{
  "policy_version": "f9c04-compliance-policy@0.1.0",
  "assessment_date": "2026-06-07",
  "source_cutoff": "2026-06-07",
  "classification": {
    "high_impact_domains": [
      "education",
      "employment",
      "healthcare",
      "financial_access",
      "public_services"
    ],
    "high_impact_effects": [
      "decide",
      "prioritize",
      "score",
      "rank",
      "select",
      "grant_or_deny"
    ],
    "transparency_effects": [
      "generate_content",
      "guidance_and_prepare",
      "summarize",
      "recommend"
    ]
  },
  "requirements": [
    {
      "id": "AIMS_SCOPE",
      "framework": "ISO/IEC 42001",
      "label": "Alcance del sistema de gestión de IA",
      "question": "¿Qué sistemas, roles, datos, proveedores y entornos cubre el AIMS?",
      "artifact": "iso42001_aims_scope.md",
      "applies_to": "all",
      "owner_role": "governance_owner",
      "blocker_if_missing": false
    },
    {
      "id": "AI_INVENTORY",
      "framework": "NIST AI RMF",
      "label": "Inventario de sistemas de IA",
      "question": "¿Sabemos qué sistemas existen, quién los opera y qué versión está viva?",
      "artifact": "ai_system_register.csv",
      "applies_to": "all",
      "owner_role": "technical_owner",
      "blocker_if_missing": false
    },
    {
      "id": "AIACT_ART9_RISK_MANAGEMENT",
      "framework": "AI Act",
      "label": "Art. 9 · gestión de riesgos",
      "question": "¿El sistema tiene riesgos identificados, controles, owners y revisión del riesgo residual?",
      "artifact": "risk_register.md",
      "applies_to": "high_risk_candidate",
      "owner_role": "risk_owner",
      "blocker_if_missing": true
    },
    {
      "id": "AIACT_ART10_DATA_GOVERNANCE",
      "framework": "AI Act",
      "label": "Art. 10 · gobernanza de datos",
      "question": "¿Los datos tienen linaje, calidad, exclusiones y revisión de representatividad?",
      "artifact": "data_governance_pack.md",
      "applies_to": "high_risk_candidate",
      "owner_role": "data_owner",
      "blocker_if_missing": true
    },
    {
      "id": "AIACT_ART11_ANNEXIV_TECH_DOC",
      "framework": "AI Act",
      "label": "Art. 11 + Annex IV · documentación técnica",
      "question": "¿Existe un technical file versionado con finalidad, arquitectura, datos, evals y límites?",
      "artifact": "annex_iv_technical_file.md",
      "applies_to": "high_risk_candidate",
      "owner_role": "technical_owner",
      "blocker_if_missing": true
    },
    {
      "id": "AIACT_ART12_RECORD_KEEPING",
      "framework": "AI Act",
      "label": "Art. 12 · record-keeping",
      "question": "¿Hay logs exportables que permitan reconstruir las decisiones del sistema sin guardar más datos de los necesarios?",
      "artifact": "trace_evidence_sample.jsonl",
      "applies_to": "high_risk_candidate",
      "owner_role": "platform_owner",
      "blocker_if_missing": true
    },
    {
      "id": "AIACT_ART13_INSTRUCTIONS",
      "framework": "AI Act",
      "label": "Art. 13 · instrucciones de uso",
      "question": "¿Quien despliega el sistema entiende su finalidad, límites, datos, métricas y operación?",
      "artifact": "operator_manual.md",
      "applies_to": "high_risk_candidate",
      "owner_role": "product_owner",
      "blocker_if_missing": false
    },
    {
      "id": "AIACT_ART14_HUMAN_OVERSIGHT",
      "framework": "AI Act",
      "label": "Art. 14 · supervisión humana",
      "question": "¿Hay revisión humana efectiva cuando el sistema influye en una decisión relevante?",
      "artifact": "human_oversight_playbook.md",
      "applies_to": "high_risk_candidate",
      "owner_role": "operations_owner",
      "blocker_if_missing": true
    },
    {
      "id": "AIACT_ART15_QUALITY_ROBUSTNESS",
      "framework": "AI Act",
      "label": "Art. 15 · precisión, robustez y seguridad técnica",
      "question": "¿Hay evals, SLO, pruebas de regresión, appsec gate y monitorización?",
      "artifact": "eval_and_robustness_report.md",
      "applies_to": "production",
      "owner_role": "eval_owner",
      "blocker_if_missing": false
    },
    {
      "id": "AIACT_ART17_QMS",
      "framework": "AI Act",
      "label": "Art. 17 · sistema de calidad",
      "question": "¿Cambios, proveedores, evidencias y acciones correctivas están controlados?",
      "artifact": "change_control_record.md",
      "applies_to": "provider_high_risk",
      "owner_role": "quality_owner",
      "blocker_if_missing": false
    },
    {
      "id": "AIACT_ART27_FRIA",
      "framework": "AI Act",
      "label": "Art. 27 · evaluación de impacto cuando aplique",
      "question": "¿El despliegue necesita evaluación de impacto sobre derechos fundamentales?",
      "artifact": "fria_precheck.md",
      "applies_to": "high_risk_deployer",
      "owner_role": "governance_owner",
      "blocker_if_missing": false
    },
    {
      "id": "AIACT_ART72_POST_MARKET",
      "framework": "AI Act",
      "label": "Art. 72 · seguimiento postdespliegue",
      "question": "¿Se monitorizan calidad, seguridad, cambios, incidencias y retirada?",
      "artifact": "post_deployment_monitoring_plan.md",
      "applies_to": "production",
      "owner_role": "operations_owner",
      "blocker_if_missing": false
    },
    {
      "id": "GDPR_DPIA",
      "framework": "GDPR",
      "label": "DPIA/EIPD y minimización",
      "question": "¿El tratamiento de datos personales tiene finalidad, base jurídica, minimización, retención y derechos?",
      "artifact": "dpia_precheck.md",
      "applies_to": "personal_data",
      "owner_role": "privacy_owner",
      "blocker_if_missing": false
    },
    {
      "id": "NIST_GOVERN_MAP_MEASURE_MANAGE",
      "framework": "NIST AI RMF",
      "label": "Govern, Map, Measure, Manage",
      "question": "¿La decisión está gobernada, mapeada, medida y gestionada con evidencias?",
      "artifact": "ai_rmf_crosswalk.md",
      "applies_to": "all",
      "owner_role": "governance_owner",
      "blocker_if_missing": false
    }
  ],
  "release_rules": {
    "decision_if_blocked": "revisar_antes",
    "decision_if_conditioned": "publicar_con_condiciones",
    "decision_if_ready": "publicar_con_seguimiento",
    "stale_after_days": 120,
    "accepted_status": "accepted",
    "condition_statuses": [
      "partial",
      "stale"
    ],
    "missing_status": "missing"
  }
}

