riskforge 0.1.0__py3-none-any.whl

riskforge/__init__.py

@@ -0,0 +1,2 @@
+"""RiskForge — EU AI Act Article 9 Risk Management System CLI."""
+__version__ = "0.1.0"

riskforge/_data/patterns/patterns.yaml

@@ -0,0 +1,147 @@
+schema_version: "1.0.0"
+patterns:
+  - pattern_id: CREDIT_SCORING_BIAS
+    name: "Credit Scoring — Demographic Bias Risk"
+    triggers:
+      annex_iii_category: essential_services
+      purpose_keywords: ["credit", "loan", "mortgage", "underwriting", "insurance"]
+    risks:
+      - dimension: discrimination
+        title: "Demographic bias in credit scoring outputs"
+        description: "Credit scoring models trained on historical data may encode systemic biases against protected groups (age, gender, ethnicity). Article 9(9) requires consideration of impacts on vulnerable groups."
+        likelihood_hint: 3
+        severity_hint: 4
+        article_refs: ["Art.9(2)(a)", "Art.9(9)", "Art.10(2)(f)"]
+        nist_rmf_ref: "MEASURE 2.9"
+        iso42001_ref: "Clause A.7"
+      - dimension: transparency
+        title: "Lack of explanation for credit decisions"
+        description: "Automated credit decisions must be explainable to affected individuals under GDPR Article 22. The system may not currently provide this."
+        likelihood_hint: 3
+        severity_hint: 3
+        article_refs: ["Art.13"]
+        nist_rmf_ref: "GOVERN 1.7"
+        iso42001_ref: "Clause A.6"
+
+  - pattern_id: HIRING_SCREENING
+    name: "Hiring / CV Screening — Multiple Risk Cluster"
+    triggers:
+      annex_iii_category: employment
+      purpose_keywords: ["recruit", "hiring", "cv", "resume", "screening", "interview", "candidate"]
+    risks:
+      - dimension: discrimination
+        title: "Proxy discrimination in automated CV screening"
+        description: "Automated screening tools may use proxies (school name, postcode, employment gaps) that correlate with protected characteristics."
+        likelihood_hint: 4
+        severity_hint: 4
+        article_refs: ["Art.9(2)(a)", "Art.10(2)(f)"]
+        nist_rmf_ref: "MEASURE 2.9"
+        iso42001_ref: "Clause A.7"
+      - dimension: transparency
+        title: "Lack of explainability for rejection decisions"
+        description: "Candidates subject to automated CV screening may have a right to explanation under GDPR Article 22. The system may not be designed to provide this."
+        likelihood_hint: 3
+        severity_hint: 3
+        article_refs: ["Art.13", "Art.14"]
+        nist_rmf_ref: "GOVERN 1.7"
+        iso42001_ref: "Clause A.6"
+      - dimension: human_oversight
+        title: "Automation bias in recruiter review of shortlisted candidates"
+        description: "Recruiters presented with AI-ranked shortlists tend to follow the ranking without independent assessment. This undermines the human oversight requirement."
+        likelihood_hint: 4
+        severity_hint: 3
+        article_refs: ["Art.14(3)"]
+        nist_rmf_ref: "MANAGE 1.1"
+        iso42001_ref: "Clause A.9"
+
+  - pattern_id: LAW_ENFORCEMENT_BIOMETRIC
+    name: "Law Enforcement — Biometric Identification Risk Cluster"
+    triggers:
+      annex_iii_category: law_enforcement
+      purpose_keywords: ["facial recognition", "biometric", "identification", "surveillance", "matching"]
+    risks:
+      - dimension: fundamental_rights
+        title: "Chilling effect on freedom of assembly and expression"
+        description: "Real-time biometric identification in public spaces can have a chilling effect on fundamental rights even when technically lawful. Article 9(2)(a) requires this to be assessed."
+        likelihood_hint: 4
+        severity_hint: 5
+        article_refs: ["Art.9(2)(a)"]
+        nist_rmf_ref: "MAP 1.5"
+        iso42001_ref: "Clause 6.1"
+      - dimension: discrimination
+        title: "Higher false match rates for under-represented demographic groups"
