breakpilot-pwa/ai-compliance-sdk/internal/ucca/ai_act_module.go

package ucca

import (
	"fmt"
	"os"
	"path/filepath"
	"time"

	"gopkg.in/yaml.v3"
)

// ============================================================================
// AI Act Module
// ============================================================================
//
// This module implements the EU AI Act (Regulation 2024/1689) which establishes
// harmonized rules for artificial intelligence systems in the EU.
//
// The AI Act uses a risk-based approach:
// - Unacceptable Risk: Prohibited practices (Art. 5)
// - High Risk: Annex III systems with strict requirements (Art. 6-49)
// - Limited Risk: Transparency obligations (Art. 50)
// - Minimal Risk: No additional requirements
//
// Key roles:
// - Provider: Develops or places AI on market
// - Deployer: Uses AI systems in professional activity
// - Distributor: Makes AI available on market
// - Importer: Brings AI from third countries
//
// ============================================================================

// AIActRiskLevel represents the AI Act risk classification
type AIActRiskLevel string

const (
	AIActUnacceptable AIActRiskLevel = "unacceptable"
	AIActHighRisk     AIActRiskLevel = "high_risk"
	AIActLimitedRisk  AIActRiskLevel = "limited_risk"
	AIActMinimalRisk  AIActRiskLevel = "minimal_risk"
	AIActNotApplicable AIActRiskLevel = "not_applicable"
)

// AIActModule implements the RegulationModule interface for the AI Act
type AIActModule struct {
	obligations       []Obligation
	controls          []ObligationControl
	incidentDeadlines []IncidentDeadline
	decisionTree      *DecisionTree
	loaded            bool
}

// Annex III High-Risk AI Categories
var AIActAnnexIIICategories = map[string]string{
	"biometric":            "Biometrische Identifizierung und Kategorisierung",
	"critical_infrastructure": "Verwaltung und Betrieb kritischer Infrastruktur",
	"education":            "Allgemeine und berufliche Bildung",
	"employment":           "Beschaeftigung, Personalverwaltung, Zugang zu Selbststaendigkeit",
	"essential_services":   "Zugang zu wesentlichen privaten/oeffentlichen Diensten",
	"law_enforcement":      "Strafverfolgung",
	"migration":            "Migration, Asyl und Grenzkontrolle",
	"justice":              "Rechtspflege und demokratische Prozesse",
}

// NewAIActModule creates a new AI Act module, loading obligations from YAML
func NewAIActModule() (*AIActModule, error) {
	m := &AIActModule{
		obligations:       []Obligation{},
		controls:          []ObligationControl{},
		incidentDeadlines: []IncidentDeadline{},
	}

	// Try to load from YAML, fall back to hardcoded if not found
	if err := m.loadFromYAML(); err != nil {
		// Use hardcoded defaults
		m.loadHardcodedObligations()
	}

	m.buildDecisionTree()
	m.loaded = true

	return m, nil
}

// ID returns the module identifier
func (m *AIActModule) ID() string {
	return "ai_act"
}

// Name returns the human-readable name
func (m *AIActModule) Name() string {
	return "AI Act (EU KI-Verordnung)"
}

// Description returns a brief description
func (m *AIActModule) Description() string {
	return "EU-Verordnung 2024/1689 zur Festlegung harmonisierter Vorschriften fuer kuenstliche Intelligenz"
}

// IsApplicable checks if the AI Act applies to the organization
func (m *AIActModule) IsApplicable(facts *UnifiedFacts) bool {
	// AI Act applies if organization uses, provides, or deploys AI systems in the EU
	if !facts.AIUsage.UsesAI {
		return false
	}

	// Check if in EU or offering to EU
	if !facts.Organization.EUMember && !facts.DataProtection.OffersToEU {
		return false
	}

	return true
}

// GetClassification returns the AI Act risk classification as string
func (m *AIActModule) GetClassification(facts *UnifiedFacts) string {
	return string(m.ClassifyRisk(facts))
}

// ClassifyRisk determines the highest applicable AI Act risk level
func (m *AIActModule) ClassifyRisk(facts *UnifiedFacts) AIActRiskLevel {
	if !facts.AIUsage.UsesAI {
		return AIActNotApplicable
	}

