1ac716261c
Some checks failed
Build + Deploy / build-admin-compliance (push) Successful in 1m45s
Build + Deploy / build-backend-compliance (push) Successful in 4m42s
Build + Deploy / build-ai-sdk (push) Successful in 46s
Build + Deploy / build-developer-portal (push) Successful in 1m6s
Build + Deploy / build-tts (push) Successful in 1m14s
Build + Deploy / build-document-crawler (push) Successful in 31s
Build + Deploy / build-dsms-gateway (push) Successful in 24s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / loc-budget (push) Failing after 15s
CI / secret-scan (push) Has been skipped
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 2m27s
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / test-go (push) Failing after 37s
CI / test-python-backend (push) Successful in 42s
CI / test-python-document-crawler (push) Successful in 25s
CI / test-python-dsms-gateway (push) Successful in 23s
CI / validate-canonical-controls (push) Successful in 18s
Build + Deploy / trigger-orca (push) Successful in 4m35s
Neues Modul das den regulatorischen Spielraum fuer KI-Use-Cases deterministisch berechnet und optimale Konfigurationen vorschlaegt. Kernfeatures: - 13-Dimensionen Constraint-Space (DSGVO + AI Act) - 3-Zonen-Analyse: Verboten / Eingeschraenkt / Erlaubt - Deterministische Optimizer-Engine (kein LLM im Kern) - 28 Constraint-Regeln aus DSGVO, AI Act, EDPB Guidelines - 28 Tests (Golden Suite + Meta-Tests) - REST API: /sdk/v1/maximizer/* (9 Endpoints) - Frontend: 3-Zonen-Visualisierung, Dimension-Form, Score-Gauges [migration-approved] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
462 lines
17 KiB
JSON
462 lines
17 KiB
JSON
{
|
|
"version": "1.0.0",
|
|
"regulations": ["DSGVO", "AI_Act", "BDSG", "EDPB_Guidelines"],
|
|
"rules": [
|
|
{
|
|
"id": "MC-AIA-PROHIBITED-001",
|
|
"obligation_id": "AIACT-OBL-001",
|
|
"regulation": "AI_Act",
|
|
"article_ref": "Art. 5 AI Act",
|
|
"title": "Verbotene KI-Praktiken",
|
|
"description": "Systeme mit verbotener Risikoeinstufung duerfen nicht eingesetzt werden",
|
|
"rule_type": "hard_prohibition",
|
|
"constraints": [
|
|
{
|
|
"if": {"risk_classification": "prohibited"},
|
|
"then": {"allowed": false}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-GDPR-ART22-001",
|
|
"obligation_id": "DSGVO-OBL-022",
|
|
"regulation": "DSGVO",
|
|
"article_ref": "Art. 22 DSGVO",
|
|
"title": "Verbot vollautomatisierter Entscheidungen mit erheblicher Wirkung",
|
|
"description": "Keine ausschliesslich automatisierten Entscheidungen mit rechtlicher oder aehnlich erheblicher Wirkung",
|
|
"rule_type": "hard_prohibition",
|
|
"constraints": [
|
|
{
|
|
"if": {"decision_impact": "high", "automation_level": "full"},
|
|
"then": {"allowed": false}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-GDPR-ART22-002",
|
|
"obligation_id": "DSGVO-OBL-022",
|
|
"regulation": "DSGVO",
|
|
"article_ref": "Art. 22 DSGVO",
|
|
"title": "Menschliche Ueberpruefung bei hoher Auswirkung",
|
|
"description": "Bei hoher Entscheidungswirkung muss menschliche Kontrolle gewaehrleistet sein",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"decision_impact": "high"},
|
|
"then": {"required_values": {"human_in_loop": "required", "decision_binding": "human_review_required"}}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-GDPR-ART22-003",
|
|
"obligation_id": "DSGVO-OBL-022",
|
|
"regulation": "EDPB_Guidelines",
|
|
"article_ref": "Art. 22 DSGVO / EDPB Guidelines",
|
|
"title": "Echte menschliche Entscheidungsmacht erforderlich",
|
|
"description": "Pro-forma Human-in-Loop ohne echte Entscheidungsbefugnis genuegt nicht",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"decision_impact": "high", "decision_binding": "fully_binding"},
