{ "generated": "2026-03-27T19:29:35.842Z", "total": 36, "domains": [ "coding", "education", "enterprise", "general", "healthcare", "legal", "policy", "research", "writing" ], "entries": [ { "id": "bug-fix-prioritization", "framework_id": "4d-framework", "title": "Bug Fix Prioritization", "domain": "coding", "file": "coding-bug-fix-prioritization.yaml", "dimensions": { "delegation": { "description": "Should this task be automated, augmented, or agentic?", "example": "AI suggests bug fix priorities based on impact and frequency.", "antipattern": "Letting AI fully decide bug fix order without human input." }, "description": { "description": "What context/framing makes the AI most useful here?", "example": "Provide bug reports, user impact, and historical data.", "antipattern": "No context, leading to poor prioritization." }, "discernment": { "description": "How do you evaluate if the AI output is trustworthy?", "example": "Cross-check AI prioritization with product manager feedback.", "antipattern": "Accepting AI priorities without review." }, "diligence": { "description": "What human accountability is required after AI involvement?", "example": "Product manager must approve final bug fix order.", "antipattern": "Deploying fixes based solely on AI suggestions." } }, "score_hints": { "delegation": 0.2, "description": 0.3, "discernment": 0.3, "diligence": 0.2 }, "summary": "Should this task be automated, augmented, or agentic?", "tags": [ "bug-fix", "prioritization", "coding" ], "contributor": "Dakan & Feller", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Human delegates triage scope, AI prioritizes bugs with context provided, human discerns the ranked list, diligence locks in the fix order — looping back to description if root cause is unclear.", "sequence": [ { "step": 1, "d": "delegation", "label": "Agree on AI triage autonomy", "example_prompts": [ { "speaker": "human", "text": "I have 20 open bugs. Can you rank them by user impact and estimated fix time without me reviewing each one?" }, { "speaker": "ai", "text": "I can rank by impact category and complexity estimate. I'd recommend you confirm the top 5 before engineering schedules — want me to auto-assign the bottom 10 to backlog?" }, { "speaker": "human", "text": "Auto-assign backlog tier, surface the top 10 for my review." } ], "triggers_next": "Triage scope and backlog rule agreed." }, { "step": 2, "d": "description", "label": "Provide bug list and product context", "example_prompts": [ { "speaker": "human", "text": "Here are the 20 bug reports with user complaint frequency and affected feature areas." }, { "speaker": "ai", "text": "Should I weight payment-flow bugs higher than UI bugs?" }, { "speaker": "human", "text": "Yes — payment and data-loss bugs are P0 regardless of frequency." } ], "triggers_next": "AI has priority rules and full bug context." }, { "step": 3, "d": "discernment", "label": "Evaluate prioritized list", "example_prompts": [ { "speaker": "human", "text": "Bug #7 is ranked P1 but I know it's a duplicate of #12 — remove it." }, { "speaker": "ai", "text": "Understood. Do you want me to merge the user complaint counts or keep them separate?" }, { "speaker": "human", "text": "Merge them — #12 now carries the combined weight." } ], "triggers_next": "Prioritized list is validated and de-duplicated.", "loop_back": { "to": "description", "condition": "Root cause of a high-priority bug is unclear or disputed.", "reason": "More engineering context is needed before ranking is meaningful." } }, { "step": 4, "d": "diligence", "label": "Commit to fix schedule and document", "example_prompts": [ { "speaker": "human", "text": "Engineering lead, confirm sprint assignment for P0 and P1 items." }, { "speaker": "human", "text": "Log the AI-generated ranking and the manual overrides in Jira for audit." } ], "triggers_next": "Sprint is committed. Cycle restarts at next triage session.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Triage scope agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers ranked list." }, { "from": "discernment", "to": "diligence", "trigger": "List validated and overrides applied." }, { "from": "discernment", "to": "description", "trigger": "Root cause unclear — needs more context.", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "Next triage session — restart.", "is_cycle_restart": true } ] } }, { "id": "code-review-triage", "framework_id": "4d-framework", "title": "Code Review Triage", "domain": "coding", "file": "coding-code-review-triage.yaml", "dimensions": { "delegation": { "description": "Should this task be automated, augmented, or agentic?", "example": "Use AI to triage code review comments, flagging those needing human attention.", "antipattern": "Fully automating code review without human oversight." }, "description": { "description": "What context/framing makes the AI most useful here?", "example": "Provide repository context and recent commit history for accurate triage.", "antipattern": "No context, leading to irrelevant triage suggestions." }, "discernment": { "description": "How do you evaluate if the AI output is trustworthy?", "example": "Compare flagged comments against senior developer feedback.", "antipattern": "Accepting AI triage without validation." }, "diligence": { "description": "What human accountability is required after AI involvement?", "example": "Human must review flagged comments before merging.", "antipattern": "Merging code based solely on AI triage." 
} }, "score_hints": { "delegation": 0.2, "description": 0.3, "discernment": 0.3, "diligence": 0.2 }, "summary": "Should this task be automated, augmented, or agentic?", "tags": [ "code-review", "triage", "automation" ], "contributor": "Dakan & Feller", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Human negotiates AI review scope, provides code context, evaluates findings, then approves — looping back to scope if false-positive rate is high.", "sequence": [ { "step": 1, "d": "delegation", "label": "Negotiate AI review scope and autonomy", "example_prompts": [ { "speaker": "human", "text": "Can you automatically approve style-only comments and flag logic and security issues for me?" }, { "speaker": "ai", "text": "I can flag logic and security issues with confidence levels. I'd recommend human approval for all security findings — want me to auto-close only style nits?" }, { "speaker": "human", "text": "Yes — auto-close style nits, surface everything else with a severity label." } ], "triggers_next": "Autonomy boundaries and severity thresholds are agreed." }, { "step": 2, "d": "description", "label": "Provide repository and PR context", "example_prompts": [ { "speaker": "human", "text": "Here is the PR diff, our style guide link, and the three open issues this PR addresses." }, { "speaker": "ai", "text": "Got it. Should I cross-reference the open issues when flagging findings?" }, { "speaker": "human", "text": "Yes — link any finding to the relevant issue if there's a match." } ], "triggers_next": "AI has enough context to begin analysis." }, { "step": 3, "d": "discernment", "label": "Evaluate AI triage findings", "example_prompts": [ { "speaker": "human", "text": "Walk me through your findings. Item 4 — is that a real security issue or a false positive?" }, { "speaker": "ai", "text": "Item 4 is likely a false positive given the existing sanitization in line 42. I flagged it because the pattern matches a known injection vector — but the guard is already in place." }, { "speaker": "human", "text": "Agreed, dismiss item 4. The rest look valid." } ], "triggers_next": "Human has validated which findings are actionable.", "loop_back": { "to": "delegation", "condition": "More than 30% of findings are false positives.", "reason": "Scope or severity thresholds need renegotiation." } }, { "step": 4, "d": "diligence", "label": "Approve findings and document decisions", "example_prompts": [ { "speaker": "human", "text": "Senior engineer, please sign off on items 1, 2, 3, and 5 before we merge." }, { "speaker": "human", "text": "I'll add a comment to the PR logging which items were AI-flagged and which were human-dismissed." } ], "triggers_next": "PR is approved and decisions are documented. Cycle restarts for the next PR.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Autonomy level and severity thresholds agreed." }, { "from": "description", "to": "discernment", "trigger": "AI completes triage analysis." }, { "from": "discernment", "to": "diligence", "trigger": "Human validates findings as actionable." }, { "from": "discernment", "to": "delegation", "trigger": "False-positive rate too high — re-scope.", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "New PR arrives — restart cycle.", "is_cycle_restart": true } ] } }, { "id": "refactoring-suggestions", "framework_id": "4d-framework", "title": "Refactoring Suggestions", "domain": "coding", "file": "coding-refactoring-suggestions.yaml", "dimensions": { "delegation": { "description": "Should this task be automated, augmented, or agentic?", "example": "AI proposes refactoring opportunities, human reviews and approves.", "antipattern": "AI automatically refactors code without human review." 
}, "description": { "description": "What context/framing makes the AI most useful here?", "example": "Provide codebase structure and known pain points.", "antipattern": "No context, leading to generic suggestions." }, "discernment": { "description": "How do you evaluate if the AI output is trustworthy?", "example": "Validate suggestions against test coverage and code quality metrics.", "antipattern": "Accepting AI refactoring without testing." }, "diligence": { "description": "What human accountability is required after AI involvement?", "example": "Developer must run tests and review changes.", "antipattern": "Merging AI-refactored code without testing." } }, "score_hints": { "delegation": 0.2, "description": 0.3, "discernment": 0.3, "diligence": 0.2 }, "summary": "Should this task be automated, augmented, or agentic?", "tags": [ "refactoring", "suggestions", "coding" ], "contributor": "Dakan & Feller", "version": "1.0.0", "collaboration": { "pattern": "iterative", "description": "Human and AI iterate through multiple refactoring passes — each pass re-negotiates scope, provides updated code context, evaluates suggestions, and commits accepted changes.", "sequence": [ { "step": 1, "d": "delegation", "label": "Scope the refactoring pass", "example_prompts": [ { "speaker": "human", "text": "I want to reduce coupling in this module. Can you suggest where to start?" }, { "speaker": "ai", "text": "I see three high-coupling hotspots. Should I suggest refactors for all three in this pass or focus on the most impactful one?" }, { "speaker": "human", "text": "Focus on the most impactful hotspot first — we'll iterate." } ], "triggers_next": "Refactoring focus for this pass is agreed." }, { "step": 2, "d": "description", "label": "Provide current code and constraints", "example_prompts": [ { "speaker": "human", "text": "Here is the current module, the interface contracts it must preserve, and our no-breaking-changes constraint." 
}, { "speaker": "ai", "text": "Are there performance benchmarks I should keep in mind?" }, { "speaker": "human", "text": "Latency must stay under 50ms for the main path — flag anything that might affect it." } ], "triggers_next": "AI has code, contracts, and performance constraints." }, { "step": 3, "d": "discernment", "label": "Evaluate refactoring suggestions", "example_prompts": [ { "speaker": "human", "text": "Suggestion 2 breaks the existing interface — reject that one." }, { "speaker": "ai", "text": "Understood. Suggestion 3 is an alternative that preserves the interface — want me to elaborate?" }, { "speaker": "human", "text": "Yes, and check if it affects the 50ms path." } ], "triggers_next": "Accepted suggestions are identified and validated." }, { "step": 4, "d": "diligence", "label": "Commit accepted changes and verify", "example_prompts": [ { "speaker": "human", "text": "Running benchmark — 43ms, within budget. Committing suggestion 3." }, { "speaker": "human", "text": "Adding a commit note: AI-suggested refactor, human-validated against interface and perf budget." } ], "triggers_next": "Changes committed. Begin next iteration with remaining hotspots.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Refactoring scope for this pass agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers suggestions for this pass." }, { "from": "discernment", "to": "diligence", "trigger": "Accepted suggestions validated." 
}, { "from": "diligence", "to": "delegation", "trigger": "Remaining hotspots — begin next iteration.", "is_cycle_restart": true } ] } }, { "id": "test-case-generation", "framework_id": "4d-framework", "title": "Test Case Generation", "domain": "coding", "file": "coding-test-case-generation.yaml", "dimensions": { "delegation": { "description": "Should this task be automated, augmented, or agentic?", "example": "AI generates test cases, developer reviews and integrates.", "antipattern": "AI-generated tests merged without human review." }, "description": { "description": "What context/framing makes the AI most useful here?", "example": "Provide function signatures and edge case requirements.", "antipattern": "No context, leading to incomplete tests." }, "discernment": { "description": "How do you evaluate if the AI output is trustworthy?", "example": "Run generated tests and check coverage improvements.", "antipattern": "Accepting tests without execution." }, "diligence": { "description": "What human accountability is required after AI involvement?", "example": "Developer must validate and maintain test suite.", "antipattern": "Relying solely on AI for test maintenance." } }, "score_hints": { "delegation": 0.2, "description": 0.3, "discernment": 0.3, "diligence": 0.2 }, "summary": "Should this task be automated, augmented, or agentic?", "tags": [ "test-case", "generation", "coding" ], "contributor": "Dakan & Feller", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Human delegates test scope, provides spec and edge cases, evaluates AI-generated tests, then merges after CI passes — looping back to description if coverage gaps appear.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define test generation scope", "example_prompts": [ { "speaker": "human", "text": "Generate unit tests for this module. Can you also decide which edge cases to include?" 
}, { "speaker": "ai", "text": "I can generate tests and propose edge cases, but I'd recommend you confirm the coverage targets — what's the minimum acceptable coverage percentage?" }, { "speaker": "human", "text": "90% line coverage minimum. Flag anything you're uncertain about." } ], "triggers_next": "Coverage targets and uncertainty-flagging rule agreed." }, { "step": 2, "d": "description", "label": "Provide spec, examples, and constraints", "example_prompts": [ { "speaker": "human", "text": "Here's the function spec, three existing test examples, and the list of known edge cases from the bug history." }, { "speaker": "ai", "text": "Should I test for concurrency issues or only sequential inputs?" }, { "speaker": "human", "text": "Sequential only for now — concurrency tests are a separate workstream." } ], "triggers_next": "AI has spec, examples, and constraint boundaries." }, { "step": 3, "d": "discernment", "label": "Review generated tests for correctness", "example_prompts": [ { "speaker": "human", "text": "Test #8 asserts the wrong return type — it should be a string, not null." }, { "speaker": "ai", "text": "Corrected. Also, I flagged test #12 as potentially flaky due to time-dependent assertion — want me to mock the clock?" }, { "speaker": "human", "text": "Yes, mock the clock for #12." } ], "triggers_next": "Tests pass review and CI runs green.", "loop_back": { "to": "description", "condition": "Coverage is below target or significant edge cases are missing.", "reason": "More spec detail or explicit edge case guidance is needed." } }, { "step": 4, "d": "diligence", "label": "Approve tests and add to codebase", "example_prompts": [ { "speaker": "human", "text": "Tests pass CI at 93% coverage. Merging to main." }, { "speaker": "human", "text": "Added a comment noting which tests were AI-generated for future reference." } ], "triggers_next": "Tests merged. 
Cycle restarts for next module.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Coverage targets agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers test suite." }, { "from": "discernment", "to": "diligence", "trigger": "Tests validated and CI passes." }, { "from": "discernment", "to": "description", "trigger": "Coverage gaps require more spec detail.", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "Next module — restart.", "is_cycle_restart": true } ] } }, { "id": "ai-equity-curriculum", "framework_id": "unesco-ai-ethics", "title": "Equitable AI Curriculum Design", "domain": "education", "file": "education-ai-equity-curriculum.yaml", "dimensions": { "human-dignity": { "description": "The curriculum is designed to serve learners of all backgrounds with equal dignity — ensuring AI education does not embed cultural bias, exclude learners with disabilities, or reinforce existing power imbalances between those who \"understand AI\" and those who do not.\n", "example": "Curriculum designer: \"Our AI literacy course uses examples from Silicon Valley companies exclusively. Is that consistent with human dignity for our predominantly African and Middle Eastern student body?\" AI: \"No — a curriculum that presents only one cultural context for AI normalizes a particular worldview as 'default.' UNESCO's principle of human dignity includes cultural respect and non-discrimination in education. 
I recommend auditing every case study and example for cultural diversity, and co-designing at least 30% of examples with students from the communities you serve.\"\n", "antipattern": "Designing an AI curriculum that treats a single cultural or economic context as universal — producing graduates who understand AI through one lens and are unprepared to question whose interests AI systems serve.\n" }, "environment": { "description": "The curriculum addresses the environmental cost of AI — training compute, data center energy, hardware lifecycle — and teaches learners to make environmentally informed decisions about AI system design.\n", "example": "AI: \"For the environmental module, I recommend three content blocks: (1) The energy cost of model training — a GPT-4-scale model consumes more electricity than 100 US households for a year. (2) Inference at scale — even deployed models have a per-query energy footprint that multiplies across billions of users. (3) Sustainable design choices — model distillation, efficient architectures, and green compute options. Make the environmental calculation a required component of every student capstone project.\"\n", "antipattern": "Teaching AI design without any environmental impact component — producing AI practitioners who optimize for performance and cost but are blind to ecological externalities.\n" }, "privacy": { "description": "The curriculum teaches learners to design privacy-protective AI systems and applies privacy principles to the educational technology used to deliver the course itself — including AI-powered learning platforms.\n", "example": "Human: \"Our LMS uses an AI engagement tracker that monitors keystroke patterns. Is that consistent with the privacy principle for our students?\" AI: \"That is a surveillance tool applied to learners without meaningful consent. UNESCO's privacy principle applies to learners in educational settings — they have the right to know what data is collected, why, and how to opt out. 
The curriculum should both teach privacy by design and practice it: audit the LMS, disclose data collection to students, and provide a genuine opt-out that does not disadvantage learning outcomes.\"\n", "antipattern": "Teaching AI privacy principles in the classroom while using AI-powered surveillance tools on students without their informed consent — undermining the curriculum's own ethical foundation.\n" }, "transparency": { "description": "The curriculum is transparent about its own design: learning objectives, assessment criteria, AI tools used in teaching, and the limitations of what the curriculum covers — including what it cannot teach.\n", "example": "AI: \"For course transparency, I recommend publishing three documents to students at enrollment: (1) What AI tools are used in this course and how their data is used. (2) What the curriculum does not cover — students should know if advanced mathematics or specific programming languages are prerequisites for deeper engagement. (3) Assessment criteria in plain language — not just rubrics, but what the institution considers 'AI literacy' and why.\"\n", "antipattern": "Presenting an AI curriculum as comprehensive when it primarily covers one paradigm (e.g., large language models) without disclosing to students what is outside its scope.\n" }, "accountability": { "description": "The curriculum has a community accountability mechanism: a student-community advisory board reviews the curriculum annually, findings are published, and the institution commits to responsive updates based on community input.\n", "example": "AI closes the cycle: \"Accountability structure for the curriculum: (1) Student advisory board — meets each semester, reviews content for relevance, equity, and cultural appropriateness. (2) Community review — annual open review inviting alumni, employers, and community organizations. (3) Published update log — every curriculum change is documented and explained to students. 
(4) Redress pathway — students can formally flag curriculum concerns with a 30-day response commitment from academic leadership.\"\n", "antipattern": "Reviewing the AI curriculum only through internal faculty committees without any mechanism for student or community input — producing curricula that serve institutional interests over learner needs.\n" } }, "score_hints": { "human-dignity": 0.25, "environment": 0.15, "privacy": 0.2, "transparency": 0.2, "accountability": 0.2 }, "summary": "", "tags": [ "education", "curriculum-design", "ai-literacy", "equity", "unesco" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Dignity audit identifies cultural and accessibility gaps in curriculum content → environmental module is designed with concrete metrics for learners → privacy audit of teaching tools and curriculum privacy content → transparency documents are published to students at enrollment → community accountability structure is established with annual review cycle. Loops back to human-dignity if transparency review reveals undisclosed content biases.\n", "sequence": [ { "step": 1, "d": "human-dignity", "label": "Audit curriculum content for cultural equity and accessibility", "example_prompts": [ { "speaker": "human", "text": "We're designing a new AI ethics and literacy course for undergraduates. Start with dignity — what do we audit first?" }, { "speaker": "ai", "text": "Three dignity audits before any content is finalized: (1) Cultural diversity — review every case study, example, and reading for cultural representation. Who are the AI leaders referenced? Whose AI failures are discussed? Is the student body's own cultural context represented? (2) Accessibility — is the curriculum accessible to learners with visual, auditory, and cognitive disabilities? AI tools used must meet WCAG 2.1 AA minimum. 
(3) Power balance — does the curriculum teach students to be AI consumers or AI critical agents? UNESCO's dignity principle requires the latter." }, { "speaker": "human", "text": "Case studies are 90% US-centric. Accessibility audit reveals the primary AI demo tool has no screen reader support." } ], "triggers_next": "Dignity gaps identified — cultural diversity gap and accessibility gap documented." }, { "step": 2, "d": "environment", "label": "Design the environmental impact module", "example_prompts": [ { "speaker": "human", "text": "How do we teach AI's environmental footprint in a way that is accurate and actionable for undergraduates?" }, { "speaker": "ai", "text": "Three-week module structure: Week 1 — The hidden cost of AI: training compute, data center water use, hardware mining. Use ML CO2 Impact calculator as a hands-on exercise. Week 2 — Inference at scale: how each AI query has an energy cost; cumulative impact of billions of queries. Week 3 — Sustainable AI design: model distillation, efficient architectures, green compute providers. Capstone requirement: every student project must include an energy footprint estimate as part of the design documentation." }, { "speaker": "human", "text": "We'll add the environmental footprint requirement to the capstone rubric." } ], "triggers_next": "Environmental module designed with concrete student deliverables." }, { "step": 3, "d": "privacy", "label": "Audit teaching tools and design privacy curriculum content", "example_prompts": [ { "speaker": "human", "text": "Our LMS has an AI engagement tracker. Should we keep it?" }, { "speaker": "ai", "text": "The engagement tracker must meet three conditions to be consistent with UNESCO privacy principles: (1) Informed consent — students must be told exactly what is tracked, why, and for how long. (2) Data minimization — only data necessary for the educational purpose is collected. 
(3) Opt-out without penalty — a student who opts out must not be disadvantaged in grading or participation. If the tracker does not meet all three, it must be reconfigured or replaced. For the curriculum content: I recommend a dedicated privacy by design module where students audit a real AI system's data practices." }, { "speaker": "human", "text": "We'll reconfigure the tracker: opt-out available, data deleted after semester ends." } ], "triggers_next": "Teaching tool privacy audit complete; privacy curriculum module designed." }, { "step": 4, "d": "transparency", "label": "Publish curriculum transparency documents to students", "example_prompts": [ { "speaker": "human", "text": "What transparency documents should students receive at enrollment?" }, { "speaker": "ai", "text": "Three documents at enrollment: (1) AI tools disclosure — list every AI tool used in the course, what data it collects, and how students can opt out. (2) Curriculum scope notice — what this course covers and what it does not; prerequisites and pathways for deeper study. (3) Assessment transparency — plain-language explanation of what 'AI literacy' means for this institution's graduates and how each assessment criterion maps to that definition. Publish all three on the course page, not buried in the LMS." }, { "speaker": "human", "text": "All three documents drafted and published to the course page." } ], "triggers_next": "Transparency documents published to students at enrollment.", "loop_back": { "to": "human-dignity", "condition": "Transparency review reveals that undisclosed content biases exist in the curriculum.", "reason": "Dignity audit must be re-run if new biases are uncovered through transparency review." } }, { "step": 5, "d": "accountability", "label": "Establish community accountability and annual review cycle", "example_prompts": [ { "speaker": "human", "text": "How do we build genuine accountability into the curriculum governance?" 
}, { "speaker": "ai", "text": "Four-part accountability structure: (1) Student advisory board — 6 student representatives, meets each semester, reviews curriculum for equity and relevance. Board recommendations are responded to in writing within 30 days. (2) Annual community review — open event inviting alumni, employers, civil society. Findings are published. (3) Public curriculum changelog — every update is documented and explained to enrolled and prospective students. (4) Formal redress pathway — students can file curriculum concerns with a named academic ombudsperson; 30-day response commitment. This structure makes accountability real, not nominal." }, { "speaker": "human", "text": "Student advisory board established. First community review scheduled for end of academic year." } ], "triggers_next": "Community accountability structure operational with annual review committed.", "can_restart": true } ], "transitions": [ { "from": "human-dignity", "to": "environment", "trigger": "Dignity gaps identified and documented." }, { "from": "environment", "to": "privacy", "trigger": "Environmental module designed with student deliverables." }, { "from": "privacy", "to": "transparency", "trigger": "Teaching tool audit complete and privacy module designed." }, { "from": "transparency", "to": "human-dignity", "trigger": "Undisclosed content biases found — dignity audit re-run.", "is_loop_back": true }, { "from": "transparency", "to": "accountability", "trigger": "Transparency documents published." 
}, { "from": "accountability", "to": "human-dignity", "trigger": "Annual community review triggers next curriculum cycle.", "is_cycle_restart": true } ] } }, { "id": "course-design", "framework_id": "4d-framework", "title": "AI-Augmented Course Design", "domain": "education", "file": "education-course-design.yaml", "dimensions": { "delegation": { "description": "AI can accelerate the scaffolding work of course design: generating draft learning objectives from a topic brief, suggesting module sequencing options, proposing assessment formats, brainstorming reading list candidates, and drafting rubric language. The instructor must own: the pedagogical strategy, the theoretical framework underlying the course, the sequencing rationale, and all decisions about what students will actually experience. Pedagogical authority cannot be delegated.", "example": "A professor designing a new undergraduate ethics course asks AI to generate a draft list of possible weekly topics aligned with her stated course arc (from foundational theory to applied cases). She uses this list as a stimulus to compare against her own planned sequence, adopting two AI-suggested topics she had overlooked and discarding three that don't serve her theoretical framework.", "antipattern": "Asking AI to design the full course — objectives, module structure, readings, assignments, assessments — and adopting the output with cosmetic changes, without grounding the design in a coherent pedagogical theory or ensuring it reflects the instructor's scholarly expertise." }, "description": { "description": "Provide AI with detailed instructional design context: course level and credit hours, student profile and prerequisite knowledge, program-level learning outcomes the course must serve, your pedagogical philosophy, assessment philosophy, any accreditation or institutional constraints, and the thematic arc you want the course to trace. 
Precision in the brief yields useful scaffolding.", "example": "Prompt: 'Help me draft learning objectives for a 3-credit upper-division course on algorithmic bias. Students are CS seniors with strong technical backgrounds but limited social science exposure. Program outcome: graduates can evaluate the societal impact of technology systems. I want the course to move from conceptual foundations (weeks 1-4) to case analysis (weeks 5-10) to policy and design response (weeks 11-14). Use Bloom's Taxonomy verbs appropriate to the upper-division level.'", "antipattern": "Prompting: 'Write learning objectives for a course on AI ethics.' Without specifying student level, program context, Bloom's taxonomy tier, or the course's theoretical arc, AI produces generic objectives that could apply to any course at any level and serve no specific program outcome." }, "discernment": { "description": "Evaluate AI-generated course design elements against pedagogical soundness, alignment to Bloom's Taxonomy, internal coherence, and fit with your students' actual preparation. Check that assessment types genuinely measure the stated learning objectives, that the workload is realistic, and that reading suggestions are current, credible, and accessible to your student population.", "example": "An instructor reviews AI-generated weekly learning objectives and notices three of them are knowledge-level objectives (define, identify, list) in weeks designed for upper-division analysis. She revises them upward to analysis and evaluation verbs to match the cognitive demand appropriate for the course level.", "antipattern": "Adopting AI-generated course syllabi and assessment designs without checking internal alignment — using multiple-choice exams to assess objectives that require critical analysis, or setting a reading workload that AI estimated without accounting for the actual length and density of the suggested texts." 
}, "diligence": { "description": "Verify the accuracy of all factual content AI contributes to course materials. Document the AI's role in course design per your institution's academic integrity and transparency policies. Ensure the final course design meets accreditation requirements, reflects current disciplinary knowledge, and embodies your own scholarly judgment and professional responsibility as the instructor of record.", "example": "A faculty member building a new public health law course uses AI to draft a draft syllabus framework, then spends three hours reviewing it against her institution's course approval criteria, the program's accreditation standards, and current public health law scholarship — revising heavily before submission for curricular approval.", "antipattern": "Submitting an AI-generated course proposal to a curriculum committee without personally verifying that the proposed learning objectives meet accreditation standards, that the reading list contains accurate and current citations, or that the assessment strategy is pedagogically defensible under institutional review." 
} }, "score_hints": { "delegation": 0.2, "description": 0.3, "discernment": 0.25, "diligence": 0.25 }, "summary": "AI can accelerate the scaffolding work of course design: generating draft learning objectives from a topic brief, suggesting module sequencing options, proposing assessment formats, brainstorming read", "tags": [ "course-design", "curriculum", "higher-education", "instructional-design" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Instructor delegates curriculum scaffolding, provides learning goals and constraints, evaluates AI-drafted structure, then approves — looping back to description if pedagogical alignment is off.", "sequence": [ { "step": 1, "d": "delegation", "label": "Agree on AI's curriculum design role", "example_prompts": [ { "speaker": "human", "text": "Help me design a 10-week course on data literacy. You propose the weekly themes — I'll adjust." }, { "speaker": "ai", "text": "Should I sequence from concepts to tools, or mix both throughout?" }, { "speaker": "human", "text": "Concepts first, tools introduced in week 4 after foundations are set." } ], "triggers_next": "AI's design role and pedagogical sequencing approach agreed." }, { "step": 2, "d": "description", "label": "Provide learning outcomes and constraints", "example_prompts": [ { "speaker": "human", "text": "Students are undergraduates with no statistics background. By week 10 they should be able to read and critique a published data study." }, { "speaker": "ai", "text": "Should I include assessment design or only the content structure?" }, { "speaker": "human", "text": "Include weekly assessments — short, formative, no exams." } ], "triggers_next": "AI has learner profile, outcomes, and assessment approach." 
}, { "step": 3, "d": "discernment", "label": "Evaluate curriculum structure", "example_prompts": [ { "speaker": "human", "text": "Week 6 introduces regression too early — students won't have the algebra foundation yet." }, { "speaker": "ai", "text": "I can move regression to week 8 and use week 6 for data visualization instead." }, { "speaker": "human", "text": "Do that. Also add a prerequisite check activity in week 1." } ], "triggers_next": "Curriculum validated for pedagogical soundness.", "loop_back": { "to": "description", "condition": "Curriculum consistently misaligns with stated learning outcomes or student level.", "reason": "Learning goals or student profile constraints need to be re-specified." } }, { "step": 4, "d": "diligence", "label": "Approve and document", "example_prompts": [ { "speaker": "human", "text": "Department curriculum committee reviews and approves the final structure." }, { "speaker": "human", "text": "Filing AI-assisted design notes in the course development record." } ], "triggers_next": "Curriculum approved. Cycle restarts when course is revised.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Design role and sequencing approach agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers curriculum draft." }, { "from": "discernment", "to": "diligence", "trigger": "Structure validated." 
}, { "from": "discernment", "to": "description", "trigger": "Persistent misalignment — re-specify goals.", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "Course revision cycle — restart.", "is_cycle_restart": true } ] } }, { "id": "lesson-planning", "framework_id": "4d-framework", "title": "AI-Assisted Lesson Planning for Educators", "domain": "education", "file": "education-lesson-planning.yaml", "dimensions": { "delegation": { "description": "Identify which lesson planning elements AI can accelerate versus which require the teacher's direct professional judgment. AI handles well: generating activity ideas, drafting discussion questions, suggesting differentiation strategies, proposing assessment rubrics, and creating example problems. Teachers must retain: selecting content aligned to standards, setting the pedagogical arc across a unit, understanding individual student needs, and making final instructional decisions.", "example": "A 7th-grade science teacher asks AI to generate five hands-on activity ideas for a lesson on cellular respiration at a middle school level, then selects the one that fits her lab budget and her students' prior knowledge, adapts it to her pacing, and writes her own formative assessment questions.", "antipattern": "Pasting an AI-generated full lesson plan directly into the school's curriculum system without reviewing it for standard alignment, age appropriateness, or fit with the specific class's learning trajectory — treating AI as a replacement for pedagogical expertise rather than a brainstorming assistant." }, "description": { "description": "Provide AI with specific instructional context: subject and grade level, concrete learning objectives tied to standards, the students' current skill level and prior knowledge, the available time and resources, the preferred pedagogical approach, and any accessibility or differentiation needs. 
Generic requests produce generic plans.", "example": "Prompt: 'Help me plan a 50-minute 8th-grade ELA lesson on identifying unreliable narrators. Students have read chapters 1-5 of The Outsiders. Objective: students can cite textual evidence to explain how Ponyboy's perspective limits the reader's understanding of events. Pedagogy: discussion-based with a short collaborative activity. Class includes 3 ELL students and 2 students with reading IEPs.'", "antipattern": "Prompting: 'Write a lesson plan about unreliable narrators for middle school.' This produces a generic template disconnected from the specific text students are reading, the actual learning objective, the class's composition, and the teacher's instructional context." }, "discernment": { "description": "Evaluate AI-generated lesson plans and activities critically before adopting them. Check standard alignment, age appropriateness of content and vocabulary, timing realism, whether suggested activities match your students' actual readiness, and whether the pedagogical sequence makes instructional sense. AI does not know your students; you do.", "example": "A teacher reviews an AI-generated lesson plan and notices the suggested 'exit ticket' question requires inferential reasoning two grade levels above her current class's demonstrated ability. She replaces it with a scaffolded sentence-starter version that matches where her students actually are.", "antipattern": "Implementing AI-suggested activities without mentally simulating how your specific students will respond — discovering mid-lesson that the activity assumes prior knowledge students don't have, or that the timing estimate was wildly optimistic for the class's working pace." }, "diligence": { "description": "Maintain professional responsibility for every lesson you deliver. 
Verify that AI-suggested content is factually accurate, that activities are safe and appropriate for your students, and that lesson plans meet the curricular standards your students are accountable for. Your professional judgment is the final quality gate, not the AI.", "example": "An educator uses AI-generated lesson scaffolding as a starting framework, then personally verifies that all factual content aligns with state science standards, removes an activity that requires materials not available in her classroom, and adds a culturally responsive example relevant to her students' community.", "antipattern": "Delivering an AI-generated lesson that contains a factual error (e.g., an incorrect historical date or a flawed science explanation) because the teacher assumed the AI's content was accurate and did not independently verify it before presenting it to students." } }, "score_hints": { "delegation": 0.25, "description": 0.3, "discernment": 0.25, "diligence": 0.2 }, "summary": "Identify which lesson planning elements AI can accelerate versus which require the teacher's direct professional judgment. AI handles well: generating activity ideas, drafting discussion questions, su", "tags": [ "education", "lesson-planning", "pedagogy", "curriculum" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "linear", "description": "Teacher delegates lesson scaffolding, provides class context and learning objective, evaluates the AI plan, then uses it in class — single pass per lesson.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define AI's lesson design role", "example_prompts": [ { "speaker": "human", "text": "Draft a 45-minute lesson plan on photosynthesis for 8th graders. You propose the activities." }, { "speaker": "ai", "text": "Should I include a hands-on activity or keep it lecture and discussion?" 
}, { "speaker": "human", "text": "Include one hands-on activity — the class has lab access." } ], "triggers_next": "AI's design role and activity type agreed." }, { "step": 2, "d": "description", "label": "Provide class context and objectives", "example_prompts": [ { "speaker": "human", "text": "Class of 28 students, mixed ability. Objective: understand the light-dependent reactions. Prior knowledge: cell structure." }, { "speaker": "ai", "text": "Any students with specific accessibility needs I should account for?" }, { "speaker": "human", "text": "One student uses screen-reader-compatible materials — flag anything visual-only." } ], "triggers_next": "AI has class profile, objective, and accessibility constraints." }, { "step": 3, "d": "discernment", "label": "Evaluate lesson plan quality", "example_prompts": [ { "speaker": "human", "text": "The lab activity takes 20 minutes but the setup alone is 10 — tighten it." }, { "speaker": "ai", "text": "I can use a pre-setup version with materials already in place. Reduces activity time to 12 minutes." }, { "speaker": "human", "text": "Good — and flag the visual diagram for accessibility adaptation." } ], "triggers_next": "Lesson plan validated for timing and inclusivity." }, { "step": 4, "d": "diligence", "label": "Approve and deliver", "example_prompts": [ { "speaker": "human", "text": "Head of department reviews lesson plan — approved." }, { "speaker": "human", "text": "Noting AI-drafted plan in the lesson record for reflection." } ], "triggers_next": "Lesson delivered. New lesson requires a fresh cycle." } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Design role and activity type agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers lesson plan." }, { "from": "discernment", "to": "diligence", "trigger": "Plan validated." 
}, { "from": "diligence", "to": "delegation", "trigger": "New lesson — fresh cycle.", "is_cycle_restart": true } ] } }, { "id": "student-career-planning", "framework_id": "4d-framework", "title": "Student Career Planning with AI", "domain": "education", "file": "education-student-career-planning.yaml", "dimensions": { "delegation": { "description": "Students can productively delegate to AI: resume drafting from bullet points they supply, generating practice interview questions for a target role, exploring career paths in an unfamiliar field, drafting cover letter frameworks, and researching industry norms. Students must retain: decisions about which opportunities align with their values and goals, truthful representation of their own experiences, and final responsibility for all submitted application materials.", "example": "A college junior asks AI to suggest ten career paths where her combination of biology major and data analytics minor would be valued, then researches the top three that interest her and uses that understanding to craft her own narrative about why she is pursuing biostatistics.", "antipattern": "Having AI write a cover letter that fabricates or exaggerates the student's experiences, then submitting it as an accurate representation — or using AI to answer interview questions on the student's behalf via an earpiece during a live interview." }, "description": { "description": "Share with AI your actual skills, experiences, target roles, industry context, career constraints, and personal goals. The more accurately you describe yourself and your situation, the more useful the AI's suggestions will be. Vague or inflated self-descriptions lead to advice that fits a fictional version of you, not your real situation.", "example": "Prompt: 'I'm a 3rd-year environmental engineering student with a 3.4 GPA, one summer internship at a municipal water authority doing stormwater modeling, and a Python project analyzing local air quality data. 