	// Check for prohibited practices (Art. 5)
	if m.hasProhibitedPractice(facts) {
		return AIActUnacceptable
	}

	// Check for high-risk (Annex III)
	if m.hasHighRiskAI(facts) {
		return AIActHighRisk
	}

	// Check for limited risk (transparency requirements)
	if m.hasLimitedRiskAI(facts) {
		return AIActLimitedRisk
	}

	// Minimal risk - general AI usage
	if facts.AIUsage.UsesAI {
		return AIActMinimalRisk
	}

	return AIActNotApplicable
}

// hasProhibitedPractice checks if any prohibited AI practices are present
func (m *AIActModule) hasProhibitedPractice(facts *UnifiedFacts) bool {
	// Art. 5 AI Act - Prohibited practices
	if facts.AIUsage.SocialScoring {
		return true
	}
	if facts.AIUsage.EmotionRecognition && (facts.Sector.PrimarySector == "education" ||
		facts.AIUsage.EmploymentDecisions) {
		// Emotion recognition in workplace/education
		return true
	}
	if facts.AIUsage.PredictivePolicingIndividual {
		return true
	}
	// Biometric real-time remote identification in public spaces (with limited exceptions)
	if facts.AIUsage.BiometricIdentification && facts.AIUsage.LawEnforcement {
		// Generally prohibited, exceptions for specific law enforcement scenarios
		return true
	}

	return false
}

// hasHighRiskAI checks if any Annex III high-risk AI categories apply
func (m *AIActModule) hasHighRiskAI(facts *UnifiedFacts) bool {
	// Explicit high-risk flag
	if facts.AIUsage.HasHighRiskAI {
		return true
	}

	// Annex III categories
	if facts.AIUsage.BiometricIdentification {
		return true
	}
	if facts.AIUsage.CriticalInfrastructure {
		return true
	}
	if facts.AIUsage.EducationAccess {
		return true
	}
	if facts.AIUsage.EmploymentDecisions {
		return true
	}
	if facts.AIUsage.EssentialServices {
		return true
	}
	if facts.AIUsage.LawEnforcement {
		return true
	}
	if facts.AIUsage.MigrationAsylum {
		return true
	}
	if facts.AIUsage.JusticeAdministration {
		return true
	}

	// Also check if in critical infrastructure sector with AI
	if facts.Sector.IsKRITIS && facts.AIUsage.UsesAI {
		return true
	}

	return false
}

// hasLimitedRiskAI checks if limited risk transparency requirements apply
func (m *AIActModule) hasLimitedRiskAI(facts *UnifiedFacts) bool {
	// Explicit limited-risk flag
	if facts.AIUsage.HasLimitedRiskAI {
		return true
	}

	// AI that interacts with natural persons
	if facts.AIUsage.AIInteractsWithNaturalPersons {
		return true
	}

	// Deepfake generation
	if facts.AIUsage.GeneratesDeepfakes {
		return true
	}

	// Emotion recognition (not in prohibited contexts)
	if facts.AIUsage.EmotionRecognition &&
		facts.Sector.PrimarySector != "education" &&
		!facts.AIUsage.EmploymentDecisions {
		return true
	}

	// Chatbots and AI assistants typically fall here
	return false
}

// isProvider checks if organization is an AI provider
func (m *AIActModule) isProvider(facts *UnifiedFacts) bool {
	return facts.AIUsage.IsAIProvider
}

// isDeployer checks if organization is an AI deployer
func (m *AIActModule) isDeployer(facts *UnifiedFacts) bool {
	return facts.AIUsage.IsAIDeployer || (facts.AIUsage.UsesAI && !facts.AIUsage.IsAIProvider)
}

// isGPAIProvider checks if organization provides General Purpose AI
func (m *AIActModule) isGPAIProvider(facts *UnifiedFacts) bool {
	return facts.AIUsage.UsesGPAI && facts.AIUsage.IsAIProvider
}

// hasSystemicRiskGPAI checks if GPAI has systemic risk
func (m *AIActModule) hasSystemicRiskGPAI(facts *UnifiedFacts) bool {
	return facts.AIUsage.GPAIWithSystemicRisk
}

