← Back to Skills Marketplace
1146
Downloads
0
Stars
9
Active Installs
1
Versions
Install in OpenClaw
/install afrexai-regulatory-compliance
Description
Perform a comprehensive regulatory compliance audit covering US, UK, and EU frameworks across 8 domains with risk scoring and a 90-day remediation roadmap.
README (SKILL.md)
Regulatory Compliance Audit
Run a full regulatory compliance audit for any business. Covers US, UK, and EU frameworks across 8 compliance domains with gap analysis, risk scoring, and remediation timelines.
When to Use
- Annual or quarterly compliance reviews
- Pre-audit preparation (SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS)
- New market entry requiring regulatory assessment
- Board or investor due diligence on compliance posture
- Post-incident compliance gap analysis
How It Works
Step 1: Identify Applicable Frameworks
Based on the business profile (industry, geography, data types, revenue), determine which frameworks apply:
| Framework | Triggers |
|---|---|
| SOC 2 Type II | B2B SaaS, handles customer data |
| GDPR | Any EU customer data, EU employees |
| HIPAA | Any PHI (healthcare, benefits, wellness) |
| PCI DSS | Processes, stores, or transmits card data |
| ISO 27001 | Enterprise clients requesting certification |
| SOX | Public company or preparing for IPO |
| CCPA/CPRA | >$25M revenue OR >50K CA consumers |
| NIST AI RMF | Deploying AI/ML in production |
| UK DPA 2018 | UK operations or UK customer data |
| FCA/PRA | UK financial services |
Step 2: 8-Domain Compliance Assessment
Score each domain 1-5 (1=non-existent, 5=mature):
Domain 1: Data Governance
- Data classification policy (public/internal/confidential/restricted)
- Data retention schedule with legal hold procedures
- Data processing agreements with all vendors
- Cross-border transfer mechanisms (SCCs, adequacy decisions)
- Data subject rights workflow (access, deletion, portability)
- Data breach notification procedure (\x3C72hr GDPR, state-specific US)
Domain 2: Access Control & Identity
- Role-based access control (RBAC) implemented
- Multi-factor authentication on all critical systems
- Privileged access management (PAM) for admin accounts
- Quarterly access reviews with evidence retention
- Automated provisioning/deprovisioning tied to HR
- Service account inventory with rotation schedule
Domain 3: Security Operations
- Vulnerability management program (scan frequency, SLA by severity)
- Penetration testing (annual minimum, after major changes)
- Security incident response plan (tested within 12 months)
- Log retention meeting regulatory minimums (1yr SOC 2, 6yr SOX)
- Endpoint detection and response (EDR) on all endpoints
- Network segmentation between environments
Domain 4: Business Continuity
- Business impact analysis (BIA) current within 12 months
- Disaster recovery plan with defined RTO/RPO by system tier
- Backup testing (restore verified quarterly minimum)
- Pandemic/remote work continuity procedures
- Third-party dependency mapping for critical services
- Communication plan (internal + external + regulatory)
Domain 5: Vendor & Third-Party Risk
- Vendor risk assessment questionnaire (SIG Lite or equivalent)
- Tiered vendor classification (critical/high/medium/low)
- Annual vendor reviews for critical and high-tier vendors
- Right-to-audit clauses in critical vendor contracts
- Fourth-party risk assessment for critical vendors
- Vendor offboarding procedure with data return/destruction
Domain 6: HR & Personnel Security
- Background check policy (scope appropriate to role)
- Security awareness training (annual + phishing simulations)
- Acceptable use policy signed by all employees
- Code of conduct with reporting mechanisms
- Termination checklist (access removal, device collection, NDA reminder)
- Contractor/temp worker security requirements
Domain 7: AI & Automation Governance
- AI model inventory with risk classification
- Bias testing and fairness metrics for decision-making models
- Human-in-the-loop requirements defined per use case
- AI incident response procedures
- Transparency documentation (model cards, impact assessments)
- Training data governance and lineage tracking
Domain 8: Financial & Reporting Controls
- Segregation of duties in financial processes