I want to work in climate tech after graduation, preferably at a company working on water or air quality monitoring. Help me identify specific entry-level roles to target and the skills I should develop this year.'", "antipattern": "Prompting: 'I'm a student who wants a good job in tech. What should I do?' This produces generic career advice applicable to millions of people and useless for the student's actual situation, skills, and industry interest." }, "discernment": { "description": "Evaluate AI career advice critically. Verify that suggested roles actually exist and match what you want. Check salary ranges and job market realities against current sources like Bureau of Labor Statistics data or industry salary surveys, not just AI assertions. Assess whether AI suggestions genuinely fit your personal values, lifestyle needs, and long-term goals — not just what sounds impressive.", "example": "A student receives AI-generated advice suggesting she pursue a specific niche certification. She researches the certification independently, reads LinkedIn profiles of people who hold it, talks to two professionals in the field, and determines the certification is valued by only one employer segment — not the area she actually wants to work in.", "antipattern": "Following AI career advice without verification — enrolling in a bootcamp AI recommended, discovering it is not recognized by employers in the target field, or pursuing a role because AI said it pays well without checking current market data or speaking with anyone actually working in that field." }, "diligence": { "description": "Own every career decision you make. AI is a thinking partner, not a career counselor with knowledge of your full life context. Build your own understanding of your field. Ensure all application materials truthfully represent your actual experiences. 
Develop a personal policy for how you use AI in your professional development so your skills and judgment grow alongside your AI fluency.", "example": "A student uses AI to generate a list of potential resume bullet points based on her internship activities, then rewrites each one in her own voice, ensures they accurately reflect what she did, and has her university career center review the final document — treating AI as a drafting scaffold, not the author.", "antipattern": "Submitting AI-generated job applications with exaggerated credentials, relying entirely on AI career advice without informational interviews or real-world research, or using AI so heavily in application writing that the student cannot speak authentically about the experiences described in their own materials." } }, "score_hints": { "delegation": 0.25, "description": 0.3, "discernment": 0.25, "diligence": 0.2 }, "summary": "Students can productively delegate to AI: resume drafting from bullet points they supply, generating practice interview questions for a target role, exploring career paths in an unfamiliar field, draf", "tags": [ "career-planning", "student", "resume", "professional-development" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Advisor delegates initial career path research, provides student profile, evaluates AI recommendations for fit, then presents to student — looping back if recommendations miss the student's actual goals.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define AI's research role", "example_prompts": [ { "speaker": "human", "text": "Research career options for a student interested in environmental science with a data analytics minor." }, { "speaker": "ai", "text": "Should I focus on entry-level roles or also include graduate pathways?" 
}, { "speaker": "human", "text": "Both — the student hasn't decided on grad school yet." } ], "triggers_next": "Research scope and career path types agreed." }, { "step": 2, "d": "description", "label": "Provide student profile and goals", "example_prompts": [ { "speaker": "human", "text": "GPA 3.4, strong in statistics, weaker in field work. Interested in policy impact, not just research." }, { "speaker": "ai", "text": "Should I weight roles that offer remote work options?" }, { "speaker": "human", "text": "Yes — student is geographically constrained for the next 2 years." } ], "triggers_next": "AI has full student profile and constraint set." }, { "step": 3, "d": "discernment", "label": "Evaluate career path recommendations", "example_prompts": [ { "speaker": "human", "text": "Option 3 (field monitoring) doesn't fit — student has limited mobility." }, { "speaker": "ai", "text": "Replacing with environmental data analyst roles at NGOs — policy-adjacent and remote-friendly." }, { "speaker": "human", "text": "Good. Option 5 seems too senior for entry-level — adjust expectations." } ], "triggers_next": "Recommendations validated for fit and realistic expectations.", "loop_back": { "to": "description", "condition": "Recommendations consistently miss student's stated values or constraints.", "reason": "Student profile needs richer goal or constraint detail." } }, { "step": 4, "d": "diligence", "label": "Present to student and document", "example_prompts": [ { "speaker": "human", "text": "Presenting AI-curated options to the student — student picks two to explore." }, { "speaker": "human", "text": "Documenting the advisory session and noting which options were AI-generated." } ], "triggers_next": "Session complete. Next advising session begins new cycle.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Research scope agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers career options." 
}, { "from": "discernment", "to": "diligence", "trigger": "Options validated for fit." }, { "from": "discernment", "to": "description", "trigger": "Recommendations miss goals — re-profile student.", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "Next advising session — restart.", "is_cycle_restart": true } ] } }, { "id": "ai-ethics-board-setup", "framework_id": "wef-responsible-ai", "title": "AI Ethics Board Setup", "domain": "enterprise", "file": "enterprise-ai-ethics-board-setup.yaml", "dimensions": { "strategy": { "description": "The ethics board's mandate is grounded in the organization's AI strategy — it exists to protect the organization's stated values and purpose, not to slow down deployment. The strategic framing determines what questions the board is designed to answer.\n", "example": "CEO: \"We want an AI ethics board. But I need it to help us move responsibly, not to be a blocker.\" AI: \"That framing is exactly right — and it should be written into the board's charter. The WEF Playbook frames an ethics board as a 'responsible acceleration' function: its job is to identify and resolve ethical risks early, when changes are cheap, not to review finished products. Define two things in the charter: (1) The board's purpose — protect the organization's stated values in AI deployment. 
(2) The board's success metric — time from ethics flag to resolution, not number of deployments blocked.\"\n", "antipattern": "Creating an ethics board whose implicit purpose is to say 'no' to AI initiatives — producing a governance structure that is adversarial to the product teams it is supposed to guide.\n" }, "governance": { "description": "The board's governance structure is designed with clear composition, real decision authority, defined escalation paths, and a cadence that can keep pace with the organization's AI deployment rhythm.\n", "example": "AI: \"For an ethics board with real authority, four design decisions: (1) Composition — include external independent members (at least 30%) who are not employees and have no financial interest in deployment speed. (2) Authority — the board must have explicit pause authority for deployments that fail ethics review; advisory-only boards are theater. (3) Escalation — define who the board escalates to when deadlocked: CEO, audit committee, or both. (4) Cadence — standing monthly meeting plus an async channel for urgent reviews that cannot wait 30 days. What is the fastest your organization currently ships an AI feature? That rhythm determines the async review SLA.\"\n", "antipattern": "Designing an ethics board that meets quarterly and has a 60-day review cycle — making it structurally unable to influence AI deployments that ship on a 2-week sprint cycle.\n" }, "risk-ethics": { "description": "The board's scope covers the full ethical risk landscape — not just fairness and bias, but mission alignment, societal impact, dual-use risks, and the ethical implications of what the organization chooses not to build.\n", "example": "Human: \"What ethical risks should the board be able to review?\" AI: \"The WEF Playbook identifies five ethical risk categories that the board should own: (1) Fairness and discrimination — AI that produces disparate outcomes for protected groups. 
(2) Privacy and surveillance — AI that collects or infers more than necessary. (3) Mission alignment — AI that serves financial objectives at the expense of the organization's stated purpose. (4) Dual-use — AI that could be used for purposes the organization has not sanctioned. (5) Systemic risk — AI at scale that could harm markets, democracies, or public trust even if individual uses are benign. Define which categories require mandatory board review versus optional escalation.\"\n", "antipattern": "Limiting the ethics board's scope to fairness and bias metrics — the most measurable risk category — while omitting mission alignment, dual-use, and systemic risks that are harder to quantify but often more consequential.\n" }, "implementation": { "description": "The ethics board is integrated into the development workflow through a defined review gate — triggered by risk criteria, not by voluntary submission — and is supported by a lightweight intake process that product teams can actually use.\n", "example": "AI: \"For workflow integration, define two review triggers: (1) Mandatory review — any AI feature that: (a) affects a decision about an individual (hiring, lending, healthcare, benefits); (b) involves sensitive data categories; (c) is deployed at scale (>100,000 users); or (d) is in a new domain or use case not previously reviewed. (2) Voluntary review — product teams can escalate any AI feature they have questions about. Design a one-page intake form: describe the AI, its users, its decisions, and the three ethical risks you see. That form is the only pre-meeting requirement. 
The board reviews the form before the meeting and asks questions — not a presentation, a conversation.\"\n", "antipattern": "Requiring product teams to prepare a 20-page ethics impact assessment before requesting board review — creating a bureaucratic burden that incentivizes teams to find reasons their product does not require review.\n" }, "accountability": { "description": "The board's decisions and reasoning are documented and disclosed — to the organization, to regulators, and in some cases to the public — creating an accountability record that demonstrates responsible AI governance in practice.\n", "example": "AI closes the setup cycle: \"Board accountability mechanisms: (1) Decision log — every board decision (approve, approve-with-conditions, pause, reject) is logged with a one-paragraph rationale. The log is reviewed quarterly by the audit committee. (2) Annual ethics report — the board chair presents an annual summary to the board of directors: how many reviews, how many conditions imposed, how many pauses, and what systemic themes emerged. (3) External disclosure — the organization's annual responsible AI report includes a summary of ethics board activity. 
(4) Whistleblower pathway — employees can escalate concerns about AI deployments directly to the board chair, bypassing the product team.\"\n", "antipattern": "Operating an ethics board whose deliberations and decisions are entirely internal and undisclosed — making it impossible for external stakeholders, regulators, or the public to assess whether the board is functioning effectively.\n" } }, "score_hints": { "strategy": 0.2, "governance": 0.25, "risk-ethics": 0.2, "implementation": 0.25, "accountability": 0.1 }, "summary": "", "tags": [ "ethics-board", "enterprise", "wef", "responsible-ai", "governance" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Board mandate is grounded in organizational AI strategy → governance structure with real authority is designed → ethical risk scope is defined across five categories → review gate is integrated into the development workflow → accountability mechanisms make board impact visible. Loops back to governance if implementation reveals the board's cadence cannot keep pace with the deployment rhythm.\n", "sequence": [ { "step": 1, "d": "strategy", "label": "Ground the board mandate in AI strategy", "example_prompts": [ { "speaker": "human", "text": "Leadership has approved an AI ethics board. How do we frame its mandate?" }, { "speaker": "ai", "text": "Write the mandate in the charter with two sentences: (1) Purpose — 'The AI Ethics Board exists to ensure that the organization's AI deployments are consistent with its stated values of [X] and its commitments to [Y].' Fill in the actual values and commitments from the AI strategy document. (2) Success metric — 'The board's effectiveness is measured by the time from ethics flag to resolution, and by the quality of responsible AI practices embedded in the development process — not by the number of deployments reviewed or blocked.' 
This framing makes the board a collaborator with product teams, not a gatekeeper." }, { "speaker": "human", "text": "Mandate drafted: purpose tied to organizational values, success metric is resolution speed and practice quality." } ], "triggers_next": "Board mandate drafted with strategic grounding and success metric." }, { "step": 2, "d": "governance", "label": "Design composition, authority, escalation, and cadence", "example_prompts": [ { "speaker": "human", "text": "Who should be on the board and how often should it meet?" }, { "speaker": "ai", "text": "Composition: 5-7 members — (1) 2 external independent members with AI ethics, law, or civil society expertise; no financial stake in the organization. (2) 1 customer or community representative if the AI affects external stakeholders at scale. (3) Chief Ethics or Responsible AI Officer as chair. (4) Representatives from legal, product, and data science in a non-voting advisory capacity. Authority: the board has explicit pause authority for any mandatory-review deployment; decisions require majority vote. Escalation: deadlock goes to CEO within 48 hours. Cadence: monthly standing meeting (2 hours) plus an async Slack or email channel for urgent reviews with a 72-hour SLA. The async channel is the most important operational design decision — it is what makes the board usable at sprint speed." }, { "speaker": "human", "text": "Five-member board approved including two external members. Async channel with 72-hour SLA confirmed." } ], "triggers_next": "Governance structure approved: composition, authority, escalation, and cadence defined.", "loop_back": { "to": "governance", "condition": "Implementation reveals the 72-hour async SLA cannot be met with the current member workload — cadence requires redesign.", "reason": "A board that cannot operate at deployment speed is structurally ineffective — governance must be re-designed." 
} }, { "step": 3, "d": "risk-ethics", "label": "Define the board's ethical risk scope", "example_prompts": [ { "speaker": "human", "text": "What should the board be able to review — and what is out of scope?" }, { "speaker": "ai", "text": "In scope — mandatory review triggers: (1) AI decisions about individuals in regulated domains (employment, credit, healthcare, benefits, criminal justice). (2) AI involving sensitive data (health, biometric, financial, children's data). (3) AI deployed to more than 100,000 users. (4) AI in a new domain not previously reviewed. (5) AI with identified dual-use potential. Optional escalation — any AI feature a product team has questions about. Out of scope — AI infrastructure (APIs, databases) with no direct user-facing decision function; AI for internal analytics with no individual impact. Publish the in/out scope criteria so product teams can self-assess." }, { "speaker": "human", "text": "Scope criteria approved and published to all product teams." } ], "triggers_next": "Ethical risk scope defined and published." }, { "step": 4, "d": "implementation", "label": "Integrate the review gate into the development workflow", "example_prompts": [ { "speaker": "human", "text": "How do we make the ethics review part of the standard development process?" }, { "speaker": "ai", "text": "Three integration points: (1) Design gate — at the point where a product manager writes the AI feature specification, they complete the one-page ethics intake form and self-assess against the mandatory review criteria. If criteria are met, they submit to the board — this is not optional. (2) Pre-deployment gate — the deployment checklist includes a confirmation field: 'Ethics board review completed (date) or ethics criteria not triggered (rationale).' No deployment proceeds without one of the two. (3) Post-deployment monitoring — for features approved with conditions, the product team reports back to the board at 90 days with outcome data. 
The intake form is the key friction point — keep it to one page or adoption will fail." }, { "speaker": "human", "text": "One-page intake form finalized. Design gate and deployment checklist updated. Engineering VP signed off." } ], "triggers_next": "Ethics review gate integrated into design and deployment workflow." }, { "step": 5, "d": "accountability", "label": "Design decision logging and external disclosure", "example_prompts": [ { "speaker": "human", "text": "How do we show externally that the ethics board is working?" }, { "speaker": "ai", "text": "Four accountability mechanisms: (1) Decision log — every board decision logged with: date, feature reviewed, decision (approve/approve-with-conditions/pause/reject), one-paragraph rationale. Log reviewed quarterly by the audit committee. (2) Annual ethics report to the board of directors — chair presents: total reviews, condition rate, pause rate, systemic themes (e.g., 'fairness in hiring AI was the most common concern in Q3'). (3) External disclosure — the organization's responsible AI report includes a summary of board activity — not individual case details, but aggregate statistics and themes. (4) Employee escalation pathway — employees can submit concerns directly to the board chair email; all submissions acknowledged within 5 business days." }, { "speaker": "human", "text": "Decision log template created. Annual report to board of directors committed. Employee escalation email established." } ], "triggers_next": "Accountability mechanisms operational; board launched.", "can_restart": true } ], "transitions": [ { "from": "strategy", "to": "governance", "trigger": "Board mandate drafted with strategic grounding." }, { "from": "governance", "to": "risk-ethics", "trigger": "Governance structure approved." }, { "from": "risk-ethics", "to": "implementation", "trigger": "Ethical risk scope defined and published." 
}, { "from": "implementation", "to": "governance", "trigger": "Cadence cannot match deployment rhythm — redesign governance.", "is_loop_back": true }, { "from": "implementation", "to": "accountability", "trigger": "Review gate integrated into workflow." }, { "from": "accountability", "to": "strategy", "trigger": "Annual review — reassess board mandate against strategic evolution.", "is_cycle_restart": true } ] } }, { "id": "ai-fairness-audit", "framework_id": "oecd-ai-principles", "title": "AI Fairness Audit", "domain": "enterprise", "file": "enterprise-ai-fairness-audit.yaml", "dimensions": { "inclusive-growth": { "description": "The audit assesses whether the AI system distributes its benefits and burdens equitably across demographic groups — identifying which groups are systematically advantaged or disadvantaged by the system's outputs.\n", "example": "Audit lead: \"Our hiring AI has been in production for 18 months. The audit starts with distribution: are qualified candidates from all demographic groups advancing through the funnel at equivalent rates?\" AI: \"To measure equitable distribution, I need three datasets: application pool demographics, advancement rates at each stage, and baseline qualification rates by group. With these, I can compute disparity ratios and identify where in the funnel disparities concentrate.\"\n", "antipattern": "Auditing only aggregate accuracy metrics (overall precision, recall) without disaggregating results by protected group — missing systematic disparities that are invisible in aggregate statistics.\n" }, "human-centred": { "description": "The audit verifies that the system respects fundamental rights — particularly non-discrimination — and that its design choices are consistent with democratic values and human dignity.\n", "example": "AI: \"Beyond disparity metrics, the human-centred audit should check: (1) What proxy variables does the model use that correlate with protected characteristics? 
(2) Is there a mechanism for candidates to challenge AI-assisted decisions? (3) Are decision criteria consistent with applicable non-discrimination law in every deployment jurisdiction?\"\n", "antipattern": "Treating the fairness audit as purely statistical, without examining whether the system's design choices (features selected, objectives optimized) are themselves ethically justified.\n" }, "transparency": { "description": "The audit produces findings that are explainable to affected individuals and decision-makers — not just technical reports for data scientists. Affected candidates should be able to understand how the AI influenced their outcome.\n", "example": "Human: \"The audit found that 'years of continuous employment' is a top predictive feature. Is that explainable to affected candidates?\" AI: \"That feature has a disparate impact on candidates who took career breaks for caregiving — disproportionately women. It may also violate applicable employment law. The explanation to a candidate should not just be 'this feature was used' but 'here is how it affected your score and here is how to request a human review.' That requires an explanation interface, not just a technical finding.\"\n", "antipattern": "Publishing an audit report in technical language inaccessible to the affected individuals, HR teams, or regulators — producing compliance theater without genuine transparency.\n" }, "robustness": { "description": "The audit methodology is itself validated — checking for data quality issues, sample size sufficiency, methodology limitations, and whether findings are stable across reasonable parameter variations.\n", "example": "AI: \"Before finalizing the disparity findings, validate the audit methodology: (1) Is the sample size sufficient for statistical significance at the reported group level? (2) Are the demographic labels in the dataset accurate and self-reported? 
(3) Does the disparity ratio change materially if you use a different fairness metric (demographic parity vs. equalized odds)? Audit findings that are sensitive to metric choice need explicit qualification.\"\n", "antipattern": "Presenting audit findings as definitive without assessing the statistical reliability of the methodology — especially for small subgroup populations where sample sizes may be insufficient.\n" }, "accountability": { "description": "The audit produces a remediation plan with named owners, timelines, and success criteria — not just findings. Accountability extends to disclosing the audit to relevant stakeholders and regulators.\n", "example": "AI closes the audit: \"Remediation accountability matrix: (1) Feature removal — 'years of continuous employment' replaced with validated alternative. Owner: ML team. Target: 60 days. (2) Candidate appeals mechanism — human review pathway added to hiring platform. Owner: HR tech. Target: 90 days. (3) Regulatory disclosure — audit report filed with the labor regulator. Owner: legal. Target: 30 days. (4) Re-audit — scheduled 6 months after remediation. 
Owner: audit lead.\"\n", "antipattern": "Completing the audit and circulating the report internally without a remediation plan, owner assignments, or a commitment to re-audit after changes are made.\n" } }, "score_hints": { "inclusive-growth": 0.25, "human-centred": 0.2, "transparency": 0.2, "robustness": 0.2, "accountability": 0.15 }, "summary": "", "tags": [ "fairness-audit", "enterprise", "hiring-ai", "oecd", "compliance" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Equitable distribution analysis identifies disparity patterns by group → human-centred review checks feature choices and rights compliance → findings are translated into explanations accessible to affected parties → audit methodology is validated for robustness → remediation plan with owners and re-audit commitment closes the cycle.\n", "sequence": [ { "step": 1, "d": "inclusive-growth", "label": "Analyze benefit and burden distribution across groups", "example_prompts": [ { "speaker": "human", "text": "Run a fairness audit on our AI hiring tool. Start with distribution." }, { "speaker": "ai", "text": "To compute equitable distribution, I'll need: application pool demographics for the past 12 months, stage-by-stage advancement rates broken out by gender, age band, and ethnicity, and baseline qualification rates by group for external benchmarking. With these three datasets, I can produce disparity ratios at each funnel stage and identify where the AI's influence is concentrated. Can you provide the data or access to the analytics system?" }, { "speaker": "human", "text": "Data is available. Disparity ratios show a 1.4 ratio for women at the technical screen stage." } ], "triggers_next": "Disparity ratios computed; high-disparity stages identified." 
}, { "step": 2, "d": "human-centred", "label": "Review feature design and rights compliance", "example_prompts": [ { "speaker": "human", "text": "The technical screen disparity is concentrated in two features: 'GitHub activity' and 'years of continuous employment.' Is this a rights issue?" }, { "speaker": "ai", "text": "Yes — both features have documented disparate impact on women and caregivers. GitHub activity correlates with unpaid open-source contribution time — structurally unequal across gender and socioeconomic groups. 'Years of continuous employment' penalizes career breaks. In the EU and many US states, using these features without validation of their job-relatedness creates legal exposure under non-discrimination law. Recommendation: immediately flag both features for replacement and document the legal risk finding in the audit report." }, { "speaker": "human", "text": "Legal is reviewing. Flag both features as high-risk in the audit." } ], "triggers_next": "Rights and feature compliance findings documented.", "loop_back": { "to": "inclusive-growth", "condition": "Feature replacement changes the disparity pattern — distribution must be re-measured.", "reason": "Removing a feature can shift disparities to other groups; re-measurement validates the fix." } }, { "step": 3, "d": "transparency", "label": "Translate findings into explanations for affected individuals", "example_prompts": [ { "speaker": "human", "text": "How do we explain the audit findings to the 340 candidates affected in the audit period?" }, { "speaker": "ai", "text": "Three communication levels: (1) Affected candidates — a plain-language notice: 'Our AI screening tool has been audited and found to use criteria that may have disadvantaged some candidates. If you applied in the past 12 months and were rejected at the technical screen, you may request a human review.' (2) HR leadership — the disparity ratio findings with feature attribution. 
(3) Regulators — full technical audit report with methodology. Draft the candidate notice first — that is the most time-sensitive accountability action." }, { "speaker": "human", "text": "Agreed. Draft the candidate notice for HR review." } ], "triggers_next": "Candidate communication drafted; regulatory report scoped." }, { "step": 4, "d": "robustness", "label": "Validate audit methodology and qualify findings", "example_prompts": [ { "speaker": "human", "text": "Is our sample size sufficient? We had 340 cases but some subgroups are small." }, { "speaker": "ai", "text": "For the disparity ratio to be statistically reliable at the 95% confidence level, you need at least 30 cases per subgroup. Check: (1) Women at technical screen — if n < 30, qualify the finding as directional rather than definitive. (2) Intersectional groups (e.g., women of color) may have n < 10 — do not report disparity ratios for these subgroups; note the gap as a data limitation requiring a larger longitudinal study. This qualification protects the audit from being challenged on statistical grounds." }, { "speaker": "human", "text": "Women n=68 — sufficient. Intersectional groups n=12 — will qualify." } ], "triggers_next": "Methodology validated; findings qualified where necessary." }, { "step": 5, "d": "accountability", "label": "Issue remediation plan with owners and re-audit commitment", "example_prompts": [ { "speaker": "human", "text": "How do we close the audit with clear accountability?" }, { "speaker": "ai", "text": "Audit close accountability matrix: (1) Feature replacement — ML team removes 'GitHub activity' and 'continuous employment' and runs validation test before re-deployment. Target: 60 days. (2) Candidate appeals — HR tech adds human review pathway to rejected candidates. Target: 90 days. (3) Candidate notice — sent within 14 days of audit approval. (4) Regulatory disclosure — full report filed with relevant labor authority within 30 days. 
(5) Re-audit — scheduled 6 months after feature changes are deployed. All items require sign-off from CHRO before the audit is closed." }, { "speaker": "human", "text": "CHRO signed off. Audit closed with remediation plan." } ], "triggers_next": "Audit closed with remediation plan, regulatory disclosure, and re-audit date.", "can_restart": true } ], "transitions": [ { "from": "inclusive-growth", "to": "human-centred", "trigger": "Disparity ratios computed and high-disparity stages identified." }, { "from": "human-centred", "to": "inclusive-growth", "trigger": "Feature replacement changes disparity pattern — re-measure.", "is_loop_back": true }, { "from": "human-centred", "to": "transparency", "trigger": "Rights and feature compliance findings documented." }, { "from": "transparency", "to": "robustness", "trigger": "Candidate communication drafted; regulatory report scoped." }, { "from": "robustness", "to": "accountability", "trigger": "Methodology validated and findings qualified." }, { "from": "accountability", "to": "inclusive-growth", "trigger": "Re-audit cycle begins 6 months after remediation.", "is_cycle_restart": true } ] } }, { "id": "ai-incident-response", "framework_id": "nist-ai-rmf", "title": "AI Incident Response", "domain": "enterprise", "file": "enterprise-ai-incident-response.yaml", "dimensions": { "govern": { "description": "The incident response governance structure is activated: the incident commander is identified, escalation thresholds are applied, and the AI system's risk owner is notified and engaged within the defined SLA.\n", "example": "Incident commander: \"The AI-generated customer communication contained incorrect legal information sent to 2,300 customers. I'm activating our AI incident protocol. Risk owner and legal are notified. 
Severity is High — system is paused pending investigation.\"\n", "antipattern": "Treating an AI incident as a software bug fix without activating risk governance — allowing the response to be owned by engineering alone, without legal, compliance, or leadership involvement.\n" }, "map": { "description": "The team maps the incident: what the AI did, which customers or systems were affected, what data was involved, whether regulatory notification is triggered, and what caused the failure.\n", "example": "AI: \"Based on the incident log, I can help map four dimensions: (1) Output scope — what was generated and sent. (2) Affected population — who received it and any vulnerable groups. (3) Root cause candidates — model error, prompt injection, data pipeline issue, or deployment configuration. (4) Regulatory triggers — do breach notification or AI incident reporting obligations apply? Which do you want to map first?\"\n", "antipattern": "Jumping to root cause analysis before scoping who was affected — fixing the technical problem while customers remain harmed and notifications are delayed.\n" }, "measure": { "description": "The team quantifies the incident's impact: number of affected parties, severity of harm, legal exposure, reputational damage potential, and the likelihood of recurrence without remediation.\n", "example": "Human: \"Legal says the incorrect information could expose us to consumer protection complaints. How do we measure the legal risk?\" AI: \"Measure it along two axes: (1) Volume — 2,300 affected customers is above most jurisdictions' mandatory notification thresholds. (2) Materiality — if any customer acted on the incorrect information (e.g., missed a deadline), individual harm is material. 
Pull a sample of 50 customers for a harm survey before filing the incident report.\"\n", "antipattern": "Reporting an incident as \"low impact\" based on the volume alone without assessing whether individual harm occurred — underestimating legal exposure.\n" }, "manage": { "description": "The team executes the response: customer remediation, regulatory notification if required, root cause fix, system restart protocol, and a post-incident review that updates the risk register and governance policy.\n", "example": "AI closes the response: \"Here is the remediation matrix: (1) Customer remediation — correction notice sent within 24 hours, owner: customer success. (2) Regulatory notification — filed within 72 hours if notification is triggered, owner: legal. (3) Root cause fix — output validation layer added to the prompt pipeline, owner: engineering. (4) Post-incident review — scheduled for next week, output feeds back into the risk register, owner: risk lead.\"\n", "antipattern": "Closing the incident after the technical fix without conducting a post-incident review — missing the governance improvement loop and allowing the same failure to recur.\n" } }, "score_hints": { "govern": 0.3, "map": 0.25, "measure": 0.2, "manage": 0.25 }, "summary": "", "tags": [ "incident-response", "enterprise", "ai-governance", "risk-management" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Governance activates the incident protocol and escalates within SLA → the team maps affected scope, root cause candidates, and regulatory triggers → impact is measured across volume, severity, and legal dimensions → remediation is executed with owners and timelines, and a post-incident review closes the loop back into governance. 
Loops back to Map if new affected parties are discovered during measurement.\n", "sequence": [ { "step": 1, "d": "govern", "label": "Activate incident governance and escalate", "example_prompts": [ { "speaker": "human", "text": "Our AI recommendation engine served a batch of incorrect outputs to users this morning. We're seeing complaints. What's the first step?" }, { "speaker": "ai", "text": "First, activate your AI incident protocol: (1) Name an incident commander now — this can't be the engineer who runs the system. (2) Pause the AI system if you can't immediately determine the scope of incorrect outputs. (3) Notify the AI risk owner within your defined SLA — if you don't have one, escalate to the most senior accountable leader immediately. (4) Open an incident ticket with timestamp. Who is the named incident commander?" }, { "speaker": "human", "text": "I'm taking incident command. Risk owner is the Head of Product. System is paused. Ticket opened at 09:14." } ], "triggers_next": "Incident command activated, system paused, risk owner notified." }, { "step": 2, "d": "map", "label": "Map scope, affected parties, and root cause candidates", "example_prompts": [ { "speaker": "human", "text": "Logs show the model returned outputs outside its expected range for about 400 users between 08:00 and 09:14. Help me map the full scope." }, { "speaker": "ai", "text": "Scope map: (1) Affected users — 400 users received anomalous outputs. Check whether any are in protected categories (minors, healthcare, financial decisions). (2) Data involved — what personal data did the model process for these users? (3) Root cause candidates — A/B test misconfiguration, upstream data pipeline failure, model update without validation, or prompt injection. (4) Regulatory triggers — does your jurisdiction require notification for AI incidents involving personal data? I'd check GDPR Art. 33 and any sector-specific AI incident rules." 
}, { "speaker": "human", "text": "Some users are in the healthcare domain. That changes the severity." } ], "triggers_next": "Affected scope, data categories, and regulatory triggers mapped." }, { "step": 3, "d": "measure", "label": "Measure impact severity and legal exposure", "example_prompts": [ { "speaker": "human", "text": "400 users, healthcare domain, some may have received treatment recommendations. How do we measure this?" }, { "speaker": "ai", "text": "Measure along three axes: (1) Clinical harm potential — did any user receive a recommendation they could have acted on? Pull a sample of 20 outputs and have a clinician review. (2) Legal exposure — healthcare AI incidents in most EU and US jurisdictions trigger mandatory incident reporting. Check your sector regulator. (3) Reputational impact — if this becomes public, what is the narrative risk? Prepare a holding statement now, before any media inquiry. Severity: Critical pending clinical review." }, { "speaker": "human", "text": "Clinical review in progress. Legal filing timeline confirmed: 72 hours." } ], "triggers_next": "Impact severity quantified, legal exposure assessed, notification timeline set.", "loop_back": { "to": "map", "condition": "Measurement reveals additional affected users or data categories not in the initial map.", "reason": "Scope must be updated before regulatory notifications are filed." } }, { "step": 4, "d": "manage", "label": "Execute remediation and close with post-incident review", "example_prompts": [ { "speaker": "human", "text": "Clinical review found no actionable harm, but we're notifying all 400 users. Root cause was a misconfigured A/B test. How do we close?" }, { "speaker": "ai", "text": "Remediation matrix: (1) User notification — send within 24 hours, include what happened and what to do if they acted on the output. Owner: customer success. (2) Regulatory — file incident report to sector regulator within 72-hour window. Owner: legal. 
(3) Technical fix — disable A/B test framework for AI systems until validation gates are added. Owner: engineering, target: today. (4) Post-incident review — scheduled for 5 business days, outputs update the risk register and A/B test governance policy. Owner: you as incident commander. This cycle restarts at the next AI system launch or quarterly AI risk review." }, { "speaker": "human", "text": "Agreed. All four owners confirmed." } ], "triggers_next": "Remediation complete, regulatory filed, post-incident review scheduled.", "can_restart": true } ], "transitions": [ { "from": "govern", "to": "map", "trigger": "Incident command activated and system paused." }, { "from": "map", "to": "measure", "trigger": "Scope, affected parties, and regulatory triggers mapped." }, { "from": "measure", "to": "map", "trigger": "New affected parties or data categories discovered.", "is_loop_back": true }, { "from": "measure", "to": "manage", "trigger": "Impact severity and legal exposure assessed." }, { "from": "manage", "to": "govern", "trigger": "Post-incident review triggers governance policy update — cycle restarts.", "is_cycle_restart": true } ] } }, { "id": "ai-performance-audit", "framework_id": "iso-42001", "title": "AI Management System Performance Audit", "domain": "enterprise", "file": "enterprise-ai-performance-audit.yaml", "dimensions": { "context": { "description": "The audit verifies that the AIMS scope and organizational context remain valid — checking whether changes in the organization's AI footprint, regulatory environment, or stakeholder landscape have rendered the current scope obsolete.\n", "example": "Auditor: \"The AIMS was scoped to five AI systems 12 months ago. We now have eight. Is the scope still valid?\" AI: \"Scope validity check: (1) The three new AI systems must be assessed for inclusion — are they within the AIMS boundary as currently defined? If yes, they are a nonconformity: in-scope systems not covered by the AIMS. 
If no, a scope update is required to explicitly exclude them with documented rationale. (2) Have any new regulations come into force in the past 12 months that affect the AIMS scope? (3) Have any new stakeholders emerged — a new regulator, a new customer segment, a new supplier — who should be in the interested parties register? Document findings for each.\"\n", "antipattern": "Auditing the AIMS against the original scope document without checking whether the scope is still accurate — allowing new AI systems to operate outside the AIMS boundary undetected.\n" }, "leadership": { "description": "The audit verifies that top management commitment is genuine and current — checking whether the AI policy has been reviewed, whether the AI management representative has the authority and resources needed, and whether AI risk appears in executive reporting.\n", "example": "AI: \"Leadership evidence checklist for the audit: (1) AI policy review — was the AI policy reviewed in the past 12 months? Who approved the review? (2) Management representative authority — have there been cases where the AI management representative needed to make a decision and could not due to resource or authority constraints? (3) Executive reporting — pull the last four board or executive reports: does AI risk appear as a standing item? 
If AI risk only appears when there is an incident, governance is reactive, not systematic.\"\n", "antipattern": "Accepting a signed AI policy as evidence of leadership commitment without checking whether the policy has been reviewed, whether the management representative has real authority, and whether AI risk is integrated into executive reporting.\n" }, "planning": { "description": "The audit assesses progress against the AIMS objectives set in the previous planning cycle — verifying that risk treatments were implemented on schedule, that objectives are still measurable, and that the risk register is current.\n", "example": "Human: \"Three AIMS objectives were set last year. How do we audit progress?\" AI: \"For each objective: (1) Is the objective still measurable — is the metric and target still valid, or has it become obsolete due to system changes? (2) What is the current performance against target — provide evidence, not narrative. (3) For objectives not on track — what is the root cause? Was the target unrealistic, was the treatment action not implemented, or did circumstances change? (4) Risk register currency — pull five risk entries at random: are treatment actions implemented? 
Are residual risk ratings still accurate given changes in the past 12 months?\"\n", "antipattern": "Reporting AIMS objectives as 'in progress' without providing quantitative evidence of current performance against target — producing an audit finding that cannot distinguish between genuine progress and stalled implementation.\n" }, "operation": { "description": "The audit samples operational records to verify that documented AIMS processes are being followed in practice — checking model cards, change control logs, incident logs, and supplier documentation.\n", "example": "AI: \"Operational sampling for the audit — pull records for three AI systems deployed in the past 12 months and verify: (1) Model card completeness — does the model card exist, is it current (updated within 30 days of the last material change), and does it contain all required fields? (2) Change control — were there material AI system changes? Was a documented impact assessment completed before deployment? (3) Incident log — are all AI incidents logged? Sample three months and cross-reference with the service desk for unreported incidents. (4) Supplier documentation — are model cards or technical specifications on file for all AI suppliers?\"\n", "antipattern": "Auditing AIMS operational processes by interviewing process owners rather than sampling records — hearing how processes are supposed to work rather than verifying that they actually work.\n" }, "performance": { "description": "The audit produces formal findings, nonconformities, and observations — and feeds these into a management review that produces a written AIMS effectiveness conclusion and an approved corrective action plan.\n", "example": "AI closes the audit cycle: \"Audit summary for management review: Two major nonconformities — (1) Three AI systems deployed in the past 6 months have no model cards (Clause 8, Operation). Root cause: new development team was not trained on AIMS documentation requirements. 
Required action: training completed, retrospective model cards drafted. (2) Risk register not updated for 9 months — two risk treatments overdue (Clause 6, Planning). Required action: risk register reviewed and updated within 30 days. Two observations — scope does not cover three new AI systems; AI policy has not been reviewed in 18 months. Management review must produce a written AIMS effectiveness conclusion and approve corrective action owners and deadlines.\"\n", "antipattern": "Completing the internal audit, identifying nonconformities, and then allowing the management review to be cancelled or deferred — leaving nonconformities without corrective actions and the AIMS without a formal effectiveness determination.\n" } }, "score_hints": { "context": 0.15, "leadership": 0.2, "planning": 0.25, "operation": 0.25, "performance": 0.15 }, "summary": "", "tags": [ "iso-42001", "internal-audit", "enterprise", "performance", "management-review" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "AIMS scope validity is verified against current AI footprint → leadership commitment evidence is checked against four concrete indicators → planning objective progress is assessed with quantitative evidence → operational records are sampled for process conformity → audit findings feed the management review which produces corrective actions and an effectiveness conclusion.\n", "sequence": [ { "step": 1, "d": "context", "label": "Verify AIMS scope validity and context currency", "example_prompts": [ { "speaker": "human", "text": "We're running the annual AIMS internal audit. Start with context." }, { "speaker": "ai", "text": "Scope validity check — four questions: (1) How many AI systems are in production today versus when the scope was last updated? Any new systems must be assessed for AIMS inclusion. 