+        description: "Facial recognition systems have documented higher false positive rates for darker skin tones and women. This creates discriminatory law enforcement outcomes."
+        likelihood_hint: 4
+        severity_hint: 5
+        article_refs: ["Art.9(2)(a)", "Art.10(2)(f)"]
+        nist_rmf_ref: "MEASURE 2.9"
+        iso42001_ref: "Clause A.7"
+
+  - pattern_id: EDUCATION_ASSESSMENT
+    name: "Education — Automated Student Assessment Risk"
+    triggers:
+      annex_iii_category: education
+      purpose_keywords: ["assessment", "grading", "scoring", "evaluation", "exam", "test"]
+    risks:
+      - dimension: discrimination
+        title: "Bias in automated educational assessment"
+        description: "Automated grading systems may unfairly penalise essays written in non-standard dialects or by non-native speakers, perpetuating educational inequality."
+        likelihood_hint: 3
+        severity_hint: 4
+        article_refs: ["Art.9(2)(a)", "Art.10(2)(f)"]
+        nist_rmf_ref: "MEASURE 2.9"
+        iso42001_ref: "Clause A.7"
+      - dimension: transparency
+        title: "Students unable to understand or contest automated grade decisions"
+        description: "Where automated assessment influences final grades or academic progression, students must be able to understand the basis and contest the outcome."
+        likelihood_hint: 3
+        severity_hint: 4
+        article_refs: ["Art.13"]
+        nist_rmf_ref: "GOVERN 1.7"
+        iso42001_ref: "Clause A.6"
+
+  - pattern_id: MEDICAL_DIAGNOSIS
+    name: "Healthcare — Medical Diagnosis or Clinical Decision Support"
+    triggers:
+      annex_iii_category: essential_services
+      purpose_keywords: ["diagnosis", "clinical", "medical", "patient", "triage", "prognosis", "screening"]
+    risks:
+      - dimension: health_safety
+        title: "False negatives in medical screening causing delayed treatment"
+        description: "AI-based screening tools that produce false negatives may delay life-critical treatment. The clinical consequences of failure must be quantified."
+        likelihood_hint: 2
+        severity_hint: 5
+        article_refs: ["Art.9(2)(b)", "Art.14(1)"]
+        nist_rmf_ref: "MAP 5.1"
+        iso42001_ref: "Clause 6.1"
+      - dimension: human_oversight
+        title: "Clinician over-reliance on AI diagnostic suggestions"
+        description: "Studies show clinicians may defer to AI suggestions even when clinical judgement contradicts them. Human oversight may become nominal without workload safeguards."
+        likelihood_hint: 3
+        severity_hint: 5
+        article_refs: ["Art.14"]
+        nist_rmf_ref: "MANAGE 1.1"
+        iso42001_ref: "Clause A.9"
+
+  - pattern_id: MIGRATION_ASYLUM
+    name: "Migration / Asylum — Decision Support Risk Cluster"
+    triggers:
+      annex_iii_category: migration
+      purpose_keywords: ["asylum", "border", "visa", "migration", "refugee", "immigration"]
+    risks:
+      - dimension: fundamental_rights
+        title: "AI-assisted asylum decisions affecting right to protection"
+        description: "Errors in AI-assisted migration decisions can result in refoulement — return of persons to places where they face persecution. This is an absolute fundamental rights violation."
+        likelihood_hint: 2
+        severity_hint: 5
+        article_refs: ["Art.9(2)(a)"]
+        nist_rmf_ref: "MAP 1.5"
+        iso42001_ref: "Clause 6.1"
+      - dimension: transparency
+        title: "Applicants unable to understand factors influencing their assessment"
+        description: "Asylum seekers subject to AI-assisted assessment may not understand which factors were considered or how to address adverse outcomes."
+        likelihood_hint: 3
+        severity_hint: 4
+        article_refs: ["Art.13"]
+        nist_rmf_ref: "GOVERN 1.7"
+        iso42001_ref: "Clause A.6"