|
|
"then": {"required_values": {"decision_binding": "human_review_required"}}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-GDPR-ART9-001",
|
|
"obligation_id": "DSGVO-OBL-009",
|
|
"regulation": "DSGVO",
|
|
"article_ref": "Art. 9 DSGVO",
|
|
"title": "Besondere Datenkategorien erfordern spezielle Rechtsgrundlage",
|
|
"description": "Verarbeitung sensibler Daten nur mit Einwilligung oder oeffentlichem Interesse",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"data_type": "sensitive"},
|
|
"then": {"required_values": {"legal_basis": "consent"}, "required_controls": ["C_EXPLICIT_CONSENT"]}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-GDPR-ART9-002",
|
|
"obligation_id": "DSGVO-OBL-009",
|
|
"regulation": "DSGVO",
|
|
"article_ref": "Art. 9 DSGVO",
|
|
"title": "Biometrische Daten erfordern erhoehte Pruefung",
|
|
"description": "Biometrische Daten loesen verstaerkte Rechtsgrundlagen-Pruefung und Transparenzpflicht aus",
|
|
"rule_type": "escalation_gate",
|
|
"constraints": [
|
|
{
|
|
"if": {"data_type": "biometric"},
|
|
"then": {"required_values": {"legal_basis": "consent", "transparency_required": "true"}, "required_controls": ["C_EXPLICIT_CONSENT", "C_DSFA"]}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-AIA-HR-001",
|
|
"obligation_id": "AIACT-OBL-HR-001",
|
|
"regulation": "AI_Act",
|
|
"article_ref": "Annex III Nr. 4 AI Act",
|
|
"title": "KI im HR-Bereich ist Hochrisiko",
|
|
"description": "KI-Systeme im Bereich Beschaeftigung mit hoher Auswirkung erfordern Hochrisiko-Einstufung",
|
|
"rule_type": "classification_rule",
|
|
"constraints": [
|
|
{
|
|
"if": {"domain": "hr", "decision_impact": "high"},
|
|
"then": {"set_risk_classification": "high", "required_values": {"logging_required": "true", "transparency_required": "true"}, "required_controls": ["C_TRANSPARENCY", "C_ACCESS_LOGGING"]}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-AIA-HR-002",
|
|
"obligation_id": "AIACT-OBL-HR-002",
|
|
"regulation": "AI_Act",
|
|
"article_ref": "Annex III Nr. 4 AI Act",
|
|
"title": "HR-Ranking und Bewerberauswahl als Hochrisiko",
|
|
"description": "KI fuer Bewerber-Ranking oder -Klassifikation muss als Hochrisiko bewertet werden",
|
|
"rule_type": "classification_rule",
|
|
"constraints": [
|
|
{
|
|
"if": {"domain": "hr", "decision_impact": "medium"},
|
|
"then": {"set_risk_classification": "high", "required_values": {"logging_required": "true"}}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-AIA-HIGHRISK-001",
|
|
"obligation_id": "AIACT-OBL-OVERSIGHT",
|
|
"regulation": "AI_Act",
|
|
"article_ref": "Art. 14 AI Act",
|
|
"title": "Hochrisiko-KI erfordert Human Oversight",
|
|
"description": "Hochrisiko-KI-Systeme muessen wirksame menschliche Aufsicht ermoeglichen",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"risk_classification": "high"},
|
|
"then": {"required_values": {"human_in_loop": "required"}, "required_controls": ["C_CONTESTATION"]}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-AIA-HIGHRISK-002",
|
|
"obligation_id": "AIACT-OBL-LOGGING",
|
|
"regulation": "AI_Act",
|
|
"article_ref": "Art. 12 AI Act",
|
|
"title": "Hochrisiko-KI erfordert Logging",
|
|
"description": "Hochrisiko-KI-Systeme muessen Betrieb und Vorfaelle protokollieren koennen",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"risk_classification": "high"},
|
|
"then": {"required_values": {"logging_required": "true"}, "required_controls": ["C_ACCESS_LOGGING"]}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-AIA-HIGHRISK-003",
|
|
"obligation_id": "AIACT-OBL-TRANSPARENCY",
|
|
"regulation": "AI_Act",
|
|
"article_ref": "Art. 13 AI Act",