(2) Have any new regulations come into force affecting the AIMS scope — EU AI Act, sector-specific AI rules? (3) Are all interested parties in the register still current — any new regulators, customers, or suppliers? (4) Has the organizational context changed — mergers, acquisitions, new markets — that affects the AI risk landscape? Document findings for each; scope gaps are a likely nonconformity finding." }, { "speaker": "human", "text": "Three new AI systems not in scope. EU AI Act now applies — not reflected in the AIMS. Two interested parties added." } ], "triggers_next": "Scope validity findings documented — three new systems and regulatory gap identified." }, { "step": 2, "d": "leadership", "label": "Check leadership commitment evidence", "example_prompts": [ { "speaker": "human", "text": "How do we audit leadership commitment beyond checking the signed AI policy?" }, { "speaker": "ai", "text": "Four evidence checks: (1) AI policy review — request the review record: who reviewed it, when, who approved it? If no review in the past 12 months, that is an observation (not a major nonconformity unless the policy is materially outdated). (2) Management representative — interview them: have they had authority or resource constraints in the past 12 months that prevented AIMS decisions? If yes, document specific cases. (3) Executive reporting — review board minutes or executive reports for the past four quarters. Does AI risk appear as a standing agenda item? (4) AIMS budget — was the approved AIMS budget fully allocated? If significant budget was rescinded, that is a leadership commitment finding." }, { "speaker": "human", "text": "AI policy not reviewed in 18 months. Executive reports show AI risk only appears in incident months. Observation documented." } ], "triggers_next": "Leadership commitment evidence assessed; two observations documented." 
}, { "step": 3, "d": "planning", "label": "Assess objective progress and risk register currency", "example_prompts": [ { "speaker": "human", "text": "How do we audit the three AIMS objectives from last year's planning cycle?" }, { "speaker": "ai", "text": "For each objective, pull quantitative evidence: (1) 'All new AI deployments have a model card by Q3' — how many deployments occurred? How many have model cards? If three of six have cards, that is a 50% achievement rate against a 100% target — a major nonconformity. (2) 'Zero unlogged AI incidents by Q2' — cross-reference the incident log with service desk records. Any discrepancy is a nonconformity. (3) 'First internal audit completed by Q4' — we are doing it now, so this objective is met. For the risk register: pull five entries at random and check: are treatment actions implemented? Are target dates past due? Overdue treatment actions are a nonconformity finding." }, { "speaker": "human", "text": "Model card objective: 3 of 6 — major nonconformity. Risk register: two overdue treatments — major nonconformity." } ], "triggers_next": "Two major nonconformities documented from planning audit.", "loop_back": { "to": "context", "condition": "Planning audit reveals that the risk register was not updated when new AI systems were added — scope and planning are linked nonconformities.", "reason": "Linked nonconformities require both context and planning sections to be re-audited together." } }, { "step": 4, "d": "operation", "label": "Sample operational records for process conformity", "example_prompts": [ { "speaker": "human", "text": "Which operational records should we sample for the audit?" }, { "speaker": "ai", "text": "Sample three AI systems deployed in the past 12 months. For each, check: (1) Model card — exists, is current, contains required fields. (2) Change control — pull the change log: were there material changes? Was an impact assessment completed before deployment? 
(3) Incident log — pull the past 6 months. Cross-reference with the service desk: any incidents reported to the service desk but not in the AIMS incident log? (4) Supplier documentation — pull the AI supplier register: do all suppliers have model cards or technical specifications on file? Sampling is sufficient for the audit — you are not required to check every system." }, { "speaker": "human", "text": "Three systems sampled. Two have no model cards — already flagged. One change control record missing impact assessment — additional nonconformity." } ], "triggers_next": "Operational sampling complete — third major nonconformity identified." }, { "step": 5, "d": "performance", "label": "Conduct management review and approve corrective actions", "example_prompts": [ { "speaker": "human", "text": "We have three major nonconformities. How do we close the audit?" }, { "speaker": "ai", "text": "Management review agenda: (1) Audit findings summary — present all three major nonconformities with root cause analysis. Do not just list findings; explain why each occurred. (2) Corrective action approval — for each nonconformity, management approves: the corrective action, the owner, and the target date. Required: (a) Model cards for all six deployments within 30 days; training for new dev team. Owner: AIMS manager. (b) Risk register reviewed and all overdue treatments completed within 30 days. Owner: risk lead. (c) Change control process retrained and missing impact assessment documented retrospectively. Owner: engineering lead. (3) AIMS effectiveness conclusion — management must formally conclude: is the AIMS achieving its intended outcomes? Document the conclusion in the review minutes. (4) Next audit date — set the date for the next internal audit now." }, { "speaker": "human", "text": "Management review complete. Three corrective actions approved with owners. AIMS effectiveness conclusion: Partially Effective — improvement required." 
} ], "triggers_next": "Management review complete; corrective actions approved; next audit date set.", "can_restart": true } ], "transitions": [ { "from": "context", "to": "leadership", "trigger": "Scope validity findings documented." }, { "from": "leadership", "to": "planning", "trigger": "Leadership commitment evidence assessed." }, { "from": "planning", "to": "context", "trigger": "Risk register gap linked to scope — re-audit context.", "is_loop_back": true }, { "from": "planning", "to": "operation", "trigger": "Planning objective progress assessed; nonconformities documented." }, { "from": "operation", "to": "performance", "trigger": "Operational sampling complete." }, { "from": "performance", "to": "context", "trigger": "Next annual audit cycle begins.", "is_cycle_restart": true } ] } }, { "id": "ai-risk-assessment", "framework_id": "nist-ai-rmf", "title": "Enterprise AI Risk Assessment", "domain": "enterprise", "file": "enterprise-ai-risk-assessment.yaml", "dimensions": { "govern": { "description": "Before assessing any risk, the team confirms that governance structures are in place: a named AI risk owner, a defined risk appetite, and a clear mandate for who can accept residual risk.\n", "example": "Risk governance lead: \"Before we map any risks, I need us to confirm three things: who owns this AI system's risk posture, what our risk appetite is for automated decisions in this domain, and what sign-off is required before deployment.\"\n", "antipattern": "Starting a risk assessment without an owner — producing a risk register that no one is accountable for acting on.\n" }, "map": { "description": "The team systematically identifies what the AI system does, who is affected (including non-users), what can go wrong, and where risks originate — distinguishing technical, operational, and societal risks.\n", "example": "AI: \"Based on the system description, I can identify six risk categories: data quality risks affecting prediction accuracy, fairness risks for the 
demographic groups in scope, security risks from adversarial inputs, operational risks from model drift, legal risks from the jurisdiction's AI regulations, and reputational risks from public misperception. Which of these are within scope for this assessment?\"\n", "antipattern": "Mapping only technical risks (model accuracy, latency) and omitting societal, legal, and operational risks that are harder to quantify.\n" }, "measure": { "description": "Each mapped risk is scored for likelihood and impact using consistent criteria. The team uses evidence from testing, historical data, and stakeholder input — not gut feel — to justify scores.\n", "example": "Human: \"The AI flags fairness risk. How do we score likelihood?\" AI: \"I recommend using your testing data: run the model outputs across demographic groups and compare disparity ratios. If the disparity ratio exceeds your defined threshold, likelihood of harm is high regardless of intent.\"\n", "antipattern": "Scoring risks subjectively without evidence — producing scores that reflect the team's optimism rather than the system's actual behavior.\n" }, "manage": { "description": "The team selects a treatment for each measured risk (accept, mitigate, avoid, transfer), documents residual risk, assigns owners, and defines monitoring checkpoints for post-deployment.\n", "example": "Risk owner: \"For the fairness risk — treatment is mitigation via quarterly disparity audits. Owner is the data team lead. Residual risk is accepted at Low. If disparity ratio exceeds threshold, the system is paused pending review.\" AI: \"I'll draft the risk register entry with those fields. 
Do you want me to also generate the monitoring alert specification?\"\n", "antipattern": "Closing a risk entry after selecting mitigation without documenting residual risk or a monitoring trigger — leaving the risk effectively untracked after deployment.\n" } }, "score_hints": { "govern": 0.25, "map": 0.25, "measure": 0.25, "manage": 0.25 }, "summary": "", "tags": [ "risk-assessment", "enterprise", "ai-governance", "pre-deployment" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Governance readiness is confirmed before any risk work begins → risks are mapped across technical, operational, societal, and legal dimensions → each risk is scored using evidence → treatment plans with owners and monitoring triggers are documented. Loops back to Map if measurement reveals unmapped risks.\n", "sequence": [ { "step": 1, "d": "govern", "label": "Confirm governance readiness and risk ownership", "example_prompts": [ { "speaker": "human", "text": "We're about to assess a new loan-decisioning AI. Before we start mapping risks, can you help us confirm what governance needs to be in place?" }, { "speaker": "ai", "text": "Three things need to be confirmed first: (1) Who is the named risk owner with authority to accept or reject deployment? (2) What is your organization's risk appetite for automated decisions in lending — do you have a documented threshold? (3) What approval is required before deployment proceeds? Without these, any risk register we produce will be orphaned." }, { "speaker": "human", "text": "The CRO owns lending AI risk, our appetite is Low for decisions affecting credit access, and deployment requires CRO sign-off plus legal review." } ], "triggers_next": "Risk owner named, appetite defined, approval path confirmed." 
}, { "step": 2, "d": "map", "label": "Map risks across all affected dimensions", "example_prompts": [ { "speaker": "human", "text": "The system uses applicant financial data and a proprietary model to automate 80% of loan decisions. Map the risk landscape." }, { "speaker": "ai", "text": "I'll map six risk categories: (1) Data quality — training data may not reflect current economic conditions. (2) Fairness — automated decisions at scale amplify demographic disparities. (3) Security — model inversion attacks could expose applicant data. (4) Operational — model drift without monitoring could degrade accuracy undetected. (5) Legal — jurisdiction-specific fair lending laws may impose explainability requirements. (6) Reputational — public perception of algorithmic lending decisions. Which require deeper mapping?" }, { "speaker": "human", "text": "Fairness and legal are top priority — map those in detail." } ], "triggers_next": "Risk categories mapped with stakeholders and impact domains identified.", "loop_back": { "to": "map", "condition": "Measurement reveals a risk not captured in the initial map.", "reason": "Scope must be extended before the new risk can be measured." } }, { "step": 3, "d": "measure", "label": "Score each risk using evidence and consistent criteria", "example_prompts": [ { "speaker": "human", "text": "We ran the model on a holdout set. Demographic disparity ratio is 1.34 for one protected group. How do we score this?" }, { "speaker": "ai", "text": "A ratio of 1.34 is above the 1.25 threshold used by most fair lending regulators as a trigger for adverse impact review. Likelihood of harm: High. Impact: High, given the credit access consequences and legal exposure. This scores as a Critical risk — it requires mitigation, not acceptance." }, { "speaker": "human", "text": "What evidence do we need for the legal risk score?" 
}, { "speaker": "ai", "text": "For legal risk, you need a jurisdiction mapping: list every jurisdiction where the system will operate and check each against applicable AI and fair lending regulation. The evidence is the legal review memo, not the model output." } ], "triggers_next": "All priority risks scored with evidence citations." }, { "step": 4, "d": "manage", "label": "Define treatment, residual risk, and monitoring for each risk", "example_prompts": [ { "speaker": "human", "text": "For the fairness risk — what treatment options do we have?" }, { "speaker": "ai", "text": "Three options: (1) Mitigate — rebalance training data and re-evaluate; target disparity ratio below 1.15. (2) Avoid — remove the demographic-correlated features from the model. (3) Transfer — purchase fairness insurance and accept current disparity with disclosed risk. Given your Low risk appetite, option 1 or 2 is required. Which do you want in the risk register?" }, { "speaker": "human", "text": "Option 1. Owner is data science lead, target date is next sprint, monitoring is monthly disparity audit. Residual risk: Medium pending re-evaluation." } ], "triggers_next": "Risk register complete, all entries have treatment, owner, timeline, and residual risk.", "can_restart": true } ], "transitions": [ { "from": "govern", "to": "map", "trigger": "Risk owner named, appetite defined, approval path confirmed." }, { "from": "map", "to": "measure", "trigger": "Risk landscape mapped with stakeholders and impact domains." }, { "from": "measure", "to": "map", "trigger": "New risk identified during measurement — not in original map.", "is_loop_back": true }, { "from": "measure", "to": "manage", "trigger": "All priority risks scored with evidence." 
}, { "from": "manage", "to": "govern", "trigger": "New AI system or material change triggers a new assessment cycle.", "is_cycle_restart": true } ] } }, { "id": "ai-strategy-alignment", "framework_id": "wef-responsible-ai", "title": "AI Strategy Alignment with Organizational Purpose", "domain": "enterprise", "file": "enterprise-ai-strategy-alignment.yaml", "dimensions": { "strategy": { "description": "The leadership team articulates how AI initiatives connect to the organization's stated purpose, values, and societal commitments — and uses this connection as a filter for AI investment decisions.\n", "example": "CEO: \"We've approved six AI initiatives this year. I want to know which ones actually serve our mission as a public health organization.\" AI: \"Apply the purpose test to each initiative: (1) Does this AI initiative serve patients and communities, or does it primarily serve operational efficiency for the organization? (2) Could this AI use create a conflict of interest between our mission and our financial incentives? (3) If this initiative became public tomorrow, would it be consistent with how we want to be seen? Run all six initiatives through these three questions and rank them by mission alignment before the next board meeting.\"\n", "antipattern": "Approving AI initiatives based exclusively on ROI projections and operational efficiency gains, with no mechanism to verify whether they serve the organization's stated mission and societal purpose.\n" }, "governance": { "description": "The organization designs an oversight structure for responsible AI with real decision authority — including who can pause or veto deployments, how ethics concerns are escalated, and what the governance cadence is.\n", "example": "AI: \"For responsible AI governance, the WEF Playbook recommends three layers: (1) Operational — an AI review team embedded in the product and engineering workflow that screens every AI deployment before it goes live. 
(2) Strategic — an AI ethics committee at the VP/Director level with authority to pause high-stakes deployments. (3) Board — an AI governance item on the board agenda at least quarterly, with a named board member as AI accountability sponsor. Which layer is currently missing or weakest in your organization?\"\n", "antipattern": "Creating an AI ethics committee that meets quarterly and can only advise — with no authority to pause deployments and no connection to operational AI decisions being made daily in product teams.\n" }, "risk-ethics": { "description": "The organization assesses the ethical risks of its AI portfolio — not just technical risks — including who could be harmed, how, and whether the harm is proportionate to the benefit claimed.\n", "example": "Human: \"Our patient scheduling AI prioritizes patients with better payment histories. Is that an ethical risk?\" AI: \"Yes — this is a high-severity ethical risk. The harm is direct and systematic: patients with worse payment histories (often lower-income or underinsured) receive worse access to care. In a public health context, this directly conflicts with your mission and may violate health equity law. The WEF Playbook would classify this as an unacceptable ethics risk — a mission conflict, not just a fairness metric. 
Recommendation: pause this feature and replace the payment history signal with clinically appropriate prioritization criteria.\"\n", "antipattern": "Treating 'payment history' as a neutral data feature without assessing its societal and mission implications — allowing financial logic to override clinical and ethical judgment.\n" }, "implementation": { "description": "The organization embeds responsible AI practices into its operational workflows — making ethics reviews, documentation requirements, and fairness checks part of the standard development process, not optional extras.\n", "example": "AI: \"To embed responsible AI in your product workflow, I recommend three changes to the current development process: (1) Add an ethics checkpoint at the design phase — before any AI feature is engineered, a one-page ethics impact brief is required. (2) Require an equity review for any AI feature affecting patient access or outcomes — run by clinical and social work staff, not just engineers. (3) Add a responsible AI sign-off to the deployment checklist — a named individual confirms the ethics checkpoint and equity review were completed. These add less than one week to the average release cycle.\"\n", "antipattern": "Publishing a responsible AI policy and expecting development teams to self-apply it without any process change, tooling, or accountability mechanism — producing policies that exist on paper but not in code.\n" }, "accountability": { "description": "The organization tracks whether its AI initiatives are achieving their stated purpose, reports transparently on outcomes — including failures — and uses evidence to drive continuous improvement of the responsible AI program.\n", "example": "AI closes the cycle: \"Accountability structure for the responsible AI program: (1) Quarterly outcome report — for each AI system, track three metrics: mission alignment score (purpose test results), equity metric (disparity in outcomes across patient groups), and incident count. 
(2) Annual external report — published to stakeholders including community partners, describing responsible AI commitments and progress. (3) Board accountability item — AI ethics committee presents to the board annually with a forward improvement plan. (4) Whistleblower pathway — staff can report responsible AI concerns anonymously with a named executive reviewer.\"\n", "antipattern": "Reporting only AI successes externally while keeping failures and ethical concerns internal — producing a responsible AI narrative that is not grounded in transparent evidence.\n" } }, "score_hints": { "strategy": 0.25, "governance": 0.2, "risk-ethics": 0.25, "implementation": 0.2, "accountability": 0.1 }, "summary": "", "tags": [ "ai-strategy", "responsible-ai", "enterprise", "wef", "healthcare" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "AI initiatives are filtered against organizational purpose → governance structure with real authority is designed → ethical risks in the AI portfolio are assessed → responsible AI practices are embedded in development workflows → outcome tracking and external reporting closes the accountability loop. Loops back to strategy if risk-ethics assessment reveals initiatives that conflict with mission.\n", "sequence": [ { "step": 1, "d": "strategy", "label": "Filter AI initiatives against organizational purpose", "example_prompts": [ { "speaker": "human", "text": "We have a board-approved AI roadmap with 8 initiatives. How do we know which ones are aligned with our mission?" }, { "speaker": "ai", "text": "Run the purpose test on all 8 initiatives. For each, answer: (1) Who is the primary beneficiary — the organization or the people it serves? (2) Does this initiative serve our core mission or a financial objective that happens to use AI? (3) Would this initiative be defensible if reported by a journalist covering 'AI in healthcare'? 
Score each initiative Red (mission conflict), Yellow (unclear alignment), or Green (clear mission alignment). Share the results before the next board meeting — Red and Yellow items require a strategy discussion, not just an approval." }, { "speaker": "human", "text": "Three initiatives score Red including the payment-priority scheduler. Two are Yellow. Three are Green." } ], "triggers_next": "AI initiatives scored against mission; conflicts identified." }, { "step": 2, "d": "governance", "label": "Design responsible AI governance with real authority", "example_prompts": [ { "speaker": "human", "text": "We have an AI ethics advisory group but it has no authority to stop anything. How do we fix this?" }, { "speaker": "ai", "text": "Restructure in three steps: (1) Rename the group to AI Ethics Committee and update the charter to give it explicit pause authority for any AI deployment that scores Red on the purpose test or fails an equity review. (2) Define the escalation path — product team flags concern → AI review team → ethics committee → CEO if committee is deadlocked. (3) Give the committee a direct reporting line to the board's governance committee, not to the CTO. The CTO is an interested party in deployment decisions; the board is the right accountability principal." }, { "speaker": "human", "text": "Charter update drafted. CEO approved pause authority for the ethics committee." } ], "triggers_next": "Governance structure with real authority approved and documented." }, { "step": 3, "d": "risk-ethics", "label": "Assess ethical risks in the AI portfolio", "example_prompts": [ { "speaker": "human", "text": "The three Red initiatives — what are the specific ethical risks?" }, { "speaker": "ai", "text": "For the payment-priority scheduler: ethical risk is direct — it systematically disadvantages lower-income patients in access to care. This is a mission conflict and a potential health equity law violation. 
Recommend: pause immediately, replace with clinically validated priority criteria. For the AI-assisted discharge planning tool: risk is opacity — clinicians cannot see why the model recommends discharge timing, creating accountability gaps. Recommend: require explainability layer before deployment. For the predictive readmission model: risk is feedback loop — if the model is used to ration follow-up care, its errors compound. Recommend: human review required for all model outputs above a risk threshold." }, { "speaker": "human", "text": "Ethics committee has reviewed all three. Pause orders issued for payment scheduler." } ], "triggers_next": "Ethical risks assessed; pause orders issued for mission-conflicting initiatives.", "loop_back": { "to": "strategy", "condition": "Risk-ethics assessment reveals additional initiatives with mission conflicts not identified in the purpose test.", "reason": "Strategy filter must be re-run with updated criteria before ethics committee reviews remaining portfolio." } }, { "step": 4, "d": "implementation", "label": "Embed responsible AI practices in development workflow", "example_prompts": [ { "speaker": "human", "text": "How do we make sure the remaining five Green initiatives stay responsible as they're built?" }, { "speaker": "ai", "text": "Three workflow changes: (1) Ethics impact brief — one-page document required at the design phase for every AI feature. Template: what problem are we solving, who could be harmed, what is the mitigation. Owner: product manager. (2) Equity review — any AI feature affecting patient access or clinical outcomes goes through a 2-hour review with clinical informatics and social work. Owner: clinical lead. (3) Deployment checklist — responsible AI sign-off added as a required gate before any AI feature goes to production. Named individual confirms the ethics brief and equity review were completed. These changes add approximately 3-5 days to the standard release cycle." 
}, { "speaker": "human", "text": "Three changes approved by engineering VP. Adding to the SDLC documentation." } ], "triggers_next": "Responsible AI practices embedded in development workflow." }, { "step": 5, "d": "accountability", "label": "Establish outcome tracking and external reporting", "example_prompts": [ { "speaker": "human", "text": "How do we demonstrate accountability for our responsible AI program externally?" }, { "speaker": "ai", "text": "Accountability framework: (1) Quarterly internal report — AI ethics committee receives: mission alignment scores, equity metrics per system, incident log, open pause items. (2) Annual external report — published to community partners and on the website: responsible AI commitments made, progress against them, and one honest failure and what was learned. (3) Board agenda item — ethics committee presents annually with a forward improvement plan. (4) Community input mechanism — annual open meeting with patient advocacy groups to review the responsible AI program. The external report is the most important item — it creates genuine accountability by making commitments public." }, { "speaker": "human", "text": "Annual report committed for Q4. Community meeting scheduled. Board agenda item approved." } ], "triggers_next": "Accountability structure operational; external reporting committed.", "can_restart": true } ], "transitions": [ { "from": "strategy", "to": "governance", "trigger": "AI initiatives scored against mission; conflicts identified." }, { "from": "governance", "to": "risk-ethics", "trigger": "Governance structure with real authority approved." }, { "from": "risk-ethics", "to": "strategy", "trigger": "Additional mission-conflicting initiatives discovered — re-run purpose test.", "is_loop_back": true }, { "from": "risk-ethics", "to": "implementation", "trigger": "Ethical risks assessed and pause orders issued where needed." 
}, { "from": "implementation", "to": "accountability", "trigger": "Responsible AI practices embedded in workflow." }, { "from": "accountability", "to": "strategy", "trigger": "Annual review cycle — reassess AI portfolio against mission.", "is_cycle_restart": true } ] } }, { "id": "ai-supplier-assessment", "framework_id": "iso-42001", "title": "AI Supplier Assessment", "domain": "enterprise", "file": "enterprise-ai-supplier-assessment.yaml", "dimensions": { "context": { "description": "The organization maps the supplier's role within the AIMS scope — whether the supplier develops, deploys, or provides AI infrastructure — and identifies the specific regulatory and contractual context that governs the supplier relationship.\n", "example": "AIMS manager: \"We are evaluating a cloud AI platform provider. How do we define their role in our AIMS?\" AI: \"For ISO 42001, supplier classification determines what is required. Three roles to assess: (1) AI system developer — do they develop the AI model itself? If yes, they are a critical AIMS supplier and must meet your AI policy minimums. (2) AI infrastructure provider — do they provide compute, storage, or APIs without developing the model? Different obligations apply. (3) AI-enabled service provider — do they use AI internally in services they provide to you? The most common and often overlooked category. 
Document the supplier's role before setting assessment requirements.\"\n", "antipattern": "Applying the same supplier assessment template to all AI-related vendors regardless of their role — over-burdening infrastructure providers while under-assessing AI developers with more material risk.\n" }, "leadership": { "description": "The organization evaluates the supplier's own AI governance maturity — whether they have an AI policy, named accountability, and a governance structure that can back the commitments they make in the contract.\n", "example": "AI: \"Four leadership maturity questions for the supplier: (1) Do they have a published AI policy? Ask for it — a policy that exists only for sales conversations is not evidence of governance. (2) Is there a named executive accountable for AI risk? Not a 'responsible AI team' — a named individual with a title and reporting line. (3) Have they completed any AI management system certification (ISO 42001, NIST AI RMF alignment)? Third-party evidence is more reliable than self-attestation. (4) What is their incident notification track record — have they disclosed AI incidents to clients previously? Ask references.\"\n", "antipattern": "Accepting a supplier's AI ethics statement as evidence of governance maturity without asking for the four concrete evidence items above — assessing values rather than systems.\n" }, "planning": { "description": "The organization documents the specific AI risks the supplier introduces into the AIMS risk register and plans treatment actions — including contractual mitigations, technical controls, and monitoring requirements.\n", "example": "Human: \"The supplier's AI platform processes our customer data. What risks do they introduce to our AIMS?\" AI: \"Four supplier-introduced risks to add to the AIMS risk register: (1) Data sovereignty — where is customer data processed? If outside your jurisdiction, transfer mechanisms must be in the DPA. Risk: High. 
(2) Model change without notice — if the supplier updates their AI model, it could change outputs affecting your products. Require 30-day advance notice of material model changes. Risk: Medium. (3) Supplier AI incident — if the supplier has an AI incident, how quickly are you notified and what are your obligations? Require 48-hour notification SLA. Risk: High. (4) Concentration risk — are you dependent on a single AI platform provider? Risk: Medium. Document treatment for each.\"\n", "antipattern": "Adding a supplier to the AIMS without updating the risk register — treating supplier onboarding as a procurement task rather than an AIMS risk management event.\n" }, "operation": { "description": "The organization defines the operational controls that govern the supplier relationship throughout the contract lifecycle — audit rights, documentation requirements, change management, and incident handling.\n", "example": "AI: \"Operational controls for the supplier agreement: (1) AI documentation requirement — supplier must provide a model card or technical specification for each AI component within the scope of your AIMS. (2) Audit right — annual audit right with 30-day notice; supplier must make AI risk documentation available. (3) Change management — material AI model changes trigger a 30-day notice period and a change impact assessment before your organization accepts the change. (4) Incident integration — supplier AI incidents are integrated into your AIMS incident log within 24 hours of supplier notification. 
All four must be in the contract before signature.\"\n", "antipattern": "Signing a supplier contract with standard SaaS terms that make no provision for AI-specific documentation, audit rights, or AI incident notification — leaving the AIMS with no operational visibility into supplier AI behavior.\n" }, "performance": { "description": "The organization monitors supplier AI performance against agreed metrics throughout the contract, conducts periodic assessments, and includes supplier performance in the annual AIMS management review.\n", "example": "AI closes the assessment cycle: \"Supplier performance monitoring plan: (1) Quarterly review — track: AI incident count, model change notifications received, documentation currency (is the model card up to date?). (2) Annual assessment — re-run the supplier risk assessment; has the supplier's governance maturity improved or degraded? (3) AIMS management review input — include supplier performance in the annual management review as a standing agenda item. (4) Corrective action trigger — if the supplier fails two consecutive quarterly reviews, issue a formal corrective action request with a 60-day remediation deadline. 
Failure to remediate triggers contract review.\"\n", "antipattern": "Completing the initial supplier assessment at onboarding and conducting no further performance monitoring — treating supplier AI governance as a one-time due diligence event rather than an ongoing AIMS obligation.\n" } }, "score_hints": { "context": 0.15, "leadership": 0.2, "planning": 0.25, "operation": 0.25, "performance": 0.15 }, "summary": "", "tags": [ "supplier-assessment", "enterprise", "iso-42001", "third-party", "procurement" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Supplier role in the AIMS is classified → supplier governance maturity is assessed against four evidence criteria → supplier-introduced risks are added to the AIMS risk register with treatments → operational controls are embedded in the contract → ongoing performance monitoring is defined for the contract lifecycle.\n", "sequence": [ { "step": 1, "d": "context", "label": "Classify supplier role within the AIMS", "example_prompts": [ { "speaker": "human", "text": "We're onboarding a new AI platform vendor. How do we integrate them into our AIMS?" }, { "speaker": "ai", "text": "Start by classifying the supplier's role: (1) Are they developing the AI model — the algorithm itself? (2) Are they providing AI infrastructure — compute, APIs, data pipelines — without model development? (3) Are they delivering an AI-enabled service where AI is embedded in what they provide? The classification determines the assessment depth and contract requirements. A model developer carries the most AIMS risk; an infrastructure provider carries less but is often overlooked. What does this supplier do?" }, { "speaker": "human", "text": "They provide an AI-powered customer analytics platform — role 3, AI-enabled service." } ], "triggers_next": "Supplier classified as AI-enabled service provider; assessment scope defined." 
}, { "step": 2, "d": "leadership", "label": "Assess supplier AI governance maturity", "example_prompts": [ { "speaker": "human", "text": "What evidence should we request to assess their AI governance?" }, { "speaker": "ai", "text": "Four evidence requests: (1) Published AI policy — ask for their public or shareable AI policy document. A policy that exists only for sales is not governance. (2) Named AI accountability — who is the named executive accountable for AI risk? Request name, title, and reporting line. (3) Third-party certification or alignment — have they completed ISO 42001 certification, NIST AI RMF alignment, or an equivalent independent assessment? Self-attestation is not sufficient. (4) Incident disclosure track record — have they disclosed AI incidents to clients? Ask two reference customers. Score governance maturity as Mature, Developing, or Absent based on evidence received." }, { "speaker": "human", "text": "Supplier has a published AI policy and a named Head of AI Ethics. No third-party certification. References report one disclosed incident handled well. Score: Developing." } ], "triggers_next": "Supplier governance maturity scored as Developing; gaps documented.", "loop_back": { "to": "context", "condition": "Governance assessment reveals the supplier also develops the underlying AI model — role reclassification required.", "reason": "AI model developers require a more rigorous assessment scope than AI-enabled service providers." } }, { "step": 3, "d": "planning", "label": "Add supplier-introduced risks to the AIMS risk register", "example_prompts": [ { "speaker": "human", "text": "What AIMS risks does this supplier introduce?" }, { "speaker": "ai", "text": "Four risks for the register: (1) Data residency — customer analytics data processed outside our jurisdiction. Likelihood: High (US-based supplier). Impact: High (GDPR exposure). Treatment: Mitigate via Standard Contractual Clauses in DPA. Owner: Legal. (2) Model opacity — proprietary analytics model with no published model card. Likelihood: High. Impact: Medium (limits our ability to explain outputs to customers). Treatment: Require model card as contract condition. Owner: AIMS manager. (3) Supplier AI incident — 48-hour notification SLA not currently in standard contract terms. Likelihood: Low. Impact: High. Treatment: Contractual SLA. Owner: Legal. (4) Concentration risk — no alternative analytics provider evaluated. Risk: Medium. Treatment: Evaluate one alternative provider annually." }, { "speaker": "human", "text": "All four risks added to the AIMS risk register with owners and target dates." } ], "triggers_next": "Supplier risks registered with treatments and owners." }, { "step": 4, "d": "operation", "label": "Define operational controls and embed in the contract", "example_prompts": [ { "speaker": "human", "text": "What contract clauses do we need for AI-specific operational control?" }, { "speaker": "ai", "text": "Four contract clauses beyond standard SaaS terms: (1) Model documentation — supplier provides a model card or technical specification for the analytics AI within 30 days of contract signature and updates it within 30 days of any material model change. (2) Change notification — 30-day advance notice of material AI model changes; buyer may request a change impact assessment period before accepting. (3) Audit right — annual audit right; supplier provides AI risk documentation on request with 30-day notice. (4) AI incident notification — supplier notifies buyer within 48 hours of any AI incident affecting buyer's data or analytics outputs. All four to be included in the main agreement or an AI schedule appended to the contract." }, { "speaker": "human", "text": "All four clauses accepted by supplier. Contract signed with AI schedule attached." } ], "triggers_next": "Operational controls embedded in contract; supplier onboarded into AIMS."
}, { "step": 5, "d": "performance", "label": "Define ongoing monitoring and AIMS management review input", "example_prompts": [ { "speaker": "human", "text": "How do we monitor this supplier's AI performance throughout the contract?" }, { "speaker": "ai", "text": "Quarterly supplier review cadence: (1) Metrics to track: AI incident count and resolution time, model change notifications received vs. expected, model card currency (last update date). (2) Annual re-assessment: re-run the governance maturity assessment; has the supplier moved from Developing to Mature? (3) AIMS management review: include a supplier AI performance summary as a standing agenda item; flag any corrective actions open. (4) Corrective action trigger: two consecutive quarterly reviews with performance below agreed thresholds triggers a formal corrective action request. Non-resolution within 60 days triggers contract review. Add the first quarterly review date to the AIMS calendar." }, { "speaker": "human", "text": "First quarterly review scheduled. Supplier added to AIMS management review agenda." } ], "triggers_next": "Supplier performance monitoring operational; integrated into AIMS calendar.", "can_restart": true } ], "transitions": [ { "from": "context", "to": "leadership", "trigger": "Supplier role classified and assessment scope defined." }, { "from": "leadership", "to": "context", "trigger": "Governance assessment reveals role reclassification needed.", "is_loop_back": true }, { "from": "leadership", "to": "planning", "trigger": "Supplier governance maturity scored and gaps documented." }, { "from": "planning", "to": "operation", "trigger": "Supplier risks added to AIMS risk register." }, { "from": "operation", "to": "performance", "trigger": "Operational controls embedded in contract." 
}, { "from": "performance", "to": "context", "trigger": "Annual re-assessment cycle — re-classify and re-assess.", "is_cycle_restart": true } ] } }, { "id": "ai-transparency-reporting", "framework_id": "oecd-ai-principles", "title": "AI Transparency Reporting", "domain": "enterprise", "file": "enterprise-ai-transparency-reporting.yaml", "dimensions": { "inclusive-growth": { "description": "The report discloses which populations benefit from the organization's AI systems, which bear disproportionate risk, and what the organization is doing to close identified equity gaps — backed by data, not assertions.\n", "example": "Reporting lead: \"Our transparency report says we are 'committed to inclusive AI.' How do we make that substantive?\" AI: \"Replace the commitment statement with three data points: (1) For each major AI system, who uses it and what demographic groups benefit? (2) Where disparity audits found gaps, what was the disparity ratio and what action was taken? (3) What is the organization's equity improvement target for next year, and how will it be measured? A transparency report that makes no measurable commitments is a public relations document, not an accountability one.\"\n", "antipattern": "Publishing general statements about 'commitment to inclusive AI' without any data on who benefits, who is disadvantaged, and what concrete actions are being taken to close identified gaps.\n" }, "human-centred": { "description": "The report identifies which human rights are most implicated by the organization's AI systems and discloses how those rights are protected — including the results of any rights impact assessments conducted.\n", "example": "AI: \"For the human-centred section, structure it as: (1) Rights at stake — list the top three human rights implicated by your AI systems (e.g., right to non-discrimination for hiring AI, right to privacy for data AI, right to explanation for credit AI). 
(2) Protection measures — for each right, what mechanism protects it? (3) Assessment results — were any rights impact assessments conducted? What did they find? If no assessment was conducted, say so — incomplete disclosure is still more credible than vague assurance.\"\n", "antipattern": "Referencing 'human rights' in the report without naming which rights are implicated, how they are protected, or whether any assessment of rights impacts was conducted.\n" }, "transparency": { "description": "The report itself is transparent about its scope limitations — what AI systems are covered, what is excluded and why, and what the organization does not yet know about its own AI impacts.\n", "example": "Human: \"Should we disclose that we have three AI systems we couldn't include because they are under NDA with the vendor?\" AI: \"Yes — disclosing scope limitations is more credible than implying complete coverage. State: 'This report covers eight of eleven AI systems in production. Three systems operated under third-party vendor agreements that restrict disclosure. We are working with vendors to enable disclosure in next year's report.' Readers who discover undisclosed systems will question everything in the report; readers who see honest scope limitations will trust the disclosed content more.\"\n", "antipattern": "Publishing a transparency report that does not disclose its own scope limitations — implying complete coverage when significant AI systems are excluded.\n" }, "robustness": { "description": "The report discloses the organization's approach to AI system safety and security testing — including what testing was conducted, by whom, and what the results indicated — not just that testing occurred.\n", "example": "AI: \"For robustness disclosure, three elements: (1) Testing scope — which systems were tested for safety and security, and which were not? (2) Methodology — was testing internal, third-party, or regulatory? Third-party testing is more credible. 
(3) Material findings — were any significant safety or security issues found? If so, what was the remediation? Disclosing a finding and its remediation demonstrates a mature program; concealing it creates legal and reputational risk if the issue is later discovered externally.\"\n", "antipattern": "Stating 'all AI systems undergo rigorous testing' without specifying what was tested, by whom, and what the results were — making the claim unverifiable and therefore meaningless.\n" }, "accountability": { "description": "The report names who is accountable for the organization's AI program, what governance structures exist, and how stakeholders can raise concerns — with a commitment to respond to feedback before the next report.\n", "example": "AI closes the reporting cycle: \"Accountability section structure: (1) Named AI leadership — the executive responsible for AI governance and their reporting line. (2) Governance bodies — AI ethics committee, board oversight item, internal audit scope. (3) Incident summary — how many AI incidents occurred, how many were resolved, and what systemic changes resulted. (4) Stakeholder engagement — how did the organization gather external input for this report? 