riskforge/_data/question_bank/data_governance.yaml

@@ -0,0 +1,57 @@
+schema_version: "1.0.0"
+dimension: data_governance
+questions:
+  - id: DG-001
+    text: "Is the provenance of all training, validation, and test datasets documented (source, collection date, license, version)?"
+    guidance: "Article 10(2) requires data governance practices including documentation of dataset provenance. TraceForge can automate this."
+    annex_iii_categories: [employment, education, law_enforcement, essential_services, biometric]
+    default_likelihood_hint: 2
+    default_severity_hint: 3
+    article_refs: ["Art.10(2)", "Art.10(3)"]
+    nist_rmf_ref: "GOVERN 1.7"
+    iso42001_ref: "Clause A.8"
+    regulatory_status: settled
+
+  - id: DG-002
+    text: "Have dataset licenses been reviewed to confirm lawful use for the intended AI application (including commercial use rights)?"
+    guidance: "Many public datasets have restrictive licenses that prohibit commercial use or redistribution. Legal review is required."
+    annex_iii_categories: [employment, education, law_enforcement]
+    default_likelihood_hint: 3
+    default_severity_hint: 3
+    article_refs: ["Art.10(2)", "Art.10(3)"]
+    nist_rmf_ref: "GOVERN 1.7"
+    iso42001_ref: "Clause A.8"
+    regulatory_status: settled
+
+  - id: DG-003
+    text: "Are data quality checks (completeness, consistency, accuracy) applied and documented before training and fine-tuning?"
+    guidance: "Article 10(2)(e) requires data governance practices including data quality assessment."
+    annex_iii_categories: [employment, education, law_enforcement, essential_services]
+    default_likelihood_hint: 2
+    default_severity_hint: 3
+    article_refs: ["Art.10(2)(e)"]
+    nist_rmf_ref: "GOVERN 1.7"
+    iso42001_ref: "Clause A.8"
+    regulatory_status: settled
+
+  - id: DG-004
+    text: "Is there a data retention and deletion schedule that covers both training data and inference logs?"
+    guidance: "Data retained beyond its purpose creates ongoing legal and privacy risk. GDPR Article 5(1)(e) requires storage limitation."
+    annex_iii_categories: [law_enforcement, employment, biometric, essential_services]
+    default_likelihood_hint: 2
+    default_severity_hint: 2
+    article_refs: ["Art.10(3)"]
+    nist_rmf_ref: "GOVERN 1.6"
+    iso42001_ref: "Clause A.8"
+    regulatory_status: settled
+
+  - id: DG-005
+    text: "Is there a data pipeline version control system ensuring reproducibility of training runs from a specific dataset version?"
+    guidance: "Reproducibility is essential for audit purposes. If a model must be retrained to fix a defect, the exact training conditions must be recoverable."
+    annex_iii_categories: [employment, law_enforcement, essential_services]
+    default_likelihood_hint: 2
+    default_severity_hint: 3
+    article_refs: ["Art.10", "Art.11"]
+    nist_rmf_ref: "GOVERN 1.7"
+    iso42001_ref: "Clause A.8"
+    regulatory_status: settled