// requiresFRIA checks if Fundamental Rights Impact Assessment is required
func (m *AIActModule) requiresFRIA(facts *UnifiedFacts) bool {
	// FRIA required for public bodies and certain high-risk deployers
	if !m.hasHighRiskAI(facts) {
		return false
	}

	// Public authorities using high-risk AI
	if facts.Organization.IsPublicAuthority {
		return true
	}

	// Certain categories always require FRIA
	if facts.AIUsage.EssentialServices {
		return true
	}
	if facts.AIUsage.EmploymentDecisions {
		return true
	}
	if facts.AIUsage.EducationAccess {
		return true
	}

	return false
}

// DeriveObligations derives all applicable AI Act obligations
func (m *AIActModule) DeriveObligations(facts *UnifiedFacts) []Obligation {
	if !m.IsApplicable(facts) {
		return []Obligation{}
	}

	riskLevel := m.ClassifyRisk(facts)
	var result []Obligation

	for _, obl := range m.obligations {
		if m.obligationApplies(obl, riskLevel, facts) {
			// Copy and customize obligation
			customized := obl
			customized.RegulationID = m.ID()
			result = append(result, customized)
		}
	}

	return result
}

// obligationApplies checks if a specific obligation applies
func (m *AIActModule) obligationApplies(obl Obligation, riskLevel AIActRiskLevel, facts *UnifiedFacts) bool {
	switch obl.AppliesWhen {
	case "uses_ai":
		return facts.AIUsage.UsesAI
	case "high_risk":
		return riskLevel == AIActHighRisk || riskLevel == AIActUnacceptable
	case "high_risk_provider":
		return (riskLevel == AIActHighRisk || riskLevel == AIActUnacceptable) && m.isProvider(facts)
	case "high_risk_deployer":
		return (riskLevel == AIActHighRisk || riskLevel == AIActUnacceptable) && m.isDeployer(facts)
	case "high_risk_deployer_fria":
		return (riskLevel == AIActHighRisk || riskLevel == AIActUnacceptable) && m.isDeployer(facts) && m.requiresFRIA(facts)
	case "limited_risk":
		return riskLevel == AIActLimitedRisk || riskLevel == AIActHighRisk
	case "gpai_provider":
		return m.isGPAIProvider(facts)
	case "gpai_systemic_risk":
		return m.hasSystemicRiskGPAI(facts)
	case "":
		// No condition = applies to all AI users
		return facts.AIUsage.UsesAI
	default:
		return facts.AIUsage.UsesAI
	}
}

// DeriveControls derives all applicable AI Act controls
func (m *AIActModule) DeriveControls(facts *UnifiedFacts) []ObligationControl {
	if !m.IsApplicable(facts) {
		return []ObligationControl{}
	}

	var result []ObligationControl
	for _, ctrl := range m.controls {
		ctrl.RegulationID = m.ID()
		result = append(result, ctrl)
	}

	return result
}

// GetDecisionTree returns the AI Act applicability decision tree
func (m *AIActModule) GetDecisionTree() *DecisionTree {
	return m.decisionTree
}

// GetIncidentDeadlines returns AI Act incident reporting deadlines
func (m *AIActModule) GetIncidentDeadlines(facts *UnifiedFacts) []IncidentDeadline {
	riskLevel := m.ClassifyRisk(facts)
	if riskLevel != AIActHighRisk && riskLevel != AIActUnacceptable {
		return []IncidentDeadline{}
	}

	return m.incidentDeadlines
}

// ============================================================================
// YAML Loading
// ============================================================================

func (m *AIActModule) loadFromYAML() error {
	// Search paths for YAML file
	searchPaths := []string{
		"policies/obligations/ai_act_obligations.yaml",
		filepath.Join(".", "policies", "obligations", "ai_act_obligations.yaml"),
		filepath.Join("..", "policies", "obligations", "ai_act_obligations.yaml"),
		filepath.Join("..", "..", "policies", "obligations", "ai_act_obligations.yaml"),
		"/app/policies/obligations/ai_act_obligations.yaml",
	}

	var data []byte
	var err error
	for _, path := range searchPaths {
		data, err = os.ReadFile(path)
		if err == nil {
			break
		}
	}

	if err != nil {
		return fmt.Errorf("AI Act obligations YAML not found: %w", err)
	}

	var config NIS2ObligationsConfig // Reuse same config structure
	if err := yaml.Unmarshal(data, &config); err != nil {
		return fmt.Errorf("failed to parse AI Act YAML: %w", err)
	}