(5) Contact for feedback — a named channel for stakeholders to respond to this report, with a commitment to acknowledge receipt within 30 days.\"\n", "antipattern": "Publishing an AI transparency report with no named executive, no governance disclosure, no incident summary, and no way for stakeholders to provide feedback — making 'accountability' a heading rather than a reality.\n" } }, "score_hints": { "inclusive-growth": 0.2, "human-centred": 0.2, "transparency": 0.25, "robustness": 0.15, "accountability": 0.2 }, "summary": "", "tags": [ "transparency-reporting", "enterprise", "oecd", "responsible-ai", "disclosure" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Equity data is gathered and converted from assertions to evidence → human rights implications are named and protection measures disclosed → report scope limitations are explicitly disclosed → robustness testing results are summarized with methodology → accountability structure and feedback mechanism close the report. Loops back to inclusive-growth if rights impact assessment reveals equity gaps not captured in the initial data pull.\n", "sequence": [ { "step": 1, "d": "inclusive-growth", "label": "Convert equity commitments to data-backed disclosures", "example_prompts": [ { "speaker": "human", "text": "We want to publish our first AI transparency report. The draft says we are 'committed to equitable AI.' How do we make this substantive?" }, { "speaker": "ai", "text": "Three data requests to replace the commitment statement: (1) Pull disparity audit results for each AI system — do they exist? If not, note the gap and commit to conducting them by a named date. (2) For systems with audits, what were the disparity ratios and what actions were taken? (3) What is the measurable equity target for next year — e.g., 'reduce disparity ratio in hiring AI from 1.34 to below 1.15 by Q4'? 
A report with one specific target and its baseline is more credible than five pages of aspirational language." }, { "speaker": "human", "text": "Hiring AI disparity ratio: 1.34. Credit AI: no audit conducted. Equity target: hiring AI ratio below 1.15 by Q4." } ], "triggers_next": "Equity data gathered; targets set; audit gaps disclosed." }, { "step": 2, "d": "human-centred", "label": "Name rights at stake and disclose protection mechanisms", "example_prompts": [ { "speaker": "human", "text": "Which human rights should we reference in the report?" }, { "speaker": "ai", "text": "Map your AI systems to rights: (1) Hiring AI — right to non-discrimination (Article 21, EU Charter; Title VII equivalent in US); right to explanation for automated decisions (GDPR Article 22). (2) Credit AI — right to non-discrimination; right to human review of automated credit decisions. (3) Customer analytics AI — right to privacy and data protection. For each right, document: what mechanism protects it? Has a rights impact assessment been conducted? If no assessment exists, say so and commit to one — that honest disclosure is more credible than vague assurance." }, { "speaker": "human", "text": "No formal rights impact assessment has been conducted. We'll disclose this and commit to one for hiring AI by Q2." } ], "triggers_next": "Rights at stake named; protection mechanisms disclosed; assessment gaps acknowledged.", "loop_back": { "to": "inclusive-growth", "condition": "Rights impact assessment reveals equity gaps not captured in the initial disparity data.", "reason": "Equity section must be updated to reflect rights-based findings." } }, { "step": 3, "d": "transparency", "label": "Disclose report scope and limitations explicitly", "example_prompts": [ { "speaker": "human", "text": "Three of our AI systems are covered by vendor NDAs. Do we include them?" }, { "speaker": "ai", "text": "Disclose the limitation explicitly: 'This report covers eight of eleven AI systems in production. 
Three systems are operated under third-party vendor agreements that currently restrict public disclosure. We are engaging vendors to enable disclosure in next year's report.' This is the right approach for three reasons: (1) Stakeholders who find the undisclosed systems will question the entire report. (2) Named limitations signal a mature transparency program. (3) The vendor engagement commitment creates accountability for next year's disclosure. Add the three system categories without identifying the vendors if NDA permits." }, { "speaker": "human", "text": "Scope limitation section drafted with vendor engagement commitment." } ], "triggers_next": "Report scope and limitations explicitly disclosed." }, { "step": 4, "d": "robustness", "label": "Summarize testing methodology and material findings", "example_prompts": [ { "speaker": "human", "text": "Our security team ran penetration tests on four AI systems. Should we disclose results?" }, { "speaker": "ai", "text": "Disclose at the finding level, not the vulnerability level: 'Four AI systems underwent third-party penetration testing in Q2. Two systems had findings that were remediated within 30 days of discovery. No findings remain open.' This discloses that testing occurred, that issues were found and fixed, and that nothing is outstanding — without providing a map for attackers. If a finding is still open, say so with its severity and target remediation date. Concealing open findings in a transparency report creates legal exposure if the vulnerability is later exploited." }, { "speaker": "human", "text": "Two findings, both remediated. Summary language drafted for robustness section." } ], "triggers_next": "Testing methodology and material findings summarized without operational security risk." }, { "step": 5, "d": "accountability", "label": "Name executives, governance bodies, and feedback channel", "example_prompts": [ { "speaker": "human", "text": "How do we close the report with genuine accountability?" 
}, { "speaker": "ai", "text": "Accountability section: (1) Named AI executive — 'AI governance is the responsibility of [Name], Chief Technology Officer, reporting to the CEO and the Board Governance Committee.' (2) Governance bodies — AI Ethics Committee (members listed by role, not name if preferred), meets quarterly, has pause authority for high-risk deployments. (3) Incident summary — '3 AI incidents logged in the reporting period; all resolved; 1 systemic process change resulted.' (4) Stakeholder engagement — 'This report was reviewed by an external civil society organization before publication.' (5) Feedback channel — 'Submit feedback at [email/form]; we commit to acknowledging receipt within 30 days and publishing a summary of feedback received in next year's report.'" }, { "speaker": "human", "text": "Accountability section complete. Report ready for executive review before publication." } ], "triggers_next": "Report complete with named accountability, incident summary, and feedback channel.", "can_restart": true } ], "transitions": [ { "from": "inclusive-growth", "to": "human-centred", "trigger": "Equity data gathered and targets set." }, { "from": "human-centred", "to": "inclusive-growth", "trigger": "Rights assessment reveals equity gaps not in initial data.", "is_loop_back": true }, { "from": "human-centred", "to": "transparency", "trigger": "Rights implications named and protection mechanisms disclosed." }, { "from": "transparency", "to": "robustness", "trigger": "Scope limitations explicitly disclosed." }, { "from": "robustness", "to": "accountability", "trigger": "Testing methodology and findings summarized." 
}, { "from": "accountability", "to": "inclusive-growth", "trigger": "Annual reporting cycle — begin data collection for next report.", "is_cycle_restart": true } ] } }, { "id": "ai-vendor-governance", "framework_id": "nist-ai-rmf", "title": "Third-Party AI Vendor Governance", "domain": "enterprise", "file": "enterprise-ai-vendor-governance.yaml", "dimensions": { "govern": { "description": "The enterprise defines what governance requirements apply to third-party AI vendors — minimum documentation standards, audit rights, incident notification obligations, and the internal owner responsible for vendor AI risk throughout the contract lifecycle.\n", "example": "Procurement lead: \"Before we evaluate any vendor, we need to confirm our minimum governance requirements: What AI documentation must vendors provide? Do we have audit rights in the contract? Who internally owns this vendor relationship for AI risk? Without these baselines, every vendor assessment will be inconsistent.\"\n", "antipattern": "Evaluating vendors on functionality and price without establishing governance baselines — signing contracts that grant no audit rights and impose no AI risk notification obligations on the vendor.\n" }, "map": { "description": "The team maps risks introduced by the vendor's AI: data handling practices, model opacity, supply chain dependencies, jurisdictional exposure, and what happens to the enterprise's risk posture if the vendor is acquired, changes its model, or has an incident.\n", "example": "AI: \"For this vendor, I can map six risk areas: (1) Data residency — where is your data processed and stored? (2) Model transparency — can you inspect or audit the model? (3) Vendor concentration risk — how dependent would you be on this single supplier? (4) Supply chain — what third parties does the vendor rely on? (5) Regulatory exposure — does using this vendor trigger AI regulation obligations for you? (6) Continuity risk — what happens if the vendor exits this product? 
Which are in scope?\"\n", "antipattern": "Mapping only the vendor's feature set and price, and ignoring the risk that the vendor's AI practices introduce into the buyer's own risk and compliance posture.\n" }, "measure": { "description": "The team scores each vendor risk area using evidence from the vendor's documentation, security questionnaire, third-party audits, and reference checks — not marketing materials or verbal assurances.\n", "example": "Human: \"Vendor claims their model is 'fair and unbiased.' How do we score the fairness risk?\" AI: \"A claim is not evidence. Ask for: (1) A third-party bias audit report, not older than 12 months. (2) Disparity metrics across the demographic groups relevant to your use case. (3) Their process for updating the model when disparity is detected. If they cannot provide these, score fairness risk as High and unknown — which is worse than a known High.\"\n", "antipattern": "Accepting vendor self-attestation as evidence for risk scoring, especially for fairness, security, and regulatory compliance claims.\n" }, "manage": { "description": "The team converts risk assessment outcomes into contractual obligations, operational controls, and ongoing monitoring requirements — including the right to audit, incident notification windows, and exit provisions.\n", "example": "AI: \"Based on the risk scores, here are the contract provisions I recommend: (1) Data residency — explicitly named jurisdictions in the DPA. (2) Audit rights — annual audit right with 30-day notice. (3) Incident notification — 48-hour notification SLA for any AI incident affecting your data or outputs. (4) Model change notification — 30-day notice before any material model update. 
(5) Exit provision — data portability and 90-day transition support.\"\n", "antipattern": "Completing the vendor risk assessment and then handing off to legal with no specific contract requirements derived from the risk findings — allowing standard contract terms to override the assessed risks.\n" } }, "score_hints": { "govern": 0.2, "map": 0.3, "measure": 0.3, "manage": 0.2 }, "summary": "", "tags": [ "vendor-governance", "procurement", "enterprise", "third-party-risk" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Enterprise governance baselines are set before any vendor contact → vendor-introduced risks are mapped systematically → risks are scored using evidence, not self-attestation → risk findings are converted into contract provisions and ongoing monitoring requirements. Loops back to Map if due diligence reveals undisclosed vendor dependencies.\n", "sequence": [ { "step": 1, "d": "govern", "label": "Set enterprise AI vendor governance baselines", "example_prompts": [ { "speaker": "human", "text": "We're evaluating three AI vendors for our HR screening tool. Before we start, what governance baselines do we need?" }, { "speaker": "ai", "text": "Three baselines before any vendor contact: (1) Minimum documentation requirements — what must every vendor provide? At minimum: model card or equivalent, data handling practices, most recent security audit. (2) Contract non-negotiables — audit rights, incident notification SLA, data deletion on contract termination. (3) Internal ownership — who owns this vendor relationship for AI risk throughout the 3-year contract lifecycle? Name the person now, not after signature." }, { "speaker": "human", "text": "HR tech risk owner is the CHRO's office. Baselines agreed: model card required, 48-hour incident SLA, annual audit right." } ], "triggers_next": "Governance baselines defined and internal owner named." 
}, { "step": 2, "d": "map", "label": "Map risks introduced by the vendor's AI", "example_prompts": [ { "speaker": "human", "text": "Vendor A is US-based, uses a proprietary LLM, and will process EU applicant data. Map the risks." }, { "speaker": "ai", "text": "Risk map for Vendor A: (1) Data residency — EU applicant data processed by a US company triggers GDPR Chapter V (international transfers). Is a Standard Contractual Clause or adequacy decision in place? (2) Model opacity — proprietary LLM with no published model card means fairness risk is unmeasurable without a vendor disclosure. (3) Regulatory exposure — the EU AI Act classifies AI used in employment screening as high-risk. You inherit compliance obligations as the deployer. (4) Concentration risk — single vendor for a compliance-critical process. (5) Continuity — what is their exit policy?" }, { "speaker": "human", "text": "EU AI Act high-risk classification changes our obligations significantly. We need to add that to the assessment scope." } ], "triggers_next": "Vendor risk landscape fully mapped including regulatory exposure.", "loop_back": { "to": "map", "condition": "Due diligence reveals undisclosed vendor sub-processors or supply chain dependencies.", "reason": "Sub-processor risks must be mapped before scoring can be accurate." } }, { "step": 3, "d": "measure", "label": "Score each vendor risk using evidence", "example_prompts": [ { "speaker": "human", "text": "Vendor A provided a one-page 'AI ethics statement.' Is that sufficient for our fairness risk score?" }, { "speaker": "ai", "text": "No. For an HR AI classified as high-risk under the EU AI Act, you need: (1) A third-party bias audit against your jurisdiction's protected characteristics — not an internal statement. (2) Disparity metrics for gender, age, and ethnicity for the role types you'll screen. (3) Their re-training process when disparity is detected. A one-page statement scores as: evidence quality — Insufficient. Fairness risk — High and unknown. That is a disqualifying finding unless they provide substantive documentation within your due diligence window." }, { "speaker": "human", "text": "We'll issue a formal evidence request with a 10-business-day deadline." } ], "triggers_next": "All priority risks scored with evidence ratings and gaps documented." }, { "step": 4, "d": "manage", "label": "Convert risk findings into contract terms and monitoring plan", "example_prompts": [ { "speaker": "human", "text": "Risk assessment complete. Vendor A has high fairness risk and data residency gaps. What contract terms do we need?" }, { "speaker": "ai", "text": "Contract requirements derived from risk findings: (1) Data residency — Standard Contractual Clauses with named processing locations, no sub-processor changes without 30-day notice. (2) Fairness — annual third-party bias audit provided to buyer within 30 days of completion; material disparity findings trigger a 60-day remediation obligation. (3) EU AI Act compliance — vendor certifies conformity assessment status at contract signature and at each annual renewal. (4) Incident — 48-hour notification of any AI incident affecting buyer's data or outputs. (5) Exit — 90-day transition support, data deletion certificate within 30 days of termination. Monitoring: quarterly vendor review cadence with CHRO office." }, { "speaker": "human", "text": "These terms go to legal for contract drafting." } ], "triggers_next": "Contract provisions drafted, monitoring cadence defined, vendor risk register created.", "can_restart": true } ], "transitions": [ { "from": "govern", "to": "map", "trigger": "Governance baselines and internal owner confirmed." }, { "from": "map", "to": "measure", "trigger": "Vendor risk landscape fully mapped."
}, { "from": "measure", "to": "map", "trigger": "Due diligence reveals undisclosed sub-processors or dependencies.", "is_loop_back": true }, { "from": "measure", "to": "manage", "trigger": "All priority risks scored with evidence." }, { "from": "manage", "to": "govern", "trigger": "Contract renewal or new vendor triggers a new assessment cycle.", "is_cycle_restart": true } ] } }, { "id": "aims-implementation", "framework_id": "iso-42001", "title": "AI Management System Implementation", "domain": "enterprise", "file": "enterprise-aims-implementation.yaml", "dimensions": { "context": { "description": "The organization defines the internal and external context for the AIMS: which AI systems are in scope, who the relevant stakeholders are, what legal and regulatory obligations apply, and where the organization's current AI practices stand relative to the standard's requirements.\n", "example": "Project lead: \"We run five AI systems in production. How do we determine which are in scope for the AIMS?\" AI: \"ISO 42001 scoping requires you to assess three factors: (1) Which AI systems are you responsible for as the developer or deployer? (2) What is the potential impact of each system — high-impact systems (those affecting employment, credit, healthcare) should be in scope regardless of size. (3) What are your legal obligations — does any jurisdiction require you to have an AI management system? 
Start with a gap assessment: map each of the five systems against these criteria.\"\n", "antipattern": "Scoping the AIMS to only the systems that are easiest to document, while excluding higher-risk systems that require more effort — producing a certified AIMS that does not cover the organization's material AI risks.\n" }, "leadership": { "description": "Top management demonstrates commitment to the AIMS by approving an AI policy, assigning roles and responsibilities, providing resources, and integrating the AIMS into the organization's existing management system structure.\n", "example": "AI: \"For the ISO 42001 leadership requirements, the CEO or equivalent must: (1) Approve the AI policy in writing — not delegate approval. (2) Name an AI management representative with the authority to make AIMS decisions without seeking approval for each action. (3) Allocate a budget for AIMS implementation, maintenance, and certification. (4) Integrate AI risk into the existing enterprise risk management reporting cadence. Has leadership explicitly committed to these four?\"\n", "antipattern": "Delegating AIMS implementation entirely to a technical team without top management commitment — producing an AIMS that has no authority to enforce AI policy across business units.\n" }, "planning": { "description": "The organization conducts an AI risk and opportunity assessment scoped to all in-scope AI systems, sets measurable AI objectives, and produces treatment plans for identified risks — all documented as formal inputs to the AIMS operational stage.\n", "example": "Human: \"We've scoped five systems and have leadership commitment. What does the risk assessment look like for ISO 42001?\" AI: \"ISO 42001 risk assessment has two layers: (1) AIMS-level risks — what could prevent the management system itself from working? (e.g., inadequate documentation, key-person dependency, regulatory change.) 
(2) AI system-level risks — what risks does each AI system pose to the organization and to affected parties? For each AI system, document: system purpose, affected parties, risk categories (fairness, safety, privacy, operational), likelihood, impact, and treatment option.\"\n", "antipattern": "Producing an AIMS risk register that describes risks in general terms without linking each risk to a specific AI system and a specific treatment action — creating a compliance document rather than a decision tool.\n" }, "operation": { "description": "The organization implements controlled processes for AI development and deployment, including documentation requirements, change management, supplier AI requirements, and incident handling — all within the AIMS governance structure.\n", "example": "AI: \"For AIMS operation, I recommend implementing four process controls in the first 90 days: (1) AI system lifecycle documentation — model card or equivalent required before any AI system is deployed to production. (2) Change control — material AI system changes require a documented impact assessment before deployment. (3) Supplier AI requirements — third-party AI vendors must meet your AI policy minimums as a contract condition. 
(4) Incident logging — all AI incidents are logged and reviewed monthly by the AI management representative.\"\n", "antipattern": "Implementing AIMS documentation requirements without change control — allowing AI systems to be updated post-documentation without triggering a documentation update, leaving the AIMS records diverged from reality.\n" }, "performance": { "description": "The organization monitors AIMS effectiveness through KPIs, conducts the first internal audit within the implementation timeline, holds a management review that formally assesses AIMS performance, and identifies nonconformities for corrective action.\n", "example": "AI closes the implementation cycle: \"For the first internal audit, audit three areas: (1) Clause conformity — are all required AIMS elements implemented? (2) Operational effectiveness — are the process controls working as designed? Pull three AI system records and verify they meet the documentation requirements. (3) Risk register currency — are the risk entries up to date? Have treatments been implemented on schedule? Audit findings feed the first management review, which must produce a formal AIMS effectiveness decision from top management.\"\n", "antipattern": "Scheduling the first internal audit only in the week before the external certification assessment — treating it as a rehearsal rather than a genuine performance check.\n" } }, "score_hints": { "context": 0.2, "leadership": 0.2, "planning": 0.25, "operation": 0.25, "performance": 0.1 }, "summary": "", "tags": [ "iso-42001", "aims", "enterprise", "certification", "management-system" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "AIMS scope and gap assessment completed → leadership commitment and AI policy approved → risk assessment and objectives set → operational controls implemented → first internal audit conducted and management review held. 
Loops back to planning if operational implementation reveals unscoped risks.\n", "sequence": [ { "step": 1, "d": "context", "label": "Define AIMS scope and conduct gap assessment", "example_prompts": [ { "speaker": "human", "text": "We want to implement ISO 42001. Where do we start?" }, { "speaker": "ai", "text": "Start with a context and gap assessment before any documentation work. Three outputs needed: (1) AIMS scope document — which AI systems, which organizational units, which jurisdictions are in scope. (2) Interested parties register — who has a stake in the organization's AI activities? Include regulators, customers, employees, and AI suppliers. (3) Gap assessment — for each ISO 42001 clause, what currently exists and what is missing? This gives you a prioritized implementation roadmap rather than a generic project plan." }, { "speaker": "human", "text": "Scope: five production AI systems, EU and US operations, financial services sector. Gap assessment: no formal AI policy, no AI risk register, no incident logging." } ], "triggers_next": "AIMS scope defined; gap assessment complete with prioritized gaps." }, { "step": 2, "d": "leadership", "label": "Secure top management commitment and AI policy approval", "example_prompts": [ { "speaker": "human", "text": "How do we get the right leadership commitment for ISO 42001?" }, { "speaker": "ai", "text": "ISO 42001 requires documented top management commitment — not just verbal support. Deliverables: (1) AI policy document approved and signed by CEO. Policy must include: organizational commitment to responsible AI, key AI values and prohibited uses, and a commitment to continual improvement of the AIMS. (2) AI management representative named with formal authority. (3) AIMS budget approved in the current fiscal cycle. (4) AI risk added to the board/executive risk reporting cadence. I can draft the AI policy for CEO review — do you want a one-page or full policy document?" 
}, { "speaker": "human", "text": "Full policy document please. CEO review is next week." } ], "triggers_next": "AI policy approved; AI management representative named; budget allocated." }, { "step": 3, "d": "planning", "label": "Conduct AI risk assessment and set measurable objectives", "example_prompts": [ { "speaker": "human", "text": "How do we structure the risk assessment for all five AI systems?" }, { "speaker": "ai", "text": "Use a structured risk register with six columns per system: (1) System name and purpose. (2) Affected parties — who is impacted by this system's outputs? (3) Risk categories — fairness, privacy, safety, operational, legal. (4) Likelihood and impact score (1-5 scale). (5) Treatment option — accept, mitigate, avoid, or transfer. (6) Owner and target date. For objectives: set at least three AIMS-level objectives (e.g., 100% of new AI deployments have a model card by Q3; zero unlogged AI incidents by Q2; first internal audit completed by Q4). I'll draft the risk register template." }, { "speaker": "human", "text": "Risk register drafted. Three AIMS objectives approved by AI management rep." } ], "triggers_next": "Risk register complete; measurable AIMS objectives approved.", "loop_back": { "to": "planning", "condition": "Operational implementation reveals AI systems or risk categories not captured in the initial assessment.", "reason": "Planning documents must be updated before operational records can be accurate." } }, { "step": 4, "d": "operation", "label": "Implement operational process controls", "example_prompts": [ { "speaker": "human", "text": "Which operational controls should we implement first?" }, { "speaker": "ai", "text": "Prioritize by risk: (1) Model card requirement — implement within 30 days; all five existing systems need retrospective cards within 60 days. (2) Change control — any material AI system change requires a documented impact assessment before deployment; implement in the CI/CD pipeline. 
(3) Incident log — create a shared log, set a monthly review meeting with the AI management rep. (4) Supplier AI requirements — add an AI policy conformance clause to all new AI vendor contracts. These four controls address the most common ISO 42001 nonconformity findings in initial certification audits." }, { "speaker": "human", "text": "All four controls implemented. Model cards complete for four of five systems." } ], "triggers_next": "Operational controls implemented and documented." }, { "step": 5, "d": "performance", "label": "Conduct first internal audit and management review", "example_prompts": [ { "speaker": "human", "text": "We're approaching the first internal audit. What should it cover?" }, { "speaker": "ai", "text": "First internal audit scope: (1) Clause conformity check — walk through all ISO 42001 clauses and verify documented evidence exists for each. (2) Operational effectiveness sample — pull three AI system records (model card, change control log, incident log) and verify they meet the documented requirements. (3) Objective progress — are the three AIMS objectives on track? (4) Risk register currency — are treatments being implemented on schedule? Audit report goes to top management for the first formal management review. The review must produce a written AIMS effectiveness conclusion — not just minutes." }, { "speaker": "human", "text": "Internal audit complete. Two minor nonconformities found. Management review scheduled." } ], "triggers_next": "Internal audit complete; management review held; corrective actions assigned.", "can_restart": true } ], "transitions": [ { "from": "context", "to": "leadership", "trigger": "AIMS scope defined and gap assessment completed." }, { "from": "leadership", "to": "planning", "trigger": "AI policy approved and AI management representative named." }, { "from": "planning", "to": "operation", "trigger": "Risk register complete and AIMS objectives approved." 
}, { "from": "operation", "to": "planning", "trigger": "New AI systems or risk categories discovered during implementation.", "is_loop_back": true }, { "from": "operation", "to": "performance", "trigger": "Operational controls implemented and documented." }, { "from": "performance", "to": "context", "trigger": "Annual AIMS review cycle — reassess context and scope.", "is_cycle_restart": true } ] } }, { "id": "eu-conformity-assessment", "framework_id": "eu-ai-act", "title": "EU AI Act Conformity Assessment", "domain": "enterprise", "file": "enterprise-eu-conformity-assessment.yaml", "dimensions": { "risk-classification": { "description": "The conformity assessment begins by confirming that the risk classification is accurate and current — verifying the Annex III basis, the intended purpose as actually deployed, and whether any post-classification changes trigger a new assessment.\n", "example": "Compliance officer: \"We classified the system as high-risk six months ago. Do we need to re-confirm before the conformity assessment?\" AI: \"Yes — the conformity assessment must be based on the current deployed configuration, not the original classification. Three re-confirmation checks: (1) Has the system's intended purpose changed since classification? A widened scope may add Annex III categories. (2) Has the system been materially updated — new training data, new model version, new deployment geography? Material changes may require a new conformity assessment. (3) Has the regulatory environment changed? New harmonized standards or Commission guidance may affect which conformity pathway applies. 
Document each check with a 'confirmed' or 'change identified' status.\"\n", "antipattern": "Running the conformity assessment against the original classification document without re-confirming that the system has not changed materially in the intervening months — producing a conformity assessment that does not match the deployed system.\n" }, "transparency": { "description": "The conformity assessment audits the technical documentation package — technical file, instructions for use, logging specification, and user notification — for completeness, accuracy, and currency against the currently deployed system.\n", "example": "AI: \"Technical file audit checklist for the conformity assessment: (1) Completeness — does the file contain all required sections under Article 11? Check against the annex listing. (2) Currency — is every section current with the deployed system version? Compare the file's version timestamps against the deployment changelog. (3) Performance metrics accuracy — do the metrics in the file match the most recent production evaluation results? Pull the current production metrics and compare. (4) Instructions for use — are they in plain language accessible to the deployer's operational staff? Have deployers reviewed them? (5) User notification — is the notification mechanism live in production? Test it.\"\n", "antipattern": "Accepting the technical file at face value without auditing it against the deployed system — certifying documentation that describes a system that no longer exists in its original form.\n" }, "human-oversight": { "description": "The conformity assessment verifies that the human oversight mechanism meets Article 14's effectiveness standard — checking design, training, override capability, and production override rate evidence.\n", "example": "Human: \"Our conformity assessment auditor asked for evidence that human oversight is 'effective' under Article 14. 
What do we provide?\" AI: \"Four evidence items for Article 14 effectiveness: (1) Override capability — demonstrate the override function in a screen recording of the production system; show that an operator can pause or override the AI output without technical barriers. (2) Training records — provide completion records for all current operators showing they completed the oversight training program, including the module on the system's known failure modes. (3) Production override data — pull the past 90 days of override events: count, rate, and a sample of 5 override decisions with their documented reasons. (4) Operator survey — a brief survey asking operators: do they feel they understand the system's limitations well enough to know when to override? A confidence score below 70% is a red flag.\"\n", "antipattern": "Providing only the written oversight procedure as Article 14 evidence — demonstrating how oversight is supposed to work rather than evidence that it actually works in production.\n" }, "robustness": { "description": "The conformity assessment verifies that the robustness evidence meets the technical standards applicable to the system — checking whether harmonized standards were applied, what the current production performance metrics show, and whether cybersecurity is current.\n", "example": "AI: \"Robustness conformity check: (1) Harmonized standards — which harmonized European standard or common specification was applied? If no harmonized standard exists for the specific domain, document the alternative technical solution and its equivalence justification. (2) Performance currency — pull current production metrics, not just pre-deployment test results. High-risk systems must demonstrate continued accuracy in production, not just at launch. (3) Cybersecurity currency — is the penetration test result still valid (less than 12 months)? If not, commission a new test before the conformity assessment is closed. 
(4) Fairness metrics — are subgroup performance metrics still within the acceptable range in production? Model drift can widen disparity gaps post-deployment.\"\n", "antipattern": "Submitting pre-deployment robustness evidence for a conformity assessment of a system that has been in production for months — missing the possibility that model drift or production conditions have degraded performance below conformity thresholds.\n" }, "governance": { "description": "The conformity assessment produces the formal outputs required for lawful market deployment: the completed assessment record, the Declaration of Conformity, EU database registration confirmation, and the operational post-market monitoring system.\n", "example": "AI closes the conformity cycle: \"Conformity assessment closure: (1) Assessment record — document the assessment process: who conducted it, what was reviewed, what findings were identified and how resolved, and the final conformity conclusion. Retain for 10 years. (2) Declaration of Conformity — signed by the provider's authorized representative; includes system identification, conformity assessment basis, and applied standards. (3) EU database entry — verify the registration is current and complete; update if system details have changed since initial registration. (4) Post-market monitoring activation — confirm the monitoring system is live, the first review is scheduled, and the incident reporting escalation path has been tested end-to-end. 
Deployment is lawful when all four are complete.\"\n", "antipattern": "Signing the Declaration of Conformity before all assessment findings are resolved — treating the declaration as the last step in a checklist rather than the formal attestation that all requirements are met.\n" } }, "score_hints": { "risk-classification": 0.15, "transparency": 0.25, "human-oversight": 0.25, "robustness": 0.2, "governance": 0.15 }, "summary": "", "tags": [ "eu-ai-act", "conformity-assessment", "enterprise", "compliance", "high-risk" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Classification currency is re-confirmed before assessment begins → technical documentation is audited for completeness and currency → human oversight effectiveness is verified with production evidence → robustness evidence is checked for currency and standard alignment → assessment record, Declaration of Conformity, and database registration complete the governance closure.\n", "sequence": [ { "step": 1, "d": "risk-classification", "label": "Re-confirm classification currency before assessment", "example_prompts": [ { "speaker": "human", "text": "We're starting the conformity assessment for our hiring AI. Where do we begin?" }, { "speaker": "ai", "text": "Before any assessment work: re-confirm the classification is still accurate. Three checks: (1) System changes — pull the change log since the original classification. Any material change (new training data, new model version, new deployment geography) requires a classification review before the assessment proceeds. (2) Scope changes — has the system been used for purposes beyond the originally classified use? If yes, additional Annex III entries may apply. (3) Regulatory updates — have any Commission delegated acts or guidance documents been issued since the original classification that affect the Annex III interpretation for employment AI? Document each check with a status." 
}, { "speaker": "human", "text": "Classification confirmed current. One model update in the past 6 months — assessed as non-material. No scope changes. EU AI Office issued guidance on employment AI — reviewed and classification unaffected." } ], "triggers_next": "Classification currency confirmed; non-material change documented." }, { "step": 2, "d": "transparency", "label": "Audit technical documentation for completeness and currency", "example_prompts": [ { "speaker": "human", "text": "We have a technical file from the initial deployment. What do we audit?" }, { "speaker": "ai", "text": "Technical file audit — four checks: (1) Section completeness — walk through Article 11 Annex IV: does each required section exist? Flag missing sections as major findings. (2) Version currency — for each section, compare the document version date to the deployment changelog. Any section not updated since the last material change is a currency finding. (3) Performance metrics — pull current production evaluation results and compare to the metrics in the technical file. If production metrics have degraded more than 5% from the file's figures, update required. (4) User notification — test the notification mechanism in production: do applicants receive notification that AI is used in screening? Provide a test log as evidence." }, { "speaker": "human", "text": "Section completeness: all sections present. Currency issue: performance metrics section last updated 8 months ago. Notification: live and tested." } ], "triggers_next": "Technical file audit complete — performance metrics section requires update." }, { "step": 3, "d": "human-oversight", "label": "Verify oversight effectiveness with production evidence", "example_prompts": [ { "speaker": "human", "text": "The auditor wants Article 14 effectiveness evidence. What do we produce?" 
}, { "speaker": "ai", "text": "Four evidence items: (1) Override function demonstration — screen recording of an operator using the override in the production system (with test data). Duration: under 3 minutes. Shows: how the override is accessed, what information the operator sees, and what happens after override. (2) Training completion records — list of all current operators with training completion date and assessment score. Flag any operator with completion more than 18 months ago — refresher training may be required. (3) Override rate data — past 90 days: total AI recommendations, total overrides, override rate. Provide a table broken down by operator and week. (4) Operator survey results — what percentage of operators report confidence in knowing when to override? If below 70%, this is an Article 14 finding." }, { "speaker": "human", "text": "Override rate: 11%. Operator confidence: 82%. Training records current for all 12 operators." } ], "triggers_next": "Human oversight effectiveness evidenced — all four items compiled.", "loop_back": { "to": "risk-classification", "condition": "Oversight evidence reveals the system is being used in additional deployment contexts not covered by the current classification.", "reason": "New deployment contexts require classification re-review before the assessment can be completed." } }, { "step": 4, "d": "robustness", "label": "Verify robustness evidence currency and standard alignment", "example_prompts": [ { "speaker": "human", "text": "Our pre-deployment bias audit is 14 months old. Is it still valid for the conformity assessment?" }, { "speaker": "ai", "text": "A 14-month-old bias audit has two issues: (1) Currency — 12 months is the practical freshness threshold for employment AI bias audits; 14 months is borderline. Check if there have been model updates or population shifts in the past 14 months that could have changed the disparity profile. 
(2) Standard alignment — does the audit methodology align with any harmonized standard or Commission guidance issued in the past 14 months? If new guidance specifies a different disparity metric, the old audit may not satisfy it. Recommendation: commission a refresh audit scoped to the current production model version; it will be faster than the original since the methodology is established. The 14-month gap is a manageable finding, not a blocker, if you can show it was reviewed and no material change is expected." }, { "speaker": "human", "text": "Refresh bias audit commissioned. Cybersecurity penetration test: 9 months old — still valid." } ], "triggers_next": "Robustness evidence plan in place; refresh audit underway." }, { "step": 5, "d": "governance", "label": "Complete assessment record and conformity declaration", "example_prompts": [ { "speaker": "human", "text": "All findings are resolved. How do we close the conformity assessment?" }, { "speaker": "ai", "text": "Four closure actions: (1) Assessment record — document: assessment scope, methodology, all findings identified, evidence reviewed for each finding, resolution status. The record must be signed by the assessment lead and retained for 10 years. (2) Open findings — confirm all findings from steps 2-4 are resolved: technical file performance metrics updated, refresh bias audit complete and results acceptable, operator training refresh scheduled. No Declaration of Conformity until all major findings are closed. (3) Declaration of Conformity — signed by the provider's authorized representative. Contains: system name and version, Annex III basis, conformity assessment route, applied standards, assessment date, and authorized representative name and address. (4) EU database update — if any system details changed since initial registration (version, deployment scope), update the database entry. Confirm registration is current." }, { "speaker": "human", "text": "All findings closed. Declaration signed. 
EU database updated. Post-market monitoring active." } ], "triggers_next": "Conformity assessment complete; deployment lawful.", "can_restart": true } ], "transitions": [ { "from": "risk-classification", "to": "transparency", "trigger": "Classification currency confirmed." }, { "from": "transparency", "to": "human-oversight", "trigger": "Technical documentation audit complete." }, { "from": "human-oversight", "to": "risk-classification", "trigger": "New deployment contexts discovered — classification re-review required.", "is_loop_back": true }, { "from": "human-oversight", "to": "robustness", "trigger": "Oversight effectiveness evidenced." }, { "from": "robustness", "to": "governance", "trigger": "Robustness evidence plan in place." }, { "from": "governance", "to": "risk-classification", "trigger": "Material system change triggers new conformity assessment cycle.", "is_cycle_restart": true } ] } }, { "id": "responsible-ai-deployment", "framework_id": "wef-responsible-ai", "title": "Responsible AI Deployment", "domain": "enterprise", "file": "enterprise-responsible-ai-deployment.yaml", "dimensions": { "strategy": { "description": "Before engineering begins, the deployment is evaluated against the organization's AI strategy — confirming it serves the mission, is consistent with stated values, and would pass the organization's own purpose test.\n", "example": "Product manager: \"We want to add an AI feature that recommends premium subscription upgrades to users based on their engagement patterns. Does this pass the purpose test?\" AI: \"Apply the purpose test: (1) Who is the primary beneficiary — the user getting a relevant recommendation, or the organization increasing revenue? If the recommendation is optimized for conversion rather than user value, the primary beneficiary is the organization. (2) Is this consistent with your stated AI values? Pull your AI policy and check. 
(3) If this feature were reported in a consumer protection context tomorrow, would it be defensible? A recommendation engine that targets high-engagement users for upselling — particularly if those users are in vulnerable demographics — may not be. Flag for ethics review.\"\n", "antipattern": "Beginning engineering work on an AI feature before evaluating whether it serves the organization's stated purpose — discovering mission alignment issues when the feature is already built and deployment pressure is high.\n" }, "governance": { "description": "The deployment passes through the organization's ethics review gate — with a completed intake form, a board decision, and any conditions documented in the deployment plan before a single line of production code is written.\n", "example": "AI: \"Governance checklist for this deployment: (1) Ethics intake form completed — does the feature trigger mandatory review criteria? If it targets behavior patterns linked to engagement (potentially addictive behavior), it may trigger the 'individual impact in a sensitive context' criterion. (2) Ethics board review — if triggered, submit the intake form before engineering sprint planning. 