riskforge/_data/question_bank/discrimination.yaml

@@ -0,0 +1,46 @@
+schema_version: "1.0.0"
+dimension: discrimination
+questions:
+  - id: DI-001
+    text: "Has the training dataset been audited for representation imbalances across protected characteristics (gender, ethnicity, age, disability)?"
+    guidance: "Biased training data produces biased outputs. Article 10(2)(f) requires data governance measures to address biases."
+    annex_iii_categories: [employment, education, essential_services, law_enforcement]
+    default_likelihood_hint: 3
+    default_severity_hint: 4
+    article_refs: ["Art.10(2)(f)", "Art.9(2)(a)"]
+    nist_rmf_ref: "MEASURE 2.9"
+    iso42001_ref: "Clause A.7"
+    regulatory_status: settled
+
+  - id: DI-002
+    text: "Have demographic parity, equalised odds, or other fairness metrics been computed and documented for each protected group?"
+    guidance: "Quantified fairness metrics are required for meaningful bias assessment. Select metrics appropriate to the use case."
+    annex_iii_categories: [employment, education, essential_services]
+    default_likelihood_hint: 2
+    default_severity_hint: 4
+    article_refs: ["Art.9(7)", "Art.10(2)(f)"]
+    nist_rmf_ref: "MEASURE 2.9"
+    iso42001_ref: "Clause A.7"
+    regulatory_status: settled
+
+  - id: DI-003
+    text: "Does the system use proxy variables that may correlate with protected characteristics (e.g. postcode, school name, employment gaps)?"
+    guidance: "Proxy discrimination occurs when facially neutral features encode protected characteristics. Legal exposure exists even without intent."
+    annex_iii_categories: [employment, education, essential_services, law_enforcement]
+    default_likelihood_hint: 3
+    default_severity_hint: 4
+    article_refs: ["Art.9(2)(a)", "Art.10(2)(f)"]
+    nist_rmf_ref: "MEASURE 2.9"
+    iso42001_ref: "Clause A.7"
+    regulatory_status: settled
+
+  - id: DI-004
+    text: "Are bias test results documented and reviewed at each model update, not just at initial deployment?"
+    guidance: "Data drift and concept drift can re-introduce bias after initial mitigation. Continuous monitoring is required."
+    annex_iii_categories: [employment, education, essential_services]
+    default_likelihood_hint: 2
+    default_severity_hint: 3
+    article_refs: ["Art.9(7)", "Art.72"]
+    nist_rmf_ref: "MEASURE 2.9"
+    iso42001_ref: "Clause 9.1"
+    regulatory_status: settled

riskforge/_data/question_bank/fundamental_rights.yaml

@@ -0,0 +1,46 @@
+schema_version: "1.0.0"
+dimension: fundamental_rights
+questions:
+  - id: FR-001
+    text: "Has a fundamental rights impact assessment (FRIA) been conducted prior to deployment?"
+    guidance: "Article 9(2)(a) requires identification of known and foreseeable risks to fundamental rights. A FRIA is the standard mechanism for this."
+    annex_iii_categories: [law_enforcement, migration, biometric, employment]
+    default_likelihood_hint: null
+    default_severity_hint: null
+    article_refs: ["Art.9(2)(a)"]
+    nist_rmf_ref: "GOVERN 1.1"
+    iso42001_ref: "Clause 6.1"
+    regulatory_status: settled
+
+  - id: FR-002
+    text: "Could the system restrict or affect access to rights protected under the EU Charter of Fundamental Rights?"
+    guidance: "Consider right to an effective remedy, right to a fair trial, presumption of innocence, freedom of expression, right to education."
+    annex_iii_categories: [law_enforcement, justice, migration]
+    default_likelihood_hint: 2
+    default_severity_hint: 5
+    article_refs: ["Art.9(2)(a)"]
+    nist_rmf_ref: "MAP 1.5"
+    iso42001_ref: "Clause 6.1"
+    regulatory_status: settled
+
+  - id: FR-003
+    text: "Are affected individuals informed of the AI system's role in decisions that affect them, in a language they understand?"
+    guidance: "Transparency is a foundational right. The obligation to inform subjects is strengthened in high-risk AI contexts."
+    annex_iii_categories: [essential_services, law_enforcement, employment, education]
+    default_likelihood_hint: 2
+    default_severity_hint: 3
+    article_refs: ["Art.13", "Art.14"]
+    nist_rmf_ref: "GOVERN 1.7"
+    iso42001_ref: "Clause A.6"
+    regulatory_status: settled
+
+  - id: FR-004
+    text: "Is there a human review mechanism for decisions that significantly affect an individual's fundamental rights?"
+    guidance: "Purely automated decisions affecting fundamental rights require meaningful human oversight under Article 14."
+    annex_iii_categories: [law_enforcement, justice, employment, essential_services]
+    default_likelihood_hint: null
+    default_severity_hint: null
+    article_refs: ["Art.14"]
+    nist_rmf_ref: "MANAGE 1.1"
+    iso42001_ref: "Clause A.9"
+    regulatory_status: settled