	// Convert YAML to internal structures
	m.convertObligations(config.Obligations)
	m.convertControls(config.Controls)
	m.convertIncidentDeadlines(config.IncidentDeadlines)

	return nil
}

func (m *AIActModule) convertObligations(yamlObls []ObligationYAML) {
	for _, y := range yamlObls {
		obl := Obligation{
			ID:              y.ID,
			RegulationID:    "ai_act",
			Title:           y.Title,
			Description:     y.Description,
			AppliesWhen:     y.AppliesWhen,
			Category:        ObligationCategory(y.Category),
			Responsible:     ResponsibleRole(y.Responsible),
			Priority:        ObligationPriority(y.Priority),
			ISO27001Mapping: y.ISO27001,
			HowToImplement:  y.HowTo,
		}

		// Convert legal basis
		for _, lb := range y.LegalBasis {
			obl.LegalBasis = append(obl.LegalBasis, LegalReference{
				Norm:    lb.Norm,
				Article: lb.Article,
			})
		}

		// Convert deadline
		if y.Deadline != nil {
			obl.Deadline = &Deadline{
				Type:     DeadlineType(y.Deadline.Type),
				Duration: y.Deadline.Duration,
			}
			if y.Deadline.Date != "" {
				if t, err := time.Parse("2006-01-02", y.Deadline.Date); err == nil {
					obl.Deadline.Date = &t
				}
			}
		}

		// Convert sanctions
		if y.Sanctions != nil {
			obl.Sanctions = &SanctionInfo{
				MaxFine:           y.Sanctions.MaxFine,
				PersonalLiability: y.Sanctions.PersonalLiability,
			}
		}

		// Convert evidence
		for _, e := range y.Evidence {
			obl.Evidence = append(obl.Evidence, EvidenceItem{Name: e, Required: true})
		}

		m.obligations = append(m.obligations, obl)
	}
}

func (m *AIActModule) convertControls(yamlCtrls []ControlYAML) {
	for _, y := range yamlCtrls {
		ctrl := ObligationControl{
			ID:              y.ID,
			RegulationID:    "ai_act",
			Name:            y.Name,
			Description:     y.Description,
			Category:        y.Category,
			WhatToDo:        y.WhatToDo,
			ISO27001Mapping: y.ISO27001,
			Priority:        ObligationPriority(y.Priority),
		}
		m.controls = append(m.controls, ctrl)
	}
}

func (m *AIActModule) convertIncidentDeadlines(yamlDeadlines []IncidentDeadlineYAML) {
	for _, y := range yamlDeadlines {
		deadline := IncidentDeadline{
			RegulationID: "ai_act",
			Phase:        y.Phase,
			Deadline:     y.Deadline,
			Content:      y.Content,
			Recipient:    y.Recipient,
		}
		for _, lb := range y.LegalBasis {
			deadline.LegalBasis = append(deadline.LegalBasis, LegalReference{
				Norm:    lb.Norm,
				Article: lb.Article,
			})
		}
		m.incidentDeadlines = append(m.incidentDeadlines, deadline)
	}
}

// ============================================================================
// Hardcoded Fallback
// ============================================================================

func (m *AIActModule) loadHardcodedObligations() {
	// Key AI Act deadlines
	prohibitedPracticesDeadline := time.Date(2025, 2, 2, 0, 0, 0, 0, time.UTC)
	transparencyDeadline := time.Date(2026, 8, 2, 0, 0, 0, 0, time.UTC)
	gpaiDeadline := time.Date(2025, 8, 2, 0, 0, 0, 0, time.UTC)

	m.obligations = []Obligation{
		{
			ID:           "AIACT-OBL-001",
			RegulationID: "ai_act",
			Title:        "Verbotene KI-Praktiken vermeiden",
			Description:  "Sicherstellung, dass keine verbotenen KI-Praktiken eingesetzt werden (Social Scoring, Ausnutzung von Schwaechen, unterschwellige Manipulation, unzulaessige biometrische Identifizierung).",
			LegalBasis:   []LegalReference{{Norm: "Art. 5 AI Act", Article: "Verbotene Praktiken"}},
			Category:     CategoryCompliance,
			Responsible:  RoleManagement,
			Deadline:     &Deadline{Type: DeadlineAbsolute, Date: &prohibitedPracticesDeadline},
			Sanctions:    &SanctionInfo{MaxFine: "35 Mio. EUR oder 7% Jahresumsatz", PersonalLiability: false},
			Evidence:     []EvidenceItem{{Name: "KI-Inventar mit Risikobewertung", Required: true}, {Name: "Dokumentierte Pruefung auf verbotene Praktiken", Required: true}},
			Priority:     PriorityCritical,
			AppliesWhen:  "uses_ai",
		},
		{
			ID:           "AIACT-OBL-002",
			RegulationID: "ai_act",
			Title:        "Risikomanagementsystem fuer Hochrisiko-KI",
			Description:  "Einrichtung eines Risikomanagementsystems fuer Hochrisiko-KI-Systeme: Risikoidentifikation, -bewertung, -minderung und kontinuierliche Ueberwachung.",
			LegalBasis:   []LegalReference{{Norm: "Art. 9 AI Act", Article: "Risikomanagementsystem"}},
			Category:     CategoryGovernance,
			Responsible:  RoleKIVerantwortlicher,
			Sanctions:    &SanctionInfo{MaxFine: "15 Mio. EUR oder 3% Jahresumsatz", PersonalLiability: false},
			Evidence:     []EvidenceItem{{Name: "Risikomanagement-Dokumentation", Required: true}, {Name: "Risikobewertungen pro KI-System", Required: true}},
			Priority:     PriorityCritical,
			AppliesWhen:  "high_risk",
			ISO27001Mapping: []string{"A.5.1.1", "A.8.2"},
		},
		{
			ID:           "AIACT-OBL-003",
			RegulationID: "ai_act",
			Title:        "Technische Dokumentation erstellen",
			Description:  "Erstellung umfassender technischer Dokumentation vor Inverkehrbringen: Systembeschreibung, Design-Spezifikationen, Entwicklungsprozess, Leistungsmetriken.",
			LegalBasis:   []LegalReference{{Norm: "Art. 11 AI Act", Article: "Technische Dokumentation"}},
			Category:     CategoryGovernance,
			Responsible:  RoleKIVerantwortlicher,
			Sanctions:    &SanctionInfo{MaxFine: "15 Mio. EUR oder 3% Jahresumsatz", PersonalLiability: false},
			Evidence:     []EvidenceItem{{Name: "Technische Dokumentation nach Anhang IV", Required: true}, {Name: "Systemarchitektur-Dokumentation", Required: true}},
			Priority:     PriorityHigh,
			AppliesWhen:  "high_risk_provider",
		},
		{
			ID:           "AIACT-OBL-004",
			RegulationID: "ai_act",
			Title:        "Protokollierungsfunktion implementieren",
			Description:  "Hochrisiko-KI-Systeme muessen automatische Protokolle (Logs) erstellen: Nutzungszeitraum, Eingabedaten, Identitaet der verifizierenden Personen.",
			LegalBasis:   []LegalReference{{Norm: "Art. 12 AI Act", Article: "Aufzeichnungspflichten"}},
			Category:     CategoryTechnical,
			Responsible:  RoleITLeitung,
			Deadline:     &Deadline{Type: DeadlineRelative, Duration: "Aufbewahrung mindestens 6 Monate"},
			Sanctions:    &SanctionInfo{MaxFine: "15 Mio. EUR oder 3% Jahresumsatz", PersonalLiability: false},
			Evidence:     []EvidenceItem{{Name: "Log-System-Dokumentation", Required: true}, {Name: "Aufbewahrungsrichtlinie", Required: true}},
			Priority:     PriorityHigh,
			AppliesWhen:  "high_risk",
			ISO27001Mapping: []string{"A.12.4"},
		},
		{
			ID:           "AIACT-OBL-005",
			RegulationID: "ai_act",
			Title:        "Menschliche Aufsicht sicherstellen",
			Description:  "Hochrisiko-KI muss menschliche Aufsicht ermoeglichen: Verstehen von Faehigkeiten und Grenzen, Ueberwachung, Eingreifen oder Abbrechen koennen.",
			LegalBasis:   []LegalReference{{Norm: "Art. 14 AI Act", Article: "Menschliche Aufsicht"}},
			Category:     CategoryOrganizational,
			Responsible:  RoleKIVerantwortlicher,
			Sanctions:    &SanctionInfo{MaxFine: "15 Mio. EUR oder 3% Jahresumsatz", PersonalLiability: false},
			Evidence:     []EvidenceItem{{Name: "Aufsichtskonzept", Required: true}, {Name: "Schulungsnachweise fuer Bediener", Required: true}, {Name: "Notfall-Abschaltprozedur", Required: true}},
			Priority:     PriorityCritical,
			AppliesWhen:  "high_risk",
		},
		{
			ID:           "AIACT-OBL-006",
			RegulationID: "ai_act",
			Title:        "Betreiberpflichten fuer Hochrisiko-KI",
			Description:  "Betreiber von Hochrisiko-KI muessen: Technische und organisatorische Massnahmen treffen, Eingabedaten pruefen, Betrieb ueberwachen, Protokolle aufbewahren.",