(3) Conditions documented — if the board approves with conditions (e.g., exclude users below a usage frequency threshold), those conditions are written into the product spec as non-negotiable requirements, not post-launch enhancements.\"\n", "antipattern": "Submitting to ethics review after the feature is built — when conditions imposed by the board require architectural changes that are expensive to implement, creating pressure to water down or ignore the conditions.\n" }, "risk-ethics": { "description": "The product team conducts a focused ethical risk assessment before the ethics board review — identifying the three most significant ethical risks and proposed mitigations, so the board can focus on evaluation rather than discovery.\n", "example": "Human: \"The ethics intake form asks for our three biggest ethical risks. What are they for a subscription upsell AI?\" AI: \"Three material ethical risks: (1) Targeting vulnerability — if high engagement correlates with addictive behavior patterns, targeting these users for upselling raises a harm question. Mitigation: exclude users flagged by the safety or wellness team. (2) Dark patterns — if the recommendation is displayed in a way that makes it hard to dismiss, it may cross into manipulative design. Mitigation: design review with UX ethics checklist. (3) Data use beyond original consent — were users told their engagement data would be used for upsell targeting? 
Mitigation: check consent terms; add explicit disclosure if not covered.\"\n", "antipattern": "Listing only compliance risks (GDPR, data minimization) in the ethics assessment while omitting behavioral and mission alignment risks — producing a legally safe product that is ethically questionable.\n" }, "implementation": { "description": "Ethics board conditions are implemented as engineering requirements — not as optional enhancements — and the deployment includes responsible AI operational controls: fairness checks, bias testing, and a documented override pathway for the ethics conditions.\n", "example": "AI: \"Ethics conditions to engineering requirements: (1) Exclusion list — 'Exclude users in the safety flag category from recommendation targeting' becomes: a safety_flag boolean check in the recommendation service, tested in CI, and verified in the deployment QA checklist. (2) Disclosure — 'Add explicit disclosure that engagement data is used for recommendations' becomes: a UI string approved by legal and product, required on the recommendation card before launch. (3) Override monitoring — set up a dashboard tracking exclusion list coverage and disclosure click-through rate. 
Any deviation from expected metrics triggers a responsible AI incident.\"\n", "antipattern": "Documenting ethics board conditions in a decision log but not converting them into engineering tickets with acceptance criteria — allowing conditions to be 'completed' without verification that they were actually implemented.\n" }, "accountability": { "description": "Ninety days post-launch, the product team reports back to the ethics board with outcome data — verifying that conditions were met, that no unexpected ethical harms emerged, and that the feature is performing consistently with the responsible AI commitments made before deployment.\n", "example": "AI closes the cycle: \"90-day accountability report structure: (1) Condition verification — for each ethics board condition, provide evidence of implementation: exclusion list coverage rate, disclosure display rate. (2) Outcome metrics — what happened? Conversion rate, exclusion rate, and any complaints or escalations related to the feature. (3) Unexpected harms — were any ethical issues identified post-launch that were not anticipated in the risk assessment? If yes, what action was taken? (4) Forward plan — is the feature performing within the ethical parameters approved? Any changes planned that would require a new ethics review? 
The 90-day report is the accountability mechanism that closes the loop — without it, deployment is a one-way gate.\"\n", "antipattern": "Treating the ethics board approval as permanent and never reporting back — allowing a feature to evolve post-launch in ways that move it outside the ethical parameters it was approved under, with no governance visibility.\n" } }, "score_hints": { "strategy": 0.2, "governance": 0.25, "risk-ethics": 0.2, "implementation": 0.25, "accountability": 0.1 }, "summary": "", "tags": [ "responsible-ai", "deployment", "enterprise", "wef", "product" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Deployment passes purpose test before engineering begins → ethics intake form and board review completed before sprint planning → product team conducts focused ethical risk assessment as board input → ethics conditions are converted to engineering requirements → 90-day post-launch accountability report closes the loop. Loops back to governance if risk assessment reveals risks requiring board guidance before conditions can be specified.\n", "sequence": [ { "step": 1, "d": "strategy", "label": "Apply purpose test before engineering begins", "example_prompts": [ { "speaker": "human", "text": "We're planning an AI feature for the next sprint. What's the responsible AI process?" }, { "speaker": "ai", "text": "Before any sprint planning: apply the purpose test to the feature. Three questions: (1) Does this feature primarily serve the user or primarily serve the organization's financial metrics? If the answer is unclear or mixed, that is a flag. (2) Is this feature consistent with the organization's AI policy commitments — specifically the values and prohibited use cases listed? (3) If a journalist covered this feature in the context of 'AI companies manipulating users,' would we be comfortable with how it is described? 
If the answer to any of these is 'no' or 'uncertain,' the feature requires ethics board review before sprint planning. Document the purpose test result in the feature spec." }, { "speaker": "human", "text": "Purpose test result: primary beneficiary is mixed — some user value, some upsell optimization. Flagged for ethics review before sprint." } ], "triggers_next": "Purpose test completed; feature flagged for ethics review." }, { "step": 2, "d": "governance", "label": "Complete ethics intake and obtain board decision", "example_prompts": [ { "speaker": "human", "text": "We need to submit to the ethics board. What does the intake form need?" }, { "speaker": "ai", "text": "One-page intake form: (1) Feature description — what does the AI do, what data does it use, who are the users? (2) Mandatory review trigger — which criterion triggered review? (3) Three ethical risks — the product team's own assessment of the top three risks. (4) Proposed mitigations — what has the product team already designed to address each risk? (5) Timeline — when is the feature planned for launch? The board needs 72 hours minimum for async review; 5 business days for a full session. Submit now — before sprint planning, not after the sprint is 80% complete." }, { "speaker": "human", "text": "Intake form submitted. Board async review requested. 72-hour window started." } ], "triggers_next": "Ethics intake submitted; board review in progress.", "loop_back": { "to": "risk-ethics", "condition": "Board requests additional risk analysis before issuing a decision.", "reason": "Board guidance on specific risk dimensions must inform the risk assessment before conditions can be set." } }, { "step": 3, "d": "risk-ethics", "label": "Conduct focused ethical risk assessment as board input", "example_prompts": [ { "speaker": "human", "text": "The board wants a deeper risk analysis on the targeting and data consent risks. What do we provide?" 
}, { "speaker": "ai", "text": "For targeting risk: (1) Pull engagement distribution data — what percentage of targeted users are in the top 10% of engagement? Is that distribution correlated with any demographic variables? (2) Define 'high engagement' operationally — is it time spent, frequency, or a behavioral pattern? If time spent, is there a threshold above which targeting becomes potentially exploitative? (3) For data consent: pull the current consent terms — what did users consent to when they signed up? Provide the exact text to the board. If engagement data for targeting is not covered, identify when the next consent refresh is scheduled. The board needs evidence, not narrative." }, { "speaker": "human", "text": "Engagement data: top 10% skews younger, 18-24 demographic. Consent terms: engagement data for targeting not explicitly covered. Both findings submitted to board." } ], "triggers_next": "Risk analysis with evidence submitted to board." }, { "step": 4, "d": "implementation", "label": "Convert ethics conditions to engineering requirements", "example_prompts": [ { "speaker": "human", "text": "The board approved with three conditions. How do we make sure they are implemented?" }, { "speaker": "ai", "text": "Convert each condition to an engineering ticket with an acceptance criterion: (1) Condition: 'Exclude users under 21 from targeting.' Ticket: Add age_gate check (age < 21 → exclude from recommendation cohort). Acceptance: unit test passes; QA verifies exclusion in staging with test accounts. (2) Condition: 'Update consent terms before launch.' Ticket: Legal drafts consent update; product adds consent re-affirmation flow for existing users. Acceptance: legal sign-off and consent re-affirmation completion rate >80% before feature activates. (3) Condition: 'Add responsible AI monitoring dashboard.' Ticket: Dashboard showing exclusion coverage rate and consent completion rate. Acceptance: dashboard live in production with alert thresholds set. 
No deployment gate closes until all three acceptance criteria are verified." }, { "speaker": "human", "text": "Three engineering tickets created with acceptance criteria. Added to sprint as blocking requirements." } ], "triggers_next": "Ethics conditions converted to blocking engineering requirements." }, { "step": 5, "d": "accountability", "label": "Submit 90-day post-launch accountability report", "example_prompts": [ { "speaker": "human", "text": "It's been 90 days since launch. What does the ethics board report need?" }, { "speaker": "ai", "text": "90-day report: (1) Condition verification — exclusion rate: X% of users excluded via age gate (expected >5% for 18-24 skewed user base). Consent re-affirmation rate: 87% (above 80% threshold). Monitoring dashboard: live with zero alert triggers. (2) Outcome metrics — conversion rate among targeted users: +12%. No complaints or escalations related to the feature in support tickets or social media. (3) Unexpected issues — the exclusion logic had a bug for 3 days post-launch; 340 users under 21 were incorrectly included. Bug fixed within 72 hours; incident logged. (4) Forward plan — no planned changes that would require new ethics review. Feature performing within approved parameters. This report is submitted to the board chair and logged in the decision record." }, { "speaker": "human", "text": "Report submitted. Board acknowledges and closes the review cycle." } ], "triggers_next": "90-day report submitted; ethics review cycle closed.", "can_restart": true } ], "transitions": [ { "from": "strategy", "to": "governance", "trigger": "Purpose test flags feature for ethics review." }, { "from": "governance", "to": "risk-ethics", "trigger": "Board requests additional risk analysis.", "is_loop_back": true }, { "from": "governance", "to": "implementation", "trigger": "Board approves with conditions." }, { "from": "risk-ethics", "to": "governance", "trigger": "Risk analysis with evidence submitted to board." 
}, { "from": "implementation", "to": "accountability", "trigger": "All ethics conditions implemented and verified." }, { "from": "accountability", "to": "strategy", "trigger": "Feature changes or new AI deployment trigger new cycle.", "is_cycle_restart": true } ] } }, { "id": "ai-cultural-heritage-preservation", "framework_id": "unesco-ai-ethics", "title": "AI for Cultural Heritage Preservation", "domain": "general", "file": "general-ai-cultural-heritage-preservation.yaml", "dimensions": { "human-dignity": { "description": "The institution ensures that AI-assisted heritage digitization and description respects the cultural dignity of source communities — including their right to determine how their heritage is represented, who has access to it, and whether certain sacred or sensitive materials should be excluded from AI processing.\n", "example": "Project lead: \"We are digitizing 40,000 ethnographic photographs using AI tagging. What dignity issues should we address?\" AI: \"Four dignity considerations before deploying AI on ethnographic materials: (1) Source community consent — have the communities whose heritage is depicted been consulted about AI processing of these images? Consent for original archiving does not extend to AI analysis. (2) Sacred or restricted materials — some communities restrict who may view certain ceremonial objects or images. AI tagging and search could make restricted materials publicly discoverable. (3) Representation — AI object recognition systems are known to mislabel and stereotype non-Western cultural objects. Human expert review by community members is required. 
(4) Repatriation alignment — if communities have outstanding repatriation claims, AI accessibility projects must not undermine those claims by creating commercial derivatives.\"\n", "antipattern": "Using AI to automate description and public access for ethnographic collections without consulting source communities — treating cultural objects as data assets rather than living heritage with community rights.\n" }, "environment": { "description": "The project chooses AI approaches that minimize computational waste — preferring efficient, task-specific models over large general-purpose ones for digitization and cataloging tasks that do not require general intelligence.\n", "example": "AI: \"For cultural heritage digitization, three efficient AI choices: (1) For optical character recognition of manuscripts — use a domain-specific OCR model trained on historical scripts rather than a large language model; the task is well-defined and the efficiency difference is significant. (2) For image tagging — a fine-tuned vision model on your specific collection domain uses a fraction of the compute of a general-purpose multimodal model. (3) For metadata generation — use AI to draft, with mandatory human expert review, rather than full automation; this reduces both compute and error costs.\"\n", "antipattern": "Deploying large general-purpose AI models for well-defined cataloging tasks (OCR, classification, tagging) where specialized efficient models would produce equivalent or better results at a fraction of the environmental cost.\n" }, "privacy": { "description": "The project protects the privacy of living individuals who may appear in heritage materials — particularly photographs — and respects community data sovereignty over materials that belong culturally to specific groups.\n", "example": "Human: \"Our collection includes photographs of living community members from the 1960s–1990s. 
Can we use AI facial recognition for cataloging?\" AI: \"No — facial recognition on living individuals without consent is a serious privacy violation under GDPR and most data protection laws, regardless of the cultural heritage context. For the photography collection: (1) Do not use facial recognition for any image that could contain living individuals. (2) For deceased individuals, check jurisdiction-specific rules — some protect images of recently deceased persons. (3) For community data sovereignty — consult with the communities whether they consider community-wide images to be personal community data requiring collective consent, not just individual consent.\"\n", "antipattern": "Using AI facial recognition on heritage photography collections on the assumption that historical context removes privacy obligations — missing both legal requirements and the deeper community sovereignty dimension.\n" }, "transparency": { "description": "The institution is transparent with the public, researchers, and source communities about what AI was used, what it produced, how it was validated, and what the known error rates and limitations are for AI-generated metadata.\n", "example": "AI: \"For the public-facing collection, add an AI disclosure banner: 'Descriptive metadata for this collection was generated with AI assistance and reviewed by human curators. AI-generated descriptions may contain errors; report corrections using the feedback link below.' For researchers, provide a methodology document: which AI tools were used, what the validation process was, and what the estimated error rate is for different material types. 
For source communities, provide a separate report in accessible language explaining what AI did and did not do to their heritage.\"\n", "antipattern": "Presenting AI-generated heritage metadata as authoritative curatorial description without disclosing its AI origin, known error rates, or the validation process — misleading researchers and the public about the metadata's reliability.\n" }, "accountability": { "description": "The project establishes a community advisory board with real authority over how AI-processed heritage materials are described, accessed, and used — including the right to request removal or restriction of specific materials.\n", "example": "AI closes the cycle: \"Community accountability governance for the heritage AI project: (1) Community advisory board — one representative per source community with materials in scope; meets quarterly; has authority to request removal, restriction, or reclassification of any item. (2) Correction pathway — public-facing feedback tool for reporting AI metadata errors; institution commits to review within 30 days. (3) Annual community report — published in accessible language describing what AI produced, what was corrected, and what will change in the next year. 
(4) Commercial use prohibition — AI-processed heritage materials may not be licensed for commercial use without separate community consent.\"\n", "antipattern": "Creating a heritage AI project with an academic advisory board of heritage scholars but no representation from the source communities whose cultural materials are being processed — producing governance that serves institutional interests over community rights.\n" } }, "score_hints": { "human-dignity": 0.35, "environment": 0.1, "privacy": 0.2, "transparency": 0.2, "accountability": 0.15 }, "summary": "", "tags": [ "cultural-heritage", "general", "digitization", "community-rights", "unesco" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Source community consultation determines which materials may be AI-processed and under what conditions → efficient AI tools are selected to minimize environmental footprint → privacy protections are designed for living individuals and community data sovereignty → public transparency disclosure is prepared → community advisory board with real authority is established before launch.\n", "sequence": [ { "step": 1, "d": "human-dignity", "label": "Consult source communities on consent and access restrictions", "example_prompts": [ { "speaker": "human", "text": "We want to use AI to catalog 40,000 ethnographic photographs. Where do we start?" }, { "speaker": "ai", "text": "Before any AI processing: identify the source communities for each collection segment and initiate consultation. The consultation must address four questions: (1) Do community members consent to AI processing of these materials — including object recognition, automated description, and public search indexing? (2) Are any materials sacred, restricted, or ceremonially sensitive and should be excluded from AI processing? 
(3) Who from the community has authority to give consent — an individual elder, a cultural council, a formal governance body? (4) What are the community's conditions for participation — do they want co-authorship of descriptions, veto over public access, or a separate community-controlled access layer? This consultation cannot be replaced by a website notice or opt-out form." }, { "speaker": "human", "text": "Three communities identified. Two agreed to participate with restrictions. One requested all their materials be excluded from AI processing until a formal agreement is signed." } ], "triggers_next": "Community consent and access restrictions documented per collection segment." }, { "step": 2, "d": "environment", "label": "Select efficient AI tools proportionate to the task", "example_prompts": [ { "speaker": "human", "text": "Our vendor recommends using GPT-4V for image description across all 40,000 photographs. Is that the right choice?" }, { "speaker": "ai", "text": "That is likely over-engineered and environmentally wasteful for this task. For heritage photograph description, compare three options: (1) A fine-tuned domain-specific vision model trained on similar cultural collections — higher accuracy for your specific material types, significantly lower compute per image. (2) GPT-4V — high general capability but expensive and energy-intensive at 40,000 images; better suited for complex or ambiguous edge cases. (3) Hybrid — use the efficient model for 90% of straightforward images, route ambiguous or complex cases to the larger model. The hybrid approach is both the most accurate and the most environmentally responsible. Estimate compute cost for all three before deciding." }, { "speaker": "human", "text": "Hybrid approach approved. Efficient model handles standard catalog; GPT-4V handles complex or ambiguous cases." } ], "triggers_next": "AI tooling selected with environmental efficiency rationale documented." 
}, { "step": 3, "d": "privacy", "label": "Design privacy protections for individuals and community data", "example_prompts": [ { "speaker": "human", "text": "Many photographs include identifiable people, some of whom may still be living. How do we handle this?" }, { "speaker": "ai", "text": "Three-tier privacy approach: (1) Living individuals — do not use facial recognition. For photographs estimated to include living individuals (roughly 1960s onward), manually review before AI processing. If AI is used for description, configure the model to describe the scene without identifying individuals. (2) Recently deceased — check applicable law; some jurisdictions protect image rights for 70 years post-death. (3) Community data sovereignty — for materials depicting community ceremonies or practices, the entire community's collective consent is required for AI processing and public access, not just the consent of individuals pictured. Document the privacy approach per collection segment and make it auditable." }, { "speaker": "human", "text": "Facial recognition disabled. 1960s onward photographs flagged for manual review before AI processing." } ], "triggers_next": "Privacy controls implemented per collection segment with documented rationale." }, { "step": 4, "d": "transparency", "label": "Prepare AI disclosure for public, researchers, and communities", "example_prompts": [ { "speaker": "human", "text": "How do we disclose the AI's role in our catalog to different audiences?" }, { "speaker": "ai", "text": "Three disclosure levels: (1) Public-facing — banner on every AI-assisted record: 'Description generated with AI assistance and reviewed by a human curator. Estimated error rate: 8% for object classification, 12% for cultural context. Report corrections below.' (2) Researcher methodology document — AI tools used, training data sources, validation methodology, error rates by material type, and human review process. Posted in the collection's methodology section. 
(3) Community report — plain-language summary for each source community: what AI did to their heritage materials, what restrictions are enforced, and how to request corrections or restrictions. Delivered in the community's primary language if possible." }, { "speaker": "human", "text": "All three disclosure documents drafted. Community reports translated into two languages." } ], "triggers_next": "Transparency documents prepared for all three audiences.", "loop_back": { "to": "human-dignity", "condition": "Community review of AI-generated descriptions reveals systematic misrepresentation of cultural objects.", "reason": "Systematic misrepresentation is a dignity issue requiring community re-consultation before public access." } }, { "step": 5, "d": "accountability", "label": "Establish community advisory board with real authority", "example_prompts": [ { "speaker": "human", "text": "How do we build genuine community accountability into the project governance?" }, { "speaker": "ai", "text": "Community advisory board structure: (1) Composition — one representative per source community, appointed by the community (not by the institution). Two academic heritage experts. One digital rights specialist. Chair rotates annually. (2) Authority — the board has binding authority to: request removal or access restriction of any item; reject AI-generated descriptions for culturally sensitive materials; approve or reject any secondary use of the digitized collection. Recommendations must be implemented within 60 days. (3) Quarterly reporting — institution provides the board with: AI error reports, correction log, access statistics, any commercial use requests. (4) Public correction channel — anyone can report AI metadata errors; institution commits to 30-day review and public correction log." }, { "speaker": "human", "text": "Community advisory board established with binding authority charter. First meeting scheduled." 
} ], "triggers_next": "Community advisory board operational with binding authority.", "can_restart": true } ], "transitions": [ { "from": "human-dignity", "to": "environment", "trigger": "Community consent documented and access restrictions defined." }, { "from": "environment", "to": "privacy", "trigger": "AI tooling selected with environmental rationale." }, { "from": "privacy", "to": "transparency", "trigger": "Privacy controls implemented per collection segment." }, { "from": "transparency", "to": "human-dignity", "trigger": "AI descriptions show systematic cultural misrepresentation — re-consult communities.", "is_loop_back": true }, { "from": "transparency", "to": "accountability", "trigger": "Transparency documents prepared for all audiences." }, { "from": "accountability", "to": "human-dignity", "trigger": "Annual review cycle — community re-consultation on scope changes.", "is_cycle_restart": true } ] } }, { "id": "email-writing", "framework_id": "4d-framework", "title": "Professional Email Writing with AI", "domain": "general", "file": "general-email-writing.yaml", "dimensions": { "delegation": { "description": "Decide whether AI should produce the full draft or only assist with structure, tone, or phrasing. High-stakes emails (termination notices, executive communications, sensitive negotiations) should remain human-led with AI as an editor at most. Routine emails (meeting requests, status updates, acknowledgment replies) are strong candidates for full AI drafting.", "example": "A manager uses AI to draft a meeting invitation and a project status update, then writes a performance feedback email herself because it requires nuanced personal knowledge of the employee's growth journey.", "antipattern": "Delegating every email including sensitive HR communications, client dispute responses, or apology letters entirely to AI without assessing the relationship stakes or the potential for misrepresentation." 
}, "description": { "description": "Provide AI with the full context it needs to draft an effective email — recipient relationship, communication purpose, desired tone, relevant background, and any constraints on length or formality. The quality of the draft is directly proportional to the richness of the context you provide.", "example": "Prompt: 'Draft a follow-up email to Sarah Chen, our enterprise client at Meridian Corp. We met Tuesday to discuss their Q3 data migration delay. Tone: professional but warm — we have a 3-year relationship. Acknowledge the delay empathetically, confirm next steps (kick-off call Friday 2pm), and close with confidence. Keep it under 200 words.'", "antipattern": "Prompting with only: 'Write an email to my client about the project delay.' This gives AI no information about tone, relationship history, specific facts, or the desired outcome, resulting in a generic template that fails to represent the actual situation." }, "discernment": { "description": "After receiving the AI draft, carefully evaluate whether the tone matches the real relationship, whether all factual claims are accurate, whether the intent is captured correctly, and whether the email could be misinterpreted. Read it as the recipient would, not as the author.", "example": "A marketing director reviews an AI-drafted client email and notices the phrase 'as we discussed' refers to a meeting that hasn't happened yet — a factual error the AI introduced. She corrects the timeline before sending.", "antipattern": "Copying the AI draft directly into the email client and hitting send without reading it through the recipient's eyes, missing tone mismatches (e.g., too formal for a casual colleague) or factual inaccuracies introduced by the model." }, "diligence": { "description": "Take responsibility for the email you send regardless of how it was drafted. In professional contexts, consider whether AI-assisted drafting should be disclosed. 
Verify all facts, names, dates, and commitments in the email before sending. Your name on the email means you own the content.", "example": "A consultant discloses in her firm's engagement letter that AI tools assist with drafting client communications, and she maintains a personal checklist — verify dates, names, attachments, and factual claims — that she runs on every AI-assisted email before sending.", "antipattern": "Sending an AI-drafted email containing an incorrect meeting date, a misspelled client name, or a commitment you didn't actually make, because you assumed the AI had accurate information and skipped personal review." } }, "score_hints": { "delegation": 0.2, "description": 0.35, "discernment": 0.25, "diligence": 0.2 }, "summary": "Decide whether AI should produce the full draft or only assist with structure, tone, or phrasing. High-stakes emails (termination notices, executive communications, sensitive negotiations) should remain human-led with AI as an editor at most.", "tags": [ "email", "professional-communication", "drafting", "workplace" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "linear", "description": "Human delegates email drafting, provides recipient context and goal, evaluates AI draft for tone and accuracy, then sends — single-pass for routine communication.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define AI's drafting role", "example_prompts": [ { "speaker": "human", "text": "Draft a follow-up email to a prospect after a demo call. You write the body — I'll adjust the opening and sign-off." }, { "speaker": "ai", "text": "Should I include next steps or leave that for you to add?" }, { "speaker": "human", "text": "Propose next steps — I'll confirm or modify them." } ], "triggers_next": "AI's drafting scope and human adjustment responsibility agreed." 
}, { "step": 2, "d": "description", "label": "Provide recipient and goal context", "example_prompts": [ { "speaker": "human", "text": "Recipient is the VP of Engineering at a mid-size SaaS company. They seemed interested in the security features. Goal: schedule a technical deep-dive." }, { "speaker": "ai", "text": "Should I reference the specific feature they asked about?" }, { "speaker": "human", "text": "Yes — mention the SSO integration they asked about." } ], "triggers_next": "AI has recipient profile, goal, and specific talking point." }, { "step": 3, "d": "discernment", "label": "Evaluate draft for tone and accuracy", "example_prompts": [ { "speaker": "human", "text": "The opening is too casual — this is a VP, not a peer. Adjust tone." }, { "speaker": "ai", "text": "Revised to a more formal but still warm register. Does this work?" }, { "speaker": "human", "text": "Yes. Also change 'our best feature' to 'the SSO integration' — more specific." } ], "triggers_next": "Draft validated for tone, accuracy, and specificity." }, { "step": 4, "d": "diligence", "label": "Final review and send", "example_prompts": [ { "speaker": "human", "text": "Re-reading in full — looks good. Sending." }, { "speaker": "human", "text": "Logging in CRM with AI-draft tag for tracking." } ], "triggers_next": "Email sent. Next communication requires a fresh cycle." } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Drafting scope agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers draft." }, { "from": "discernment", "to": "diligence", "trigger": "Draft validated." 
}, { "from": "diligence", "to": "delegation", "trigger": "Next email — fresh cycle.", "is_cycle_restart": true } ] } }, { "id": "idea-to-action-with-ai-personas", "framework_id": "4d-framework", "title": "From Idea to Action: AI as a Complementary Expert Panel", "domain": "general", "file": "general-idea-to-action-with-ai-personas.yaml", "dimensions": { "delegation": { "description": "The human owns the idea and all decisions about direction and viability. AI is granted autonomy to roleplay expert personas and surface blind spots, but never to decide whether the idea is good or should proceed. Persona selection is negotiated explicitly at the start of each session.\n", "example": "Amara says: \"I have an idea for a community food hub. I don't have a business background. Can you act as a business model strategist and ask me the ten questions an investor would ask — but explain each one in plain language before asking it?\" AI responds: \"Understood. I'll act as a business strategist who explains jargon before using it. You decide which questions matter for your context. Ready when you are.\"\n", "antipattern": "Letting AI declare the idea \"viable\" or \"not viable\" without the human having verified the assumptions the AI used to reach that judgment.\n" }, "description": { "description": "The human describes the idea in their own words — not in technical or business language — and explicitly names what they know, what they don't know, and which expertise gaps they feel most exposed by. The AI uses this to assemble the right persona(s) for the session.\n", "example": "\"I want to create a space where local farmers sell directly to urban families. I know the neighborhood. I don't know how food regulations work, how to price things, or whether anyone has tried this and failed. 
I feel most lost on the legal and financial side.\" AI: \"I'll play three roles for you: a food-sector regulatory guide (plain language, no legal advice), a pricing strategist, and a 'what-went-wrong' researcher who will surface similar initiatives that struggled and why.\"\n", "antipattern": "AI adopting a single generic \"expert\" persona without asking which expertise gaps the human actually feels, leading to answers that are confident but miss the real blind spots.\n" }, "discernment": { "description": "The human explicitly challenges AI outputs before accepting them. For each key claim the AI makes — market size, regulatory summary, pricing model — the human asks: \"How confident are you? What would change this answer? Can you show me a counter-argument?\" AI is prompted to flag its own uncertainty rather than maintain a persona of false authority.\n", "example": "AI (as pricing strategist): \"A 15–20% margin on fresh produce is typical for direct-to-consumer models.\" Human: \"Are you sure about that? Where would that figure break down?\" AI: \"Good push. That figure holds for established platforms with volume. A new, low-volume hub could see margins squeezed to 5–8% in the first year. I'd recommend verifying this with a local food-sector operator before using it in any plan.\"\n", "antipattern": "Human accepting AI's persona-delivered facts as expert knowledge without asking for confidence levels or sources — the persona voice creates an illusion of authority that plain-text answers do not.\n" }, "diligence": { "description": "Before any idea output (pitch, plan, financial model, regulatory checklist) is used in the real world, the human must route at least one AI-generated claim per domain through a real-world check: a practitioner conversation, a public database, a regulatory body. 
The AI closes each session by naming the specific claims that need external validation and by whom.\n", "example": "AI closes the session: \"Three claims in today's session need verification before you act on them: (1) the 20% margin figure — validate with a farmer's market operator; (2) the food safety certification requirement — confirm with your local health authority; (3) the 'community hub grant' I mentioned — check availability with your municipal economic development office. These are the three things I cannot verify for you.\"\n", "antipattern": "Human treating the AI session output as a completed plan, moving to execution without validating the domain-specific claims that the AI surfaced under persona authority.\n" } }, "score_hints": { "delegation": 0.2, "description": 0.3, "discernment": 0.3, "diligence": 0.2 }, "summary": "The human owns the idea and all decisions about direction and viability. AI is granted autonomy to roleplay expert personas and surface blind spots, but never to decide whether the idea is good or should proceed.", "tags": [ "ideation", "entrepreneurship", "persona", "non-technical", "innovation", "strategy", "complementary-expertise" ], "contributor": "Dr. Faïçal CONGO", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Human shares raw idea and named gaps → AI assembles personas → AI probes and surfaces blind spots → Human challenges outputs → AI closes with a specific validation checklist → Human validates before acting. Loops back to Description if the human's framing shifts during the session.\n", "sequence": [ { "step": 1, "d": "delegation", "label": "Negotiate persona scope", "example_prompts": [ { "speaker": "human", "text": "\"I have an idea but I'm out of my depth on the business and technical sides. Can you play the roles I'm missing and ask me the hard questions without overwhelming me with jargon?\"\n" }, { "speaker": "ai", "text": "\"Yes. 
Tell me your idea in plain words, then tell me what you know well and what feels most unclear. I'll assemble the right roles and explain what each one will do before starting.\"\n" } ], "triggers_next": "Persona roles and autonomy limits agreed" }, { "step": 2, "d": "description", "label": "Human frames idea and gaps", "example_prompts": [ { "speaker": "human", "text": "\"I want to build X. I know Y. I don't know Z. The part that scares me most is [financial / legal / technical / market].\"\n" }, { "speaker": "ai", "text": "\"Understood. I'll play [role A], [role B], and [role C]. [Role A] will handle [domain]. I'll flag when I'm uncertain and ask you before making assumptions.\"\n" } ], "triggers_next": "AI has enough context to begin structured probing", "loop_back": { "to": "delegation", "condition": "Idea scope shifts significantly during probing", "reason": "Persona mix may need to change if the core idea changes" } }, { "step": 3, "d": "discernment", "label": "Human challenges AI persona outputs", "example_prompts": [ { "speaker": "human", "text": "Are you confident about that? What would make that wrong?" }, { "speaker": "ai", "text": "\"My confidence here is [low/medium/high] because [reason]. This would break down if [condition]. I'd recommend verifying [specific claim] with [specific source type] before using it.\"\n" } ], "triggers_next": "Human accepts output with named uncertainties acknowledged" }, { "step": 4, "d": "diligence", "label": "AI delivers validation checklist", "example_prompts": [ { "speaker": "ai", "text": "\"Before you act on anything from this session, validate these three claims: [claim 1] — check with [source]; [claim 2] — confirm via [source]; [claim 3] — speak to [practitioner type]. These are the things I cannot verify for you.\"\n" }, { "speaker": "human", "text": "Understood. I'll take [claim 1] to [person/source] this week." 
} ], "triggers_next": "Human has a concrete validation action for each AI-sourced claim", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Persona scope agreed and autonomy limits set" }, { "from": "description", "to": "discernment", "trigger": "AI has enough framing to begin probing" }, { "from": "discernment", "to": "diligence", "trigger": "Human has challenged outputs and acknowledged uncertainties" }, { "from": "description", "to": "delegation", "trigger": "Idea scope shifted — persona mix needs renegotiation", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "New idea dimension emerges after validation", "is_cycle_restart": true } ] } }, { "id": "iterative-refinement-loop", "framework_id": "4d-framework", "title": "Description-Discernment Iterative Refinement Loop", "domain": "general", "file": "general-iterative-refinement-loop.yaml", "dimensions": { "delegation": { "description": "Treat AI as a co-creator in an ongoing dialogue, not a one-shot command executor. The first AI output is a draft that begins a conversation, not an end product. Structure your workflow so that each AI output triggers a human evaluation, which generates a refined prompt, which produces a better output — repeating until the result meets your standard. 
This iterative posture is the fundamental AI collaboration pattern across all domains.", "example": "A product manager uses AI to draft a feature brief, evaluates it, identifies three gaps (missing user persona context, weak success metrics, no edge case consideration), feeds those gaps back into a refined prompt, gets a second draft, and repeats twice more until the brief meets her standard — treating each cycle as a productive step, not a failure.", "antipattern": "Running a single AI prompt, receiving an output that is clearly incomplete or off-target, and then either submitting that output as-is or abandoning the AI approach entirely — failing to use the iterative loop that is the actual mechanism through which AI collaboration produces quality results." }, "description": { "description": "In iterative refinement, each round of prompting is an act of description — but later rounds are more powerful because they are informed by what you learned evaluating the previous output. Describe not just what you want but what was wrong with the last version and why. Specific corrective feedback is the engine of the loop.", "example": "Round 1: 'Draft a product requirements doc for a mobile notification system.' Round 2 (after evaluation): 'The previous draft lacked user permission flow details and assumed push always on. Revise to add: (1) permission request UX at onboarding, (2) notification preference center spec, (3) opt-out flows per notification type. Keep the same structure.'", "antipattern": "After receiving a poor first output, re-prompting with an equally vague request ('Make it better' or 'Try again') rather than articulating specifically what was insufficient and why — failing to use what you learned from evaluating the first output to produce a meaningfully improved next prompt." }, "discernment": { "description": "After each AI output, conduct a structured evaluation before generating the next prompt. 
Assess accuracy against facts you know, relevance to your actual goal, completeness against your requirements, audience fit, and quality of reasoning. The discernment step is not a final judgment — it is the input to the next description. Make your evaluation explicit so you can articulate it in your refined prompt.", "example": "A writer receives an AI-drafted article section and explicitly scores it against four criteria: factual accuracy (3/5 — two claims need verification), tone (4/5 — mostly right, one paragraph too formal), completeness (2/5 — missing the key counterargument), audience fit (4/5 — appropriate vocabulary). This structured evaluation drives her next prompt precisely.", "antipattern": "Skimming AI output and forming a vague sense that 'it's not quite right' without identifying specifically what is wrong — then producing a corrective prompt that is equally vague, resulting in a marginally different output that still misses the target in the same ways." }, "diligence": { "description": "Do not ship the first AI output, or even the second, without it having survived genuine evaluative scrutiny. Document your iteration path — the prompts used, the key decisions at each evaluation, and why you accepted the final output — especially for consequential work. Iteration transparency is accountability: it shows the work was human-directed, not just human-forwarded.", "example": "A communications team maintains a prompt log for all AI-assisted client reports, recording each prompt version and the reason for the refinement. 
When a client questions a report's methodology, the team can demonstrate the three-round refinement process and the human judgment applied at each evaluation step.", "antipattern": "Accepting and submitting the first AI output that seems 'good enough' without completing even one full evaluate-refine cycle — then, when the output contains errors or misses the mark, having no record of the process and no basis for explaining why the AI's first guess was treated as a final answer." } }, "score_hints": { "delegation": 0.2, "description": 0.35, "discernment": 0.3, "diligence": 0.15 }, "summary": "Treat AI as a co-creator in an ongoing dialogue, not a one-shot command executor. The first AI output is a draft that begins a conversation, not an end product. Structure your workflow so that each AI", "tags": [ "iteration", "prompting", "workflow", "refinement" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "iterative", "description": "Human and AI iterate through multiple refinement passes — each pass establishes scope, provides richer context from prior output, evaluates quality, and commits the improvement before the next round.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define refinement goal for this pass", "example_prompts": [ { "speaker": "human", "text": "This draft is too verbose. In this pass, focus on cutting word count by 30% without losing key ideas." }, { "speaker": "ai", "text": "Should I prioritize cutting filler phrases or condensing full paragraphs?" }, { "speaker": "human", "text": "Both — flag any paragraph I should consider cutting entirely." } ], "triggers_next": "Refinement goal and cut strategy agreed for this pass." }, { "step": 2, "d": "description", "label": "Provide current artifact and refinement constraints", "example_prompts": [ { "speaker": "human", "text": "Here is the current draft. 
The core argument in section 2 must not be weakened — everything else is fair game." }, { "speaker": "ai", "text": "Is the technical terminology in section 3 intended for a specialist audience?" }, { "speaker": "human", "text": "Yes — keep the technical terms, simplify the surrounding prose." } ], "triggers_next": "AI has current artifact, non-negotiables, and simplification targets." }, { "step": 3, "d": "discernment", "label": "Evaluate refinement quality", "example_prompts": [ { "speaker": "human", "text": "The cut version of paragraph 4 loses the nuance — restore the second sentence." }, { "speaker": "ai", "text": "Restored. Overall word count is now down 28% — one more light pass would reach 30%." }, { "speaker": "human", "text": "Let's do a final light pass in the next iteration." } ], "triggers_next": "Refinement quality validated for this pass." }, { "step": 4, "d": "diligence", "label": "Commit refined version", "example_prompts": [ { "speaker": "human", "text": "Saving this version as v3. The prior version is archived." }, { "speaker": "human", "text": "Noting what was changed and why in the revision log." } ], "triggers_next": "Version committed. Next iteration targets remaining improvements.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Refinement goal for this pass agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers refined version." }, { "from": "discernment", "to": "diligence", "trigger": "Quality validated for this pass." 