riskforge/_data/question_bank/health_safety.yaml

@@ -0,0 +1,68 @@
+schema_version: "1.0.0"
+dimension: health_safety
+questions:
+  - id: HS-001
+    text: "Could the system's outputs directly influence a clinical, safety, or physical decision without mandatory human review?"
+    guidance: "Consider decisions about medication dosing, surgical planning, vehicle operation, equipment control, or emergency dispatch."
+    annex_iii_categories: [essential_services, critical_infrastructure, biometric]
+    default_likelihood_hint: 3
+    default_severity_hint: 4
+    article_refs: ["Art.9(2)(a)", "Art.14(1)"]
+    nist_rmf_ref: "MAP 1.5"
+    iso42001_ref: "Clause 6.1"
+    regulatory_status: settled
+
+  - id: HS-002
+    text: "Could a system failure (incorrect output, unavailability) cause physical harm to end users or third parties?"
+    guidance: "Failure modes include false negatives in medical screening, incorrect routing in emergency services, or missed safety-critical alerts."
+    annex_iii_categories: [critical_infrastructure, essential_services]
+    default_likelihood_hint: 2
+    default_severity_hint: 5
+    article_refs: ["Art.9(2)(b)"]
+    nist_rmf_ref: "MAP 5.1"
+    iso42001_ref: "Clause 6.1"
+    regulatory_status: settled
+
+  - id: HS-003
+    text: "Are there documented emergency override procedures that allow a human operator to immediately halt or override the system's decisions?"
+    guidance: "Article 14 requires human oversight mechanisms; this question checks whether the technical implementation exists."
+    annex_iii_categories: [biometric, critical_infrastructure, law_enforcement]
+    default_likelihood_hint: null
+    default_severity_hint: null
+    article_refs: ["Art.14(4)(e)"]
+    nist_rmf_ref: "MANAGE 1.1"
+    iso42001_ref: "Clause A.9"
+    regulatory_status: settled
+
+  - id: HS-004
+    text: "Has a failure mode and effects analysis (FMEA) or equivalent been conducted to identify safety-critical failure paths?"
+    guidance: "Systematic safety analysis documents are expected as part of the technical documentation under Article 11 and Annex IV."
+    annex_iii_categories: [critical_infrastructure, essential_services, biometric]
+    default_likelihood_hint: null
+    default_severity_hint: null
+    article_refs: ["Art.9(2)(c)", "Art.11"]
+    nist_rmf_ref: "MAP 5.2"
+    iso42001_ref: "Clause 6.1"
+    regulatory_status: settled
+
+  - id: HS-005
+    text: "Are system performance metrics (accuracy, error rates, latency) monitored in production with alerts for degradation?"
+    guidance: "Post-market monitoring under Article 72 requires tracking of actual performance against stated specifications."
+    annex_iii_categories: [critical_infrastructure, essential_services, employment]
+    default_likelihood_hint: 2
+    default_severity_hint: 3
+    article_refs: ["Art.9(7)", "Art.72"]
+    nist_rmf_ref: "MEASURE 2.5"
+    iso42001_ref: "Clause 9.1"
+    regulatory_status: settled
+
+  - id: HS-006
+    text: "Could vulnerable populations (elderly, children, people with disabilities) be disproportionately harmed by system errors?"
+    guidance: "Article 9(9) requires explicit consideration of impacts on children and other vulnerable groups."
+    annex_iii_categories: [essential_services, education, law_enforcement]
+    default_likelihood_hint: 3
+    default_severity_hint: 4
+    article_refs: ["Art.9(9)"]
+    nist_rmf_ref: "MAP 5.1"
+    iso42001_ref: "Clause 6.1"
+    regulatory_status: settled

