,' 'ad copy validation,' 'RSA headlines,' 'Meta ad copy,' 'LinkedIn ad,' or 'creative testing.' This is pure creative production — distinct from paid-ads (campaign strategy). Use ad-creative when you need the copy, not the campaign plan.
- adversarial-reviewerAdversarial code review that breaks the self-review monoculture. Use when you want a genuinely critical review of recent changes, before merging a PR, or when you suspect Claude is being too agreeable about code quality. Forces perspective shifts through hostile reviewer personas that catch blind spots the author's mental model shares with the reviewer.
- aeoAnswer Engine Optimization (AEO) skill — optimize content to be cited by AI language models (ChatGPT, Perplexity, Claude, Gemini, Mistral) as authoritative sources. Distinct from SEO — AEO optimizes for citation in LLM-generated responses, not search rankings. Use when planning content for AI-first search audiences, auditing existing content for E-E-A-T signals, tracking which pages get cited by which LLMs, or building a citation-friendly content strategy. Triggers — 'AEO audit', 'optimize for ChatGPT', 'get cited by Perplexity', 'LLM citation strategy', 'answer engine optimization', 'content for AI search', 'E-E-A-T audit'. Output is a markdown audit report (default) or JSON for pipeline integration. Stdlib-only Python tools.
- agent-designerUse when the user asks to design a multi-agent system, pick an orchestration pattern (supervisor/swarm/pipeline), generate tool schemas for agents, or evaluate agent execution logs for cost, latency, and failure bottlenecks. Examples: 'design an agent architecture for research automation', 'generate Anthropic tool schemas from these tool descriptions', 'analyze these agent run logs for bottlenecks'. NOT for Claude Code workflow files (use workflow-builder) or single-agent prompt design (use agent-workflow-designer).
- agent-protocolInter-agent communication protocol for C-suite agent teams. Defines invocation syntax, loop prevention, isolation rules, and response formats. Use when C-suite agents need to query each other, coordinate cross-functional analysis, or run board meetings with multiple agent roles.
- agent-workflow-designerDesign production-grade multi-agent workflows with clear pattern choice (sequential, parallel, hierarchical), handoff contracts, failure handling, and cost/context controls. Use when architecting a multi-step agent pipeline, choosing between single-agent vs multi-agent approaches, or refactoring an LLM workflow that suffers from context bloat or unreliable handoffs.
- agenthubMulti-agent collaboration plugin that spawns N parallel subagents competing on the same task via git worktree isolation. Agents work independently, results are evaluated by metric or LLM judge, and the best branch is merged. Use when: user wants multiple approaches tried in parallel — code optimization, content variation, research exploration, or any task that benefits from parallel competition. Requires: a git repo.
- agile-product-ownerAgile product ownership for backlog management and sprint execution. Covers user story writing, acceptance criteria, sprint planning, and velocity tracking. Use when writing user stories, creating acceptance criteria, planning sprints, estimating story points, breaking down epics, or prioritizing the backlog.