}, { "from": "diligence", "to": "delegation", "trigger": "Next refinement pass — new goal.", "is_cycle_restart": true } ] } }, { "id": "problem-to-solution-with-ai-guidance", "framework_id": "4d-framework", "title": "From Problem to Solution: AI as a Structured Problem-Solving Partner", "domain": "general", "file": "general-problem-to-solution-with-ai-guidance.yaml", "dimensions": { "delegation": { "description": "The human owns the problem definition and the final decision on which solution path to pursue. AI is granted autonomy to ask structured diagnostic questions, propose solution frameworks, and surface resource and financial considerations — but never to declare a solution \"correct\" or a budget \"sufficient\" without the human having verified the underlying assumptions. The human explicitly sets the constraint envelope (budget ceiling, timeline, available people) before AI begins structuring anything.\n", "example": "Human: \"I run a small community health clinic. Our patient records are still on paper. I know this is a problem but I don't know if the solution is software, people, or both — and I have no idea what it costs or how long it takes. Can you help me structure this without assuming I have a tech team?\" AI: \"Understood. I'll help you structure the problem and map what a solution would require — people, money, time, and procurement. I won't assume any technical capacity on your side. You tell me what's real; I'll tell you what questions to ask next. 
First: what is the problem costing you right now, even roughly?\"\n", "antipattern": "AI jumping directly to solution recommendations before fully understanding the human's actual constraints — proposing a cloud-based EHR system to a clinic with no IT budget and unreliable internet, because that is the \"standard\" answer.\n" }, "description": { "description": "The human describes the problem from lived experience — not in technical or managerial language — and explicitly names what they have tried, what failed, and what constraints are non-negotiable. AI uses this to map four axes before proposing anything: (1) financial envelope and funding sources, (2) procurement path (buy, build, hire, partner), (3) human resources available or needed, (4) realistic timeline given the constraint set. Each axis is surfaced as a question to the human, not as an AI assumption.\n", "example": "AI: \"Before I suggest anything, I need to map four things with you. First, finances: do you have a rough budget in mind, or do we need to figure out what this could cost before you can say? Second, procurement: are you open to buying an off-the-shelf tool, hiring someone, or doing this yourself with guidance? Third, people: who in your clinic could own this — even part-time? Fourth, time: is there a deadline driving this, or is it open?\" Human: \"Budget: I genuinely don't know. Procurement: I'd rather buy than build. People: me and one administrator. Time: before the rainy season when patient volume doubles — four months.\" AI: \"Good. Four months, two people, buy-not-build. That constraint set rules out most custom solutions immediately. 
Let me map what exists in that envelope.\"\n", "antipattern": "AI presenting a fully-formed solution plan — with costs, vendors, and timelines — before the human has confirmed the constraint set, forcing the human into a reactive \"yes/no\" rather than a collaborative build.\n" }, "discernment": { "description": "For every resource estimate, cost figure, vendor recommendation, or timeline the AI surfaces, the human explicitly asks: \"Is this real for my context, or is this a global average?\" AI is required to flag when a figure comes from a general knowledge base versus local market reality, and to name the specific assumption that could make the estimate wrong. The human is coached to distinguish between AI-structured thinking (high reliability) and AI-generated numbers (medium-to-low reliability without local validation).\n", "example": "AI: \"A basic electronic health record system for a small clinic typically costs between $200 and $500 per month on a subscription model, with a one-time setup of $500 to $2,000.\" Human: \"Is that true for Morocco?\" AI: \"Honest answer: that figure is from North American and European market data. In Morocco, locally-hosted solutions or regional vendors may be significantly cheaper — or have different pricing models entirely. The number I gave you is useful as a ceiling estimate, not a budget figure. Before using it, you need one conversation with a local health IT vendor or your regional Ministry of Health digital health desk. 
That single call will tell you more than I can.\"\n", "antipattern": "Human treating AI cost and timeline estimates as a budget, presenting them to funders or management without local validation — AI's global averages can be off by a factor of three or more in specific markets.\n" }, "diligence": { "description": "Before the human acts on any element of the AI-structured plan — commits budget, signs a procurement contract, hires a person, or sets a deadline with stakeholders — they must validate the four axes through real-world checks. AI closes each session with a named accountability matrix: one validation action per axis, one named person or source responsible, and a realistic date. The plan is not a plan until the matrix is filled by the human, not the AI.\n", "example": "AI closes the session: \"Here is your validation matrix before this becomes a real plan: (1) Financial — get one local vendor quote to ground the cost estimate: target this week, owner: you. (2) Procurement — call your regional Ministry of Health digital health desk to ask if there is a subsidized or recommended solution for clinics your size: target within 10 days, owner: you. (3) Human resources — confirm with your administrator that they can own the data migration task: target before you sign anything, owner: you. (4) Timeline — validate the four-month window against the vendor's typical onboarding duration: ask in the vendor call. None of these take more than two hours total. Until they are done, treat everything we built today as a structured hypothesis, not a plan.\"\n", "antipattern": "Human sharing the AI-generated plan with stakeholders, funders, or management before completing the validation matrix — the plan has the appearance of rigor but the substance of a first draft.\n" } }, "score_hints": { "delegation": 0.2, "description": 0.35, "discernment": 0.25, "diligence": 0.2 }, "summary": "The human owns the problem definition and the final decision on which solution path to pursue. 
AI is granted autonomy to ask structured diagnostic questions, propose solution frameworks, and surface r", "tags": [ "problem-solving", "planning", "non-technical", "resources", "finance", "procurement", "timeline", "complementary-expertise" ], "contributor": "Dr. Faïçal CONGO", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Human names the problem from lived experience → AI maps constraint axes (financial, procurement, resources, timeline) through structured questions → AI surfaces solution options within the constraint set → Human challenges all estimates for local/contextual fit → AI closes with a named validation matrix. Loops back to Description if new constraints surface during discernment.\n", "sequence": [ { "step": 1, "d": "delegation", "label": "Name the problem and set the constraint envelope", "example_prompts": [ { "speaker": "human", "text": "\"I have a problem I need to fix. I think AI can help but I don't know how. The problem is [X]. I have roughly [budget / no idea on budget]. I need it solved by [date / as soon as possible]. I have [these people / just myself].\"\n" }, { "speaker": "ai", "text": "\"Understood. Before I suggest anything, I'll map what a solution requires across four axes: finances, procurement, people, and time. You confirm what's real; I structure from there. You stay in charge of what's acceptable. Let's start with the constraint that feels most fixed to you.\"\n" } ], "triggers_next": "Problem named and at least one constraint confirmed as non-negotiable" }, { "step": 2, "d": "description", "label": "Map the four axes through structured dialogue", "example_prompts": [ { "speaker": "ai", "text": "\"Financial axis: do you have a figure in mind, or do we need to estimate what this category of solution costs before you can set a ceiling? Procurement axis: buy, build, hire, or partner — which feels most realistic given your context? 
Resource axis: who would own implementation — name a person, not a role? Timeline axis: is there a hard deadline, or a soft one? What happens if you miss it?\"\n" }, { "speaker": "human", "text": "\"Budget: [figure or 'I don't know']. Procurement: [preference]. People: [name or 'just me']. Timeline: [date and consequence].\"\n" } ], "triggers_next": "All four axes mapped — AI has enough to propose options within the constraint set", "loop_back": { "to": "delegation", "condition": "A new constraint surfaces that changes the problem definition", "reason": "Problem scope must be renegotiated before solution mapping continues" } }, { "step": 3, "d": "discernment", "label": "Human challenges every estimate for local and contextual fit", "example_prompts": [ { "speaker": "human", "text": "\"Is that cost figure real for my context — my country, my sector, my scale? What assumption would make it wrong?\"\n" }, { "speaker": "ai", "text": "\"That figure comes from [source type / general knowledge]. It would be wrong if [specific condition — local market, sector pricing, scale factor]. Before using it, verify with [specific source type]. My structured thinking is reliable; my numbers need local grounding.\"\n" } ], "triggers_next": "Human understands which outputs are structural (reliable) vs numerical (needs validation)" }, { "step": 4, "d": "diligence", "label": "AI delivers named validation matrix — one action per axis", "example_prompts": [ { "speaker": "ai", "text": "\"Your validation matrix: (1) Financial — [specific action], owner: you, target: [date]. (2) Procurement — [specific action], owner: [name], target: [date]. (3) Resources — [specific action], owner: [name], target: [date]. (4) Timeline — [specific action], confirm in [call/meeting]. Until this matrix is complete, treat today's output as a structured hypothesis, not a plan.\"\n" }, { "speaker": "human", "text": "\"I'll take action (1) to [person/source] by [date]. 
Action (2) I'll delegate to [name].\"\n" } ], "triggers_next": "Human has a named owner and date for each validation action", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Problem named and at least one hard constraint confirmed" }, { "from": "description", "to": "discernment", "trigger": "All four axes mapped within the constraint set" }, { "from": "discernment", "to": "diligence", "trigger": "Human understands reliability boundaries of AI outputs" }, { "from": "description", "to": "delegation", "trigger": "New constraint surfaces that changes the problem scope", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "Validation reveals the problem was mis-scoped — restart needed", "is_cycle_restart": true } ] } }, { "id": "healthcare-ai-ethics-review", "framework_id": "unesco-ai-ethics", "title": "Healthcare AI Ethics Review", "domain": "healthcare", "file": "healthcare-ai-ethics-review.yaml", "dimensions": { "human-dignity": { "description": "The review assesses whether the AI system treats all patients with equal dignity — examining whether the system produces disparate outcomes for vulnerable populations, whether consent is meaningful, and whether the system's use is consistent with patient autonomy.\n", "example": "Ethics committee chair: \"The proposed AI triage system ranks patients by 'predicted survival probability.' What dignity issues does that raise?\" AI: \"Three dignity concerns: (1) Algorithmic rationing — if the score is used to deprioritize patients, it must be validated on populations matching your hospital's demographic mix, not just the training dataset. Historical survival data often encodes systemic inequities. (2) Consent — do patients know their triage priority may be influenced by an AI score? Informed consent in AI-assisted triage is an emerging but real obligation. (3) Autonomy — is there a pathway for a patient or family member to request human-only triage? 
If not, the system overrides patient autonomy by default.\"\n", "antipattern": "Approving a clinical AI system based on aggregate accuracy metrics without assessing whether the system produces disparate outcomes for elderly, disabled, or minority patients — groups frequently under-represented in training datasets.\n" }, "environment": { "description": "The review considers the environmental footprint of the clinical AI system — energy consumption for training and inference — and whether the hospital has chosen the most resource-efficient option that meets clinical requirements.\n", "example": "AI: \"For a clinical AI system running continuous inference on patient data, estimate the annual compute cost: (1) How many inferences per day? (2) What is the model size — a distilled clinical model uses significantly less energy than a general-purpose large model. (3) Is the compute on-premise or cloud-based — and is the cloud provider on a renewable energy commitment? For a hospital with sustainability commitments, the choice between a 7B and 70B parameter model for the same clinical task is an environmental decision, not just a performance one.\"\n", "antipattern": "Selecting the largest available AI model for a clinical task because it scores marginally higher on benchmarks, without assessing whether a smaller, more efficient model meets the clinical threshold — ignoring the environmental cost difference.\n" }, "privacy": { "description": "The review verifies that the AI system handles patient data according to the strictest applicable privacy standards — covering data minimization, retention, cross-border transfer restrictions, and secondary use prohibitions on clinical data.\n", "example": "Human: \"The vendor's AI trains on patient data from multiple hospitals. Do our patients' data stay within our system?\" AI: \"Critical questions for the vendor: (1) Is patient data used to retrain or improve the model after deployment? 
If yes, is patient consent for this use in place? (2) Is patient data processed outside your jurisdiction — triggering cross-border transfer obligations? (3) Is the model's inference output (e.g., a risk score) itself personal data requiring protection? In most EU jurisdictions, an AI-generated health score linked to a patient is personal data under GDPR. (4) What is the data deletion protocol when the contract ends? Get all four answers in writing before contracting.\"\n", "antipattern": "Accepting a vendor's statement that 'patient data is secure' without obtaining written answers to data residency, secondary use, and deletion protocol questions — leaving the hospital with contractual exposure if a privacy incident occurs.\n" }, "transparency": { "description": "The review ensures that the AI system's outputs are explainable to the clinicians using it and, where appropriate, to the patients it affects — with particular attention to whether clinicians can identify when to distrust the system's recommendations.\n", "example": "AI: \"Clinician transparency for a triage AI requires three things: (1) The clinician must see the key factors driving the score for each patient — not just a number. (2) The clinician must be trained on the system's known failure modes: which patient profiles produce unreliable scores? (3) There must be a documented 'when to override' protocol — specific clinical signals that should trigger human-only judgment regardless of the AI score. 
Without all three, clinicians cannot exercise meaningful oversight — they can only accept or reject a number.\"\n", "antipattern": "Deploying a clinical AI that produces a risk score without any feature attribution — giving clinicians a number they cannot interpret or challenge, and no guidance on when the number is likely to be wrong.\n" }, "accountability": { "description": "The review establishes who is accountable for the system's clinical outcomes, how incidents are escalated, whether patients have a recourse pathway, and what governance oversight applies after deployment.\n", "example": "AI closes the review: \"Accountability structure for the triage AI: (1) Clinical accountability — the attending physician retains final triage authority; AI score is advisory, not determinative. Document this in the clinical protocol. (2) Governance — AI systems in direct patient care must be reviewed by the ethics committee annually. Add this system to the annual review roster. (3) Patient recourse — patients and families may request human-only triage; this must be documented in the patient rights notice. (4) Incident reporting — any triage outcome where the AI score is later assessed as materially wrong must be logged and reviewed in monthly mortality and morbidity rounds.\"\n", "antipattern": "Deploying a clinical AI with accountability assigned to the vendor — 'the vendor is responsible for the model's outputs.' 
Clinical accountability cannot be contracted out; the treating institution and clinician remain legally and ethically responsible.\n" } }, "score_hints": { "human-dignity": 0.3, "environment": 0.1, "privacy": 0.25, "transparency": 0.2, "accountability": 0.15 }, "summary": "The review assesses whether a clinical AI system treats all patients with equal dignity, protects privacy, remains transparent to clinicians, and has clear accountability before deployment approval.", "tags": [ "healthcare", "clinical-ai", "ethics-review", "patient-safety", "unesco" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Dignity audit examines disparate outcomes and consent implications → environmental footprint is assessed against clinical efficiency thresholds → privacy due diligence covers data residency, secondary use, and deletion → clinician transparency requirements are specified → clinical accountability and patient recourse are defined before deployment approval is granted.\n", "sequence": [ { "step": 1, "d": "human-dignity", "label": "Assess disparate outcomes, consent, and patient autonomy", "example_prompts": [ { "speaker": "human", "text": "The ethics committee is reviewing a proposed AI triage system. Start with dignity." }, { "speaker": "ai", "text": "Three dignity questions for the committee: (1) Disparate outcomes — has the system been validated on a patient population matching your hospital's demographic mix? Specifically, what are the performance metrics for elderly patients, patients with disabilities, and minority ethnic groups? (2) Consent — are patients informed that an AI score may influence their triage priority? If not, that is a consent gap. (3) Autonomy — is there a protocol for patients or families to request human-only triage? If the system provides no opt-out, it overrides patient autonomy by default. The committee should not approve deployment until all three are addressed." }, { "speaker": "human", "text": "Validation data shows lower accuracy for patients over 80. Consent notice is absent. No opt-out protocol exists." 
} ], "triggers_next": "Dignity gaps identified: three items require remediation before approval." }, { "step": 2, "d": "environment", "label": "Assess computational footprint against clinical necessity", "example_prompts": [ { "speaker": "human", "text": "The vendor is offering two model versions — a large high-accuracy model and a distilled model with 2% lower accuracy. Which do we choose?" }, { "speaker": "ai", "text": "This is an ethical decision, not just a performance one: (1) Is the 2% accuracy difference clinically significant for triage? If the distilled model's error rate remains within the clinically acceptable range, the larger model's marginal accuracy gain does not justify the environmental cost. (2) Estimate the energy difference at your inference volume — for continuous inference on 300 patients per day, a 10x model size difference can translate to thousands of kWh per year. (3) Does the vendor's compute run on renewable energy? Request their data center energy disclosure. Unless the larger model is clinically necessary, the distilled model is the responsible choice." }, { "speaker": "human", "text": "Clinical team confirms distilled model meets the accuracy threshold. Distilled model selected." } ], "triggers_next": "Environmental assessment complete; model selection documented with rationale." }, { "step": 3, "d": "privacy", "label": "Conduct privacy due diligence on patient data handling", "example_prompts": [ { "speaker": "human", "text": "The vendor processes patient data in the US and we are an EU hospital. What do we need?" }, { "speaker": "ai", "text": "Four written confirmations required from the vendor before contracting: (1) Data residency — patient data must not leave the EU without a valid transfer mechanism (Standard Contractual Clauses or adequacy decision). Get the specific legal basis in writing. (2) Secondary use prohibition — patient data must not be used to train or improve the model without patient consent. 
Require a contractual prohibition on secondary use. (3) Data deletion — at contract termination, patient data is deleted within 30 days with a deletion certificate. (4) Breach notification — vendor must notify the hospital within 24 hours of any data incident involving patient records. Without all four in the DPA, do not sign." }, { "speaker": "human", "text": "Vendor confirmed EU-based processing and secondary use prohibition. DPA under legal review." } ], "triggers_next": "Privacy due diligence complete; DPA under legal review with four required clauses." }, { "step": 4, "d": "transparency", "label": "Define clinician explainability and override protocol", "example_prompts": [ { "speaker": "human", "text": "What transparency requirements should we impose on the vendor for clinical use?" }, { "speaker": "ai", "text": "Three transparency requirements for the clinical deployment: (1) Feature attribution — the system must display the top three factors driving each patient's triage score, in clinical language accessible to the triage nurse. (2) Failure mode training — before go-live, all triage staff must complete a 90-minute training on the system's known failure modes: which patient profiles (elderly, high comorbidity, atypical presentation) produce unreliable scores. (3) Override protocol — a documented clinical decision rule specifying which situations require the triage nurse to apply human-only judgment regardless of the AI score. This protocol must be approved by the chief of emergency medicine." }, { "speaker": "human", "text": "Vendor confirms feature attribution is available. Training program designed. Override protocol drafted for clinical review." 
} ], "triggers_next": "Clinician transparency requirements specified and vendor-confirmed.", "loop_back": { "to": "human-dignity", "condition": "Override protocol design reveals that the system cannot produce reliable scores for patients over 80, requiring a dignity re-assessment.", "reason": "A system with known unreliable outputs for a demographic group requires a new dignity assessment before approval." } }, { "step": 5, "d": "accountability", "label": "Define clinical accountability and patient recourse", "example_prompts": [ { "speaker": "human", "text": "Who is accountable when the AI triage score contributes to an adverse patient outcome?" }, { "speaker": "ai", "text": "Accountability structure: (1) Clinical — the attending physician retains final triage authority. The AI score is documented as advisory in the clinical protocol; the physician's override is the authoritative clinical decision. This must be stated in writing in the clinical governance documents. (2) Ethics committee oversight — this system is added to the annual ethics review roster; the first review is 6 months post-deployment. (3) Patient rights — add to the patient rights notice: 'Our triage process may use AI decision support. You may request information about how AI is used or request human-only triage.' (4) M&M integration — any triage outcome where the AI score was later assessed as materially wrong is presented at the monthly mortality and morbidity round." }, { "speaker": "human", "text": "Clinical protocol updated. Patient rights notice amended. M&M integration confirmed." } ], "triggers_next": "Accountability structure defined; deployment approved by ethics committee.", "can_restart": true } ], "transitions": [ { "from": "human-dignity", "to": "environment", "trigger": "Dignity gaps identified and remediation requirements documented." }, { "from": "environment", "to": "privacy", "trigger": "Environmental assessment complete and model selection documented." 
}, { "from": "privacy", "to": "transparency", "trigger": "Privacy due diligence complete; DPA under legal review." }, { "from": "transparency", "to": "human-dignity", "trigger": "Override protocol reveals reliability gap for specific population — re-assess dignity.", "is_loop_back": true }, { "from": "transparency", "to": "accountability", "trigger": "Clinician transparency requirements specified." }, { "from": "accountability", "to": "human-dignity", "trigger": "Annual ethics review cycle — begin next assessment.", "is_cycle_restart": true } ] } }, { "id": "clinical-documentation", "framework_id": "4d-framework", "title": "AI-Assisted Clinical Documentation", "domain": "healthcare", "file": "healthcare-clinical-documentation.yaml", "dimensions": { "delegation": { "description": "AI can assist clinicians with drafting clinical notes from voice transcription, generating patient education material drafts, summarizing prior visit records, and producing structured documentation templates. All clinical judgment is non-delegable — diagnosis, treatment decisions, medication orders, and assessment of patient status require a licensed clinician's direct judgment and cannot be transferred to AI under any circumstances.", "example": "An internist uses an AI ambient documentation tool to generate a draft SOAP note from a recorded patient encounter. She reviews the full draft before it enters the EHR, corrects the AI's mischaracterization of the patient's symptom onset timeline, and signs only after verifying that the assessment and plan reflect her actual clinical reasoning.", "antipattern": "Allowing an AI documentation tool to finalize clinical notes without clinician review, or using AI-generated differential diagnoses as the actual clinical assessment without independent clinical evaluation — abdicating the professional judgment that defines clinical practice." 
}, "description": { "description": "Provide AI with precise clinical context: the documentation type required (SOAP note, discharge summary, referral letter, patient education handout), the patient's relevant clinical background, the format required by your institution or EHR, and any clinical standards the document must meet. Vague inputs produce vague outputs that require more revision than starting from scratch.", "example": "Prompt: 'Draft a patient education handout for a 65-year-old patient with newly diagnosed Type 2 diabetes who speaks English as a second language. Reading level: 6th grade. Cover: what Type 2 diabetes is in plain language, the importance of blood sugar monitoring, dietary basics (Mediterranean diet pattern), and when to call the care team. Avoid medical jargon. Format: bullet points with short headers.'", "antipattern": "Prompting: 'Write patient instructions for diabetes.' This produces generic clinical text at an inappropriate reading level with medical terminology, requiring complete rewriting — no faster than drafting from scratch, and risking use of a generic template that doesn't match the specific patient's situation." }, "discernment": { "description": "Scrutinize every AI-generated clinical document for medical accuracy before it enters the record or reaches a patient. Check for hallucinated medication names, incorrect dosages, fabricated lab values, inappropriate diagnostic language, or clinical claims that don't match the actual encounter. Patient safety depends on the clinician catching AI errors before they propagate into care decisions.", "example": "A hospitalist reviews an AI-generated discharge summary and catches that the AI has listed a drug at twice the prescribed dose and omitted a critical allergy from the medication list. 
She corrects both errors before the summary is sent to the receiving primary care physician — preventing a potential adverse drug event.", "antipattern": "Co-signing AI-generated discharge summaries, referral letters, or medication reconciliation documents without reading them in full — allowing a hallucinated dosage, an omitted allergy, or an incorrect diagnosis code to enter the medical record and influence downstream care decisions." }, "diligence": { "description": "The clinician who signs a clinical document is fully accountable for its contents regardless of how it was drafted. Disclose AI use in documentation per your institution's policy and applicable regulatory requirements. Uphold patient safety as the absolute priority — when in doubt, rewrite rather than rely on AI output. Maintain the clinical judgment and interpersonal presence that AI documentation tools must never replace.", "example": "A health system requires all clinicians using AI documentation tools to complete a verified review checklist (patient identity, diagnoses, medications, allergies, follow-up instructions) before signing any AI-assisted note, and discloses the use of AI documentation assistance in its patient-facing privacy notice.", "antipattern": "Signing AI-generated clinical notes at volume without individual review because the ambient tool 'usually gets it right' — creating systematic documentation errors that accumulate in the medical record, affect quality metrics, and in serious cases contribute to patient harm through propagated incorrect information." 
} }, "score_hints": { "delegation": 0.2, "description": 0.2, "discernment": 0.3, "diligence": 0.3 }, "summary": "AI can assist clinicians with drafting clinical notes from voice transcription, generating patient education material drafts, summarizing prior visit records, and producing structured documentation te", "tags": [ "healthcare", "clinical-documentation", "patient-safety", "EHR" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "linear", "description": "Clinician delegates note drafting, provides encounter details, reviews AI draft for clinical accuracy, then signs — strictly linear with no shortcuts due to patient safety requirements.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define AI's documentation role", "example_prompts": [ { "speaker": "human", "text": "Draft the SOAP note for this encounter. You structure the note — I'll verify all clinical content." }, { "speaker": "ai", "text": "Should I include medication reconciliation in the plan section or keep that separate?" }, { "speaker": "human", "text": "Include it in the plan — I'll verify it against the pharmacy record." } ], "triggers_next": "AI's documentation scope and human verification commitment agreed." }, { "step": 2, "d": "description", "label": "Provide encounter details and patient context", "example_prompts": [ { "speaker": "human", "text": "Chief complaint: chest pain, 2-day duration. Vitals and exam findings attached. History of hypertension." }, { "speaker": "ai", "text": "Should I flag any discrepancies I notice between the stated history and the exam findings?" }, { "speaker": "human", "text": "Yes — flag anything that seems inconsistent for my review." } ], "triggers_next": "AI has full encounter context and flag-on-inconsistency rule." 
}, { "step": 3, "d": "discernment", "label": "Review AI draft for clinical accuracy", "example_prompts": [ { "speaker": "human", "text": "The assessment lists 'rule out MI' — change to 'elevated troponin, workup in progress'." }, { "speaker": "ai", "text": "Corrected. The plan section uses 'may consider' — do you want more definitive language?" }, { "speaker": "human", "text": "Yes — change to 'initiate' for the aspirin order, pending cardiology consult." } ], "triggers_next": "Every clinical claim verified by the clinician — no AI-only assertions remain." }, { "step": 4, "d": "diligence", "label": "Sign and lock the note", "example_prompts": [ { "speaker": "human", "text": "Note reviewed in full. Signing and locking in the EHR." }, { "speaker": "human", "text": "AI-assisted draft flagged in the note metadata per compliance policy." } ], "triggers_next": "Note locked. Next encounter requires a fresh cycle." } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Documentation scope and verification commitment agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers draft note." }, { "from": "discernment", "to": "diligence", "trigger": "Every clinical claim verified." }, { "from": "diligence", "to": "delegation", "trigger": "Next encounter — fresh cycle.", "is_cycle_restart": true } ] } }, { "id": "legal-ai-research-drafting", "framework_id": "4d-framework", "title": "AI-Assisted Legal Research and Document Drafting", "domain": "legal", "file": "legal-ai-research-drafting.yaml", "dimensions": { "delegation": { "description": "AI can assist with initial legal research sweeps, summarizing case law, generating first-draft document structures, and flagging potentially relevant statutes. All legal judgment remains with the licensed attorney — case strategy, legal conclusions, advice to clients, and all court filings are non-delegable professional responsibilities. 
AI is a research and drafting accelerant, never a substitute for attorney analysis.", "example": "An attorney preparing a breach of contract motion asks AI to identify relevant California appellate cases on implied covenant of good faith and generate a draft argument outline. She uses this as a research starting point, independently verifies every citation via Westlaw, and rewrites the argument section from scratch using the verified cases.", "antipattern": "Filing AI-generated legal briefs with unverified citations, or allowing AI to make legal strategy recommendations that the attorney adopts without independent analysis — the equivalent of filing research you haven't read, which creates professional responsibility violations and potential sanctions." }, "description": { "description": "Provide AI with precise legal context: jurisdiction, court or regulatory body, matter type, applicable legal standard, client's factual situation, and the desired document format and purpose. Legal AI output quality depends heavily on the specificity of jurisdictional and doctrinal framing. Generic legal prompts produce generic legal text that may be wrong for your jurisdiction.", "example": "Prompt: 'Summarize the current standard for personal jurisdiction over foreign defendants in federal courts in the Ninth Circuit, focusing on cases decided after 2019 that address the specific vs. general jurisdiction distinction post-Bristol-Myers Squibb. Our client is a California-based plaintiff suing a German manufacturer. Identify the strongest and weakest points in our jurisdictional argument.'", "antipattern": "Prompting: 'Explain personal jurisdiction.' This produces a textbook overview applicable to no particular jurisdiction or procedural posture — unusable for actual legal work without the jurisdictional specificity, relevant time frame, and case-specific framing that makes the output actionable." 
}, "discernment": { "description": "Every AI-generated legal citation must be independently verified in a primary legal database before use. AI models hallucinate case citations with high confidence — inventing plausible-sounding but nonexistent cases, misquoting holdings, or attributing dicta as holdings. Verify that each case exists, says what AI claims, is still good law, and applies in your jurisdiction.", "example": "An attorney receives an AI-generated brief draft citing eight cases. She runs each citation in Westlaw before reviewing the draft's argument. Two citations are for real cases that don't say what the AI claimed. One citation is for a case that was overruled. She treats the AI draft as a structural scaffold only and rebuilds the argument on verified authority.", "antipattern": "Submitting a brief with AI-generated citations after only spot-checking one or two, then receiving a sanctions motion when opposing counsel discovers that three cited cases either don't exist or don't stand for the propositions cited — a career-threatening outcome that has already occurred to real attorneys." }, "diligence": { "description": "The licensed attorney remains fully and personally responsible for every document filed and every piece of advice given, regardless of how it was drafted. Disclose AI assistance in accordance with applicable bar rules and court standing orders (several federal courts now require this). 
Maintain professional standards of competence, including understanding AI's limitations in legal contexts.", "example": "An attorney follows her state bar's guidance on AI use in legal practice by disclosing in engagement letters that AI tools assist with research and drafting, maintaining a verification protocol for all AI-generated citations, and staying current with her court's local rules on AI disclosure in filings.", "antipattern": "Treating AI legal research as equivalent to Westlaw research without verification, failing to disclose AI assistance in jurisdictions where disclosure is required, or allowing junior associates to file AI-drafted documents without supervising attorney review — creating professional responsibility exposure and potential harm to clients." } }, "score_hints": { "delegation": 0.2, "description": 0.2, "discernment": 0.3, "diligence": 0.3 }, "summary": "AI can assist with initial legal research sweeps, summarizing case law, generating first-draft document structures, and flagging potentially relevant statutes. All legal judgment remains with the lice", "tags": [ "legal", "research", "document-drafting", "professional-responsibility" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "linear", "description": "Attorney delegates legal research, provides matter context and jurisdiction, verifies AI findings against authoritative sources, then uses the work product — strictly linear due to professional liability.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define AI's research role and limits", "example_prompts": [ { "speaker": "human", "text": "Research current case law on non-compete enforceability in California. Surface the key cases — I'll do final legal analysis." }, { "speaker": "ai", "text": "Should I include federal circuit decisions or only California state courts?" 
}, { "speaker": "human", "text": "Both — but flag circuit splits if they exist." } ], "triggers_next": "Research scope, jurisdiction, and attorney analysis responsibility agreed." }, { "step": 2, "d": "description", "label": "Provide matter context and legal question", "example_prompts": [ { "speaker": "human", "text": "Client is a software company seeking to enforce a 2-year non-compete against a departed engineer. Employment ended 6 months ago." }, { "speaker": "ai", "text": "Should I focus on enforceability standards or also include remedy options?" }, { "speaker": "human", "text": "Enforceability first — remedies are a separate memo." } ], "triggers_next": "AI has matter facts and specific legal question." }, { "step": 3, "d": "discernment", "label": "Verify AI research against authoritative sources", "example_prompts": [ { "speaker": "human", "text": "Citation 3 — I need to verify that holding directly. Pull the full opinion." }, { "speaker": "ai", "text": "Here is the full text of Edwards v. Arthur Andersen. The holding is on page 12." }, { "speaker": "human", "text": "Confirmed. Citation 4 has been superseded — remove it and note why." } ], "triggers_next": "Every citation verified against primary sources. No unverified AI assertions remain." }, { "step": 4, "d": "diligence", "label": "Review, sign off, and document", "example_prompts": [ { "speaker": "human", "text": "Partner reviews research memo before it goes to client." }, { "speaker": "human", "text": "Noting AI-assisted research in the matter file per firm policy." } ], "triggers_next": "Memo approved and filed. Next matter question requires a fresh cycle." } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Research scope and liability boundaries agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers research findings." }, { "from": "discernment", "to": "diligence", "trigger": "Every citation independently verified." 
}, { "from": "diligence", "to": "delegation", "trigger": "Next legal question — fresh cycle.", "is_cycle_restart": true } ] } }, { "id": "eu-ai-risk-classification", "framework_id": "eu-ai-act", "title": "EU AI Act Risk Classification", "domain": "legal", "file": "legal-eu-ai-risk-classification.yaml", "dimensions": { "risk-classification": { "description": "The team systematically determines whether the AI system falls into the prohibited, high-risk, limited-risk, or minimal-risk category by applying the Act's annexes and the system's actual intended purpose and deployment context — not its marketing description.\n", "example": "Legal counsel: \"Our AI system suggests interview questions to hiring managers. Marketing calls it a 'decision support tool.' Is it high-risk?\" AI: \"Yes — under Annex III of the EU AI Act, AI systems used in employment and recruitment decisions are classified as high-risk regardless of how they are marketed. 'Decision support' does not reduce the classification if the system materially influences the outcome. The relevant question is: does a human hiring manager typically follow the system's suggestions? 
If yes, the system is used in a manner that determines or influences the recruitment decision — high-risk classification applies.\"\n", "antipattern": "Accepting a vendor's classification of their own system as 'minimal-risk' without independently applying the Act's annexes to the actual use case and deployment context.\n" }, "transparency": { "description": "The team identifies the full set of transparency and documentation obligations applicable to the classified risk tier — technical file, instructions for use, logging, and user notification — and creates a compliance documentation plan.\n", "example": "AI: \"For a high-risk hiring AI, the transparency obligations are: (1) Technical file (Article 11) — detailed system documentation including design specifications, training data description, performance metrics, and risk management records. Must be maintained for 10 years post-market. (2) Instructions for use (Article 13) — plain-language guidance for deployers including the system's purpose, performance limitations, and oversight requirements. (3) Logging (Article 12) — the system must automatically log its inputs and outputs to the extent technically feasible. (4) Notification — affected candidates must be informed that AI is used in the recruitment process. Which of these does your current system documentation cover?\"\n", "antipattern": "Treating technical file preparation as a one-time pre-certification task rather than a continuous documentation obligation — allowing the file to diverge from the deployed system within months of certification.\n" }, "human-oversight": { "description": "The team designs human oversight mechanisms that comply with Article 14 — ensuring deployers can meaningfully monitor, intervene in, and override the AI system's outputs under real operational conditions.\n", "example": "Human: \"We have a human review step before a hiring decision is made. 
Is that sufficient for Article 14?\" AI: \"It depends on the quality of the review, not its existence. Article 14 requires that human oversight is 'effective' — the reviewer must understand the system's outputs and limitations, have the ability and authority to override the system, and not be under time pressure that makes real review impossible. If your hiring managers are reviewing AI recommendations for 30 seconds before approving, that is nominal oversight, not effective oversight. I recommend documenting: the time allocated for review, the training provided to reviewers on the system's limitations, and the rate at which reviewers actually override the AI — as evidence of effective oversight.\"\n", "antipattern": "Satisfying Article 14 with a checkbox in the interface that confirms 'human reviewed this decision' without any mechanism to verify that the review was substantive or effective.\n" }, "robustness": { "description": "The team validates that the AI system meets technical standards for accuracy, cybersecurity, and resilience — and documents testing evidence that supports the conformity assessment.\n", "example": "AI: \"For robustness documentation of a high-risk hiring AI, you need: (1) Accuracy metrics — overall and disaggregated by protected group. 'Accuracy' for a hiring AI should include candidate quality outcomes, not just model prediction metrics. (2) Bias testing — third-party disparity audit across gender, age, and ethnicity for the roles in scope. (3) Cybersecurity — evidence that candidate data is protected against unauthorized access; penetration test results. (4) Resilience — how does the system behave when input data is missing, corrupted, or anomalous? 
All four evidence types are needed for the technical file.\"\n", "antipattern": "Documenting only aggregate model accuracy without disaggregated performance metrics by demographic group — leaving a material compliance gap in the technical file for a high-risk system.\n" }, "governance": { "description": "The team plans the full conformity pathway — notified body involvement if required, EU AI database registration, post-market monitoring system, and incident reporting obligations — before the system is deployed to market.\n", "example": "AI closes the cycle: \"Governance compliance plan for the high-risk hiring AI: (1) Conformity assessment — high-risk AI in employment requires either a third-party notified body assessment or a manufacturer's own conformity assessment depending on whether harmonized standards are applied. Confirm which pathway with legal. (2) EU AI database registration — required before deployment under Article 71. Register at the Commission's AI Office portal. (3) Post-market monitoring — implement quarterly performance reviews including bias audits and incident log review. Name a post-market monitoring officer. (4) Incident reporting — serious incidents must be reported to the national market surveillance authority within the timeframe specified in Article 73. Name the person responsible for reporting. 
