| name | ai-governance |
| description | EU AI Act compliance, OWASP LLM security, responsible AI practices for parliamentary data and MCP server applications |
| license | MIT |
AI Governance Skill
Context
This skill applies when:
- Ensuring EU AI Act compliance for MCP tools that serve LLM applications
- Implementing OWASP Top 10 for LLM mitigations in MCP server responses
- Designing responsible AI guardrails for parliamentary data consumption
- Evaluating AI risk classifications for tools that process political data
- Preventing misuse of parliamentary data in AI-generated disinformation
- Implementing transparency and explainability for AI-assisted legislative analysis
- Auditing AI system interactions with European Parliament datasets
This skill focuses on governance of AI systems consuming EP data, distinct from the ai-development-governance skill which covers AI-assisted code development practices. Parliamentary data used by LLMs carries unique risks around political bias, misinformation, and democratic integrity.
Rules
- Classify AI Risk Level: EP MCP tools providing political data to LLMs are at minimum "limited risk" under EU AI Act; document risk assessments for each tool
- Mitigate LLM Prompt Injection: Sanitize all MCP tool outputs to prevent prompt injection attacks when data flows into LLM contexts
- Prevent Data Poisoning: Validate data integrity from EP API sources; never serve cached data beyond its TTL without freshness verification
- Implement Output Guardrails: MCP tool responses must include attribution metadata so LLMs can cite sources accurately
- Address OWASP LLM01 (Prompt Injection): Strip control characters and instruction-like patterns from EP data before returning to MCP clients
- Address OWASP LLM06 (Sensitive Data): Apply GDPR data minimization to MEP personal data returned through MCP tools; never expose private contact details
- Log AI Interactions: Record all MCP tool invocations with request metadata for AI audit trails, without logging personal query content
- Provide Transparency Notices: Include data provenance and recency timestamps in all MCP tool responses
- Prevent Political Bias Amplification: Tool responses must present factual parliamentary records without editorial framing or sentiment indicators
- Support Human Oversight: Design MCP tools as information retrieval aids, not autonomous decision-making systems; always enable human-in-the-loop review
Examples
✅ Good Pattern: Output Sanitization for LLM Safety
function sanitizeForLLMContext(text: string): string {
return text
.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F]/g, '')
.replace(/\bSYSTEM\s*:/gi, '[FILTERED]')
.replace(/\bASSISTANT\s*:/gi, '[FILTERED]')
.replace(/\bIGNORE\s+PREVIOUS/gi, '[FILTERED]')
.trim();
}
✅ Good Pattern: Data Provenance in MCP Responses
function createMCPResponse(data: unknown, toolName: string) {
return {
content: [{
type: "text",
text: JSON.stringify({
data,
_metadata: {
source: "European Parliament Open Data Portal",
sourceUrl: "https://data.europarl.europa.eu/",
retrievedAt: new Date().toISOString(),
tool: toolName,
disclaimer: "Official EU parliamentary records. Verify critical information at europarl.europa.eu.",
},
}, null, 2),
}],
};
}
✅ Good Pattern: AI Risk Classification
| MCP Tool | EU AI Act Risk | Justification |
|------------------------|----------------|--------------------------------------------------|
| search_meps | Limited | Returns public official records |
| get_voting_records | Limited | Factual voting data, public record |
| analyze_voting_patterns| High | Generates political analysis, bias risk |
| get_mep_contacts | Limited | Contains personal data, GDPR applies |
✅ Good Pattern: OWASP LLM Top 10 Checklist
const owaspLLMChecklist = {
'LLM01_PromptInjection': 'Output sanitization applied to all EP data',
'LLM02_InsecureOutput': 'JSON schema validation on all responses',
'LLM03_TrainingDataPoisoning': 'N/A — server does not train models',
'LLM04_ModelDoS': 'Rate limiting enforced per MCP client',
'LLM05_SupplyChain': 'Dependency scanning via OSSF Scorecard',
'LLM06_SensitiveData': 'GDPR minimization for MEP personal data',
'LLM07_InsecurePlugin': 'Input validation on all tool parameters',
'LLM08_ExcessiveAgency': 'Read-only tools, no write operations',
'LLM09_Overreliance': 'Disclaimer and source attribution included',
'LLM10_ModelTheft': 'N/A — server does not host models',
};
Anti-Patterns
❌ Bad: Returning Raw Unsanitized Data to LLM Contexts
return { content: [{ type: "text", text: rawApiResponse }] };
❌ Bad: Missing Data Provenance
return { content: [{ type: "text", text: JSON.stringify(votes) }] };
❌ Bad: Adding Editorial Framing
return {
text: `MEP ${name} controversially voted against the popular climate bill...`
};
ISMS Compliance
- AI-001: AI risk assessment and EU AI Act classification for all MCP tools
- SC-002: Output sanitisation to prevent prompt injection in LLM contexts
- AU-002: Audit logging for AI system interactions with parliamentary data
- DP-001: GDPR data minimisation in AI-consumed MEP personal data
Policy References
Primary:
Related: