ワンクリックで
ai-governance
AI governance, EU AI Act compliance, OWASP LLM security, responsible AI practices for GitHub Copilot agents
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
AI governance, EU AI Act compliance, OWASP LLM security, responsible AI practices for GitHub Copilot agents
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Identity and access management: RBAC, least privilege, MFA, quarterly reviews per ISO 27001 A.5.15, A.8.2, A.8.3
Business continuity and disaster recovery: 30-day retention, quarterly restore tests, RTO/RPO targets per ISO 27001 A.17
Political psychology, cognitive biases, group dynamics, leadership analysis, decision-making patterns for Swedish political intelligence
Risk-based data and asset classification framework: PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED aligned with ISO 27001 A.5.12 and CIA triad
Unified compliance verification across ISO 27001, NIST CSF, CIS Controls, NIS2, EU CRA, GDPR, SOC 2, PCI DSS, and HIPAA for cybersecurity consulting
Cryptographic controls implementation: TLS 1.3, AES-256-GCM, bcrypt, RSA-4096, key management per NIST FIPS 140-2 and ISO 27001 A.8.24
| name | ai-governance |
| description | AI governance, EU AI Act compliance, OWASP LLM security, responsible AI practices for GitHub Copilot agents |
| license | Apache-2.0 |
This skill provides governance guidelines for AI usage in the CIA platform, including GitHub Copilot agent security, EU AI Act compliance, and responsible AI practices. It ensures AI-assisted development follows Hack23 ISMS policies and regulatory requirements.
Apply this skill when:
Do NOT use for:
CIA Platform AI Usage Assessment
│
├─→ Political Data Analysis (NLP, trend detection)
│ ├─ Risk Level: LIMITED RISK (Article 52)
│ ├─ Requirement: Transparency obligations
│ └─ Action: Disclose AI-generated analysis to users
│
├─→ GitHub Copilot Code Generation
│ ├─ Risk Level: MINIMAL RISK
│ ├─ Requirement: Voluntary codes of conduct
│ └─ Action: Code review before merge, security scanning
│
├─→ Political Risk Scoring
│ ├─ Risk Level: HIGH RISK (Annex III, Category 8)
│ ├─ Requirement: Conformity assessment, human oversight
│ └─ Action: Human review of all risk scores, audit trail
│
└─→ Voter Behavior Prediction
├─ Risk Level: HIGH RISK
├─ Requirement: Transparency, fairness, accountability
└─ Action: Bias testing, explainability, regular audits
Risk: Malicious input manipulating Copilot agent behavior.
Mitigation:
# .github/copilot-instructions.md safeguards
- Validate all agent outputs before committing
- Never allow agents to modify security configurations
- Restrict agent file access to source code only
- Review agent-generated code with CodeQL scanning
Risk: AI-generated code containing vulnerabilities.
Mitigation:
Risk: AI agents leaking secrets or sensitive political data.
Mitigation:
// Never pass sensitive data to AI prompts
// ✅ SECURE: Generic analysis request
String prompt = "Analyze voting patterns for committee " + committeeId;
// ❌ INSECURE: Including PII in prompts
String prompt = "Analyze voting for " + politicianName + " SSN: " + ssn;
Risk: Blindly trusting AI-generated political analysis.
Mitigation:
# Secure agent workflow permissions
permissions:
contents: read # Read-only by default
pull-requests: write # Only for PR creation
issues: write # Only for issue management
actions: read # Read workflow status
# Never grant:
# - admin permissions
# - security_events write
# - secrets access
Agent Output Validation Pipeline
│
├─ Step 1: Syntax validation (compile check)
├─ Step 2: Security scan (CodeQL, OWASP)
├─ Step 3: Test execution (unit + integration)
├─ Step 4: Code review (human or Copilot review)
└─ Step 5: Merge approval (maintainer sign-off)
| Control | Requirement | Implementation |
|---|---|---|
| ISO 27001 A.5.1 | Information security policies | AI governance policy |
| ISO 27001 A.8.1 | Asset management | AI model inventory |
| NIST CSF GV.OC | Organizational context | AI risk assessment |
| CIS Control 16 | Application security | AI code review gates |
| GDPR Art. 22 | Automated decision-making | Human oversight for scoring |