Target: all four items complete before first deployment.\"\n", "antipattern": "Treating post-market monitoring as a future compliance task to be designed after the system launches — leaving a gap between deployment and active monitoring that creates legal exposure under Article 72.\n" } }, "score_hints": { "risk-classification": 0.25, "transparency": 0.2, "human-oversight": 0.25, "robustness": 0.15, "governance": 0.15 }, "summary": "The team systematically determines whether the AI system falls into the prohibited, high-risk, limited-risk, or minimal-risk category by applying the Act's annexes and the system's actual intended pur", "tags": [ "eu-ai-act", "risk-classification", "legal", "compliance", "hiring-ai" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Risk tier is determined using the Act's annexes applied to actual use → full transparency and documentation obligations are mapped → human oversight mechanism is designed for real operational conditions → technical validation evidence is compiled → conformity assessment and post-market monitoring plan are completed before deployment.\n", "sequence": [ { "step": 1, "d": "risk-classification", "label": "Classify the AI system using Act annexes and actual use context", "example_prompts": [ { "speaker": "human", "text": "We're deploying an AI that screens job applications and ranks candidates. What's our EU AI Act classification?" }, { "speaker": "ai", "text": "Applying Annex III: AI systems used in employment and recruitment — specifically for 'screening or filtering applications, evaluating candidates in the course of interviews or tests, or making decisions about promotion or termination' — are classified as high-risk. Your system ranks candidates, which directly influences shortlisting decisions. Classification: High-Risk. This triggers the full compliance requirements under Articles 8-15. Note: if the vendor classifies this as 'minimal risk,' they are misclassifying it — you as the deployer are legally responsible for correct classification and compliance." }, { "speaker": "human", "text": "High-risk classification confirmed. 
We'll update the project documentation and notify the vendor." } ], "triggers_next": "Risk tier confirmed as High-Risk with Article and Annex citations documented." }, { "step": 2, "d": "transparency", "label": "Map documentation and disclosure obligations", "example_prompts": [ { "speaker": "human", "text": "What documentation do we need for a high-risk hiring AI?" }, { "speaker": "ai", "text": "Four documentation streams: (1) Technical file — design specifications, training data description, performance metrics, risk management records, and post-market monitoring plan. Must be maintained for 10 years from market placement. (2) Instructions for use — plain-language deployer guide: system purpose, performance limits, oversight requirements, and prohibited uses. (3) Automatic logging — log inputs and outputs to the extent technically feasible; retain logs per your data retention policy minimum. (4) Candidate notification — inform applicants in the job posting or application process that AI is used in candidate screening. Which of these is not yet in place?" }, { "speaker": "human", "text": "Candidate notification is missing from our job postings. Technical file is incomplete — no performance metrics for protected groups." } ], "triggers_next": "Documentation gaps identified and prioritized for remediation." }, { "step": 3, "d": "human-oversight", "label": "Design effective human oversight for Article 14", "example_prompts": [ { "speaker": "human", "text": "Our HR managers review AI rankings before shortlisting. Is that Article 14 compliant?" }, { "speaker": "ai", "text": "Three things to check: (1) Understanding — do HR managers understand what the system ranks on and what its known limitations are? If not, training is required before oversight is meaningful. (2) Authority — do they have explicit authority to override the ranking, and is there a documented process for doing so? (3) Time — how long do managers spend reviewing each ranking? 
If it is under 2 minutes for a ranking of 20 candidates, the review is likely nominal. Recommendation: document the oversight process, train reviewers on system limitations, log override rates, and set a minimum review time guideline. Override rate below 5% is a red flag — it suggests reviewers are rubber-stamping the AI." }, { "speaker": "human", "text": "Reviewer training scheduled. Override rate will be logged from launch." } ], "triggers_next": "Human oversight mechanism designed, documented, and training scheduled.", "loop_back": { "to": "risk-classification", "condition": "Oversight design reveals the system is being used beyond the classified use case.", "reason": "Extended use cases may trigger additional Annex III categories — classification must be reviewed." } }, { "step": 4, "d": "robustness", "label": "Compile technical validation evidence for the technical file", "example_prompts": [ { "speaker": "human", "text": "What technical evidence do we need for the conformity assessment?" }, { "speaker": "ai", "text": "Four evidence packages: (1) Performance metrics — overall and disaggregated by gender, age, ethnicity for each role type. Include both precision/recall and business outcome metrics (quality of hire). (2) Bias audit — third-party disparity analysis; I recommend contracting this independently of the vendor. (3) Cybersecurity — penetration test report not older than 12 months; data encryption documentation. (4) Resilience testing — what happens when the model receives incomplete CVs, names in non-Western scripts, or unusual formatting? Document the degradation boundary. Which of these four does the vendor currently provide, and which requires your own testing?" }, { "speaker": "human", "text": "Vendor provides packages 1 and 3. We need to commission a third-party bias audit and run our own resilience tests." } ], "triggers_next": "Technical validation evidence compiled or commissioned; gaps documented." 
}, { "step": 5, "d": "governance", "label": "Complete conformity assessment and post-market monitoring plan", "example_prompts": [ { "speaker": "human", "text": "What is our path to lawful market deployment?" }, { "speaker": "ai", "text": "Deployment governance checklist: (1) Conformity assessment — for hiring AI, you can use the internal conformity assessment route if your technical file is complete and you apply harmonized standards. If no harmonized standard exists for your specific use case, a notified body assessment is safer. Confirm with legal. (2) EU AI database registration — required under Article 71 before first use; register via the Commission's AI Act portal. (3) Post-market monitoring plan — quarterly bias audits, monthly incident log review, annual technical file update. Name a post-market monitoring responsible person now, before deployment. (4) Incident reporting — serious incidents (significant impact on health, safety, or fundamental rights) reported to the national market surveillance authority within the Article 73 timeframe. Legal must confirm the reporting pathway for your jurisdiction." }, { "speaker": "human", "text": "Conformity assessment in progress. Database registration submitted. Post-market monitoring officer named." } ], "triggers_next": "Conformity assessment complete; database registered; post-market monitoring operational.", "can_restart": true } ], "transitions": [ { "from": "risk-classification", "to": "transparency", "trigger": "Risk tier confirmed with Annex citations." }, { "from": "transparency", "to": "human-oversight", "trigger": "Documentation obligations mapped and gaps identified." }, { "from": "human-oversight", "to": "risk-classification", "trigger": "Oversight design reveals use beyond classified scope.", "is_loop_back": true }, { "from": "human-oversight", "to": "robustness", "trigger": "Human oversight mechanism designed and documented." 
}, { "from": "robustness", "to": "governance", "trigger": "Technical validation evidence compiled or commissioned." }, { "from": "governance", "to": "risk-classification", "trigger": "System update or new use case triggers re-classification review.", "is_cycle_restart": true } ] } }, { "id": "eu-high-risk-documentation", "framework_id": "eu-ai-act", "title": "EU AI Act High-Risk System Documentation", "domain": "legal", "file": "legal-eu-high-risk-documentation.yaml", "dimensions": { "risk-classification": { "description": "The team confirms the high-risk classification in writing, citing the specific Annex III entry, the intended purpose, the deployment context, and any use-case changes that could affect the classification — creating the foundational document for the entire compliance package.\n", "example": "Legal counsel: \"We need a written classification rationale for the technical file. What does it need to contain?\" AI: \"The classification rationale document should contain: (1) System identification — name, version, and intended purpose in the deployer's own words. (2) Annex III mapping — the specific Annex III entry that applies, with a one-paragraph explanation of why the system's actual use matches that entry. (3) Deployment context — who deploys it, in which jurisdictions, in what operational setting. (4) Scope boundaries — what uses are out of scope and how the system prevents out-of-scope use. (5) Review trigger — what changes to the system or its deployment context would require a new classification review. 
This document is a living record, not a one-time declaration.\"\n", "antipattern": "Writing the classification rationale as a summary of the marketing description rather than an analysis of the actual use against Annex III — producing a document that fails regulatory scrutiny.\n" }, "transparency": { "description": "The team produces the complete transparency documentation package: the technical file under Article 11, instructions for use under Article 13, the logging specification under Article 12, and the candidate/user notification mechanism.\n", "example": "AI: \"Technical file (Article 11) must contain: (1) General description — system purpose, intended use, and technical specifications. (2) Design and development process — how the system was built, including training data description, data governance, and testing methodology. (3) Performance metrics — accuracy, precision, recall, and fairness metrics disaggregated by relevant subgroups. (4) Risk management — the risk management system applied during development. (5) Changes — documentation of all versions and material changes. (6) Post-market monitoring plan — how the system will be monitored after deployment. The file must be maintained for 10 years. 
Assign a document owner now.\"\n", "antipattern": "Preparing the technical file as a one-time document for the conformity assessment without assigning an owner responsible for keeping it current — allowing the file to diverge from the deployed system within months.\n" }, "human-oversight": { "description": "The team documents the human oversight mechanism in a format that satisfies Article 14 — including the oversight design, the reviewer training program, the override capability, and evidence that oversight is effective rather than nominal.\n", "example": "Human: \"How do we document human oversight in a way that satisfies Article 14 for a regulator?\" AI: \"Article 14 documentation package: (1) Oversight design document — describes the oversight mechanism: who reviews, at what stage, with what information, and with what authority to override. (2) Reviewer training program — syllabus, duration, completion tracking, and assessment results. Regulators will ask whether reviewers understand the system's limitations. (3) Override capability specification — technical documentation showing that the override function exists, is accessible, and has been tested. (4) Effectiveness evidence — override rate data (what percentage of AI outputs are overridden?) and a sample of documented override decisions. 
A 0% override rate is a red flag — it suggests nominal rather than effective oversight.\"\n", "antipattern": "Documenting human oversight as a process description ('the reviewer checks the output before the decision is made') without providing evidence that the oversight mechanism is technically implemented, that reviewers are trained, and that overrides actually occur.\n" }, "robustness": { "description": "The team compiles the technical validation evidence for the technical file — accuracy testing, bias audits, cybersecurity assessment, and resilience testing — in a format that supports the conformity assessment.\n", "example": "AI: \"Robustness evidence package for the technical file: (1) Performance testing report — aggregate and disaggregated accuracy metrics. For high-risk systems with individual impact, disaggregation by protected group is required — overall accuracy without subgroup analysis is insufficient. (2) Bias audit report — third-party preferred; document methodology, metrics used, and findings. If a disparity was found, document the remediation and re-test results. (3) Cybersecurity assessment — penetration test report not older than 12 months; data encryption documentation. (4) Resilience testing — what happens at the system's performance boundaries? 
Document the degradation profile: what inputs produce unreliable outputs and how does the system signal this to the user?\"\n", "antipattern": "Submitting a conformity assessment with only aggregate performance metrics and no subgroup analysis — producing a documentation package that fails regulatory review for fairness-sensitive applications.\n" }, "governance": { "description": "The team produces the Declaration of Conformity, registers the system in the EU AI database, and documents the post-market monitoring system — completing the governance documentation required before first deployment.\n", "example": "AI closes the documentation cycle: \"Final governance documentation: (1) Declaration of Conformity — signed by the provider (not the deployer) under Article 47; contains: system identification, conformity assessment route taken, applied standards, and the provider's name and address. (2) EU AI database registration — register via the Commission's AI Act portal before deployment; retain the registration number. (3) Post-market monitoring plan — document: who monitors, what metrics, at what frequency, what triggers a review or incident report, and what the escalation path is for serious incidents under Article 73. (4) Technical file index — a table of contents listing every document in the technical file with its version and last-updated date. 
This index is what a notified body auditor will review first.\"\n", "antipattern": "Treating the Declaration of Conformity as the end of the compliance process — missing the EU AI database registration and post-market monitoring obligations that are legally required before and after market deployment.\n" } }, "score_hints": { "risk-classification": 0.15, "transparency": 0.3, "human-oversight": 0.25, "robustness": 0.2, "governance": 0.1 }, "summary": "", "tags": [ "eu-ai-act", "documentation", "legal", "high-risk", "technical-file" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Classification rationale is confirmed in writing → technical file and transparency documentation package is built out → human oversight mechanism is documented with effectiveness evidence → robustness evidence is compiled with subgroup analysis → Declaration of Conformity and database registration complete the governance package.\n", "sequence": [ { "step": 1, "d": "risk-classification", "label": "Confirm and document classification rationale", "example_prompts": [ { "speaker": "human", "text": "We've classified our AI as high-risk. What's the first documentation step?" }, { "speaker": "ai", "text": "Write the classification rationale document before any other documentation work. Five sections: (1) System identification — name, version, purpose. (2) Annex III mapping — cite the specific entry and explain why your system's actual use matches it. Quote the Annex text directly. (3) Deployment context — jurisdictions, operator type, user type, and operational setting. (4) Scope boundaries — what uses are explicitly out of scope and what technical controls enforce that boundary? (5) Review trigger — what changes to the system or its use would require a new classification review? Have legal counsel approve this document before the technical file is assembled — it is the foundation for everything that follows." 
}, { "speaker": "human", "text": "Classification rationale drafted, citing Annex III paragraph 4 (employment screening). Legal approved." } ], "triggers_next": "Classification rationale documented and legally approved." }, { "step": 2, "d": "transparency", "label": "Build the technical file and transparency documentation", "example_prompts": [ { "speaker": "human", "text": "What does the technical file need to contain and who owns each section?" }, { "speaker": "ai", "text": "Technical file sections with owners: (1) General description — Product owner; due: 2 weeks. (2) Design and development — ML engineering; includes: training data description, data governance, model architecture, training methodology. Due: 3 weeks. (3) Performance metrics — Data science; includes: aggregate and disaggregated accuracy, fairness metrics. Due: 3 weeks. (4) Risk management — Risk/legal; the risk management process applied during development. Due: 2 weeks. (5) Changes log — Technical writer; tracks all versions. Ongoing. (6) Post-market monitoring plan — Risk/compliance; Due: 4 weeks. Instructions for use (Article 13) — Technical writer; plain-language deployer guide. Due: 3 weeks. Assign owners and due dates now; the technical file cannot be assembled retroactively." }, { "speaker": "human", "text": "All section owners assigned. Three-week documentation sprint started." } ], "triggers_next": "Technical file section ownership assigned; documentation sprint started." }, { "step": 3, "d": "human-oversight", "label": "Document oversight mechanism with effectiveness evidence", "example_prompts": [ { "speaker": "human", "text": "How do we document human oversight in a way that will satisfy a notified body auditor?" }, { "speaker": "ai", "text": "Four-document oversight package: (1) Oversight design specification — describes the oversight mechanism in technical detail: who has access to the override function, at what point in the process, with what information visible to the reviewer. 
Include a process flow diagram. (2) Training program documentation — course outline, delivery method, duration, and assessment. Include completion records for all current reviewers. (3) Override capability test evidence — screenshot or screen recording showing the override function in the production UI; test log showing override testing in QA. (4) Override rate data — pull the past 3 months of production data: what percentage of AI outputs were overridden? If 0%, investigate — this suggests the override function is not being used, which is an oversight effectiveness finding." }, { "speaker": "human", "text": "Override rate: 8% — reviewers are actively overriding. All four documents compiled." } ], "triggers_next": "Human oversight documentation package complete with effectiveness evidence.", "loop_back": { "to": "risk-classification", "condition": "Oversight documentation reveals the system is used in ways beyond the classification rationale scope.", "reason": "Extended use scope requires classification rationale update before the technical file is finalized." } }, { "step": 4, "d": "robustness", "label": "Compile technical validation evidence", "example_prompts": [ { "speaker": "human", "text": "What robustness evidence do we need for the technical file?" }, { "speaker": "ai", "text": "Four evidence packages: (1) Performance testing report — format: table with accuracy, precision, recall by: overall population, and each protected characteristic (gender, age band, ethnicity) for the employment screening use case. Any subgroup with accuracy more than 5 percentage points below overall must be flagged and explained. (2) Third-party bias audit — commissioned independently of the development team; include methodology, disparity metrics, findings, and any remediation and re-test results. (3) Cybersecurity — penetration test report (not older than 12 months) and data encryption documentation for applicant data at rest and in transit. 
(4) Resilience — document the system's behavior at edge cases: incomplete CVs, non-standard formats, languages outside the training set. Include the system's warning or degradation signal for out-of-distribution inputs." }, { "speaker": "human", "text": "All four packages compiled. Third-party bias audit complete — one finding remediated and re-tested." } ], "triggers_next": "Robustness evidence package complete with subgroup analysis." }, { "step": 5, "d": "governance", "label": "Produce Declaration of Conformity and register in EU database", "example_prompts": [ { "speaker": "human", "text": "What are the final governance steps before we can deploy?" }, { "speaker": "ai", "text": "Three pre-deployment governance actions: (1) Declaration of Conformity — drafted by legal, signed by the provider's authorized representative. Must contain: system identification, conformity assessment route (internal assessment or notified body), list of applied harmonized standards or common specifications, and provider details. One copy retained for 10 years. (2) EU AI database registration — register at the Commission's AI Act portal. Required before first deployment. Retain the registration number and screenshot confirmation. (3) Post-market monitoring — confirm the monitoring plan is operational: monitoring owner named, first monthly review scheduled, incident reporting escalation path documented and tested. Once all three are complete, deployment is legally authorized. Document the deployment authorization date." }, { "speaker": "human", "text": "Declaration signed. EU database registration confirmed. Monitoring plan operational. Deployment authorized." } ], "triggers_next": "Full compliance documentation package complete; deployment legally authorized.", "can_restart": true } ], "transitions": [ { "from": "risk-classification", "to": "transparency", "trigger": "Classification rationale legally approved." 
}, { "from": "transparency", "to": "human-oversight", "trigger": "Technical file sections assigned and documentation sprint started." }, { "from": "human-oversight", "to": "risk-classification", "trigger": "Oversight documentation reveals use beyond classification scope.", "is_loop_back": true }, { "from": "human-oversight", "to": "robustness", "trigger": "Oversight documentation package complete." }, { "from": "robustness", "to": "governance", "trigger": "Robustness evidence package complete." }, { "from": "governance", "to": "risk-classification", "trigger": "Material system change triggers classification review and documentation update.", "is_cycle_restart": true } ] } }, { "id": "national-ai-policy-design", "framework_id": "oecd-ai-principles", "title": "National AI Policy Design", "domain": "policy", "file": "policy-national-ai-policy-design.yaml", "dimensions": { "inclusive-growth": { "description": "The policy is designed to distribute AI benefits across the full population — not just technologically advanced sectors — with explicit provisions for communities at risk of being left behind by AI-driven economic change.\n", "example": "Policy analyst: \"Our national AI strategy focuses on economic competitiveness. The OECD Principles require we also address distributional impact. Can you help identify which population groups are most at risk of exclusion from AI benefits in our context?\" AI: \"Based on the OECD AI Policy Observatory data, the three groups most consistently at risk are: workers in routine-task occupations (displacement risk), rural communities with limited digital infrastructure, and populations with low AI literacy. 
I recommend the policy include specific measures for each — not just a general 'digital inclusion' clause.\"\n", "antipattern": "Writing an AI policy that focuses entirely on innovation promotion and competitiveness without any provisions for equitable distribution of benefits or mitigation of AI-related economic displacement.\n" }, "human-centred": { "description": "The policy enshrines human rights protections and democratic values as constraints on AI use — not optional considerations. It identifies which rights are most at risk from AI and prescribes protections.\n", "example": "AI: \"For human-centred value provisions, I recommend mapping three rights categories: (1) Procedural rights — the right to explanation and challenge for consequential automated decisions. (2) Substantive rights — non-discrimination protections applied to AI outputs. (3) Collective rights — protection of democratic processes from AI manipulation (deepfakes, synthetic influence). Which are already covered in your existing legal framework and which require new policy provisions?\"\n", "antipattern": "Treating human rights compliance as a legal reference in the policy preamble rather than a design constraint that shapes what AI applications the policy permits, restricts, or prohibits.\n" }, "transparency": { "description": "The policy requires disclosure standards for AI systems deployed in public services and high-impact private sector applications — including when citizens are subject to AI decisions and what recourse they have.\n", "example": "Human: \"Should the policy require explainability for all AI systems or only specific categories?\" AI: \"The OECD framework supports a risk-proportionate approach: require full explainability for consequential decisions (benefits, justice, employment, credit) and AI-interaction disclosure for customer-facing systems. A blanket requirement for all AI would be unenforceable and technically impossible for all model types. 
I recommend three tiers: decision explainability, interaction disclosure, and general transparency reporting.\"\n", "antipattern": "Setting a transparency requirement so broad it is unenforceable, or so narrow it only covers government AI while leaving high-impact private sector AI unaddressed.\n" }, "robustness": { "description": "The policy establishes minimum technical and operational standards for AI safety and security in critical sectors, and assigns responsibility for defining and updating these standards over time.\n", "example": "AI: \"For robustness provisions, the policy should address three levels: (1) Sectoral standards — what safety requirements apply to AI in healthcare, transport, critical infrastructure? (2) Incident reporting — mandatory reporting of significant AI failures to a national authority. (3) Standards body — which existing body (standards institute, sector regulator) is mandated to define and update technical AI safety standards? Without a named body, the provision has no enforcement mechanism.\"\n", "antipattern": "Listing 'AI safety' as a policy objective without specifying who sets technical standards, what those standards are, and what happens when they are violated.\n" }, "accountability": { "description": "The policy assigns clear accountability for AI outcomes to deployers, developers, and public authorities — and establishes redress mechanisms for individuals harmed by AI decisions.\n", "example": "AI: \"Accountability provisions should distinguish three roles: (1) Developers — liable for fundamental safety properties of models they release. (2) Deployers — liable for how those models are applied to specific use cases. (3) Public authorities — accountable for AI in public services with an appeals pathway for citizens. 
Without this role distinction, enforcement is impossible — every actor will point to another when harm occurs.\"\n", "antipattern": "Writing accountability provisions that name no specific roles, reference only 'AI actors' generally, and provide no redress mechanism for individuals harmed by AI decisions.\n" } }, "score_hints": { "inclusive-growth": 0.2, "human-centred": 0.2, "transparency": 0.2, "robustness": 0.2, "accountability": 0.2 }, "summary": "", "tags": [ "policy", "government", "national-ai-strategy", "oecd" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Inclusive growth analysis identifies who benefits and who is at risk → human rights mapping determines which rights require new policy protections → transparency provisions are scoped to risk proportionality → robustness standards are assigned to named bodies → accountability roles are distinguished and redress mechanisms defined. Loops back to human-centred if transparency provisions conflict with existing rights frameworks.\n", "sequence": [ { "step": 1, "d": "inclusive-growth", "label": "Map AI benefit distribution and inclusion risks", "example_prompts": [ { "speaker": "human", "text": "We're drafting a national AI policy. Start with inclusive growth — who benefits and who doesn't in our current context?" }, { "speaker": "ai", "text": "To map distribution risks for your context, I need: (1) Your country's current AI adoption profile — which sectors are leading? (2) Labor market data — which occupations are most exposed to AI displacement? (3) Infrastructure gaps — which regions lack digital access? Once I have these, I can identify the three to five population groups that need explicit policy provisions, and draft inclusion-specific measures beyond a general 'digital access' clause." }, { "speaker": "human", "text": "Leading sectors: finance and logistics. Displacement exposure: truck drivers and data-entry clerks. 
Infrastructure gaps: rural northern regions." } ], "triggers_next": "At-risk groups identified with sector and regional specificity." }, { "step": 2, "d": "human-centred", "label": "Map rights at risk and design protective provisions", "example_prompts": [ { "speaker": "human", "text": "Which human rights are most at risk from AI in our context?" }, { "speaker": "ai", "text": "For your context (finance and logistics AI leaders, displacement risks, rural gaps): (1) Right to work — AI displacement in logistics without retraining provisions violates substantive economic rights. (2) Right to non-discrimination — AI in financial services without fairness requirements risks entrenching lending discrimination. (3) Right to an effective remedy — if AI makes a credit or benefits decision, citizens need an appeal pathway. Which of these is already covered in existing law and which requires new policy provisions?" }, { "speaker": "human", "text": "Right to remedy is a gap — no current AI-specific appeals mechanism exists." } ], "triggers_next": "Rights gaps identified; new policy provisions scoped.", "loop_back": { "to": "human-centred", "condition": "Transparency provisions in step 3 conflict with existing data protection rights.", "reason": "Rights conflicts must be resolved before transparency requirements are finalized." } }, { "step": 3, "d": "transparency", "label": "Define proportionate transparency requirements by risk tier", "example_prompts": [ { "speaker": "human", "text": "How should our transparency requirements be structured?" }, { "speaker": "ai", "text": "Risk-proportionate three-tier model: Tier 1 (High-risk consequential decisions — credit, benefits, justice): full explainability required, citizen notification mandatory. Tier 2 (Customer-facing AI interaction): disclosure that AI is being used, opt-out right for sensitive services. Tier 3 (Back-office AI): general transparency reporting to a designated authority annually. 
This avoids both unenforceable blanket requirements and the opposite — no requirements at all." }, { "speaker": "human", "text": "We'll adopt the three-tier model with the designated authority being our existing data protection regulator." } ], "triggers_next": "Transparency tiers defined with enforcement body named." }, { "step": 4, "d": "robustness", "label": "Assign standards bodies and define sector safety requirements", "example_prompts": [ { "speaker": "human", "text": "Who should set AI safety standards in our country?" }, { "speaker": "ai", "text": "Three options: (1) Mandate an existing standards body (e.g., national metrology institute) to adopt international standards (ISO 42001, NIST AI RMF) with a national supplement. (2) Create a new AI technical committee under your standards body with industry and civil society representation. (3) Delegate to sector regulators — transport safety for autonomous vehicles, health authority for medical AI. Option 3 is fastest but risks inconsistency across sectors. I recommend option 1 with sector supplements." }, { "speaker": "human", "text": "We'll mandate the national standards institute with a 12-month timeline to produce the first national AI safety standard." } ], "triggers_next": "Standards body named, timeline set, sector requirements scoped." }, { "step": 5, "d": "accountability", "label": "Assign accountability roles and define citizen redress", "example_prompts": [ { "speaker": "human", "text": "How do we structure accountability in the policy without it being unenforceable?" }, { "speaker": "ai", "text": "Three-role accountability structure: (1) AI developers — register high-risk AI systems with the national authority, provide technical documentation. (2) AI deployers — responsible for use-case compliance, must have a named AI risk officer for high-risk deployments. 
(3) Public authorities — use of AI in public services requires an impact assessment and a citizen appeals mechanism with a 30-day resolution SLA. Enforcement: existing sector regulators are the primary enforcers, with a cross-sector AI oversight body as the national coordinator. This maps directly to the OECD accountability principle without requiring a new regulatory body from scratch." }, { "speaker": "human", "text": "Agreed. We'll designate the data protection authority as the cross-sector AI coordinator." } ], "triggers_next": "Accountability roles, enforcement bodies, and redress mechanisms defined.", "can_restart": true } ], "transitions": [ { "from": "inclusive-growth", "to": "human-centred", "trigger": "At-risk groups and inclusion gaps identified." }, { "from": "human-centred", "to": "transparency", "trigger": "Rights gaps mapped and new policy provisions scoped." }, { "from": "transparency", "to": "human-centred", "trigger": "Transparency provisions conflict with existing rights framework.", "is_loop_back": true }, { "from": "transparency", "to": "robustness", "trigger": "Transparency tiers defined with enforcement body." }, { "from": "robustness", "to": "accountability", "trigger": "Standards body named and sector safety requirements scoped." }, { "from": "accountability", "to": "inclusive-growth", "trigger": "Policy review cycle — restart at next annual assessment.", "is_cycle_restart": true } ] } }, { "id": "research-data-analysis", "framework_id": "4d-framework", "title": "Research Paper Data Analysis with AI", "domain": "research", "file": "research-data-analysis.yaml", "dimensions": { "delegation": { "description": "Divide analytical work deliberately between human scholarly judgment and AI computation. AI handles pattern recognition in large datasets, running descriptive statistics, flagging outliers, generating visualization suggestions, and summarizing distributions. 
The researcher formulates hypotheses, interprets findings in disciplinary context, makes causal claims, and draws conclusions — these require domain expertise that AI cannot reliably supply.", "example": "A social scientist delegates to AI the task of computing correlation matrices across 47 variables in a survey dataset and generating a ranked list of significant correlations. She then applies her theoretical knowledge to determine which correlations are substantively meaningful versus statistically coincidental.", "antipattern": "Asking AI to not only run analysis but to formulate the research hypotheses, interpret what findings mean for the field, and draw conclusions — treating the model as a substitute for the researcher's own disciplinary expertise and scholarly judgment." }, "description": { "description": "Give AI precise methodological context — your research question, the dataset structure, units of measurement, required statistical methods, software environment, and any domain-specific constraints. Ambiguous instructions produce analysis that may be technically correct but methodologically wrong for your research design.", "example": "Prompt: 'Analyze this CSV of longitudinal student performance data (n=312, 4 time points). Variables: test_score (0-100), SES_quartile (1-4), intervention_group (binary), school_id (cluster variable). Run a mixed-effects linear regression predicting test_score from intervention_group, controlling for SES_quartile, with school_id as a random effect. Report coefficients, standard errors, and interpret the intervention effect size.'", "antipattern": "Prompting: 'Analyze my research data and tell me what's significant.' Without specifying the research question, the correct statistical model, variable types, or analytical constraints, AI may apply an inappropriate method (e.g., OLS on clustered data) that produces misleading results." 
}, "discernment": { "description": "Rigorously verify AI-produced analysis before incorporating it into research. Check that statistical methods are appropriate for your data structure, that calculations are correct, that effect sizes are interpreted accurately, and that the AI has not made assumptions that violate your study design. AI can produce plausible-looking but methodologically flawed analysis.", "example": "A researcher notices that AI-generated regression output reports a significant p-value but has failed to account for the clustered sampling structure, inflating the precision of estimates. She reruns the analysis herself with correct standard errors and finds the effect is no longer significant at her threshold.", "antipattern": "Inserting AI-generated statistical tables and interpretive text directly into a manuscript without independently verifying the calculations, checking model assumptions, or confirming that the chosen method is appropriate for the study design — risking publication of flawed findings." }, "diligence": { "description": "Be transparent about AI's role in your analytical workflow per your institution's and journal's policies. Ensure all claims in the final paper reflect your own validated analysis. Maintain full methodological accountability — if AI analysis is used, you must understand it well enough to defend every number in peer review.", "example": "A research team documents in their methods section that AI-assisted tools were used for initial descriptive analysis and outlier detection, while all inferential statistics were conducted and verified by the authors using R. They retain full analytical scripts for reproducibility review.", "antipattern": "Publishing a paper that includes AI-generated statistical analysis without independent verification, failing to disclose AI assistance in violation of journal policy, or being unable to explain or reproduce the reported numbers during peer review." 
} }, "score_hints": { "delegation": 0.2, "description": 0.25, "discernment": 0.35, "diligence": 0.2 }, "summary": "Divide analytical work deliberately between human scholarly judgment and AI computation. AI handles pattern recognition in large datasets, running descriptive statistics, flagging outliers, generating", "tags": [ "research", "data-analysis", "statistics", "academic" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Researcher delegates analysis scope, provides dataset and hypotheses, evaluates AI findings for statistical validity, then reports — looping back to description if data quality issues emerge.", "sequence": [ { "step": 1, "d": "delegation", "label": "Agree on analysis scope and AI autonomy", "example_prompts": [ { "speaker": "human", "text": "Analyze this survey dataset for correlations between feature usage and retention. Can you decide which statistical tests to run?" }, { "speaker": "ai", "text": "I can select appropriate tests given the distribution. Should I flag non-significant results or only report significant ones?" }, { "speaker": "human", "text": "Flag all results — I want the full picture, not just the highlights." } ], "triggers_next": "Analysis scope and reporting rule agreed." }, { "step": 2, "d": "description", "label": "Provide dataset and hypotheses", "example_prompts": [ { "speaker": "human", "text": "Here's the dataset. Hypothesis: users who use feature X in the first week have higher 90-day retention." }, { "speaker": "ai", "text": "The dataset has 12% missing values in the retention column — how should I handle them?" }, { "speaker": "human", "text": "Exclude records with missing retention data and note the exclusion count." } ], "triggers_next": "AI has clean dataset, hypotheses, and data handling rules." 
}, { "step": 3, "d": "discernment", "label": "Evaluate analysis findings", "example_prompts": [ { "speaker": "human", "text": "The correlation coefficient looks high — is this sample size large enough for that claim?" }, { "speaker": "ai", "text": "N=340 gives 80% power for this effect size. The result is statistically robust." }, { "speaker": "human", "text": "Good. Flag finding 3 as exploratory — the sample for that subgroup is only N=28." } ], "triggers_next": "Findings validated for statistical robustness and appropriate caveats added.", "loop_back": { "to": "description", "condition": "Data quality issues (e.g., sampling bias, large missing data) undermine the analysis.", "reason": "Dataset needs cleaning or re-scoping before analysis is meaningful." } }, { "step": 4, "d": "diligence", "label": "Review, document, and report", "example_prompts": [ { "speaker": "human", "text": "Senior analyst peer-reviews the methodology section before publication." }, { "speaker": "human", "text": "Documenting which tests were AI-selected and which were human-specified in the methods section." } ], "triggers_next": "Report approved and methodology documented. Cycle restarts for next analysis.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Analysis scope and reporting rules agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers analysis results." }, { "from": "discernment", "to": "diligence", "trigger": "Findings validated." 
}, { "from": "discernment", "to": "description", "trigger": "Data quality issues require dataset revision.", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "Next research question — restart.", "is_cycle_restart": true } ] } }, { "id": "literature-review", "framework_id": "4d-framework", "title": "AI-Supported Academic Literature Review", "domain": "research", "file": "research-literature-review.yaml", "dimensions": { "delegation": { "description": "AI can accelerate the literature review process by synthesizing themes across papers you have already identified, generating structured summaries of provided texts, suggesting search terms for database queries, and proposing a gap analysis framework. Researchers retain responsibility for: executing the systematic search in academic databases, verifying that all cited sources exist and are accurately represented, forming scholarly interpretations, and drawing conclusions about the field's state.", "example": "A PhD student compiles 60 papers from her PubMed and Scopus searches on microbiome-mental health connections. She feeds the abstracts to AI in batches, asking it to identify recurring themes, contradictions between studies, and underexplored angles. She then uses this thematic map as a scaffold for her own reading and synthesis, reading every paper herself before citing it.", "antipattern": "Asking AI to conduct the literature review from scratch — generating the reading list, summarizing papers AI has not actually read, and producing a synthesis the researcher then submits — creating a review full of hallucinated citations and misrepresented findings that the researcher cannot defend." }, "description": { "description": "Specify your literature review's scope with precision: the exact research question, the academic field and subfield, the time range, inclusion and exclusion criteria, the required depth of analysis, and the review type (narrative, systematic, scoping). 
Imprecise framing leads to AI output that spans the wrong literature or treats your question at the wrong level of specificity.", "example": "Prompt: 'I have provided 45 abstracts from papers on cognitive behavioral therapy outcomes for adolescent depression, published 2015-2024, RCTs only. Identify: (1) the most common outcome measures used across studies, (2) the patient subgroups most frequently underrepresented, (3) the three most-cited methodological limitations across papers, and (4) any emerging treatment modifications mentioned in multiple papers. Do not add any studies I haven't provided.'", "antipattern": "Prompting: 'Write a literature review on therapy and depression.' Without scope constraints, AI generates a sweeping narrative that mixes study types, time periods, populations, and therapy modalities — producing a superficial overview that satisfies no specific research question and cannot withstand peer review scrutiny." }, "discernment": { "description": "Verify every citation in an AI-assisted literature review independently in an academic database before including it in your work. AI confidently generates plausible-sounding but fabricated citations — author names, journal titles, and publication years that look real but aren't. Additionally, verify that real papers are accurately characterized: check that AI summaries correctly represent each paper's methodology, findings, and limitations.", "example": "A researcher asks AI to synthesize themes from a set of provided papers and flag potentially relevant additional sources. She treats every additional source AI suggests as unverified until she has confirmed it in Google Scholar. 
Of eight AI-suggested additional references, two do not exist and one exists but reaches the opposite conclusion from what AI claimed.", "antipattern": "Submitting a literature review with AI-generated citations that were never individually verified in an academic database — discovering during peer review that three cited articles are fabrications, resulting in rejection and reputational damage that follows the researcher's professional record." }, "diligence": { "description": "The researcher is fully responsible for every claim and citation in the final review. Disclose AI assistance per your target journal's author guidelines and your institution's research integrity policy (requirements vary significantly across disciplines and publishers). Validate all sources independently regardless of AI confidence. Understand that your scholarly reputation is built on the accuracy and integrity of your literature representation.", "example": "A research team submits a systematic review that includes in the methods section a transparent account of how AI tools were used for thematic synthesis of author-identified papers, notes that all citations were independently verified in Cochrane Library and PubMed, and confirms compliance with the journal's AI transparency policy — meeting both disclosure and integrity standards.", "antipattern": "Relying on AI to identify and summarize literature without reading the papers yourself, submitting a review that misrepresents study findings because you trusted AI's characterizations over the original texts, or failing to disclose AI assistance to a journal that requires transparency — compromising academic integrity and potentially contributing false knowledge to the scholarly record." 
} }, "score_hints": { "delegation": 0.2, "description": 0.3, "discernment": 0.3, "diligence": 0.2 }, "summary": "AI can accelerate the literature review process by synthesizing themes across papers you have already identified, generating structured summaries of provided texts, suggesting search terms for databas", "tags": [ "literature-review", "academic-research", "citation-verification", "research-integrity" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "iterative", "description": "Researcher and AI iterate through literature in passes — each pass scopes the search, provides query context, evaluates source quality, and commits the accepted sources before the next domain.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define search scope and AI autonomy", "example_prompts": [ { "speaker": "human", "text": "Search for papers on transformer attention mechanisms published 2020–2024. Can you decide which databases to query?" }, { "speaker": "ai", "text": "I'd suggest Semantic Scholar, arXiv, and ACL Anthology. Should I include pre-prints or only peer-reviewed?" }, { "speaker": "human", "text": "Include pre-prints but flag them separately." } ], "triggers_next": "Search scope, databases, and pre-print policy agreed." }, { "step": 2, "d": "description", "label": "Provide query terms and exclusion criteria", "example_prompts": [ { "speaker": "human", "text": "Focus on efficiency improvements to attention. Exclude papers that are purely theoretical with no empirical results." }, { "speaker": "ai", "text": "Should I prioritize highly-cited papers or recent ones?" }, { "speaker": "human", "text": "Recent first — this is a fast-moving area." } ], "triggers_next": "AI has query terms, relevance criteria, and recency bias." 
