{
  "schemaVersion": "1.0",
  "item": {
    "slug": "afrexai-ai-governance",
    "name": "AI Governance Policy Builder",
    "source": "tencent",
    "type": "skill",
    "category": "其他",
    "sourceUrl": "https://clawhub.ai/1kalin/afrexai-ai-governance",
    "canonicalUrl": "https://clawhub.ai/1kalin/afrexai-ai-governance",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/afrexai-ai-governance",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-ai-governance",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "README.md",
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
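      "Extract the archive and read SKILL.md yourself before importing it or handing it to an agent; the listing's verification status is only 'Indexed source record'.",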
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
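      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. Read SKILL.md and README.md yourself first: the agent will follow whatever instructions those files contain.",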
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "slug": "afrexai-ai-governance",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-24T08:04:24.924Z",
      "expiresAt": "2026-05-01T08:04:24.924Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-ai-governance",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-ai-governance",
        "contentDisposition": "attachment; filename=\"afrexai-ai-governance-1.1.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "afrexai-ai-governance"
      },
      "scope": "item",
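      "summary": "Item download looks usable: a HEAD probe returned HTTP 200 with content type application/zip. The archive contents were not inspected.",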
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/afrexai-ai-governance"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/afrexai-ai-governance",
    "agentPageUrl": "https://openagent3.xyz/skills/afrexai-ai-governance/agent",
    "manifestUrl": "https://openagent3.xyz/skills/afrexai-ai-governance/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/afrexai-ai-governance/agent.md"
  },
  "agentAssist": {
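    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. Read SKILL.md and README.md yourself first: the agent will follow whatever instructions those files contain.",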
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "AI Governance Policy Builder",
        "body": "Build internal AI governance policies from scratch. Covers acceptable use, model selection, data handling, vendor contracts, compliance mapping, and board reporting."
      },
      {
        "title": "When to Use",
        "body": "Writing or reviewing internal AI acceptable use policies\nEstablishing AI governance committees or review boards\nMapping AI usage to regulatory frameworks (EU AI Act, NIST, ISO 42001)\nEvaluating vendor AI terms and liability clauses\nPreparing board-level AI governance reports"
      },
      {
        "title": "1. Acceptable Use Policy (AUP)",
        "body": "Every organization running AI needs a written AUP covering:\n\nPermitted Uses\n\nList approved AI tools by department and function\nDefine data classification tiers (public, internal, confidential, restricted)\nMap which data tiers can enter which AI systems\nSpecify approved vendors vs. shadow AI (employees using personal ChatGPT accounts)\n\nProhibited Uses\n\nCustomer PII in non-SOC2 models without anonymization\nAutonomous financial decisions above $[threshold] without human review\nHR screening/scoring without bias audit documentation\nAny use violating sector regulations (HIPAA, GDPR, SOX, PCI-DSS)\n\nShadow AI Detection\n\nSignal\tRisk Level\tAction\nAPI calls to unknown AI endpoints\tHIGH\tBlock + investigate\nBrowser extensions with AI features\tMEDIUM\tAudit + approve/deny\nPersonal accounts on company devices\tMEDIUM\tPolicy reminder + monitor\nExported data to AI training sets\tCRITICAL\tImmediate review"
      },
      {
        "title": "2. AI Model Selection & Procurement",
        "body": "Evaluation Scorecard (100 points)\n\nCriteria\tWeight\tWhat to Check\nData residency & sovereignty\t20\tWhere is data processed? Stored? Can you choose region?\nSecurity certifications\t20\tSOC2 Type II, ISO 27001, HIPAA BAA, FedRAMP\nModel transparency\t15\tTraining data provenance, bias testing, version control\nContract terms\t15\tData usage rights, indemnification, SLA, exit clauses\nPerformance & cost\t15\tLatency, accuracy benchmarks, token pricing, rate limits\nIntegration & support\t15\tAPI stability, documentation quality, support SLA\n\nMinimum score for production deployment: 70/100\n\nRed Flags (automatic disqualification):\n\nVendor trains on your data without opt-out\nNo data processing agreement (DPA) available\nIndemnification excluded for AI outputs\nNo incident response SLA"
      },
      {
        "title": "3. Data Handling & Classification",
        "body": "AI Data Flow Audit Template\n\nFor each AI integration, document:\n\nInput data: What goes in? Classification tier? PII present?\nProcessing: Where? Which model? Hosted or API? Region?\nOutput data: What comes out? Stored where? Retention period?\nTraining: Does vendor use your data for training? Opt-out confirmed?\nLogging: Are prompts/responses logged? Where? Who has access?\nDeletion: Can you request data deletion? Verified how?\n\nData Minimization Checklist\n\nOnly send minimum necessary data to AI systems\n Strip PII before processing where possible\n Use synthetic data for testing and development\n Implement input sanitization for prompt injection prevention\n Audit output for data leakage (model regurgitating training data)"
      },
      {
        "title": "4. Regulatory Compliance Mapping",
        "body": "EU AI Act (effective Aug 2025, enforcement Feb 2025)\n\nNote: as written, the enforcement date precedes the effective date. The Act's obligations apply in stages, so confirm the application date for each obligation against the official text.\n\nRisk Category\tExamples\tRequirements\nUnacceptable\tSocial scoring, real-time biometric ID (most cases)\tBanned\nHigh-risk\tHR screening, credit scoring, medical devices\tConformity assessment, human oversight, transparency\nLimited\tChatbots, deepfakes\tTransparency obligations (disclose AI use)\nMinimal\tSpam filters, game AI\tNo requirements\n\nNIST AI RMF (Risk Management Framework)\n\nMap: Identify AI systems in use\nMeasure: Quantify risks per system\nManage: Implement controls proportional to risk\nGovern: Establish oversight structure and accountability\n\nISO 42001 (AI Management System)\n\nUseful for organizations wanting certified AI governance\nAligns with ISO 27001 (already have it? Easier path)\nCovers: AI policy, risk assessment, objectives, competence, documentation"
      },
      {
        "title": "5. AI Governance Committee Structure",
        "body": "Recommended Composition\n\nChair: CTO or Chief AI Officer\nLegal: 1 representative (contracts, compliance)\nSecurity: CISO or delegate (data protection, incident response)\nBusiness: 1-2 department heads (use case prioritization)\nEthics: External advisor or designated internal role\nFinance: CFO delegate (budget, ROI tracking)\n\nMeeting Cadence\n\nMonthly: Review new AI use cases, vendor changes, incidents\nQuarterly: Policy updates, compliance audit, budget review\nAnnually: Full governance framework review, board report\n\nDecision Authority\n\nDecision\tAuthority Level\nNew AI tool (< $5K/year)\tDepartment head + security review\nNew AI tool (> $5K/year)\tGovernance committee approval\nCustomer-facing AI\tCommittee + legal + CEO sign-off\nAI incident response\tSecurity lead (immediate) → Committee (48h review)"
      },
      {
        "title": "6. Vendor Contract Checklist",
        "body": "Before signing any AI vendor contract, confirm:\n\nData processing agreement (DPA) signed\n Your data is NOT used for model training (or explicit opt-out confirmed)\n Data residency requirements met (specify regions)\n Indemnification clause covers AI-generated output liability\n SLA includes uptime, latency, and support response time\n Exit clause: data export format, deletion timeline, transition support\n Security certifications current and verified (not expired)\n Incident notification timeline specified (72h or less)\n Subprocessor list provided with change notification rights\n Insurance coverage for AI-specific risks confirmed\n Price lock or cap on increases for contract duration\n Right to audit (or audit report access)"
      },
      {
        "title": "7. Board Reporting Template",
        "body": "Quarterly AI Governance Report\n\nAI GOVERNANCE REPORT — Q[X] [YEAR]\n\n1. AI PORTFOLIO SUMMARY\n   - Active AI systems: [count]\n   - New deployments this quarter: [count]\n   - Retired/replaced: [count]\n   - Total AI spend: $[amount] (vs budget: $[amount])\n\n2. RISK DASHBOARD\n   - High-risk systems: [count] — all compliant: [Y/N]\n   - Open incidents: [count] — resolved this quarter: [count]\n   - Shadow AI detections: [count] — remediated: [count]\n   - Compliance gaps: [list]\n\n3. VALUE DELIVERED\n   - Hours saved: [estimate]\n   - Revenue attributed to AI: $[amount]\n   - Cost reduction: $[amount]\n   - Customer satisfaction impact: [metric]\n\n4. KEY DECISIONS NEEDED\n   - [Decision 1: context + recommendation]\n   - [Decision 2: context + recommendation]\n\n5. NEXT QUARTER PRIORITIES\n   - [Priority 1]\n   - [Priority 2]"
      },
      {
        "title": "8. Incident Response for AI Systems",
        "body": "AI-Specific Incident Categories\n\nCategory\tExample\tResponse Time\nData breach via AI\tModel leaks PII in output\tImmediate — invoke security IR plan\nHallucination causing harm\tWrong medical/legal/financial advice acted on\t4h — document, notify affected parties\nBias detected\tDiscriminatory output in hiring/lending\t24h — suspend system, audit, remediate\nPrompt injection\tAttacker manipulates AI behavior\tImmediate — block vector, patch\nCost overrun\tRunaway API calls\t4h — rate limit, investigate, cap\nVendor incident\tProvider breach or outage\tPer vendor SLA — activate backup\n\nPost-Incident Review Template\n\nWhat happened (factual timeline)\nImpact (who/what affected, cost, duration)\nRoot cause (not blame — systems thinking)\nFixes applied (immediate + permanent)\nPolicy/process changes needed\nBoard notification required? (Y/N + rationale)"
      },
      {
        "title": "Cost of NOT Having AI Governance",
        "body": "Company Size\tAnnual Risk Without Governance\n15-50 employees\t$50K-$200K (shadow AI waste, compliance fines)\n50-200 employees\t$200K-$800K (data incidents, vendor lock-in, redundant tools)\n200-1000 employees\t$800K-$3M (regulatory penalties, IP exposure, audit failures)\n1000+ employees\t$3M-$15M+ (class action, regulatory enforcement, reputational damage)"
      },
      {
        "title": "90-Day Implementation Roadmap",
        "body": "Month 1: Foundation\n\nDraft acceptable use policy\nInventory all AI systems in use (including shadow AI)\nClassify data flowing through each system\nIdentify governance committee members\n\nMonth 2: Controls\n\nFinalize and distribute AUP\nImplement vendor evaluation scorecard for new purchases\nSet up AI incident response procedures\nBegin regulatory compliance mapping\n\nMonth 3: Operationalize\n\nFirst governance committee meeting\nDeliver first board report\nEstablish monitoring for shadow AI\nSchedule quarterly policy review cycle\n\nBuilt by AfrexAI — AI operations infrastructure for mid-market companies.\n\nGet the full industry-specific context pack for your sector ($47): https://afrexai-cto.github.io/context-packs/\n\nCalculate your AI automation ROI: https://afrexai-cto.github.io/ai-revenue-calculator/\n\nSet up your AI agent workforce in 5 minutes: https://afrexai-cto.github.io/agent-setup/\n\nNeed all 10 industry packs? $197 for the complete bundle: https://buy.stripe.com/aEUaGJ2Xd0rI6zKfZ7"
      }
    ],
    "body": "AI Governance Policy Builder\n\nBuild internal AI governance policies from scratch. Covers acceptable use, model selection, data handling, vendor contracts, compliance mapping, and board reporting.\n\nWhen to Use\nWriting or reviewing internal AI acceptable use policies\nEstablishing AI governance committees or review boards\nMapping AI usage to regulatory frameworks (EU AI Act, NIST, ISO 42001)\nEvaluating vendor AI terms and liability clauses\nPreparing board-level AI governance reports\nGovernance Policy Framework\n1. Acceptable Use Policy (AUP)\n\nEvery organization running AI needs a written AUP covering:\n\nPermitted Uses\n\nList approved AI tools by department and function\nDefine data classification tiers (public, internal, confidential, restricted)\nMap which data tiers can enter which AI systems\nSpecify approved vendors vs. shadow AI (employees using personal ChatGPT accounts)\n\nProhibited Uses\n\nCustomer PII in non-SOC2 models without anonymization\nAutonomous financial decisions above $[threshold] without human review\nHR screening/scoring without bias audit documentation\nAny use violating sector regulations (HIPAA, GDPR, SOX, PCI-DSS)\n\nShadow AI Detection\n\nSignal\tRisk Level\tAction\nAPI calls to unknown AI endpoints\tHIGH\tBlock + investigate\nBrowser extensions with AI features\tMEDIUM\tAudit + approve/deny\nPersonal accounts on company devices\tMEDIUM\tPolicy reminder + monitor\nExported data to AI training sets\tCRITICAL\tImmediate review\n2. AI Model Selection & Procurement\n\nEvaluation Scorecard (100 points)\n\nCriteria\tWeight\tWhat to Check\nData residency & sovereignty\t20\tWhere is data processed? Stored? 
Can you choose region?\nSecurity certifications\t20\tSOC2 Type II, ISO 27001, HIPAA BAA, FedRAMP\nModel transparency\t15\tTraining data provenance, bias testing, version control\nContract terms\t15\tData usage rights, indemnification, SLA, exit clauses\nPerformance & cost\t15\tLatency, accuracy benchmarks, token pricing, rate limits\nIntegration & support\t15\tAPI stability, documentation quality, support SLA\n\nMinimum score for production deployment: 70/100\n\nRed Flags (automatic disqualification):\n\nVendor trains on your data without opt-out\nNo data processing agreement (DPA) available\nIndemnification excluded for AI outputs\nNo incident response SLA\n3. Data Handling & Classification\n\nAI Data Flow Audit Template\n\nFor each AI integration, document:\n\nInput data: What goes in? Classification tier? PII present?\nProcessing: Where? Which model? Hosted or API? Region?\nOutput data: What comes out? Stored where? Retention period?\nTraining: Does vendor use your data for training? Opt-out confirmed?\nLogging: Are prompts/responses logged? Where? Who has access?\nDeletion: Can you request data deletion? Verified how?\n\nData Minimization Checklist\n\n Only send minimum necessary data to AI systems\n Strip PII before processing where possible\n Use synthetic data for testing and development\n Implement input sanitization for prompt injection prevention\n Audit output for data leakage (model regurgitating training data)\n4. 
Regulatory Compliance Mapping\n\nEU AI Act (effective Aug 2025, enforcement Feb 2025)\n\nRisk Category\tExamples\tRequirements\nUnacceptable\tSocial scoring, real-time biometric ID (most cases)\tBanned\nHigh-risk\tHR screening, credit scoring, medical devices\tConformity assessment, human oversight, transparency\nLimited\tChatbots, deepfakes\tTransparency obligations (disclose AI use)\nMinimal\tSpam filters, game AI\tNo requirements\n\nNIST AI RMF (Risk Management Framework)\n\nMap: Identify AI systems in use\nMeasure: Quantify risks per system\nManage: Implement controls proportional to risk\nGovern: Establish oversight structure and accountability\n\nISO 42001 (AI Management System)\n\nUseful for organizations wanting certified AI governance\nAligns with ISO 27001 (already have it? Easier path)\nCovers: AI policy, risk assessment, objectives, competence, documentation\n5. AI Governance Committee Structure\n\nRecommended Composition\n\nChair: CTO or Chief AI Officer\nLegal: 1 representative (contracts, compliance)\nSecurity: CISO or delegate (data protection, incident response)\nBusiness: 1-2 department heads (use case prioritization)\nEthics: External advisor or designated internal role\nFinance: CFO delegate (budget, ROI tracking)\n\nMeeting Cadence\n\nMonthly: Review new AI use cases, vendor changes, incidents\nQuarterly: Policy updates, compliance audit, budget review\nAnnually: Full governance framework review, board report\n\nDecision Authority\n\nDecision\tAuthority Level\nNew AI tool (< $5K/year)\tDepartment head + security review\nNew AI tool (> $5K/year)\tGovernance committee approval\nCustomer-facing AI\tCommittee + legal + CEO sign-off\nAI incident response\tSecurity lead (immediate) → Committee (48h review)\n6. 
Vendor Contract Checklist\n\nBefore signing any AI vendor contract, confirm:\n\n Data processing agreement (DPA) signed\n Your data is NOT used for model training (or explicit opt-out confirmed)\n Data residency requirements met (specify regions)\n Indemnification clause covers AI-generated output liability\n SLA includes uptime, latency, and support response time\n Exit clause: data export format, deletion timeline, transition support\n Security certifications current and verified (not expired)\n Incident notification timeline specified (72h or less)\n Subprocessor list provided with change notification rights\n Insurance coverage for AI-specific risks confirmed\n Price lock or cap on increases for contract duration\n Right to audit (or audit report access)\n7. Board Reporting Template\n\nQuarterly AI Governance Report\n\nAI GOVERNANCE REPORT — Q[X] [YEAR]\n\n1. AI PORTFOLIO SUMMARY\n   - Active AI systems: [count]\n   - New deployments this quarter: [count]\n   - Retired/replaced: [count]\n   - Total AI spend: $[amount] (vs budget: $[amount])\n\n2. RISK DASHBOARD\n   - High-risk systems: [count] — all compliant: [Y/N]\n   - Open incidents: [count] — resolved this quarter: [count]\n   - Shadow AI detections: [count] — remediated: [count]\n   - Compliance gaps: [list]\n\n3. VALUE DELIVERED\n   - Hours saved: [estimate]\n   - Revenue attributed to AI: $[amount]\n   - Cost reduction: $[amount]\n   - Customer satisfaction impact: [metric]\n\n4. KEY DECISIONS NEEDED\n   - [Decision 1: context + recommendation]\n   - [Decision 2: context + recommendation]\n\n5. NEXT QUARTER PRIORITIES\n   - [Priority 1]\n   - [Priority 2]\n\n8. 
Incident Response for AI Systems\n\nAI-Specific Incident Categories\n\nCategory\tExample\tResponse Time\nData breach via AI\tModel leaks PII in output\tImmediate — invoke security IR plan\nHallucination causing harm\tWrong medical/legal/financial advice acted on\t4h — document, notify affected parties\nBias detected\tDiscriminatory output in hiring/lending\t24h — suspend system, audit, remediate\nPrompt injection\tAttacker manipulates AI behavior\tImmediate — block vector, patch\nCost overrun\tRunaway API calls\t4h — rate limit, investigate, cap\nVendor incident\tProvider breach or outage\tPer vendor SLA — activate backup\n\nPost-Incident Review Template\n\nWhat happened (factual timeline)\nImpact (who/what affected, cost, duration)\nRoot cause (not blame — systems thinking)\nFixes applied (immediate + permanent)\nPolicy/process changes needed\nBoard notification required? (Y/N + rationale)\nCost of NOT Having AI Governance\nCompany Size\tAnnual Risk Without Governance\n15-50 employees\t$50K-$200K (shadow AI waste, compliance fines)\n50-200 employees\t$200K-$800K (data incidents, vendor lock-in, redundant tools)\n200-1000 employees\t$800K-$3M (regulatory penalties, IP exposure, audit failures)\n1000+ employees\t$3M-$15M+ (class action, regulatory enforcement, reputational damage)\n90-Day Implementation Roadmap\n\nMonth 1: Foundation\n\nDraft acceptable use policy\nInventory all AI systems in use (including shadow AI)\nClassify data flowing through each system\nIdentify governance committee members\n\nMonth 2: Controls\n\nFinalize and distribute AUP\nImplement vendor evaluation scorecard for new purchases\nSet up AI incident response procedures\nBegin regulatory compliance mapping\n\nMonth 3: Operationalize\n\nFirst governance committee meeting\nDeliver first board report\nEstablish monitoring for shadow AI\nSchedule quarterly policy review cycle\n\nBuilt by AfrexAI — AI operations infrastructure for mid-market companies.\n\nGet the full industry-specific context 
pack for your sector ($47): https://afrexai-cto.github.io/context-packs/\n\nCalculate your AI automation ROI: https://afrexai-cto.github.io/ai-revenue-calculator/\n\nSet up your AI agent workforce in 5 minutes: https://afrexai-cto.github.io/agent-setup/\n\nNeed all 10 industry packs? $197 for the complete bundle: https://buy.stripe.com/aEUaGJ2Xd0rI6zKfZ7"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/1kalin/afrexai-ai-governance",
    "publisherUrl": "https://clawhub.ai/1kalin/afrexai-ai-governance",
    "owner": "1kalin",
    "version": "1.1.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/afrexai-ai-governance",
    "downloadUrl": "https://openagent3.xyz/downloads/afrexai-ai-governance",
    "agentUrl": "https://openagent3.xyz/skills/afrexai-ai-governance/agent",
    "manifestUrl": "https://openagent3.xyz/skills/afrexai-ai-governance/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/afrexai-ai-governance/agent.md"
  }
}