|
|
"title": "Hochrisiko-KI erfordert Transparenz",
|
|
"description": "Hochrisiko-KI-Systeme muessen Transparenzanforderungen erfuellen",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"risk_classification": "high"},
|
|
"then": {"required_values": {"transparency_required": "true"}, "required_controls": ["C_TRANSPARENCY"]}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-AIA-HIGHRISK-004",
|
|
"obligation_id": "AIACT-OBL-EXPLAIN",
|
|
"regulation": "AI_Act",
|
|
"article_ref": "Art. 13 AI Act",
|
|
"title": "Hochrisiko-KI erfordert Mindest-Erklaerbarkeit",
|
|
"description": "Hochrisiko-Systeme muessen ein Mindestmass an Erklaerbarkeit bieten",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"risk_classification": "high", "explainability": "none"},
|
|
"then": {"required_values": {"explainability": "basic"}}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-AIA-TRANS-001",
|
|
"obligation_id": "AIACT-OBL-TRANS-USER",
|
|
"regulation": "AI_Act",
|
|
"article_ref": "Art. 52 AI Act",
|
|
"title": "KI-Interaktion erfordert Nutzerbenachrichtigung",
|
|
"description": "Nutzer muessen ueber die KI-Interaktion informiert werden",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"deployment_scope": "external"},
|
|
"then": {"required_values": {"transparency_required": "true"}}
|
|
},
|
|
{
|
|
"if": {"deployment_scope": "public"},
|
|
"then": {"required_values": {"transparency_required": "true"}}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-GDPR-PRINCIPLES-001",
|
|
"obligation_id": "DSGVO-OBL-005",
|
|
"regulation": "DSGVO",
|
|
"article_ref": "Art. 5 DSGVO",
|
|
"title": "Datenminimierung bei personenbezogenen Daten",
|
|
"description": "Personenbezogene Datenverarbeitung erfordert Datenminimierungsmassnahmen",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"data_type": "personal"},
|
|
"then": {"required_controls": ["C_RETENTION_POLICY"]}
|
|
},
|
|
{
|
|
"if": {"data_type": "sensitive"},
|
|
"then": {"required_controls": ["C_RETENTION_POLICY", "C_ENCRYPTION"]}
|
|
},
|
|
{
|
|
"if": {"data_type": "biometric"},
|
|
"then": {"required_controls": ["C_RETENTION_POLICY", "C_ENCRYPTION"]}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-GDPR-INFO-001",
|
|
"obligation_id": "DSGVO-OBL-013",
|
|
"regulation": "DSGVO",
|
|
"article_ref": "Art. 13-14 DSGVO",
|
|
"title": "Informationspflicht bei personenbezogenen Daten",
|
|
"description": "Betroffene muessen ueber die Verarbeitung personenbezogener Daten informiert werden",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"data_type": "personal", "transparency_required": "false"},
|
|
"then": {"required_values": {"transparency_required": "true"}}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-GDPR-RIGHTS-001",
|
|
"obligation_id": "DSGVO-OBL-015",
|
|
"regulation": "DSGVO",
|
|
"article_ref": "Art. 15 DSGVO",
|
|
"title": "Erklaerbarkeit bei hoher Auswirkung",
|
|
"description": "Bei hoher Entscheidungswirkung muss die Verarbeitung erklaerbar sein",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"decision_impact": "high", "explainability": "none"},
|
|
"then": {"required_values": {"explainability": "basic"}}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-GDPR-DPIA-001",
|
|
"obligation_id": "DSGVO-OBL-035",
|
|
"regulation": "DSGVO",
|
|
"article_ref": "Art. 35 DSGVO",
|
|
"title": "DSFA bei hohem Risiko",
|
|
"description": "Hohe Entscheidungswirkung mit personenbezogenen Daten erfordert DSFA-Screening",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"decision_impact": "high", "data_type": "personal"},
|
|
"then": {"required_controls": ["C_DSFA"]}
|
|
},
|
|
{
|
|
"if": {"decision_impact": "high", "data_type": "sensitive"},