			LegalBasis:   []LegalReference{{Norm: "Art. 26 AI Act", Article: "Pflichten der Betreiber"}},
			Category:     CategoryOrganizational,
			Responsible:  RoleKIVerantwortlicher,
			Sanctions:    &SanctionInfo{MaxFine: "15 Mio. EUR oder 3% Jahresumsatz", PersonalLiability: false},
			Evidence:     []EvidenceItem{{Name: "Betriebskonzept", Required: true}, {Name: "Monitoring-Dokumentation", Required: true}},
			Priority:     PriorityHigh,
			AppliesWhen:  "high_risk_deployer",
		},
		{
			ID:           "AIACT-OBL-007",
			RegulationID: "ai_act",
			Title:        "Grundrechte-Folgenabschaetzung (FRIA)",
			Description:  "Betreiber von Hochrisiko-KI in sensiblen Bereichen muessen vor Einsatz eine Grundrechte-Folgenabschaetzung durchfuehren.",
			LegalBasis:   []LegalReference{{Norm: "Art. 27 AI Act", Article: "Grundrechte-Folgenabschaetzung"}},
			Category:     CategoryGovernance,
			Responsible:  RoleKIVerantwortlicher,
			Sanctions:    &SanctionInfo{MaxFine: "15 Mio. EUR oder 3% Jahresumsatz", PersonalLiability: false},
			Evidence:     []EvidenceItem{{Name: "FRIA-Dokumentation", Required: true}, {Name: "Risikobewertung Grundrechte", Required: true}},
			Priority:     PriorityCritical,
			AppliesWhen:  "high_risk_deployer_fria",
		},
		{
			ID:           "AIACT-OBL-008",
			RegulationID: "ai_act",
			Title:        "Transparenzpflichten fuer KI-Interaktionen",
			Description:  "Bei KI-Systemen, die mit natuerlichen Personen interagieren: Kennzeichnung der KI-Interaktion, Information ueber KI-generierte Inhalte, Kennzeichnung von Deep Fakes.",
			LegalBasis:   []LegalReference{{Norm: "Art. 50 AI Act", Article: "Transparenzpflichten"}},
			Category:     CategoryOrganizational,
			Responsible:  RoleKIVerantwortlicher,
			Deadline:     &Deadline{Type: DeadlineAbsolute, Date: &transparencyDeadline},
			Sanctions:    &SanctionInfo{MaxFine: "15 Mio. EUR oder 3% Jahresumsatz", PersonalLiability: false},
			Evidence:     []EvidenceItem{{Name: "Kennzeichnungskonzept", Required: true}, {Name: "Nutzerhinweise", Required: true}},
			Priority:     PriorityHigh,
			AppliesWhen:  "limited_risk",
		},
		{
			ID:           "AIACT-OBL-009",
			RegulationID: "ai_act",
			Title:        "GPAI-Modell Dokumentation",
			Description:  "Anbieter von GPAI-Modellen muessen technische Dokumentation erstellen, Informationen fuer nachgelagerte Anbieter bereitstellen und Urheberrechtsrichtlinie einhalten.",
			LegalBasis:   []LegalReference{{Norm: "Art. 53 AI Act", Article: "Pflichten der Anbieter von GPAI-Modellen"}},
			Category:     CategoryGovernance,
			Responsible:  RoleKIVerantwortlicher,
			Deadline:     &Deadline{Type: DeadlineAbsolute, Date: &gpaiDeadline},
			Sanctions:    &SanctionInfo{MaxFine: "15 Mio. EUR oder 3% Jahresumsatz", PersonalLiability: false},
			Evidence:     []EvidenceItem{{Name: "GPAI-Dokumentation", Required: true}, {Name: "Trainingsdaten-Summary", Required: true}},
			Priority:     PriorityHigh,
			AppliesWhen:  "gpai_provider",
		},
		{
			ID:           "AIACT-OBL-010",
			RegulationID: "ai_act",
			Title:        "KI-Kompetenz sicherstellen",
			Description:  "Anbieter und Betreiber muessen sicherstellen, dass Personal mit ausreichender KI-Kompetenz ausgestattet ist.",
			LegalBasis:   []LegalReference{{Norm: "Art. 4 AI Act", Article: "KI-Kompetenz"}},
			Category:     CategoryTraining,
			Responsible:  RoleManagement,
			Deadline:     &Deadline{Type: DeadlineAbsolute, Date: &prohibitedPracticesDeadline},
			Sanctions:    &SanctionInfo{MaxFine: "7,5 Mio. EUR oder 1% Jahresumsatz", PersonalLiability: false},
			Evidence:     []EvidenceItem{{Name: "Schulungsnachweise", Required: true}, {Name: "Kompetenzmatrix", Required: true}},
			Priority:     PriorityMedium,
			AppliesWhen:  "uses_ai",
		},
		{
			ID:           "AIACT-OBL-011",
			RegulationID: "ai_act",
			Title:        "EU-Datenbank-Registrierung",
			Description:  "Registrierung in der EU-Datenbank fuer Hochrisiko-KI-Systeme vor Inverkehrbringen (Anbieter) bzw. Inbetriebnahme (Betreiber).",
			LegalBasis:   []LegalReference{{Norm: "Art. 49 AI Act", Article: "Registrierung"}},
			Category:     CategoryMeldepflicht,
			Responsible:  RoleKIVerantwortlicher,
			Deadline:     &Deadline{Type: DeadlineRelative, Duration: "Vor Inverkehrbringen/Inbetriebnahme"},
			Sanctions:    &SanctionInfo{MaxFine: "15 Mio. EUR oder 3% Jahresumsatz", PersonalLiability: false},
			Evidence:     []EvidenceItem{{Name: "Registrierungsbestaetigung", Required: true}, {Name: "EU-Datenbank-Eintrag", Required: true}},
			Priority:     PriorityHigh,
			AppliesWhen:  "high_risk",
		},
	}