riskforge/_data/question_bank/human_oversight.yaml

@@ -0,0 +1,46 @@
+schema_version: "1.0.0"
+dimension: human_oversight
+questions:
+  - id: HO-001
+    text: "Can a human operator override or stop the AI system's output in real time without significant technical barriers?"
+    guidance: "Article 14(4)(e) requires the ability to intervene on or interrupt AI system operation. This must be technically implemented, not just policy-stated."
+    annex_iii_categories: [critical_infrastructure, law_enforcement, biometric]
+    default_likelihood_hint: null
+    default_severity_hint: null
+    article_refs: ["Art.14(4)(e)"]
+    nist_rmf_ref: "MANAGE 1.1"
+    iso42001_ref: "Clause A.9"
+    regulatory_status: settled
+
+  - id: HO-002
+    text: "Are human reviewers trained on the system's capabilities, limitations, and known biases before making decisions based on its output?"
+    guidance: "Untrained human reviewers provide illusory oversight. Article 14(3) requires deployers to assign oversight to qualified persons."
+    annex_iii_categories: [employment, law_enforcement, essential_services, education]
+    default_likelihood_hint: 3
+    default_severity_hint: 3
+    article_refs: ["Art.14(3)"]
+    nist_rmf_ref: "MANAGE 1.1"
+    iso42001_ref: "Clause A.9"
+    regulatory_status: settled
+
+  - id: HO-003
+    text: "Is the human oversight load (volume of cases reviewed per reviewer per day) realistic for meaningful review, not rubber-stamping?"
+    guidance: "Automation bias and review fatigue cause human oversight to become nominal. Workload design is a technical control."
+    annex_iii_categories: [employment, law_enforcement, essential_services]
+    default_likelihood_hint: 3
+    default_severity_hint: 4
+    article_refs: ["Art.14"]
+    nist_rmf_ref: "MANAGE 1.1"
+    iso42001_ref: "Clause A.9"
+    regulatory_status: settled
+
+  - id: HO-004
+    text: "Is the system designed to make its reasoning interpretable to human reviewers (e.g. via explainability methods, confidence scores, supporting evidence)?"
+    guidance: "Human oversight is only meaningful if the reviewer can understand what the system decided and why."
+    annex_iii_categories: [law_enforcement, employment, essential_services, education]
+    default_likelihood_hint: 2
+    default_severity_hint: 4
+    article_refs: ["Art.14(4)(c)"]
+    nist_rmf_ref: "MEASURE 1.1"
+    iso42001_ref: "Clause A.6"
+    regulatory_status: settled