- Change management procedures for financial systems
- Audit trail for all financial transactions
- Revenue recognition controls (ASC 606 / IFRS 15)
- Tax compliance calendar (federal, state, international)
- Internal audit schedule and findings tracking
Step 3: Risk Scoring Matrix
For each gap identified:
| Likelihood | Impact | Risk Score | Action Timeline |
|---|---|---|---|
| High | High | Critical | Fix within 30 days |
| High | Medium | High | Fix within 60 days |
| Medium | High | High | Fix within 60 days |
| Medium | Medium | Medium | Fix within 90 days |
| Low | High | Medium | Fix within 90 days |
| Low | Medium | Low | Next quarterly review |
| Low | Low | Informational | Annual review |
Step 4: Remediation Roadmap
Build a 90-day plan:
Days 1-30: Critical Gaps
- Address any gaps with Critical or High risk scores
- Implement quick wins (policy updates, access reviews)
- Engage external counsel for regulatory interpretation if needed
Days 31-60: Systematic Improvements
- Deploy technical controls (MFA, EDR, log aggregation)
- Complete vendor risk assessments for critical vendors
- Update employee training program
Days 61-90: Evidence & Documentation
- Build evidence collection system for ongoing compliance
- Conduct internal audit of remediated areas
- Prepare board-ready compliance dashboard
Step 5: Compliance Cost Benchmarks (2026)
| Company Size | Annual Compliance Budget | Key Cost Drivers |
|---|---|---|
| 10-50 employees | $30K-$80K | SOC 2 audit ($15-30K), tools ($10-20K), training ($5-10K) |
| 50-200 employees | $80K-$250K | + DPO/compliance hire ($80-120K), pen testing ($15-40K) |
| 200-1000 employees | $250K-$800K | + GRC platform ($50-150K), multiple audits, legal counsel |
| 1000+ employees | $800K-$3M+ | + Dedicated compliance team, continuous monitoring, regulatory filings |
Cost of non-compliance (real examples):
- GDPR fines: up to 4% global annual revenue (Meta: €1.2B, 2023)
- HIPAA: $100-$50K per violation, $1.5M annual cap per category
- PCI DSS: $5K-$100K/month until compliant + liability for breaches
- SOX: Criminal penalties, officer personal liability
- Average data breach cost: $4.88M (IBM 2024)
Step 6: Output Format
Generate a compliance report with:
- Executive Summary — Overall maturity score (1-5), top 3 risks, recommended budget
- Framework Applicability Matrix — Which frameworks apply and current certification status
- Domain Scores — 8 domains with gap counts and risk distribution
- Critical Findings — Top 10 gaps ranked by risk score with remediation steps
- 90-Day Roadmap — Week-by-week action plan with owners and milestones
- Budget Estimate — Compliance cost projection for next 12 months
- Board Dashboard — One-page visual for board/investor reporting
Industry-Specific Requirements
| Industry | Primary Frameworks | Special Considerations |
|---|---|---|
| SaaS/Technology | SOC 2, GDPR, CCPA | AI governance, open source licensing |
| Healthcare | HIPAA, HITRUST, FDA (if devices) | PHI everywhere, BAAs required |
| Financial Services | SOX, PCI DSS, GLBA, FCA/PRA | Transaction monitoring, AML/KYC |
| Legal | ABA ethics, GDPR, privilege rules | Client confidentiality, conflict checks |
| Construction | OSHA, environmental, bonding | Safety records, subcontractor compliance |
| E-commerce | PCI DSS, CCPA/GDPR, FTC | Payment data, consumer protection, returns |
| Manufacturing | ISO 9001, OSHA, EPA, export controls | Supply chain compliance, ITAR/EAR |
| Real Estate | Fair Housing, AML, state licensing | Property data, transaction compliance |
| Recruitment | EEOC, GDPR (candidate data), ban-the-box | AI hiring bias (NYC Local 144), background checks |
| Professional Services | Industry-specific licensing, SOC 2 | Client data handling, engagement letters |
7 Compliance Audit Mistakes That Cost Companies Millions
- Treating compliance as annual — It's continuous. Point-in-time audits miss 60% of gaps that develop mid-year.
- Ignoring AI governance — NIST AI RMF and EU AI Act are here. Every production model needs documentation.
- Vendor risk as checkbox — Your vendor's breach is your breach. Fourth-party risk is real.
- No evidence retention system — If you can't prove compliance, you're not compliant. Automate evidence collection.