|
|
"then": {"required_controls": ["C_DSFA"]}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-GDPR-SEC-001",
|
|
"obligation_id": "DSGVO-OBL-032",
|
|
"regulation": "DSGVO",
|
|
"article_ref": "Art. 32 DSGVO",
|
|
"title": "Sicherheitsmassnahmen bei personenbezogenen Daten",
|
|
"description": "Personenbezogene Daten erfordern angemessene technische und organisatorische Massnahmen",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"data_type": "personal"},
|
|
"then": {"required_controls": ["C_ENCRYPTION"]}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-GDPR-SEC-002",
|
|
"obligation_id": "DSGVO-OBL-032",
|
|
"regulation": "DSGVO",
|
|
"article_ref": "Art. 32 DSGVO",
|
|
"title": "Audit-Logging bei mittlerer bis hoher Auswirkung",
|
|
"description": "Entscheidungen mit mittlerer oder hoher Auswirkung muessen protokolliert werden",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"decision_impact": "medium"},
|
|
"then": {"required_values": {"logging_required": "true"}}
|
|
},
|
|
{
|
|
"if": {"decision_impact": "high"},
|
|
"then": {"required_values": {"logging_required": "true"}}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-GDPR-PBD-001",
|
|
"obligation_id": "DSGVO-OBL-025",
|
|
"regulation": "DSGVO",
|
|
"article_ref": "Art. 25 DSGVO",
|
|
"title": "Privacy by Design bei personenbezogenen Daten",
|
|
"description": "KI-Systeme mit personenbezogenen Daten muessen Privacy by Design implementieren",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"data_type": "personal", "deployment_scope": "public"},
|
|
"then": {"required_patterns": ["P_PRE_ANON", "P_NAMESPACE_ISOLATION"]}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-AIA-EDUCATION-001",
|
|
"obligation_id": "AIACT-OBL-EDU-001",
|
|
"regulation": "AI_Act",
|
|
"article_ref": "Annex III Nr. 3 AI Act",
|
|
"title": "KI im Bildungsbereich mit hoher Auswirkung ist Hochrisiko",
|
|
"description": "KI-Systeme im Bildungsbereich mit hoher Entscheidungswirkung erfordern Hochrisiko-Einstufung",
|
|
"rule_type": "classification_rule",
|
|
"constraints": [
|
|
{
|
|
"if": {"domain": "education", "decision_impact": "high"},
|
|
"then": {"set_risk_classification": "high", "required_values": {"logging_required": "true", "transparency_required": "true"}}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-AIA-FINANCE-001",
|
|
"obligation_id": "AIACT-OBL-FIN-001",
|
|
"regulation": "AI_Act",
|
|
"article_ref": "Annex III Nr. 5 AI Act",
|
|
"title": "KI fuer Kreditvergabe und Versicherung ist Hochrisiko",
|
|
"description": "KI-Systeme fuer wesentliche Dienste wie Kreditvergabe oder Versicherung erfordern Hochrisiko-Einstufung",
|
|
"rule_type": "classification_rule",
|
|
"constraints": [
|
|
{
|
|
"if": {"domain": "finance", "decision_impact": "high"},
|
|
"then": {"set_risk_classification": "high", "required_values": {"human_in_loop": "required", "logging_required": "true", "transparency_required": "true"}}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-AIA-HEALTH-001",
|
|
"obligation_id": "AIACT-OBL-HEALTH-001",
|
|
"regulation": "AI_Act",
|
|
"article_ref": "Annex III Nr. 5 AI Act",
|
|
"title": "KI im Gesundheitsbereich mit hoher Auswirkung ist Hochrisiko",
|
|
"description": "KI-Systeme im Gesundheitsbereich mit hoher Auswirkung erfordern Hochrisiko-Einstufung",
|
|
"rule_type": "classification_rule",
|
|
"constraints": [
|
|
{
|
|
"if": {"domain": "health", "decision_impact": "high"},
|
|
"then": {"set_risk_classification": "high", "required_values": {"human_in_loop": "required", "logging_required": "true", "explainability": "high"}}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-GDPR-LAWFULNESS-001",
|
|