riskforge/_data/question_bank/privacy.yaml

@@ -0,0 +1,57 @@
+schema_version: "1.0.0"
+dimension: privacy
+questions:
+  - id: PR-001
+    text: "Does the system process personal data or special category data (health, biometric, ethnicity, religion)?"
+    guidance: "Processing of special category data triggers additional obligations under GDPR Article 9 and EU AI Act Article 10(5)."
+    annex_iii_categories: [biometric, health, law_enforcement, employment]
+    default_likelihood_hint: null
+    default_severity_hint: null
+    article_refs: ["Art.10(5)"]
+    nist_rmf_ref: "GOVERN 1.6"
+    iso42001_ref: "Clause A.8"
+    regulatory_status: settled
+
+  - id: PR-002
+    text: "Has a Data Protection Impact Assessment (DPIA) been conducted and approved by the Data Protection Officer?"
+    guidance: "GDPR Article 35 requires a DPIA for high-risk processing. High-risk AI systems typically trigger this threshold."
+    annex_iii_categories: [biometric, law_enforcement, employment, essential_services]
+    default_likelihood_hint: null
+    default_severity_hint: null
+    article_refs: ["Art.10", "Art.9(2)(a)"]
+    nist_rmf_ref: "GOVERN 1.6"
+    iso42001_ref: "Clause A.8"
+    regulatory_status: settled
+
+  - id: PR-003
+    text: "Is data minimisation enforced — does the model use only the minimum personal data necessary for the intended purpose?"
+    guidance: "GDPR data minimisation and purpose limitation principles apply to AI systems processing personal data."
+    annex_iii_categories: [biometric, employment, essential_services, education]
+    default_likelihood_hint: 2
+    default_severity_hint: 3
+    article_refs: ["Art.10(3)", "Art.10(5)"]
+    nist_rmf_ref: "GOVERN 1.6"
+    iso42001_ref: "Clause A.8"
+    regulatory_status: settled
+
+  - id: PR-004
+    text: "Has the training data been scanned for inadvertent PII inclusion, and is PII redaction/pseudonymisation applied before training?"
+    guidance: "Training data containing real PII creates privacy risk. Automated PII detection tools (e.g. TraceForge) can surface this."
+    annex_iii_categories: [biometric, employment, health]
+    default_likelihood_hint: 3
+    default_severity_hint: 4
+    article_refs: ["Art.10(3)", "Art.10(5)"]
+    nist_rmf_ref: "GOVERN 1.6"
+    iso42001_ref: "Clause A.8"
+    regulatory_status: settled
+
+  - id: PR-005
+    text: "Are model outputs screened to prevent accidental reproduction of training data PII (membership inference / data extraction attacks)?"
+    guidance: "Large models can memorise and reproduce training data verbatim. This is an active attack surface requiring specific mitigations."
+    annex_iii_categories: [biometric, law_enforcement, employment]
+    default_likelihood_hint: 2
+    default_severity_hint: 4
+    article_refs: ["Art.9(2)(a)", "Art.15"]
+    nist_rmf_ref: "MEASURE 2.5"
+    iso42001_ref: "Clause A.9"
+    regulatory_status: settled

riskforge/_data/question_bank/robustness.yaml

@@ -0,0 +1,57 @@
+schema_version: "1.0.0"
+dimension: robustness
+questions:
+  - id: RO-001
+    text: "Has the system been tested against out-of-distribution inputs, edge cases, and adversarial perturbations?"
+    guidance: "Article 9(7) and Article 15 require testing of AI systems against the intended purpose and reasonably foreseeable misuse."
+    annex_iii_categories: [critical_infrastructure, law_enforcement, essential_services, biometric]
+    default_likelihood_hint: 2
+    default_severity_hint: 4
+    article_refs: ["Art.9(7)", "Art.15"]
+    nist_rmf_ref: "MEASURE 2.5"
+    iso42001_ref: "Clause A.9"
+    regulatory_status: settled
+
+  - id: RO-002
+    text: "Are accuracy, precision, recall, and calibration metrics documented across all relevant demographic subgroups?"
+    guidance: "Aggregate metrics can mask poor performance for subpopulations. Slice-level evaluation is required for high-risk systems."
+    annex_iii_categories: [employment, education, law_enforcement, essential_services]
+    default_likelihood_hint: 2
+    default_severity_hint: 4
+    article_refs: ["Art.9(7)", "Art.10(2)(f)"]
+    nist_rmf_ref: "MEASURE 2.5"
+    iso42001_ref: "Clause A.9"
+    regulatory_status: settled
+
+  - id: RO-003
+    text: "Is there a defined performance floor (minimum acceptable metric threshold) below which the system is taken offline?"
+    guidance: "A defined performance floor ensures degraded models do not remain in production. This is a key operational control."
+    annex_iii_categories: [critical_infrastructure, law_enforcement, essential_services]
+    default_likelihood_hint: 2
+    default_severity_hint: 4
+    article_refs: ["Art.9(7)", "Art.72"]
+    nist_rmf_ref: "MANAGE 1.3"
+    iso42001_ref: "Clause 9.1"
+    regulatory_status: settled
+
+  - id: RO-004
+    text: "Are model degradation scenarios (data drift, concept drift, distribution shift) monitored and have defined response procedures?"
+    guidance: "Models degrade over time as real-world data distributions shift. Post-market monitoring under Article 72 requires detection and response."
+    annex_iii_categories: [essential_services, employment, law_enforcement]
+    default_likelihood_hint: 3
+    default_severity_hint: 3
+    article_refs: ["Art.72"]
+    nist_rmf_ref: "MEASURE 2.5"
+    iso42001_ref: "Clause 9.1"
+    regulatory_status: settled
+
+  - id: RO-005
+    text: "Has the system been tested for resistance to prompt injection, model inversion, or membership inference attacks (if applicable)?"
+    guidance: "LLM-based and generative AI systems face specific adversarial risks not covered by traditional ML robustness testing."
+    annex_iii_categories: [law_enforcement, critical_infrastructure, biometric]
+    default_likelihood_hint: 2
+    default_severity_hint: 4
+    article_refs: ["Art.15"]
+    nist_rmf_ref: "MEASURE 2.5"
+    iso42001_ref: "Clause A.9"
+    regulatory_status: pending_implementing_act