- Security ≠ compliance — You can be secure and non-compliant, or compliant and insecure. Address both.
- Underbudgeting remediation — Plan for 2x the estimated remediation cost. Surprises are the norm.
- Board reporting as afterthought — Boards that see compliance dashboards quarterly make better risk decisions.
Get the full compliance implementation toolkit for your industry:
- Browse all 10 industry context packs → https://afrexai-cto.github.io/context-packs/
- Calculate your AI automation ROI → https://afrexai-cto.github.io/ai-revenue-calculator/
- Set up your AI agent stack → https://afrexai-cto.github.io/agent-setup/
Bundles: Playbook $27 | Pick 3 $97 | All 10 $197 | Everything $247
Usage Guidance
This skill is an instruction-only compliance playbook — it will ask for details about your business so the agent can assess applicable frameworks and gaps. Before running it: (1) avoid pasting sensitive secrets, credentials, or raw PHI/PCI data into the agent; provide high-level descriptions where possible, or sanitize datasets; (2) remember this is advisory content, not legal advice—consult counsel for binding interpretations; (3) the README includes marketing links to external pages — the skill itself doesn't call them, but verify any third-party resources before following paid offers; (4) if you need automated evidence collection from systems, prefer a vetted tool that explicitly requests the narrow credentials required rather than pasting secrets into a conversational agent.
Capability Analysis
Type: OpenClaw Skill
Name: afrexai-regulatory-compliance
Version: 1.0.0
The skill bundle is designed for a regulatory compliance audit, providing structured instructions for an AI agent to perform assessments and generate reports. The `SKILL.md` and `README.md` files contain detailed, task-oriented instructions consistent with the stated purpose. While both files include external marketing links (e.g., `afrexai-cto.github.io/context-packs/`), these are presented as information for the user and do not instruct the AI agent to perform any malicious actions such as data exfiltration, unauthorized execution, or prompt injection attempts designed to compromise the agent or system. No high-risk behaviors or malicious intent were identified.
Capability Assessment
Purpose & Capability
Name and description match the SKILL.md: the skill is a procedural compliance audit (framework identification, 8-domain checklist, risk scoring, 90-day roadmap). There are no declared binaries, installs, or credentials that don't belong to this purpose. README marketing (paid packs, links) is external to the skill but does not change the skill's declared functionality.
Instruction Scope
SKILL.md instructs the agent to gather a business profile and run framework applicability, gap analysis, scoring, and produce remediation plans. The instructions do not direct the agent to read system files, environment variables, or secrets, nor do they reference unexpected external endpoints. It relies on user-provided business context, which is appropriate for this task.
Install Mechanism
No install spec and no code files — the skill is instruction-only, so nothing is written to disk or fetched at install time. This is the lowest-risk install profile.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate to an advisory/compliance checklist that only needs a business description. There are no unrelated credential requests.
Persistence & Privilege
always is false and model invocation is allowed (default). The skill does not request persistent system presence or modify other skills/config. Autonomous invocation is the platform default and not a special risk here given the minimal footprint.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install afrexai-regulatory-compliance - After installation, invoke the skill by name or use
/afrexai-regulatory-compliance - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of the afrexai-regulatory-compliance skill.
- Enables full regulatory compliance audits for any business across US, UK, and EU frameworks.
- Covers 8 compliance domains with gap analysis, risk scoring, and a remediation roadmap.
- Provides industry-specific requirements and compliance cost benchmarks.
- Generates board-ready compliance reports with actionable 90-day plans.
Metadata
Frequently Asked Questions
What is Regulatory Compliance Audit?
Perform a comprehensive regulatory compliance audit covering US, UK, and EU frameworks across 8 domains with risk scoring and a 90-day remediation roadmap. It is an AI Agent Skill for Claude Code / OpenClaw, with 1146 downloads so far.
How do I install Regulatory Compliance Audit?
Run "/install afrexai-regulatory-compliance" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Regulatory Compliance Audit free?
Yes, Regulatory Compliance Audit is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Regulatory Compliance Audit support?
Regulatory Compliance Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Regulatory Compliance Audit?
It is built and maintained by 1kalin (@1kalin); the current version is v1.0.0.
More Skills