"obligation_id": "DSGVO-OBL-006",
|
|
"regulation": "DSGVO",
|
|
"article_ref": "Art. 6 DSGVO",
|
|
"title": "Vollautomatisierung mit personenbezogenen Daten erfordert Einwilligung oder Vertrag",
|
|
"description": "Vollautomatisierte Verarbeitung personenbezogener Daten muss auf Einwilligung oder Vertrag basieren",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"automation_level": "full", "data_type": "personal"},
|
|
"then": {"required_controls": ["C_EXPLICIT_CONSENT"]}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-AIA-BLACKBOX-001",
|
|
"obligation_id": "AIACT-OBL-EXPLAIN-002",
|
|
"regulation": "AI_Act",
|
|
"article_ref": "Art. 13 AI Act",
|
|
"title": "Blackbox-Modelle bei hoher Auswirkung erfordern erhoehte Erklaerbarkeit",
|
|
"description": "Blackbox-LLM-Modelle mit hoher Entscheidungswirkung muessen mindestens Basic-Erklaerbarkeit bieten",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"model_type": "blackbox_llm", "decision_impact": "high", "explainability": "none"},
|
|
"then": {"required_values": {"explainability": "basic"}}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-GDPR-PROFILING-001",
|
|
"obligation_id": "DSGVO-OBL-PROFILING",
|
|
"regulation": "EDPB_Guidelines",
|
|
"article_ref": "Art. 22 DSGVO / EDPB Profiling Guidelines",
|
|
"title": "Profiling mit erheblicher Wirkung erfordert Transparenz und Fairness",
|
|
"description": "Ranking- und Klassifikationssysteme mit hoher Auswirkung muessen Fairness- und Transparenzpruefung bestehen",
|
|
"rule_type": "requirement",
|
|
"constraints": [
|
|
{
|
|
"if": {"decision_impact": "high", "deployment_scope": "external"},
|
|
"then": {"required_values": {"transparency_required": "true", "explainability": "basic"}, "required_controls": ["C_CONTESTATION"]}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-OPT-META-001",
|
|
"obligation_id": "OPT-DERIVED-001",
|
|
"regulation": "AI_Act",
|
|
"article_ref": "Abgeleitet aus AI Act + DSGVO",
|
|
"title": "Optimierungsregel: Vollautomatisierung auf Assistenz reduzieren",
|
|
"description": "Wenn Vollautomatisierung bei hoher Wirkung blockiert ist, naechste konforme Konfiguration vorschlagen",
|
|
"rule_type": "optimizer_rule",
|
|
"constraints": [
|
|
{
|
|
"if": {"automation_level": "full", "decision_impact": "high"},
|
|
"then": {"required_values": {"automation_level": "assistive", "human_in_loop": "required", "decision_binding": "human_review_required"}}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-OPT-META-002",
|
|
"obligation_id": "OPT-DERIVED-002",
|
|
"regulation": "DSGVO",
|
|
"article_ref": "Abgeleitet aus DSGVO Grundsaetze",
|
|
"title": "Optimierungsregel: Datensensitivitaet reduzieren",
|
|
"description": "Wenn sensible Daten ohne Notwendigkeitsnachweis vorgeschlagen werden, geringere Datentiefe empfehlen",
|
|
"rule_type": "optimizer_rule",
|
|
"constraints": [
|
|
{
|
|
"if": {"data_type": "sensitive", "decision_impact": "low"},
|
|
"then": {"required_values": {"data_type": "personal"}}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"id": "MC-OPT-META-003",
|
|
"obligation_id": "OPT-DERIVED-003",
|
|
"regulation": "AI_Act",
|
|
"article_ref": "Abgeleitet aus AI Act + DSGVO",
|
|
"title": "Optimierungsregel: Maximale Contestability bei Profiling",
|
|
"description": "Wenn Profiling nicht vermeidbar ist, Contestability und Transparenz maximieren",
|
|
"rule_type": "optimizer_rule",
|
|
"constraints": [
|
|
{
|
|
"if": {"decision_impact": "high", "deployment_scope": "public"},
|
|
"then": {"required_values": {"transparency_required": "true", "explainability": "high"}, "required_controls": ["C_CONTESTATION"]}
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|