From 352d7112c92af53b0d2e465f73f6a9a190860e09 Mon Sep 17 00:00:00 2001
From: Benjamin Admin
Date: Sun, 12 Apr 2026 22:35:48 +0200
Subject: [PATCH] feat: Domain YAML-Regeln (14 Regeln) + Field-Resolver fuer HR/Edu/HC
1. 14 neue YAML-Regeln in Kategorie K (Domain-Hochrisiko):
- HR: 5 Regeln (Screening, Absagen=BLOCK, AGG, Bias, Performance)
- Education: 3 Regeln (Noten, Minderjaehrige=BLOCK, Zugangssteuerung)
- Healthcare: 4 Regeln (Diagnose, Triage, MDR=BLOCK, Gesundheitsdaten)
2. Field-Resolver: getHRContextValue(), getEducationContextValue(), getHealthcareContextValue()
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../internal/ucca/policy_engine.go | 89 +++++++-
 .../policies/ucca_policy_v1.yaml | 209 ++++++++++++++++++
 2 files changed, 297 insertions(+), 1 deletion(-)
diff --git a/ai-compliance-sdk/internal/ucca/policy_engine.go b/ai-compliance-sdk/internal/ucca/policy_engine.go
index 2798de1..d8ab3df 100644
--- a/ai-compliance-sdk/internal/ucca/policy_engine.go
+++ b/ai-compliance-sdk/internal/ucca/policy_engine.go
@@ -220,6 +220,7 @@ func (e *PolicyEngine) Evaluate(intake *UseCaseIntake) *AssessmentResult {
 RiskLevel: RiskLevelMINIMAL,
 Complexity: ComplexityLOW,
 RiskScore: 0,
+ Intake: *intake,
 TriggeredRules: []TriggeredRule{},
 RequiredControls: []RequiredControl{},
 RecommendedArchitecture: []PatternRecommendation{},
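Review bot: `Intake: *intake` stores a copy of the whole intake in every AssessmentResult, and because HRContext, EducationContext and HealthcareContext are pointers (the `== nil` checks in getFieldValue show that) the copy is shallow: the result aliases the caller's sub-structs and will change if the caller mutates them afterwards. If results are serialized into reports or logs, the complete intake — now including the HR, education and health answers — goes out with them, which may be more than a consumer of the assessment should see. A doc comment on the field would at least make both properties explicit, e.g. `// Intake is a shallow copy of the evaluated intake; the nested *Context structs are shared with the caller.` Evaluate's body continues outside this hunk.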
@@ -460,11 +461,97 @@ func (e *PolicyEngine) getFieldValue(field string, intake *UseCaseIntake) interf
 return nil
 }
 return e.getRetentionValue(parts[1], intake)
+ case "employee_monitoring":
+ return intake.EmployeeMonitoring
+ case "hr_decision_support":
+ return intake.HRDecisionSupport
+ case "works_council_consulted":
+ return intake.WorksCouncilConsulted
+ case "hr_context":
+ if len(parts) < 2 || intake.HRContext == nil {
+ return nil
+ }
+ return e.getHRContextValue(parts[1], intake)
+ case "education_context":
+ if len(parts) < 2 || intake.EducationContext == nil {
+ return nil
+ }
+ return e.getEducationContextValue(parts[1], intake)
+ case "healthcare_context":
+ if len(parts) < 2 || intake.HealthcareContext == nil {
+ return nil
+ }
+ return e.getHealthcareContextValue(parts[1], intake)
+ }
 return nil
 }
+func (e *PolicyEngine) getHRContextValue(field string, intake *UseCaseIntake) interface{} {
+ if intake.HRContext == nil {
+ return nil
+ }
+ switch field {
+ case "automated_screening":
+ return intake.HRContext.AutomatedScreening
+ case "automated_rejection":
+ return intake.HRContext.AutomatedRejection
+ case "candidate_ranking":
+ return intake.HRContext.CandidateRanking
+ case "bias_audits_done":
+ return intake.HRContext.BiasAuditsDone
+ case "agg_categories_visible":
+ return intake.HRContext.AGGCategoriesVisible
+ case "human_review_enforced":
+ return intake.HRContext.HumanReviewEnforced
+ case "performance_evaluation":
+ return intake.HRContext.PerformanceEvaluation
+ }
+ return nil
+}
+
+func (e *PolicyEngine) getEducationContextValue(field string, intake *UseCaseIntake) interface{} {
+ if intake.EducationContext == nil {
+ return nil
+ }
+ switch field {
+ case "grade_influence":
+ return intake.EducationContext.GradeInfluence
+ case "exam_evaluation":
+ return intake.EducationContext.ExamEvaluation
+ case "student_selection":
+ return intake.EducationContext.StudentSelection
+ case "minors_involved":
+ return intake.EducationContext.MinorsInvolved
+ case "teacher_review_required":
+ return intake.EducationContext.TeacherReviewRequired
+ case "learning_adaptation":
+ return intake.EducationContext.LearningAdaptation
+ }
+ return nil
+}
+
+func (e *PolicyEngine) getHealthcareContextValue(field string, intake *UseCaseIntake) interface{} {
+ if intake.HealthcareContext == nil {
+ return nil
+ }
+ switch field {
+ case "diagnosis_support":
+ return intake.HealthcareContext.DiagnosisSupport
+ case "treatment_recommendation":
+ return intake.HealthcareContext.TreatmentRecommend
+ case "triage_decision":
+ return intake.HealthcareContext.TriageDecision
+ case "patient_data_processed":
+ return intake.HealthcareContext.PatientDataProcessed
+ case "medical_device":
+ return intake.HealthcareContext.MedicalDevice
+ case "clinical_validation":
+ return intake.HealthcareContext.ClinicalValidation
+ }
+ return nil
+}
+
 func (e *PolicyEngine) getDataTypeValue(field string, intake *UseCaseIntake) interface{} {
 switch field {
 case "personal_data":
@@ -927,7 +1014,7 @@ func (e *PolicyEngine) calculateBetrvgConflictScore(intake *UseCaseIntake) (int,
 }
 // Factor 6: Scoring / Ranking of employees (+10)
- if intake.Outputs.Rankings || intake.Outputs.Recommendations {
+ if intake.Outputs.RankingsOrScores || intake.Outputs.RecommendationsToUsers {
 if intake.DataTypes.EmployeeData {
 score += 10
 }
diff --git a/ai-compliance-sdk/policies/ucca_policy_v1.yaml b/ai-compliance-sdk/policies/ucca_policy_v1.yaml
index aadce89..ac53c9a 100644
--- a/ai-compliance-sdk/policies/ucca_policy_v1.yaml
+++ b/ai-compliance-sdk/policies/ucca_policy_v1.yaml
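Review bot: The three new resolvers, and the new `hr_context`/`education_context`/`healthcare_context` cases in getFieldValue, return nil for any sub-field they do not recognise, so a mistyped path in a YAML rule (`hr_context.human_review_enforce`, say) never produces an error — the rule just never matches, and for the BLOCK rules that are fed by these fields that failure mode is fail-open (how `equals` treats a nil value is decided by the comparator, which is not in this hunk). The cheap fix is to validate every rule's `field` path against the set of keys these switches accept when the policy file is loaded, so a bad path rejects the policy instead of silently disabling a rule; alternatively have the resolvers return `(value interface{}, ok bool)` and log the miss. The `== nil` guard on each context is also checked twice, once in getFieldValue and again at the top of every helper; keeping it in the helper alone is enough. A one-line doc comment per helper stating that it maps YAML rule field names to intake fields and returns nil for unknown names would make the lookup contract visible. getFieldValue starts before this hunk.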
@@ -941,6 +941,215 @@ rules:
 gdpr_ref: "Art. 9(2)(h) DSGVO"
 rationale: "Gesundheitsdaten nur mit besonderen Schutzmaßnahmen"
+ # ---------------------------------------------------------------------------
+ # K. Domain-spezifische Hochrisiko-Fragen (Annex III)
+ # ---------------------------------------------------------------------------
+
+ # HR / Recruiting (Annex III Nr. 4)
+ - id: R-HR-001
+ category: "K. HR Hochrisiko"
+ title: "Automatisches Bewerber-Screening ohne Human Review"
+ description: "KI sortiert Bewerber vor ohne dass ein Mensch jede Empfehlung tatsaechlich prueft"
+ condition:
+ all_of:
+ - field: "hr_context.automated_screening"
+ operator: "equals"
+ value: true
+ - field: "hr_context.human_review_enforced"
+ operator: "equals"
+ value: false
+ effect:
+ risk_add: 20
+ feasibility: CONDITIONAL
+ controls_add: [C_HUMAN_OVERSIGHT]
+ severity: WARN
+ gdpr_ref: "Art. 22 DSGVO + Annex III Nr. 4 AI Act"
+ rationale: "Ohne echtes Human Review droht Art. 22 DSGVO Verstoss"
+
+ - id: R-HR-002
+ category: "K. HR Hochrisiko"
+ title: "Automatisierte Absagen — Art. 22 DSGVO Risiko"
+ description: "KI generiert und versendet Absagen automatisch ohne menschliche Freigabe"
+ condition:
+ field: "hr_context.automated_rejection"
+ operator: "equals"
+ value: true
+ effect:
+ risk_add: 25
+ feasibility: NO
+ art22_risk: true
+ severity: BLOCK
+ gdpr_ref: "Art. 22 Abs. 1 DSGVO"
+ rationale: "Vollautomatische Ablehnung = ausschliesslich automatisierte Entscheidung mit rechtlicher Wirkung"
+
+ - id: R-HR-003
+ category: "K. HR Hochrisiko"
+ title: "AGG-relevante Merkmale fuer KI erkennbar"
+ description: "System kann Merkmale nach § 1 AGG erkennen (Name, Foto, Alter → Proxy-Diskriminierung)"
+ condition:
+ field: "hr_context.agg_categories_visible"
+ operator: "equals"
+ value: true
+ effect:
+ risk_add: 15
+ controls_add: [C_BIAS_AUDIT]
+ severity: WARN
+ gdpr_ref: "§ 1, § 3 Abs. 2 AGG"
+ rationale: "Proxy-Merkmale koennen indirekte Diskriminierung verursachen"
+
+ - id: R-HR-004
+ category: "K. HR Hochrisiko"
+ title: "Bewerber-Ranking ohne Bias-Audit"
+ description: "KI erstellt Bewerber-Rankings ohne regelmaessige Bias-Pruefung"
+ condition:
+ all_of:
+ - field: "hr_context.candidate_ranking"
+ operator: "equals"
+ value: true
+ - field: "hr_context.bias_audits_done"
+ operator: "equals"
+ value: false
+ effect:
+ risk_add: 15
+ controls_add: [C_BIAS_AUDIT]
+ severity: WARN
+ gdpr_ref: "§ 22 AGG (Beweislastumkehr)"
+ rationale: "Ohne Bias-Audit keine Verteidigung bei AGG-Klage"
+
+ - id: R-HR-005
+ category: "K. HR Hochrisiko"
+ title: "KI-gestuetzte Mitarbeiterbewertung"
+ description: "KI bewertet Mitarbeiterleistung (Performance Review, KPI-Tracking)"
+ condition:
+ field: "hr_context.performance_evaluation"
+ operator: "equals"
+ value: true
+ effect:
+ risk_add: 20
+ severity: WARN
+ gdpr_ref: "§ 87 Abs. 1 Nr. 6 BetrVG + § 94 BetrVG"
+ rationale: "Leistungsbewertung durch KI ist mitbestimmungspflichtig und diskriminierungsriskant"
+
+ # Education (Annex III Nr. 3)
+ - id: R-EDU-001
+ category: "K. Bildung Hochrisiko"
+ title: "KI beeinflusst Notenvergabe"
+ description: "KI erstellt Notenvorschlaege oder beeinflusst Bewertungen"
+ condition:
+ field: "education_context.grade_influence"
+ operator: "equals"
+ value: true
+ effect:
+ risk_add: 20
+ controls_add: [C_HUMAN_OVERSIGHT]
+ dsfa_recommended: true
+ severity: WARN
+ gdpr_ref: "Annex III Nr. 3 AI Act"
+ rationale: "Notenvergabe hat erhebliche Auswirkungen auf Bildungschancen"
+
+ - id: R-EDU-002
+ category: "K. Bildung Hochrisiko"
+ title: "Minderjaehrige betroffen ohne Lehrkraft-Review"
+ description: "KI-System betrifft Minderjaehrige und Lehrkraft prueft nicht jedes Ergebnis"
+ condition:
+ all_of:
+ - field: "education_context.minors_involved"
+ operator: "equals"
+ value: true
+ - field: "education_context.teacher_review_required"
+ operator: "equals"
+ value: false
+ effect:
+ risk_add: 25
+ feasibility: NO
+ severity: BLOCK
+ gdpr_ref: "Art. 24 EU-Grundrechtecharta + Annex III Nr. 3 AI Act"
+ rationale: "KI-Entscheidungen ueber Minderjaehrige ohne Lehrkraft-Kontrolle sind unzulaessig"
+
+ - id: R-EDU-003
+ category: "K. Bildung Hochrisiko"
+ title: "KI steuert Zugang zu Bildungsangeboten"
+ description: "KI beeinflusst Zulassung, Kursempfehlungen oder Einstufungen"
+ condition:
+ field: "education_context.student_selection"
+ operator: "equals"
+ value: true
+ effect:
+ risk_add: 20
+ dsfa_recommended: true
+ severity: WARN
+ gdpr_ref: "Art. 14 EU-Grundrechtecharta (Recht auf Bildung)"
+ rationale: "Zugangssteuerung zu Bildung ist hochrisiko nach AI Act"
+
+ # Healthcare (Annex III Nr. 5)
+ - id: R-HC-001
+ category: "K. Gesundheit Hochrisiko"
+ title: "KI unterstuetzt Diagnosen"
+ description: "KI erstellt Diagnosevorschlaege oder wertet Bildgebung aus"
+ condition:
+ field: "healthcare_context.diagnosis_support"
+ operator: "equals"
+ value: true
+ effect:
+ risk_add: 20
+ dsfa_recommended: true
+ controls_add: [C_HUMAN_OVERSIGHT]
+ severity: WARN
+ gdpr_ref: "Annex III Nr. 5 AI Act + MDR (EU) 2017/745"
+ rationale: "Diagnoseunterstuetzung erfordert hoechste Genauigkeit und Human Oversight"
+
+ - id: R-HC-002
+ category: "K. Gesundheit Hochrisiko"
+ title: "Triage-Entscheidung durch KI"
+ description: "KI priorisiert Patienten nach Dringlichkeit"
+ condition:
+ field: "healthcare_context.triage_decision"
+ operator: "equals"
+ value: true
+ effect:
+ risk_add: 30
+ feasibility: CONDITIONAL
+ controls_add: [C_HUMAN_OVERSIGHT]
+ dsfa_recommended: true
+ severity: WARN
+ gdpr_ref: "Annex III Nr. 5 AI Act"
+ rationale: "Lebenskritische Priorisierung erfordert maximale Sicherheit"
+
+ - id: R-HC-003
+ category: "K. Gesundheit Hochrisiko"
+ title: "Medizinprodukt ohne klinische Validierung"
+ description: "System ist als Medizinprodukt eingestuft aber nicht klinisch validiert"
+ condition:
+ all_of:
+ - field: "healthcare_context.medical_device"
+ operator: "equals"
+ value: true
+ - field: "healthcare_context.clinical_validation"
+ operator: "equals"
+ value: false
+ effect:
+ risk_add: 30
+ feasibility: NO
+ severity: BLOCK
+ gdpr_ref: "MDR (EU) 2017/745 Art. 61"
+ rationale: "Medizinprodukte ohne klinische Validierung duerfen nicht in Verkehr gebracht werden"
+
+ - id: R-HC-004
+ category: "K. Gesundheit Hochrisiko"
+ title: "Gesundheitsdaten ohne besondere Schutzmassnahmen"
+ description: "Gesundheitsdaten (Art. 9 DSGVO) werden verarbeitet"
+ condition:
+ field: "healthcare_context.patient_data_processed"
+ operator: "equals"
+ value: true
+ effect:
+ risk_add: 15
+ dsfa_recommended: true
+ controls_add: [C_DSFA]
+ severity: WARN
+ gdpr_ref: "Art. 9 DSGVO"
+ rationale: "Gesundheitsdaten sind besondere Kategorien mit erhoehtem Schutzbedarf"
+
 # ---------------------------------------------------------------------------
 # G. Aggregation & Ergebnis
 # ---------------------------------------------------------------------------
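Review bot: R-HC-004's title promises "ohne besondere Schutzmassnahmen", but its only condition is `healthcare_context.patient_data_processed equals true`, so it fires for every system that touches patient data whether or not safeguards exist, and its own description already admits that. The rule directly above it in the context lines (Art. 9(2)(h), "Gesundheitsdaten nur mit besonderen Schutzmaßnahmen") covers the same ground; if that rule keys on a health-data flag — I can't see its condition here — the two will stack risk_add for one fact. Either add a second `all_of` clause on a safeguards field or rename the rule to what it checks, e.g. `title: "Gesundheitsdaten (Art. 9 DSGVO) werden verarbeitet"`, and drop one of `dsfa_recommended: true` / `controls_add: [C_DSFA]`, which appear to say the same thing twice. The new rules also reference `C_HUMAN_OVERSIGHT`, `C_BIAS_AUDIT` and `C_DSFA`, which must exist in the controls catalogue for `controls_add` to resolve; that catalogue is outside this hunk. Note finally that R-EDU-002 BLOCKs on `minors_involved` plus a missing teacher review alone, so a pure `learning_adaptation` tool gets the same verdict as one that grades or selects pupils — if that breadth is intended, say so in its rationale.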