	// Hardcoded controls
	m.controls = []ObligationControl{
		{
			ID:           "AIACT-CTRL-001",
			RegulationID: "ai_act",
			Name:         "KI-Inventar",
			Description:  "Fuehrung eines vollstaendigen Inventars aller KI-Systeme",
			Category:     "Governance",
			WhatToDo:     "Erfassung aller KI-Systeme mit Risikoeinstufung, Zweck, Anbieter, Betreiber",
			ISO27001Mapping: []string{"A.8.1"},
			Priority:     PriorityCritical,
		},
		{
			ID:           "AIACT-CTRL-002",
			RegulationID: "ai_act",
			Name:         "KI-Governance-Struktur",
			Description:  "Etablierung einer KI-Governance mit klaren Verantwortlichkeiten",
			Category:     "Governance",
			WhatToDo:     "Benennung eines KI-Verantwortlichen, Einrichtung eines KI-Boards",
			Priority:     PriorityHigh,
		},
		{
			ID:           "AIACT-CTRL-003",
			RegulationID: "ai_act",
			Name:         "Bias-Testing und Fairness",
			Description:  "Regelmaessige Pruefung auf Verzerrungen und Diskriminierung",
			Category:     "Technisch",
			WhatToDo:     "Implementierung von Bias-Detection, Fairness-Metriken, Datensatz-Audits",
			Priority:     PriorityHigh,
		},
		{
			ID:           "AIACT-CTRL-004",
			RegulationID: "ai_act",
			Name:         "Model Monitoring",
			Description:  "Kontinuierliche Ueberwachung der KI-Modellleistung",
			Category:     "Technisch",
			WhatToDo:     "Drift-Detection, Performance-Monitoring, Anomalie-Erkennung",
			Priority:     PriorityHigh,
		},
	}

