Run any Skill in Manus with one click

ai-governance

AI risk classification and governance skill. Classifies AI use cases by EU AI Act risk tier (Unacceptable/High/Limited/Minimal), enforces organizational AI acceptable use policies, determines transparency and human oversight requirements, tracks data lineage for AI-assisted outputs, and generates compliance artifacts for model governance. Use when evaluating AI use cases, building AI workflows, or assessing regulatory compliance.

Run Skill in Manus

Overview

Install command

npx skills add https://github.com/aadityaparab/sentinel-stack --skill ai-governance

Copy and paste this command into Claude Code to install the skill

Source

aadityaparab/sentinel-stack

Stars3

Forks0

UpdatedApril 13, 2026 at 18:23

File Explorer

2 files

SKILL.md

readonly

More from this repository

same repository

vendor-ai-risk

aadityaparab/sentinel-stack

Third-party AI vendor risk assessment skill. Evaluates AI vendors and tools across five dimensions: security, privacy, AI-specific risks, contractual protections, and regulatory compliance. Outputs a vendor risk scorecard with a go/no-go recommendation. Two modes: quick triage (5-minute assessment) and deep due diligence. Use when evaluating AI tools for procurement, vendor due diligence, or third-party AI risk assessment.

2026-04-133

guardrails

aadityaparab/sentinel-stack

Data governance and compliance guardrail. Triggers automatically on ANY interaction involving client data (fund names, portfolio company data, customer-identifiable information, valuation figures), personal data of real individuals (names, emails, employment records, compensation details), financial records (journal entries, statements, forecasts), legal documents (contracts, NDAs, agreements), or HR decisions (compensation, performance, hiring). Always invoke this skill before proceeding with tasks in these areas. Use it to assess compliance with configurable policies — no client data in prompts, GDPR/privacy data handling, and 4-eyes review enforcement — and determine whether to proceed, proceed with conditions, or block the request.

2026-04-133

setup

aadityaparab/sentinel-stack

Configure Sentinel Stack for your organization. Walks through company name, industry, jurisdiction, compliance frameworks, AI risk appetite, and escalation contact. Re-runnable — shows current values so you only change what you need. Run this once after installing, then again whenever your governance settings change.

2026-04-133

audit-trail

aadityaparab/sentinel-stack

Compliance audit log generator. Creates structured, immutable audit records (JSON-lines format) for guardrail decisions, DLP scans, 4-eyes review workflows, and AI-assisted outputs in regulated categories. Designed for SIEM and GRC platform ingestion with built-in retention governance per GDPR, SOC 2, and HIPAA. Use when you need audit logs, compliance trails, or interaction history.

2026-04-133

compliance-evidence

aadityaparab/sentinel-stack

Compliance artifact generator. Auto-generates audit evidence from guardrail detections, 4-eyes review gates, and DLP scans. Maps control evidence to SOC 2 Type II, ISO 27001, NIST CSF, and GDPR Article 30. Generates evidence packages on demand for auditors and tracks control effectiveness over time. Use for audit preparation, compliance evidence collection, or SOC 2/ISO 27001 artifact generation.

2026-04-133

risk-register

aadityaparab/sentinel-stack

Living risk register manager. Auto-populates and maintains a risk register from guardrail detections (DLP, 4-eyes, behavioral anomalies). Scores risks on a 5x5 likelihood-impact matrix, tracks treatment plans (accept/mitigate/transfer/avoid), generates leadership risk reports, and assesses drift against organizational risk appetite. Use for risk assessments, risk matrix updates, or governance reporting.

2026-04-133

Source

aadityaparab

aadityaparab/sentinel-stack

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

Useful forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name

ai-governance

description

AI Governance

Aliases: AI usage policy, EU AI Act, AI risk classification, model governance, responsible AI, AI compliance, acceptable use policy for AI, AI risk assessment

Maturity: Production

Description: Classify AI use cases by regulatory risk tier, enforce organizational AI acceptable use policies, determine transparency and human oversight requirements, track data lineage for AI-assisted outputs, and generate compliance artifacts for model governance.

Overview

AI is moving from experimental to mission-critical, but governance hasn't kept pace. This skill embeds AI risk assessment and compliance into your operational workflows — not as a retrospective audit, but as a real-time guard rail.

The skill maps every proposed AI use case against:

EU AI Act risk tiers (Unacceptable → High → Limited → Minimal)
Your organization's AI acceptable use policy (from config/org-config.yaml)
Transparency & disclosure requirements for end users/customers
Human oversight obligations — defining what "meaningful review" actually means
Data lineage tracking — so downstream consumers know what's AI-generated vs. human-authored

This is not optional compliance theater. If your use case triggers a High or Unacceptable risk classification, the skill surfaces mandatory obligations that must be satisfied before deployment.