riskforge/_data/question_bank/transparency.yaml

@@ -0,0 +1,46 @@
+schema_version: "1.0.0"
+dimension: transparency
+questions:
+  - id: TR-001
+    text: "Are users notified that they are interacting with or being assessed by an AI system?"
+    guidance: "Article 13 requires providers to ensure a sufficient level of transparency to enable users to interpret the system's output. Notification is a baseline."
+    annex_iii_categories: [employment, education, essential_services, law_enforcement]
+    default_likelihood_hint: null
+    default_severity_hint: null
+    article_refs: ["Art.13(1)"]
+    nist_rmf_ref: "GOVERN 1.7"
+    iso42001_ref: "Clause A.6"
+    regulatory_status: settled
+
+  - id: TR-002
+    text: "Is an explanation of the system's decision-making logic available to affected individuals upon request?"
+    guidance: "GDPR Article 22 provides a right not to be subject to solely automated decisions. An explanation capability is a key technical control."
+    annex_iii_categories: [employment, essential_services, law_enforcement, education]
+    default_likelihood_hint: 2
+    default_severity_hint: 4
+    article_refs: ["Art.13", "Art.14"]
+    nist_rmf_ref: "GOVERN 1.7"
+    iso42001_ref: "Clause A.6"
+    regulatory_status: settled
+
+  - id: TR-003
+    text: "Does the system documentation include clear capability limitations, known failure modes, and out-of-distribution behaviour?"
+    guidance: "Article 13(3)(b) requires information about the system's capabilities and limitations for the benefit of deployers."
+    annex_iii_categories: [employment, essential_services, education, law_enforcement]
+    default_likelihood_hint: 2
+    default_severity_hint: 3
+    article_refs: ["Art.13(3)(b)"]
+    nist_rmf_ref: "GOVERN 1.7"
+    iso42001_ref: "Clause A.6"
+    regulatory_status: settled
+
+  - id: TR-004
+    text: "Are system confidence scores or uncertainty estimates communicated to human operators making decisions based on system output?"
+    guidance: "Operators making high-stakes decisions based on AI output need calibrated uncertainty estimates to exercise appropriate oversight."
+    annex_iii_categories: [law_enforcement, essential_services, employment]
+    default_likelihood_hint: 3
+    default_severity_hint: 3
+    article_refs: ["Art.13", "Art.14(4)"]
+    nist_rmf_ref: "MEASURE 1.1"
+    iso42001_ref: "Clause A.6"
+    regulatory_status: settled