
AI Governance Policy Builder

by 1kalin · GitHub ↗ · v1.1.0
cross-platform ✓ Security Clean
Downloads: 640 · Stars: 0 · Active Installs: 1 · Versions: 2

Install in OpenClaw: /install afrexai-ai-governance
Description
Framework to establish AI governance, assess AI maturity, manage algorithmic risks, conduct impact assessments, classify AI system risk, and ensure regulator...
README (SKILL.md)

AI Governance Policy Builder

Build internal AI governance policies from scratch. Covers acceptable use, model selection, data handling, vendor contracts, compliance mapping, and board reporting.

When to Use

  • Writing or reviewing internal AI acceptable use policies
  • Establishing AI governance committees or review boards
  • Mapping AI usage to regulatory frameworks (EU AI Act, NIST, ISO 42001)
  • Evaluating vendor AI terms and liability clauses
  • Preparing board-level AI governance reports

Governance Policy Framework

1. Acceptable Use Policy (AUP)

Every organization running AI needs a written AUP covering:

Permitted Uses

  • List approved AI tools by department and function
  • Define data classification tiers (public, internal, confidential, restricted)
  • Map which data tiers can enter which AI systems
  • Specify approved vendors vs. shadow AI (employees using personal ChatGPT accounts)

Prohibited Uses

  • Customer PII in non-SOC2 models without anonymization
  • Autonomous financial decisions above $[threshold] without human review
  • HR screening/scoring without bias audit documentation
  • Any use violating sector regulations (HIPAA, GDPR, SOX, PCI-DSS)

Shadow AI Detection

| Signal | Risk Level | Action |
|---|---|---|
| API calls to unknown AI endpoints | HIGH | Block + investigate |
| Browser extensions with AI features | MEDIUM | Audit + approve/deny |
| Personal accounts on company devices | MEDIUM | Policy reminder + monitor |
| Exported data to AI training sets | CRITICAL | Immediate review |
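The data-tier mapping above ("which data tiers can enter which AI systems") and the first shadow AI signal ("API calls to unknown AI endpoints") can both be expressed as a policy-as-code check run over egress or proxy logs. The following is an added example, not part of the skill's SKILL.md: the hostnames, the approved-vendor table, the log line format and the tier-violation action are all constructed placeholders, and the "looks like an AI endpoint" heuristic is an assumption a real deployment would replace with its own allowlist or CASB data.

```python
"""Policy-as-code check for an AI acceptable use policy.

Constructed example. Hostnames, the approved-system table, the log format and
the tier-violation action are placeholders, not data from the skill itself.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Data classification tiers, lowest to highest sensitivity (from the AUP).
TIERS = ("public", "internal", "confidential", "restricted")

# Approved AI systems and the highest tier each may receive (hypothetical).
APPROVED_AI = {
    "api.vendor-a.example": "confidential",   # SOC 2 vendor, DPA signed
    "llm.internal.example": "restricted",     # self-hosted model
    "chat.vendor-b.example": "internal",      # approved, but no DPA for PII
}

# Heuristic for hostnames that look like AI/LLM APIs (assumption; tune locally).
AI_ENDPOINT_HINT = re.compile(r"(llm|gpt|chat|inference|completions)", re.I)

# Constructed proxy log format: timestamp, user, destination host, path,
# and the classification tier the DLP layer assigned to the request body.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"path=(?P<path>\S+) tier=(?P<tier>\S+)$"
)


@dataclass
class Finding:
    timestamp: str
    user: str
    host: str
    risk: str
    action: str


def check_request(host: str, tier: str) -> Optional[Tuple[str, str]]:
    """Return (risk, action) for a policy violation, or None if compliant."""
    if tier not in TIERS:
        raise ValueError(f"unknown data tier: {tier!r}")
    max_tier = APPROVED_AI.get(host)
    if max_tier is None:
        # Not an approved system: flag only if it looks like an AI endpoint.
        if AI_ENDPOINT_HINT.search(host):
            return ("HIGH", "Block + investigate")      # shadow AI signal
        return None
    # Approved system, but the data tier exceeds what it is cleared for.
    # The action here is an assumption; the page's table has no row for it.
    if TIERS.index(tier) > TIERS.index(max_tier):
        return ("CRITICAL", "Block + immediate review")
    return None


def scan_proxy_log(lines: List[str]) -> List[Finding]:
    """Apply check_request to each parsable log line; unparsable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        result = check_request(m["host"], m["tier"])
        if result:
            risk, action = result
            findings.append(Finding(m["ts"], m["user"], m["host"], risk, action))
    return findings


# Constructed sample log lines.
SAMPLE_LOG = [
    "2025-01-15T09:12:03Z user=alice host=api.vendor-a.example path=/v1/chat tier=confidential",
    "2025-01-15T09:13:10Z user=bob host=chat.vendor-b.example path=/v1/chat tier=restricted",
    "2025-01-15T09:14:22Z user=carol host=free-gpt.example path=/api tier=internal",
    "2025-01-15T09:15:01Z user=dave host=cdn.example path=/logo.png tier=public",
    "2025-01-15T09:16:40Z user=erin host=llm.internal.example path=/generate tier=restricted",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} -> {f.host}: {f.risk} ({f.action})")
```

Run as a script, it reports two findings from the sample: bob sending restricted data to a system cleared only for internal data, and carol calling an unknown host that matches the AI-endpoint heuristic. The check is deliberately split so `check_request` can be reused by an inline proxy or DLP hook, while `scan_proxy_log` serves the retrospective audit the roadmap's "establish monitoring for shadow AI" step calls for.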

2. AI Model Selection & Procurement

Evaluation Scorecard (100 points)

| Criteria | Weight | What to Check |
|---|---|---|
| Data residency & sovereignty | 20 | Where is data processed? Stored? Can you choose region? |
| Security certifications | 20 | SOC2 Type II, ISO 27001, HIPAA BAA, FedRAMP |
| Model transparency | 15 | Training data provenance, bias testing, version control |
| Contract terms | 15 | Data usage rights, indemnification, SLA, exit clauses |
| Performance & cost | 15 | Latency, accuracy benchmarks, token pricing, rate limits |
| Integration & support | 15 | API stability, documentation quality, support SLA |

Minimum score for production deployment: 70/100

Red Flags (automatic disqualification):

  • Vendor trains on your data without opt-out
  • No data processing agreement (DPA) available
  • Indemnification excluded for AI outputs
  • No incident response SLA

3. Data Handling & Classification

AI Data Flow Audit Template

For each AI integration, document:

  1. Input data: What goes in? Classification tier? PII present?
  2. Processing: Where? Which model? Hosted or API? Region?
  3. Output data: What comes out? Stored where? Retention period?
  4. Training: Does vendor use your data for training? Opt-out confirmed?
  5. Logging: Are prompts/responses logged? Where? Who has access?
  6. Deletion: Can you request data deletion? Verified how?

Data Minimization Checklist

  • Only send minimum necessary data to AI systems
  • Strip PII before processing where possible
  • Use synthetic data for testing and development
  • Implement input sanitization for prompt injection prevention
  • Audit output for data leakage (model regurgitating training data)

4. Regulatory Compliance Mapping

EU AI Act (effective Aug 2025, enforcement Feb 2025)

| Risk Category | Examples | Requirements |
|---|---|---|
| Unacceptable | Social scoring, real-time biometric ID (most cases) | Banned |
| High-risk | HR screening, credit scoring, medical devices | Conformity assessment, human oversight, transparency |
| Limited | Chatbots, deepfakes | Transparency obligations (disclose AI use) |
| Minimal | Spam filters, game AI | No requirements |

NIST AI RMF (Risk Management Framework)

  • Map: Identify AI systems in use
  • Measure: Quantify risks per system
  • Manage: Implement controls proportional to risk
  • Govern: Establish oversight structure and accountability

ISO 42001 (AI Management System)

  • Useful for organizations wanting certified AI governance
  • Aligns with ISO 27001 (already have it? Easier path)
  • Covers: AI policy, risk assessment, objectives, competence, documentation

5. AI Governance Committee Structure

Recommended Composition

  • Chair: CTO or Chief AI Officer
  • Legal: 1 representative (contracts, compliance)
  • Security: CISO or delegate (data protection, incident response)
  • Business: 1-2 department heads (use case prioritization)
  • Ethics: External advisor or designated internal role
  • Finance: CFO delegate (budget, ROI tracking)

Meeting Cadence

  • Monthly: Review new AI use cases, vendor changes, incidents
  • Quarterly: Policy updates, compliance audit, budget review
  • Annually: Full governance framework review, board report

Decision Authority

| Decision | Authority Level |
|---|---|
| New AI tool (< $5K/year) | Department head + security review |
| New AI tool (> $5K/year) | Governance committee approval |
| Customer-facing AI | Committee + legal + CEO sign-off |
| AI incident response | Security lead (immediate) → Committee (48h review) |

6. Vendor Contract Checklist

Before signing any AI vendor contract, confirm:

  • Data processing agreement (DPA) signed
  • Your data is NOT used for model training (or explicit opt-out confirmed)
  • Data residency requirements met (specify regions)
  • Indemnification clause covers AI-generated output liability
  • SLA includes uptime, latency, and support response time
  • Exit clause: data export format, deletion timeline, transition support
  • Security certifications current and verified (not expired)
  • Incident notification timeline specified (72h or less)
  • Subprocessor list provided with change notification rights
  • Insurance coverage for AI-specific risks confirmed
  • Price lock or cap on increases for contract duration
  • Right to audit (or audit report access)

7. Board Reporting Template

Quarterly AI Governance Report

AI GOVERNANCE REPORT — Q[X] [YEAR]

1. AI PORTFOLIO SUMMARY
   - Active AI systems: [count]
   - New deployments this quarter: [count]
   - Retired/replaced: [count]
   - Total AI spend: $[amount] (vs budget: $[amount])

2. RISK DASHBOARD
   - High-risk systems: [count] — all compliant: [Y/N]
   - Open incidents: [count] — resolved this quarter: [count]
   - Shadow AI detections: [count] — remediated: [count]
   - Compliance gaps: [list]

3. VALUE DELIVERED
   - Hours saved: [estimate]
   - Revenue attributed to AI: $[amount]
   - Cost reduction: $[amount]
   - Customer satisfaction impact: [metric]

4. KEY DECISIONS NEEDED
   - [Decision 1: context + recommendation]
   - [Decision 2: context + recommendation]

5. NEXT QUARTER PRIORITIES
   - [Priority 1]
   - [Priority 2]

8. Incident Response for AI Systems

AI-Specific Incident Categories

| Category | Example | Response Time |
|---|---|---|
| Data breach via AI | Model leaks PII in output | Immediate — invoke security IR plan |
| Hallucination causing harm | Wrong medical/legal/financial advice acted on | 4h — document, notify affected parties |
| Bias detected | Discriminatory output in hiring/lending | 24h — suspend system, audit, remediate |
| Prompt injection | Attacker manipulates AI behavior | Immediate — block vector, patch |
| Cost overrun | Runaway API calls | 4h — rate limit, investigate, cap |
| Vendor incident | Provider breach or outage | Per vendor SLA — activate backup |

Post-Incident Review Template

  1. What happened (factual timeline)
  2. Impact (who/what affected, cost, duration)
  3. Root cause (not blame — systems thinking)
  4. Fixes applied (immediate + permanent)
  5. Policy/process changes needed
  6. Board notification required? (Y/N + rationale)

Cost of NOT Having AI Governance

| Company Size | Annual Risk Without Governance |
|---|---|
| 15-50 employees | $50K-$200K (shadow AI waste, compliance fines) |
| 50-200 employees | $200K-$800K (data incidents, vendor lock-in, redundant tools) |
| 200-1000 employees | $800K-$3M (regulatory penalties, IP exposure, audit failures) |
| 1000+ employees | $3M-$15M+ (class action, regulatory enforcement, reputational damage) |

90-Day Implementation Roadmap

Month 1: Foundation

  • Draft acceptable use policy
  • Inventory all AI systems in use (including shadow AI)
  • Classify data flowing through each system
  • Identify governance committee members

Month 2: Controls

  • Finalize and distribute AUP
  • Implement vendor evaluation scorecard for new purchases
  • Set up AI incident response procedures
  • Begin regulatory compliance mapping

Month 3: Operationalize

  • First governance committee meeting
  • Deliver first board report
  • Establish monitoring for shadow AI
  • Schedule quarterly policy review cycle

Built by AfrexAI — AI operations infrastructure for mid-market companies.

Get the full industry-specific context pack for your sector ($47): https://afrexai-cto.github.io/context-packs/

Calculate your AI automation ROI: https://afrexai-cto.github.io/ai-revenue-calculator/

Set up your AI agent workforce in 5 minutes: https://afrexai-cto.github.io/agent-setup/

Need all 10 industry packs? $197 for the complete bundle: https://buy.stripe.com/aEUaGJ2Xd0rI6zKfZ7

Usage Guidance

This skill is instruction-only and presents checklists and templates that match its stated purpose. Before using it operationally:

  1. Review and adapt all placeholders (thresholds, timelines, jurisdictional rules) to your organization and local law — the document is a template, not legal advice.
  2. Do not paste sensitive or real PII/API keys into online demo pages or third-party tools linked from the README (the README links to external afrexai-cto.github.io pages that offer paid content). Verify any external vendor/site before sharing confidential information.
  3. Have legal/compliance and security teams review contract clauses and regulatory mappings before adopting them.
  4. Note some minor content inaccuracies/truncation in the files — treat the skill as a starting point and validate details against authoritative sources.
Capability Analysis

Type: OpenClaw Skill
Name: afrexai-ai-governance
Version: 1.1.0

The skill bundle is a comprehensive documentation and template set for building AI governance policies. All files (_meta.json, SKILL.md, README.md) contain only descriptive text, policy frameworks, templates, and informational links. There is no executable code, no instructions for the AI agent to perform malicious actions (e.g., data exfiltration, unauthorized command execution, persistence, or prompt injection to subvert its purpose), and no obfuscation. The external links are purely promotional and do not trigger any actions within the skill itself.
Capability Assessment
Purpose & Capability
The name and description (AI governance policy builder) align with the SKILL.md and README content: templates, scorecards, committee structures, and regulatory mapping. There are no unrelated requirements (no credentials, binaries, or config paths) that would be disproportionate to the stated purpose.
Instruction Scope
SKILL.md is prose and templates only; it does not instruct the agent to run shell commands, access local files or system state, or send data to external endpoints. It does not request or mention environment variables or other secrets. Some content contains placeholders (e.g., $[threshold]) and truncated lines that require user tailoring, but this is content-quality, not a security concern.
Install Mechanism
There is no install spec and no code files. Being instruction-only, nothing is downloaded or written to disk by the skill itself, which minimizes installation risk.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate for a policy/template skill; it does not request secrets or unrelated credentials.
Persistence & Privilege
Flags show always:false and default model invocation behavior. The skill does not request persistent system presence or attempt to modify other skill configurations; no elevated privileges are requested.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install afrexai-ai-governance
  3. After installation, invoke the skill by name or use /afrexai-ai-governance
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History

v1.1.0

Summary: Major update focusing on practical policy templates and governance structures for organizational AI.

  • Introduces a comprehensive AI policy builder, including Acceptable Use Policy, procurement scorecards, and board-level governance reporting.
  • Adds clear frameworks for data handling, regulatory mapping (EU AI Act, NIST, ISO 42001), and vendor contract review.
  • Replaces prior theoretical/maturity model content with practical checklists, templates, and committee structures.
  • Provides actionable risk controls for shadow AI, incident response, and compliance tracking.
  • Delivers concise, real-world tools for organizations establishing or updating internal AI governance programs.

v1.0.0

Initial release of a comprehensive AI governance and responsible AI framework.

  • Provides a step-by-step maturity model to assess organizational AI governance readiness.
  • Includes templates and YAML structures for AI system inventory, risk classification, and governance documentation.
  • Maps to leading regulatory frameworks (EU AI Act, NIST AI RMF, ISO 42001) for compliance guidance.
  • Supplies risk assessment tools: EU AI Act decision tree and weighted internal risk tier rubric.
  • Delivers detailed templates for conducting AI impact assessments covering ethics, fairness, and explainability.
  • Supports building trustworthy, compliant, and accountable AI programs for any organization.
Metadata

Slug: afrexai-ai-governance
Version: 1.1.0
License: (not specified)
All-time Installs: 1
Active Installs: 1
Total Versions: 2
Frequently Asked Questions

What is AI Governance Policy Builder?

Framework to establish AI governance, assess AI maturity, manage algorithmic risks, conduct impact assessments, classify AI system risk, and ensure regulator... It is an AI Agent Skill for Claude Code / OpenClaw, with 640 downloads so far.

How do I install AI Governance Policy Builder?

Run "/install afrexai-ai-governance" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is AI Governance Policy Builder free?

Yes, AI Governance Policy Builder is completely free (open-source). You can download, install and use it at no cost.

Which platforms does AI Governance Policy Builder support?

AI Governance Policy Builder is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created AI Governance Policy Builder?

It is built and maintained by 1kalin (@1kalin); the current version is v1.1.0.