Core Capabilities

1. AI System Risk Classification

Input: Description of a proposed AI use case (e.g., "Using an LLM to generate hiring recommendations based on CV analysis")

Process:

Extract key attributes: data involved, decision autonomy, affected population, reversibility, sector
Cross-reference against EU AI Act Annex III (high-risk) and Annex II (limited-risk) definitions
Map to internal risk tier framework (Minimal → Limited → High → Unacceptable)
Return: risk tier, justification, applicable obligations

Output Example:

Risk Tier: HIGH
Rationale: AI system used to support hiring decisions. EU AI Act Article 6(2) classifies 
employment decisions as high-risk. Impacts fundamental rights (employment opportunity).
Applicable Obligations:
  - High-quality training data (Article 10)
  - Documented risk assessment (Article 9)
  - Performance monitoring (Article 26)
  - Human oversight by qualified personnel (Article 26(3))
  - Transparent documentation (Article 13)

2. AI Usage Policy Enforcement

Input: Proposed AI use case (description + risk tier classification result)

Process:

Load org's AI acceptable use policy from config/org-config.yaml → ai-policies section
Check against prohibited uses:
- Automated hiring decisions without human review
- Autonomous financial transactions above thresholds
- Processing of special category data (health, biometric, criminal) without explicit safeguards
- Real-time remote biometric identification (unless carve-out applies)
- Subliminal/manipulative uses
- Social scoring
- Unauthorized profiling
Return: policy compliance status, flagged violations, required mitigations

Configuration Reference:

ai-policies:
  prohibited-uses:
    - hiring-decisions-unreviewed
    - autonomous-financial-transfers
    - special-category-processing
    - real-time-biometric-id
  oversight-thresholds:
    high-risk-review: true
    approval-required-by: ["Chief Risk Officer", "Chief Compliance Officer"]
  disclosure-required: true
  data-retention-limits: "P1Y"  # 1 year post-decision

Output:

PASS / BLOCKED / CONDITIONAL (requires mitigations)
If BLOCKED: which policy was violated, no exceptions possible
If CONDITIONAL: list mitigations needed to proceed (e.g., "Require 4-eyes review gate for all hiring recommendations")

3. Transparency & Disclosure Requirements

Input: Risk tier + use case description + affected audience (employees, customers, public)

Process:

Determine if users/customers must be informed they're interacting with AI (EU AI Act Article 52)
Identify when explicit consent is required vs. just disclosure
Generate templated disclosure language
Check internal disclosure policy thresholds

Output: Generates disclosure language like:

TRANSPARENCY DISCLOSURE (Required)

[Your interaction with] this system uses artificial intelligence to [summarize: function]. 
The AI system processes [data categories] to generate [output type].

A human [job title] has reviewed [frequency] of outputs before [action taken].
To appeal or request human review, contact [support channel].

Data generated from this interaction will be retained for [duration] and used for [purposes].

Also produces:

Timing of disclosure (before interaction, during, after)
Consent requirement (explicit Y/N)
Revocation mechanism (how user opts out)
Mapping to EU AI Act Article 52 (transparency) + GDPR Article 21 (right to object)

4. Human Oversight Requirements

For High and Unacceptable risk tiers, the skill doesn't just say "require human oversight" — it defines what that means operationally.

Input: Risk tier + use case + available data + existing guardrails

Output Example:

MANDATORY HUMAN OVERSIGHT SPECIFICATION

Risk Tier: HIGH
Use Case: AI-assisted hiring recommendation system

REVIEW TRIGGER: Every candidate recommendation for roles above Director level
REVIEWER QUALIFICATION: Hiring Manager + Talent Acquisition Lead (segregation required)
REVIEW SCOPE (Minimum):
  - Verify AI reasoning aligns with legal criteria (EEOC Article 106)
  - Check for disparate impact signals in recommendation patterns
  - Validate training data quality assumptions
  - Confirm no personal data from external sources was used without consent

DECISION AUTHORITY:
  - Reviewer may override AI recommendation without escalation
  - Reviewer must document override rationale in decision log
  - Overrides >10% of AI recommendations → trigger root cause analysis

DOCUMENTATION REQUIRED:
  - Reviewer name, date, time of review
  - Override decision (if applicable) + justification
  - Feedback to ML team for model retraining signal
  - Audit trail (immutable, tamper-evident log)

AUDIT & EFFECTIVENESS:
  - Monthly sample audit (10% of reviewed decisions)
  - Quarterly effectiveness metrics: false positive rate, override frequency
  - Report to Chief Risk Officer if override rate diverges >5% from baseline

5. Data Lineage Tagging for AI

Input: Any content or data artifact (generated, augmented, or influenced by AI)

Process:

Tag outputs with metadata:
- AI_GENERATED: AI created this from scratch
- AI_AUGMENTED: Human + AI collaborative output
- AI_INFLUENCED: AI provided input; human made final decision
- HUMAN_ONLY: No AI involvement
Capture: which AI model, version, timestamp, training data cutoff
Link to transparency obligations (downstream consumers must know)

Output: Metadata object for every artifact:

{
  "ai-lineage": {
    "status": "AI_AUGMENTED",
    "models": [
      {
        "name": "claude-opus-4",
        "version": "20250201",
        "timestamp": "2026-04-12T14:32:00Z",
        "training-data-cutoff": "2025-02-01"
      }
    ],
    "human-involvement": {
      "created-by": "user@company.com",
      "reviewed-by": "manager@company.com",
      "review-date": "2026-04-12",
      "override": false
    },
    "disclosure-required": true,
    "retention-until": "2027-04-12"
  }
}

Downstream systems use this to:

Trigger required disclosures automatically
Enforce retention policies
Generate audit trails
Support subject access requests (GDPR Article 15)

Integration with Sentinel Stack

This skill consumes signals from the core toolkit:

Guardrail Signal	AI Governance Response
DLP hard block (data classified as sensitive)	Check if high-risk AI use case is attempting to process it → escalate
DLP soft block (confidence below threshold)	Tag AI output with lower confidence; require human oversight
4-eyes review gate triggered	Automatically log as "human oversight satisfied" for that decision
Behavioral pattern anomaly	Flag as potential prohibited use pattern (e.g., social scoring)

References guardrail detections and logs, not just forward-facing use cases.

How to Invoke

Trigger Phrases:

"Is this AI use case compliant?"
"Classify this AI system's risk"
"What's our policy on [use case]?"
"Generate a disclosure for this AI feature"
"Define oversight requirements for this model"
"What data can we feed into this AI system?"
"Document the human review process for this AI decision"

Example Prompt:

Skill: ai-governance

We're building an AI system that:
- Analyzes job applicants' written responses to structured questions
- Generates a shortlist of top 10 candidates for HR review
- HR may override the shortlist but 95% of recommendations are implemented

Classify risk tier, flag policy issues, define required human oversight, 
and generate employee transparency disclosure.

Configuration Requirements

Expects config/org-config.yaml to provide:

ai-governance:
  # Applicable regulatory frameworks
  frameworks: ["EU AI Act", "GDPR", "internal-policy"]
  
  # Risk classification scheme (you may extend)
  risk-tiers: ["Unacceptable", "High", "Limited", "Minimal"]
  
  # Who can approve high-risk use cases?
  high-risk-approval-required-by:
    - "Chief Risk Officer"
    - "Chief Compliance Officer"
    - "Legal Counsel"
  
  # Transparency & consent defaults
  transparency:
    disclosure-required-for-tiers: ["High", "Limited"]
    explicit-consent-required: true
    consent-audit-required: true
  
  # Human oversight defaults
  oversight:
    minimum-qualifications: "Domain expert or manager"
    documentation-required: true
    audit-frequency: "quarterly"
    
  # AI acceptable use policy
  ai-policies:
    prohibited-uses:
      - hiring-decisions-unreviewed
      - autonomous-financial-transfers
      - special-category-processing
      - real-time-biometric-id
    approval-required-for: ["High", "Unacceptable"]
    disclosure-required: true
    data-retention-limits: "P1Y"

Outputs & Artifacts

Risk Classification Report — suitable for architecture review boards
Policy Compliance Memo — legal sign-off or exceptions
Transparency Disclosure Templates — production-ready for UI/docs
Human Oversight Specification — for process documentation
Data Lineage Metadata — embedded in outputs for audit
Risk Register Entries — auto-populates the risk-register skill

Key Principles

No rubber-stamp oversight. If human oversight is required, the skill specifies what the human must actually check, not just that a button was clicked.
Data-driven accountability. Every AI decision is tagged with lineage so auditors can trace back.
Regulatory mapping, not guessing. Risk tiers map to EU AI Act Articles; obligations are cited.
Org policy enforcement. Your org's AI acceptable use policy is the source of truth, not generic guidelines.
Operational integration. Results feed guardrails, risk registers, and compliance evidence pipelines.

ai-governance

AI Governance

Overview

Core Capabilities

1. AI System Risk Classification

2. AI Usage Policy Enforcement

3. Transparency & Disclosure Requirements

4. Human Oversight Requirements

5. Data Lineage Tagging for AI

Integration with Sentinel Stack

How to Invoke

Configuration Requirements

Outputs & Artifacts

Key Principles

See Also

AI Governance

Overview

Core Capabilities

1. AI System Risk Classification

2. AI Usage Policy Enforcement

3. Transparency & Disclosure Requirements

4. Human Oversight Requirements

5. Data Lineage Tagging for AI

Integration with Sentinel Stack

How to Invoke

Configuration Requirements

Outputs & Artifacts

Key Principles

See Also