	// Hardcoded incident deadlines
	m.incidentDeadlines = []IncidentDeadline{
		{
			RegulationID: "ai_act",
			Phase:        "Schwerwiegender Vorfall melden",
			Deadline:     "unverzueglich",
			Content:      "Meldung schwerwiegender Vorfaelle bei Hochrisiko-KI-Systemen: Tod, schwere Gesundheitsschaeden, schwerwiegende Grundrechtsverletzungen, schwere Schaeden an Eigentum oder Umwelt.",
			Recipient:    "Zustaendige Marktaufsichtsbehoerde",
			LegalBasis:   []LegalReference{{Norm: "Art. 73 AI Act"}},
		},
		{
			RegulationID: "ai_act",
			Phase:        "Fehlfunktion melden (Anbieter)",
			Deadline:     "15 Tage",
			Content:      "Anbieter von Hochrisiko-KI melden Fehlfunktionen, die einen schwerwiegenden Vorfall darstellen koennten.",
			Recipient:    "Marktaufsichtsbehoerde des Herkunftslandes",
			LegalBasis:   []LegalReference{{Norm: "Art. 73 Abs. 1 AI Act"}},
		},
	}
}

// ============================================================================
// Decision Tree
// ============================================================================

func (m *AIActModule) buildDecisionTree() {
	m.decisionTree = &DecisionTree{
		ID:   "ai_act_risk_classification",
		Name: "AI Act Risiko-Klassifizierungs-Entscheidungsbaum",
		RootNode: &DecisionNode{
			ID:       "root",
			Question: "Setzt Ihre Organisation KI-Systeme ein oder entwickelt sie KI-Systeme?",
			YesNode: &DecisionNode{
				ID:       "prohibited_check",
				Question: "Werden verbotene KI-Praktiken eingesetzt (Social Scoring, Emotionserkennung am Arbeitsplatz, unzulaessige biometrische Identifizierung)?",
				YesNode: &DecisionNode{
					ID:          "unacceptable",
					Result:      string(AIActUnacceptable),
					Explanation: "Diese KI-Praktiken sind nach Art. 5 AI Act verboten und muessen unverzueglich eingestellt werden.",
				},
				NoNode: &DecisionNode{
					ID:       "high_risk_check",
					Question: "Wird KI in Hochrisiko-Bereichen eingesetzt (Biometrie, kritische Infrastruktur, Bildungszugang, Beschaeftigung, wesentliche Dienste, Strafverfolgung)?",
					YesNode: &DecisionNode{
						ID:          "high_risk",
						Result:      string(AIActHighRisk),
						Explanation: "Hochrisiko-KI-Systeme nach Anhang III unterliegen umfassenden Anforderungen an Risikomanagemment, Dokumentation, Transparenz und menschliche Aufsicht.",
					},
					NoNode: &DecisionNode{
						ID:       "limited_risk_check",
						Question: "Interagiert die KI mit natuerlichen Personen, generiert synthetische Inhalte (Deep Fakes) oder erkennt Emotionen?",
						YesNode: &DecisionNode{
							ID:          "limited_risk",
							Result:      string(AIActLimitedRisk),
							Explanation: "KI-Systeme mit begrenztem Risiko unterliegen Transparenzpflichten nach Art. 50 AI Act.",
						},
						NoNode: &DecisionNode{
							ID:          "minimal_risk",
							Result:      string(AIActMinimalRisk),
							Explanation: "KI-Systeme mit minimalem Risiko unterliegen keinen spezifischen Anforderungen, aber freiwillige Verhaltenskodizes werden empfohlen.",
						},
					},
				},
			},
			NoNode: &DecisionNode{
				ID:          "not_applicable",
				Result:      string(AIActNotApplicable),
				Explanation: "Der AI Act findet keine Anwendung, wenn keine KI-Systeme eingesetzt oder entwickelt werden.",
			},
		},
	}
}