# Compliance Pipeline Prompts
Six prompts that drive FCC's compliance layer (the EU AI Act, Regulation (EU) 2024/1689, with a crosswalk to the NIST AI RMF). The pipeline module produces risk classifications, evidence graphs, and remediation plans that can be exported for auditor review.
## Personas Used
| Persona ID | Full Name | Category | Role in Prompts |
|---|---|---|---|
| AIActClassifier | (system role) | compliance | Classifies systems into the unacceptable/high/limited/minimal risk tiers |
| ComplianceAuditor | (system role) | compliance | Runs the audit, generates findings |
| ACO | AI Compliance Officer | governance | Owns regulatory response |
| AEA | AI Ethics Auditor | governance | Independent ethics review |
| ARM | AI Risk Manager | governance | Residual-risk acceptance |
## Prompt 1: Risk Classification Walkthrough
Audience: Professional · Difficulty: intermediate · Personas: AIActClassifier, ACO
### Context
A new "CV-screening assistant for hiring" persona is proposed.
### Prompt
Walk through the EU AI Act classification for this system.
Find: summarize intended purpose, deployment context, and data
flows. Identify whether any Annex III row applies.
Create: produce a classification memo concluding "high-risk"
(Annex III(4) employment) with the specific article references
(Art. 6(2), Art. 9, Art. 10, Art. 13, Art. 14, Art. 15) that
trigger obligations.
Critique: ACO to list the three most burdensome obligations and
propose a 90-day plan that sequences them.
### Expected Output
- Classification memo
- Obligation list
- Sequenced plan
### Variations
- Reclassify as limited-risk and compare the obligation delta
- Run the same persona under the NIST AI RMF and produce a parallel profile
## Prompt 2: Annex III Mapping
Audience: Professional · Difficulty: advanced · Personas: AIActClassifier, AEA
### Prompt
Given a portfolio of 14 personas, produce an Annex III mapping
matrix: rows = personas, columns = Annex III subheadings 1-8, cells
= applicability Y/N with a one-sentence rationale. Flag the three
personas most likely to shift classification under the upcoming
revised Annex III.
### Expected Output
- Mapping matrix
- Shift-risk flags
## Prompt 3: Evidence Graph Construction
Audience: Professional · Difficulty: advanced · Personas: ComplianceAuditor
### Prompt
For the "credit-score-explainer" persona, construct a compliance
evidence graph whose nodes include: the persona YAML, relevant
R.I.S.C.E.A.R. Constraints, benchmark runs covering Efficacy and
Explainability, the logging-retention policy, and the post-market
monitoring plan. Edges connect requirements to supporting evidence
items.
Produce the graph as JSON conformant with `evidence_graph.py` and
list every EU AI Act requirement that remains unsupported.
### Expected Output
- Evidence graph JSON
- Gap list
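The gap step of this prompt, as an added example that is not the project's code: a small constructed evidence graph for the credit-score-explainer persona using the node kinds named above, and a check that lists every requirement with no live supporting evidence. The node and edge field names are an assumption for this example, not the schema that `evidence_graph.py` enforces; dangling edges and stale evidence are reported rather than silently counted as support.

```python
import json

# Constructed sample graph for the "credit-score-explainer" persona. The field
# names (id/type/status, from/to) are an assumption made for this example, not
# the schema that the project's evidence_graph.py enforces.
SAMPLE_GRAPH = {
    "persona": "credit-score-explainer",
    "nodes": [
        {"id": "req:art9", "type": "requirement", "label": "Art. 9 risk management"},
        {"id": "req:art10", "type": "requirement", "label": "Art. 10 data governance"},
        {"id": "req:art12", "type": "requirement", "label": "Art. 12 record-keeping"},
        {"id": "req:art13", "type": "requirement", "label": "Art. 13 transparency"},
        {"id": "req:art14", "type": "requirement", "label": "Art. 14 human oversight"},
        {"id": "req:art15", "type": "requirement", "label": "Art. 15 accuracy"},
        {"id": "ev:persona_yaml", "type": "persona_yaml", "status": "present"},
        {"id": "ev:riscear", "type": "riscear_constraints", "status": "present"},
        {"id": "ev:bench_efficacy", "type": "benchmark_run", "status": "present"},
        {"id": "ev:bench_explain", "type": "benchmark_run", "status": "expired"},
        {"id": "ev:log_retention", "type": "policy", "status": "present"},
    ],
    "edges": [  # requirement -> evidence item claimed to support it
        {"from": "req:art9", "to": "ev:riscear"},
        {"from": "req:art12", "to": "ev:log_retention"},
        {"from": "req:art13", "to": "ev:persona_yaml"},
        {"from": "req:art13", "to": "ev:bench_explain"},
        {"from": "req:art15", "to": "ev:bench_efficacy"},
        {"from": "req:art15", "to": "ev:bench_explain"},
        {"from": "req:art14", "to": "ev:oversight_sop"},  # dangling: no such node
    ],
}


def gap_list(graph):
    """Return (unsupported requirement ids, problems). A requirement is supported
    only by an edge to an existing evidence node whose status is 'present';
    dangling and stale edges go into problems so the auditor sees why."""
    if isinstance(graph, str):  # accept the exported JSON text as well as a dict
        graph = json.loads(graph)
    nodes = {n["id"]: n for n in graph["nodes"]}
    reqs = {i for i, n in nodes.items() if n["type"] == "requirement"}
    supported, problems = set(), []
    for edge in graph["edges"]:
        src, dst = edge["from"], edge["to"]
        target = nodes.get(dst)
        if target is None:
            problems.append(f"{src} -> {dst}: evidence node missing")
        elif target.get("status") != "present":
            problems.append(f"{src} -> {dst}: evidence status {target.get('status')}")
        else:
            supported.add(src)
    return sorted(reqs - supported), problems
```

On the sample graph the unsupported list is Art. 10 and Art. 14: Art. 14 has only a dangling edge, and the expired Explainability run does not rescue Art. 13 or Art. 15 on its own.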
## Prompt 4: Remediation Plan Drafting
Audience: Professional · Difficulty: intermediate · Personas: ARM, ACO
### Prompt
ARM drafts; ACO critiques.
Find: pull the open findings from the last ComplianceAuditor run
for the "medical-triage-assistant" persona.
Create: write a remediation plan with owner, control, target date,
evidence artifact, and residual-risk rating for every high-severity
finding. Include a one-paragraph risk-acceptance rationale for any
finding that cannot be remediated in the next cycle.
Critique: ACO to challenge every residual acceptance with a
likely-regulator question.
### Expected Output
- Remediation plan table
- Residual-risk rationale
- Challenge log
## Prompt 5: NIST AI RMF Crosswalk
Audience: Professional · Difficulty: advanced · Personas: ComplianceAuditor, AEA
### Prompt
Given a persona already classified high-risk under the EU AI Act,
produce the corresponding NIST AI RMF profile by mapping EU
requirements to the 29 subcategories across GOVERN, MAP, MEASURE,
and MANAGE. Identify any subcategory with no EU analogue and
explain what additional evidence NIST expects.
### Expected Output
- Crosswalk table
- NIST-only subcategory list
## Prompt 6: Post-Market Monitoring Plan
Audience: Professional · Difficulty: intermediate · Personas: ARM, AEA
### Prompt
Design a post-market monitoring plan for a deployed high-risk
persona. Include drift detection metrics, user-reported incident
intake channel, a cadence for AIActClassifier re-runs, and the
trigger conditions for opening a substantial modification review.
### Expected Output
- Monitoring plan
- Trigger conditions
## See Also
- src/fcc/compliance/
- src/fcc/data/compliance/eu_ai_act_requirements.yaml
- Guidebook Chapter 15 (Compliance)
- Notebook 18 (AI Act audit walkthrough)