}, { "step": 3, "d": "discernment", "label": "Evaluate source quality and relevance", "example_prompts": [ { "speaker": "human", "text": "Paper 7 seems tangentially related — is the methodology actually relevant to our work?" }, { "speaker": "ai", "text": "The dataset they use is different but the attention variant they propose directly addresses your efficiency problem. I'd include it." }, { "speaker": "human", "text": "Agreed — include it with a note on the dataset difference." } ], "triggers_next": "Source list validated for relevance and quality." }, { "step": 4, "d": "diligence", "label": "Curate and document the source list", "example_prompts": [ { "speaker": "human", "text": "PI reviews the final list before it goes into the literature section." }, { "speaker": "human", "text": "Adding search query log and exclusion decisions to the methodology appendix." } ], "triggers_next": "Sources committed. Begin next thematic area.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Search scope and databases agreed." }, { "from": "description", "to": "discernment", "trigger": "AI returns candidate sources." }, { "from": "discernment", "to": "diligence", "trigger": "Sources validated." }, { "from": "diligence", "to": "delegation", "trigger": "Next thematic area — new search pass.", "is_cycle_restart": true } ] } }, { "id": "content-development", "framework_id": "4d-framework", "title": "Story and Content Development with AI", "domain": "writing", "file": "writing-content-development.yaml", "dimensions": { "delegation": { "description": "Identify which creative elements benefit from AI exploration versus which must remain human-driven. AI excels at generating plot alternatives, brainstorming secondary character names, proposing scene structures, and expanding on prompts. 
Core voice, thematic meaning, emotional truth, and the author's unique perspective must stay with the human creator.", "example": "A novelist asks AI to generate five possible turning points for chapter 7, then selects and transforms the one that best fits her protagonist's established arc. The AI explores; the human decides and develops.", "antipattern": "Handing the AI a character description and asking it to write entire chapters wholesale, then lightly editing and publishing the result — abdicating the creative authorship that gives the work its distinctive voice and purpose." }, "description": { "description": "Give AI rich, specific creative context — the story world's rules, character backstories, established themes, the emotional arc you are building toward, your narrative voice, and any stylistic constraints. Vague prompts produce generic content; detailed creative briefs produce useful raw material.", "example": "Prompt: 'This is a near-future climate noir story set in drowned New Orleans, 2067. Protagonist Maya Tran is a cynical water-rights detective, dry wit, Creole heritage, distrusts authority. I need three scene openings for chapter 4 where she visits the Floating Market. Tone: melancholy but alive with sensory detail. Echo Toni Morrison's eye for place.'", "antipattern": "Prompting: 'Write a scene for my sci-fi story where the hero goes to a market.' This yields generic content with no connection to the established world, character voice, or thematic purpose — unusable without complete rewriting." }, "discernment": { "description": "Evaluate AI-generated content against your creative vision, not just surface quality. Good AI output that doesn't fit your voice or thematic intent is still the wrong output. Actively reject suggestions that feel generic, that undercut character consistency, or that introduce tropes that conflict with what you are building.", "example": "An author receives three AI-generated chapter openings. 
Two are competently written but feel tonally flat for her noir voice. The third has an interesting image she adapts, changing the phrasing to match her protagonist's sardonic register. She uses roughly 15% of the AI material, transformed.", "antipattern": "Accepting AI-generated dialogue or scene descriptions because they are grammatically sound and feel 'good enough,' without checking whether they match the character's established voice, advance the story's thematic arc, or reflect the emotional truth the author intended." }, "diligence": { "description": "Be transparent about AI's role in your creative work according to the norms of your publication context. Preserve your human creative intent as the primary force shaping the work. Avoid over-relying on AI to the point where your own creative voice atrophies. Keep records of your creative process for attribution purposes.", "example": "A short story writer notes in her submission cover letter that AI tools were used for brainstorming and structural exploration, per the journal's disclosure policy. The published story reflects her voice, her decisions, and her thematic vision throughout.", "antipattern": "Submitting AI-generated content to publications that prohibit AI-assisted work without disclosure, or losing track of which creative decisions were yours versus the AI's — failing to maintain the human authorship that gives the work its integrity and legal standing." } }, "score_hints": { "delegation": 0.3, "description": 0.35, "discernment": 0.2, "diligence": 0.15 }, "summary": "Identify which creative elements benefit from AI exploration versus which must remain human-driven. 
AI excels at generating plot alternatives, brainstorming secondary character names, proposing scene ", "tags": [ "creative-writing", "storytelling", "content-development", "authorship" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "iterative", "description": "Writer and AI iterate through content passes — each round refines scope, provides richer context, evaluates quality, and commits the accepted draft before the next iteration.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define AI writing role for this pass", "example_prompts": [ { "speaker": "human", "text": "Draft the introduction section. You decide the hook — I'll revise tone and factual claims." }, { "speaker": "ai", "text": "Should I aim for a provocative hook or an informative one given the audience?" }, { "speaker": "human", "text": "Informative — this is a technical audience, not a general one." } ], "triggers_next": "AI's role and creative latitude for this pass agreed." }, { "step": 2, "d": "description", "label": "Provide audience, tone, and source material", "example_prompts": [ { "speaker": "human", "text": "The audience is senior engineers. Tone: direct, no fluff. Here are the three source papers to draw from." }, { "speaker": "ai", "text": "Should I cite sources inline or use footnotes?" }, { "speaker": "human", "text": "Inline citations, short form — author + year." } ], "triggers_next": "AI has audience, tone, and sources." }, { "step": 3, "d": "discernment", "label": "Evaluate draft quality", "example_prompts": [ { "speaker": "human", "text": "The second paragraph overstates the claim — the paper says 'suggests', not 'proves'." }, { "speaker": "ai", "text": "Corrected to 'suggests evidence for'. Should I flag other hedging opportunities?" }, { "speaker": "human", "text": "Yes — flag anything that sounds more certain than the sources warrant." 
} ], "triggers_next": "Draft quality and factual accuracy validated." }, { "step": 4, "d": "diligence", "label": "Finalize and publish", "example_prompts": [ { "speaker": "human", "text": "Editor sign-off received. Marking AI-drafted sections in the revision history." }, { "speaker": "human", "text": "Posting to the engineering blog." } ], "triggers_next": "Section published. Next section begins new iteration.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Writing role and creative latitude agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers draft." }, { "from": "discernment", "to": "diligence", "trigger": "Draft validated." }, { "from": "diligence", "to": "delegation", "trigger": "Next content section — restart.", "is_cycle_restart": true } ] } }, { "id": "creative-ai-collaboration", "framework_id": "4d-framework", "title": "Creative Writing with AI as Co-Creator", "domain": "writing", "file": "writing-creative-ai-collaboration.yaml", "dimensions": { "delegation": { "description": "The human writer sets and holds the creative vision, voice, and thematic intent. AI's role is to explore the possibility space: generating variations, proposing alternative phrasings, suggesting structural options, and expanding on prompts the writer provides. The writer selects, transforms, and integrates — never simply accepting. This asymmetry preserves human creative authorship while genuinely leveraging AI's generative range.", "example": "A short story writer gives AI her protagonist's voice sample and asks for ten possible opening lines for a new story. 
She finds two that spark something, combines elements from both, and rewrites the result into a line that is distinctly her own — using AI as a creative catalyst, not a ghostwriter.", "antipattern": "Asking AI to generate a complete story with a brief premise, then submitting it to literary publications with minimal editing — claiming authorship of work in which the human's creative contribution was limited to a topic choice and a submit button press." }, "description": { "description": "Give AI the full creative parameters it needs to generate useful material: genre conventions you are working within or against, your protagonist's established voice and psychology, the narrative constraints of the world you've built, the emotional register of the scene, stylistic influences, and what you specifically want to explore in this session. Richer briefs yield richer possibilities.", "example": "Prompt: 'Write three alternative versions of the scene where Lena realizes her sister has been lying to her for years. Lena's voice: quiet, measured, suppresses emotion until it breaks through — think Marilynne Robinson's register. Setting: kitchen, early morning, just them. Her sister doesn't know Lena knows yet. Each version should find a different emotional entry point: one through an object, one through silence, one through an unexpected mundane action.'", "antipattern": "Prompting: 'Write a scene where two sisters have a conflict.' This produces a generic dialogue with stock emotional beats that has no connection to your specific characters, your established voice, or the narrative weight the scene needs to carry in your story." }, "discernment": { "description": "Evaluate AI-generated creative material against voice consistency, originality, narrative coherence, and emotional truth — not just surface competence. Good writing that doesn't sound like you, that relies on familiar tropes, or that resolves emotional tension too easily is still wrong for your work. 
Actively seek and reject the generic. What makes AI output valuable is what you do with it, not what it produces on its own.", "example": "A novelist receives five AI-generated dialogue exchanges for a tense confrontation scene. She discards three as tonally flat and relying on predictable beats. One has an image — a character straightening a picture frame mid-argument — that feels true to her story. She uses only that image, embedded in dialogue she writes herself, and the scene becomes one of the book's strongest moments.", "antipattern": "Accepting AI-generated prose because it reads smoothly and competently, without checking whether it sounds like your narrator's voice, advances the scene's specific emotional purpose, or introduces tropes (the dramatic pause before the reveal, the single tear) that undercut the subtlety you are working to achieve." }, "diligence": { "description": "Be honest with your readers, your publishers, and yourself about AI's role in your creative process. Follow your publication venue's disclosure policies. Ensure your creative voice and human intent remain the primary force in the work. Maintain your craft practice — using AI as a crutch that prevents developing your own creative capabilities ultimately diminishes both you and the work.", "example": "A literary fiction writer discloses in her author's note that AI tools were used for brainstorming and exploring structural alternatives during drafting, consistent with her publisher's transparency policy. The novel reflects her voice, her thematic vision, and her years of craft development on every page.", "antipattern": "Using AI to write the bulk of a novel, submitting it under your sole authorship to a publisher who prohibits undisclosed AI content, and publishing work that cannot be defended as primarily yours — creating legal and reputational exposure and undermining the trust relationship between author and reader." 
} }, "score_hints": { "delegation": 0.3, "description": 0.3, "discernment": 0.2, "diligence": 0.2 }, "summary": "The human writer sets and holds the creative vision, voice, and thematic intent. AI's role is to explore the possibility space: generating variations, proposing alternative phrasings, suggesting struc", "tags": [ "creative-writing", "fiction", "co-creation", "authorship" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "cyclic", "description": "Human and AI sustain a continuous creative loop — each creative exchange re-evaluates the direction and can cycle back to re-establish creative constraints at any point.", "sequence": [ { "step": 1, "d": "delegation", "label": "Establish creative autonomy", "example_prompts": [ { "speaker": "human", "text": "Write a short story opening. You pick the genre and voice — I'll redirect if it doesn't feel right." }, { "speaker": "ai", "text": "I'll try a quiet, literary voice set in a near-future city. Should I commit to a POV character?" }, { "speaker": "human", "text": "Yes — first person, present tense." } ], "triggers_next": "Creative latitude, genre, and POV agreed." }, { "step": 2, "d": "description", "label": "Provide creative constraints and inspiration", "example_prompts": [ { "speaker": "human", "text": "The theme is isolation despite connectivity. Draw from Ballard's style — sparse, clinical." }, { "speaker": "ai", "text": "Should I include a specific visual motif or let one emerge?" }, { "speaker": "human", "text": "Let one emerge — I'll tell you if it works." } ], "triggers_next": "AI has thematic and stylistic anchors." }, { "step": 3, "d": "discernment", "label": "Evaluate creative output", "example_prompts": [ { "speaker": "human", "text": "The opening paragraph is strong but the metaphor in line 3 is too on-the-nose." 
}, { "speaker": "ai", "text": "I can replace it with something more oblique — do you want me to suggest three options?" }, { "speaker": "human", "text": "Just one — go with your best instinct." } ], "triggers_next": "Creative direction validated or refined." }, { "step": 4, "d": "diligence", "label": "Accept and continue or reshape", "example_prompts": [ { "speaker": "human", "text": "This version works. Saving as draft v2. Let's continue from here — next section?" }, { "speaker": "human", "text": "Actually — the voice has drifted. Let's reset the creative constraints before continuing." } ], "triggers_next": "Continues to next creative passage or cycles back to establish new constraints.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Creative autonomy and POV agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers creative output." }, { "from": "discernment", "to": "diligence", "trigger": "Output evaluated." }, { "from": "diligence", "to": "delegation", "trigger": "Voice drift or new creative direction needed — reset constraints.", "is_loop_back": true }, { "from": "diligence", "to": "description", "trigger": "Continue from accepted draft — provide next constraints.", "is_cycle_restart": true } ] } }, { "id": "marketing-email-campaign", "framework_id": "4d-framework", "title": "AI-Assisted Marketing Email Campaigns", "domain": "writing", "file": "writing-marketing-email-campaign.yaml", "dimensions": { "delegation": { "description": "The human marketing strategist designs the campaign's core message, audience segmentation logic, and brand voice. AI then executes variation drafting — subject line alternatives, body copy variants for A/B testing, personalization token suggestions, and CTA phrasing options. 
The human selects, refines, and approves; AI accelerates the variation space.", "example": "A marketing manager defines the campaign goal (re-engage lapsed subscribers with a 20% discount), the audience segment (users inactive for 90+ days), and the brand voice (friendly, direct, never pushy). She then asks AI to draft five subject line options and three body copy variants, which she narrows to one of each after testing against campaign criteria.", "antipattern": "Having AI independently design the campaign messaging strategy, choose the audience, set the offer, and draft the emails — then simply forwarding the AI output to the email platform without human strategic review or brand alignment check." }, "description": { "description": "Provide AI with a complete campaign brief: target audience demographics and psychographics, campaign objective and success metrics, desired brand voice with examples, the specific offer or message, any compliance constraints (CAN-SPAM, GDPR), and the desired call to action. The more precisely you define success, the more useful the AI drafts.", "example": "Prompt: 'Draft three subject line options and two body copy variants for a re-engagement email. Audience: B2B SaaS users, mid-level product managers, inactive 90+ days. Offer: 20% discount on annual plan upgrade. Voice: confident, peer-to-peer, not salesy — like a trusted colleague nudging, not a pushy vendor. CTA: Schedule a 15-min call. Compliance: include unsubscribe link placeholder. Max 150 words body copy.'", "antipattern": "Prompting: 'Write a marketing email for our product.' With no audience definition, no campaign goal, no voice guidance, and no offer details, AI produces a generic promotional template that fits no specific audience and advances no particular business goal." }, "discernment": { "description": "Evaluate each AI-drafted variant against your campaign goals, brand standards, audience fit, and legal requirements before sending. 
Check that claims are factually accurate, that the tone matches your brand, that the offer details are correct, and that no language could mislead recipients or create compliance issues.", "example": "A campaign manager reviews an AI-drafted email and flags two issues: the subject line 'You're missing out!' violates the company's brand guideline against FOMO language, and a product claim ('the #1 tool for project managers') is unsubstantiated. She revises both before the email enters the approval workflow.", "antipattern": "Sending AI-drafted campaign emails after only a quick skim for spelling errors — missing off-brand phrasing, unverified product claims, incorrect offer details, or compliance issues that could damage brand trust or trigger regulatory scrutiny." }, "diligence": { "description": "Validate all factual claims, offer details, pricing, and legal disclosures before the email goes out. Consider the ethics of AI use in persuasive marketing communications and whether your audience has any expectation of human-crafted outreach. Maintain a human approval step in the campaign workflow regardless of AI involvement.", "example": "Before deploying a 50,000-recipient campaign, the marketing team runs the AI-drafted email through their compliance checklist (unsubscribe link present, sender identification correct, no deceptive subject lines), has the legal team verify the offer terms, and gets final sign-off from the brand director.", "antipattern": "Auto-deploying AI-drafted emails through an automated campaign platform with no human review step, sending incorrect pricing or expired offers to thousands of recipients, or using AI-generated urgency language ('Act now before midnight!') for a deadline that doesn't actually exist." } }, "score_hints": { "delegation": 0.25, "description": 0.35, "discernment": 0.2, "diligence": 0.2 }, "summary": "The human marketing strategist designs the campaign's core message, audience segmentation logic, and brand voice. 
AI then executes variation drafting — subject line alternatives, body copy variants fo", "tags": [ "marketing", "email-campaign", "copywriting", "brand-voice" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Marketer delegates copy generation, provides audience and goal context, evaluates AI copy for brand fit, then approves send — looping back to description if messaging misses the mark.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define AI copy role", "example_prompts": [ { "speaker": "human", "text": "Draft 3 subject line variants and the body for a re-engagement campaign. You choose the CTA." }, { "speaker": "ai", "text": "Should I optimize the CTA for clicks or for replies?" }, { "speaker": "human", "text": "Clicks — we want traffic to the new pricing page." } ], "triggers_next": "AI's copy role and optimization goal agreed." }, { "step": 2, "d": "description", "label": "Provide audience segment and brand context", "example_prompts": [ { "speaker": "human", "text": "Audience: lapsed users, last active 90+ days ago. Brand voice: friendly, direct, no urgency language. Goal: bring them back to see the new plan." }, { "speaker": "ai", "text": "Is there a specific pain point from exit surveys I should address?" }, { "speaker": "human", "text": "Yes — 60% cited pricing confusion. Lead with clarity on the new plan." } ], "triggers_next": "AI has audience, brand voice, and specific messaging anchor." }, { "step": 3, "d": "discernment", "label": "Evaluate copy for brand fit and accuracy", "example_prompts": [ { "speaker": "human", "text": "Subject line 2 has urgency language — 'Don't miss out' — remove it." }, { "speaker": "ai", "text": "Replaced with 'See what's new.' Does the body CTA feel too salesy?" }, { "speaker": "human", "text": "Slightly — soften to 'Take a look' from 'Upgrade now'." 
} ], "triggers_next": "Copy aligns with brand voice and factual accuracy confirmed.", "loop_back": { "to": "description", "condition": "Copy consistently misses tone or misrepresents product features.", "reason": "Messaging anchor or brand constraints need to be re-provided with examples." } }, { "step": 4, "d": "diligence", "label": "Approve and send", "example_prompts": [ { "speaker": "human", "text": "Legal sign-off on claims — approved. Scheduling send for Tuesday 10am." }, { "speaker": "human", "text": "Logging AI-generated copy version and override history for compliance." } ], "triggers_next": "Campaign sent. Cycle restarts for next campaign.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Copy role and optimization goal agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers copy variants." }, { "from": "discernment", "to": "diligence", "trigger": "Copy validated for brand and accuracy." }, { "from": "discernment", "to": "description", "trigger": "Messaging consistently off — re-provide anchor.", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "Next campaign — restart.", "is_cycle_restart": true } ] } } ], "byDomain": { "coding": [ { "id": "bug-fix-prioritization", "framework_id": "4d-framework", "title": "Bug Fix Prioritization", "domain": "coding", "file": "coding-bug-fix-prioritization.yaml", "dimensions": { "delegation": { "description": "Should this task be automated, augmented, or agentic?", "example": "AI suggests bug fix priorities based on impact and frequency.", "antipattern": "Letting AI fully decide bug fix order without human input." }, "description": { "description": "What context/framing makes the AI most useful here?", "example": "Provide bug reports, user impact, and historical data.", "antipattern": "No context, leading to poor prioritization." 
}, "discernment": { "description": "How do you evaluate if the AI output is trustworthy?", "example": "Cross-check AI prioritization with product manager feedback.", "antipattern": "Accepting AI priorities without review." }, "diligence": { "description": "What human accountability is required after AI involvement?", "example": "Product manager must approve final bug fix order.", "antipattern": "Deploying fixes based solely on AI suggestions." } }, "score_hints": { "delegation": 0.2, "description": 0.3, "discernment": 0.3, "diligence": 0.2 }, "summary": "Should this task be automated, augmented, or agentic?", "tags": [ "bug-fix", "prioritization", "coding" ], "contributor": "Dakan & Feller", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Human delegates triage scope, AI prioritizes bugs with context provided, human discerns the ranked list, diligence locks in the fix order — looping back to description if root cause is unclear.", "sequence": [ { "step": 1, "d": "delegation", "label": "Agree on AI triage autonomy", "example_prompts": [ { "speaker": "human", "text": "I have 20 open bugs. Can you rank them by user impact and estimated fix time without me reviewing each one?" }, { "speaker": "ai", "text": "I can rank by impact category and complexity estimate. I'd recommend you confirm the top 5 before engineering schedules — want me to auto-assign the bottom 10 to backlog?" }, { "speaker": "human", "text": "Auto-assign backlog tier, surface the top 10 for my review." } ], "triggers_next": "Triage scope and backlog rule agreed." }, { "step": 2, "d": "description", "label": "Provide bug list and product context", "example_prompts": [ { "speaker": "human", "text": "Here are the 20 bug reports with user complaint frequency and affected feature areas." }, { "speaker": "ai", "text": "Should I weight payment-flow bugs higher than UI bugs?" 
}, { "speaker": "human", "text": "Yes — payment and data-loss bugs are P0 regardless of frequency." } ], "triggers_next": "AI has priority rules and full bug context." }, { "step": 3, "d": "discernment", "label": "Evaluate prioritized list", "example_prompts": [ { "speaker": "human", "text": "Bug #7 is ranked P1 but I know it's a duplicate of #12 — remove it." }, { "speaker": "ai", "text": "Understood. Do you want me to merge the user complaint counts or keep them separate?" }, { "speaker": "human", "text": "Merge them — #12 now carries the combined weight." } ], "triggers_next": "Prioritized list is validated and de-duplicated.", "loop_back": { "to": "description", "condition": "Root cause of a high-priority bug is unclear or disputed.", "reason": "More engineering context is needed before ranking is meaningful." } }, { "step": 4, "d": "diligence", "label": "Commit to fix schedule and document", "example_prompts": [ { "speaker": "human", "text": "Engineering lead, confirm sprint assignment for P0 and P1 items." }, { "speaker": "human", "text": "Log the AI-generated ranking and the manual overrides in Jira for audit." } ], "triggers_next": "Sprint is committed. Cycle restarts at next triage session.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Triage scope agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers ranked list." }, { "from": "discernment", "to": "diligence", "trigger": "List validated and overrides applied." 
}, { "from": "discernment", "to": "description", "trigger": "Root cause unclear — needs more context.", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "Next triage session — restart.", "is_cycle_restart": true } ] } }, { "id": "code-review-triage", "framework_id": "4d-framework", "title": "Code Review Triage", "domain": "coding", "file": "coding-code-review-triage.yaml", "dimensions": { "delegation": { "description": "Should this task be automated, augmented, or agentic?", "example": "Use AI to triage code review comments, flagging those needing human attention.", "antipattern": "Fully automating code review without human oversight." }, "description": { "description": "What context/framing makes the AI most useful here?", "example": "Provide repository context and recent commit history for accurate triage.", "antipattern": "No context, leading to irrelevant triage suggestions." }, "discernment": { "description": "How do you evaluate if the AI output is trustworthy?", "example": "Compare flagged comments against senior developer feedback.", "antipattern": "Accepting AI triage without validation." }, "diligence": { "description": "What human accountability is required after AI involvement?", "example": "Human must review flagged comments before merging.", "antipattern": "Merging code based solely on AI triage." 
} }, "score_hints": { "delegation": 0.2, "description": 0.3, "discernment": 0.3, "diligence": 0.2 }, "summary": "Should this task be automated, augmented, or agentic?", "tags": [ "code-review", "triage", "automation" ], "contributor": "Dakan & Feller", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Human negotiates AI review scope, provides code context, evaluates findings, then approves — looping back to scope if false-positive rate is high.", "sequence": [ { "step": 1, "d": "delegation", "label": "Negotiate AI review scope and autonomy", "example_prompts": [ { "speaker": "human", "text": "Can you automatically approve style-only comments and flag logic and security issues for me?" }, { "speaker": "ai", "text": "I can flag logic and security issues with confidence levels. I'd recommend human approval for all security findings — want me to auto-close only style nits?" }, { "speaker": "human", "text": "Yes — auto-close style nits, surface everything else with a severity label." } ], "triggers_next": "Autonomy boundaries and severity thresholds are agreed." }, { "step": 2, "d": "description", "label": "Provide repository and PR context", "example_prompts": [ { "speaker": "human", "text": "Here is the PR diff, our style guide link, and the three open issues this PR addresses." }, { "speaker": "ai", "text": "Got it. Should I cross-reference the open issues when flagging findings?" }, { "speaker": "human", "text": "Yes — link any finding to the relevant issue if there's a match." } ], "triggers_next": "AI has enough context to begin analysis." }, { "step": 3, "d": "discernment", "label": "Evaluate AI triage findings", "example_prompts": [ { "speaker": "human", "text": "Walk me through your findings. Item 4 — is that a real security issue or a false positive?" }, { "speaker": "ai", "text": "Item 4 is likely a false positive given the existing sanitization in line 42. I flagged it because the pattern matches a known injection vector — but the guard is already in place." }, { "speaker": "human", "text": "Agreed, dismiss item 4. The rest look valid." } ], "triggers_next": "Human has validated which findings are actionable.", "loop_back": { "to": "delegation", "condition": "More than 30% of findings are false positives.", "reason": "Scope or severity thresholds need renegotiation." } }, { "step": 4, "d": "diligence", "label": "Approve findings and document decisions", "example_prompts": [ { "speaker": "human", "text": "Senior engineer, please sign off on items 1, 2, 3, and 5 before we merge." }, { "speaker": "human", "text": "I'll add a comment to the PR logging which items were AI-flagged and which were human-dismissed." } ], "triggers_next": "PR is approved and decisions are documented. Cycle restarts for the next PR.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Autonomy level and severity thresholds agreed." }, { "from": "description", "to": "discernment", "trigger": "AI completes triage analysis." }, { "from": "discernment", "to": "diligence", "trigger": "Human validates findings as actionable." }, { "from": "discernment", "to": "delegation", "trigger": "False-positive rate too high — re-scope.", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "New PR arrives — restart cycle.", "is_cycle_restart": true } ] } }, { "id": "refactoring-suggestions", "framework_id": "4d-framework", "title": "Refactoring Suggestions", "domain": "coding", "file": "coding-refactoring-suggestions.yaml", "dimensions": { "delegation": { "description": "Should this task be automated, augmented, or agentic?", "example": "AI proposes refactoring opportunities, human reviews and approves.", "antipattern": "AI automatically refactors code without human review."
}, "description": { "description": "What context/framing makes the AI most useful here?", "example": "Provide codebase structure and known pain points.", "antipattern": "No context, leading to generic suggestions." }, "discernment": { "description": "How do you evaluate if the AI output is trustworthy?", "example": "Validate suggestions against test coverage and code quality metrics.", "antipattern": "Accepting AI refactoring without testing." }, "diligence": { "description": "What human accountability is required after AI involvement?", "example": "Developer must run tests and review changes.", "antipattern": "Merging AI-refactored code without testing." } }, "score_hints": { "delegation": 0.2, "description": 0.3, "discernment": 0.3, "diligence": 0.2 }, "summary": "Should this task be automated, augmented, or agentic?", "tags": [ "refactoring", "suggestions", "coding" ], "contributor": "Dakan & Feller", "version": "1.0.0", "collaboration": { "pattern": "iterative", "description": "Human and AI iterate through multiple refactoring passes — each pass re-negotiates scope, provides updated code context, evaluates suggestions, and commits accepted changes.", "sequence": [ { "step": 1, "d": "delegation", "label": "Scope the refactoring pass", "example_prompts": [ { "speaker": "human", "text": "I want to reduce coupling in this module. Can you suggest where to start?" }, { "speaker": "ai", "text": "I see three high-coupling hotspots. Should I suggest refactors for all three in this pass or focus on the most impactful one?" }, { "speaker": "human", "text": "Focus on the most impactful hotspot first — we'll iterate." } ], "triggers_next": "Refactoring focus for this pass is agreed." }, { "step": 2, "d": "description", "label": "Provide current code and constraints", "example_prompts": [ { "speaker": "human", "text": "Here is the current module, the interface contracts it must preserve, and our no-breaking-changes constraint." 
}, { "speaker": "ai", "text": "Are there performance benchmarks I should keep in mind?" }, { "speaker": "human", "text": "Latency must stay under 50ms for the main path — flag anything that might affect it." } ], "triggers_next": "AI has code, contracts, and performance constraints." }, { "step": 3, "d": "discernment", "label": "Evaluate refactoring suggestions", "example_prompts": [ { "speaker": "human", "text": "Suggestion 2 breaks the existing interface — reject that one." }, { "speaker": "ai", "text": "Understood. Suggestion 3 is an alternative that preserves the interface — want me to elaborate?" }, { "speaker": "human", "text": "Yes, and check if it affects the 50ms path." } ], "triggers_next": "Accepted suggestions are identified and validated." }, { "step": 4, "d": "diligence", "label": "Commit accepted changes and verify", "example_prompts": [ { "speaker": "human", "text": "Running benchmark — 43ms, within budget. Committing suggestion 3." }, { "speaker": "human", "text": "Adding a commit note: AI-suggested refactor, human-validated against interface and perf budget." } ], "triggers_next": "Changes committed. Begin next iteration with remaining hotspots.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Refactoring scope for this pass agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers suggestions for this pass." }, { "from": "discernment", "to": "diligence", "trigger": "Accepted suggestions validated." 
}, { "from": "diligence", "to": "delegation", "trigger": "Remaining hotspots — begin next iteration.", "is_cycle_restart": true } ] } }, { "id": "test-case-generation", "framework_id": "4d-framework", "title": "Test Case Generation", "domain": "coding", "file": "coding-test-case-generation.yaml", "dimensions": { "delegation": { "description": "Should this task be automated, augmented, or agentic?", "example": "AI generates test cases, developer reviews and integrates.", "antipattern": "AI-generated tests merged without human review." }, "description": { "description": "What context/framing makes the AI most useful here?", "example": "Provide function signatures and edge case requirements.", "antipattern": "No context, leading to incomplete tests." }, "discernment": { "description": "How do you evaluate if the AI output is trustworthy?", "example": "Run generated tests and check coverage improvements.", "antipattern": "Accepting tests without execution." }, "diligence": { "description": "What human accountability is required after AI involvement?", "example": "Developer must validate and maintain test suite.", "antipattern": "Relying solely on AI for test maintenance." } }, "score_hints": { "delegation": 0.2, "description": 0.3, "discernment": 0.3, "diligence": 0.2 }, "summary": "Should this task be automated, augmented, or agentic?", "tags": [ "test-case", "generation", "coding" ], "contributor": "Dakan & Feller", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Human delegates test scope, provides spec and edge cases, evaluates AI-generated tests, then merges after CI passes — looping back to description if coverage gaps appear.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define test generation scope", "example_prompts": [ { "speaker": "human", "text": "Generate unit tests for this module. Can you also decide which edge cases to include?" 
}, { "speaker": "ai", "text": "I can generate tests and propose edge cases, but I'd recommend you confirm the coverage targets — what's the minimum acceptable coverage percentage?" }, { "speaker": "human", "text": "90% line coverage minimum. Flag anything you're uncertain about." } ], "triggers_next": "Coverage targets and uncertainty-flagging rule agreed." }, { "step": 2, "d": "description", "label": "Provide spec, examples, and constraints", "example_prompts": [ { "speaker": "human", "text": "Here's the function spec, three existing test examples, and the list of known edge cases from the bug history." }, { "speaker": "ai", "text": "Should I test for concurrency issues or only sequential inputs?" }, { "speaker": "human", "text": "Sequential only for now — concurrency tests are a separate workstream." } ], "triggers_next": "AI has spec, examples, and constraint boundaries." }, { "step": 3, "d": "discernment", "label": "Review generated tests for correctness", "example_prompts": [ { "speaker": "human", "text": "Test #8 asserts the wrong return type — it should be a string, not null." }, { "speaker": "ai", "text": "Corrected. Also, I flagged test #12 as potentially flaky due to time-dependent assertion — want me to mock the clock?" }, { "speaker": "human", "text": "Yes, mock the clock for #12." } ], "triggers_next": "Tests pass review and CI runs green.", "loop_back": { "to": "description", "condition": "Coverage is below target or significant edge cases are missing.", "reason": "More spec detail or explicit edge case guidance is needed." } }, { "step": 4, "d": "diligence", "label": "Approve tests and add to codebase", "example_prompts": [ { "speaker": "human", "text": "Tests pass CI at 93% coverage. Merging to main." }, { "speaker": "human", "text": "Added a comment noting which tests were AI-generated for future reference." } ], "triggers_next": "Tests merged. Cycle restarts for next module.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Coverage targets agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers test suite." }, { "from": "discernment", "to": "diligence", "trigger": "Tests validated and CI passes." }, { "from": "discernment", "to": "description", "trigger": "Coverage gaps require more spec detail.", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "Next module — restart.", "is_cycle_restart": true } ] } } ], "education": [ { "id": "ai-equity-curriculum", "framework_id": "unesco-ai-ethics", "title": "Equitable AI Curriculum Design", "domain": "education", "file": "education-ai-equity-curriculum.yaml", "dimensions": { "human-dignity": { "description": "The curriculum is designed to serve learners of all backgrounds with equal dignity — ensuring AI education does not embed cultural bias, exclude learners with disabilities, or reinforce existing power imbalances between those who \"understand AI\" and those who do not.\n", "example": "Curriculum designer: \"Our AI literacy course uses examples from Silicon Valley companies exclusively. Is that consistent with human dignity for our predominantly African and Middle Eastern student body?\" AI: \"No — a curriculum that presents only one cultural context for AI normalizes a particular worldview as 'default.' UNESCO's principle of human dignity includes cultural respect and non-discrimination in education. I recommend auditing every case study and example for cultural diversity, and co-designing at least 30% of examples with students from the communities you serve.\"\n", "antipattern": "Designing an AI curriculum that treats a single cultural or economic context as universal — producing graduates who understand AI through one lens and are unprepared to question whose interests AI systems serve.\n" }, "environment": { "description": "The curriculum addresses the environmental cost of AI — training compute, data center energy, hardware lifecycle — and teaches learners to make environmentally informed decisions about AI system design.\n", "example": "AI: \"For the environmental module, I recommend three content blocks: (1) The energy cost of model training — a GPT-4-scale model consumes more electricity than 100 US households for a year. (2) Inference at scale — even deployed models have a per-query energy footprint that multiplies across billions of users. (3) Sustainable design choices — model distillation, efficient architectures, and green compute options. Make the environmental calculation a required component of every student capstone project.\"\n", "antipattern": "Teaching AI design without any environmental impact component — producing AI practitioners who optimize for performance and cost but are blind to ecological externalities.\n" }, "privacy": { "description": "The curriculum teaches learners to design privacy-protective AI systems and applies privacy principles to the educational technology used to deliver the course itself — including AI-powered learning platforms.\n", "example": "Human: \"Our LMS uses an AI engagement tracker that monitors keystroke patterns. Is that consistent with the privacy principle for our students?\" AI: \"That is a surveillance tool applied to learners without meaningful consent. UNESCO's privacy principle applies to learners in educational settings — they have the right to know what data is collected, why, and how to opt out. The curriculum should both teach privacy by design and practice it: audit the LMS, disclose data collection to students, and provide a genuine opt-out that does not disadvantage learning outcomes.\"\n", "antipattern": "Teaching AI privacy principles in the classroom while using AI-powered surveillance tools on students without their informed consent — undermining the curriculum's own ethical foundation.\n" }, "transparency": { "description": "The curriculum is transparent about its own design: learning objectives, assessment criteria, AI tools used in teaching, and the limitations of what the curriculum covers — including what it cannot teach.\n", "example": "AI: \"For course transparency, I recommend publishing three documents to students at enrollment: (1) What AI tools are used in this course and how their data is used. (2) What the curriculum does not cover — students should know if advanced mathematics or specific programming languages are prerequisites for deeper engagement. (3) Assessment criteria in plain language — not just rubrics, but what the institution considers 'AI literacy' and why.\"\n", "antipattern": "Presenting an AI curriculum as comprehensive when it primarily covers one paradigm (e.g., large language models) without disclosing to students what is outside its scope.\n" }, "accountability": { "description": "The curriculum has a community accountability mechanism: a student-community advisory board reviews the curriculum annually, findings are published, and the institution commits to responsive updates based on community input.\n", "example": "AI closes the cycle: \"Accountability structure for the curriculum: (1) Student advisory board — meets each semester, reviews content for relevance, equity, and cultural appropriateness. (2) Community review — annual open review inviting alumni, employers, and community organizations. (3) Published update log — every curriculum change is documented and explained to students. (4) Redress pathway — students can formally flag curriculum concerns with a 30-day response commitment from academic leadership.\"\n", "antipattern": "Reviewing the AI curriculum only through internal faculty committees without any mechanism for student or community input — producing curricula that serve institutional interests over learner needs.\n" } }, "score_hints": { "human-dignity": 0.25, "environment": 0.15, "privacy": 0.2, "transparency": 0.2, "accountability": 0.2 }, "summary": "", "tags": [ "education", "curriculum-design", "ai-literacy", "equity", "unesco" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Dignity audit identifies cultural and accessibility gaps in curriculum content → environmental module is designed with concrete metrics for learners → privacy audit of teaching tools and curriculum privacy content → transparency documents are published to students at enrollment → community accountability structure is established with annual review cycle. Loops back to human-dignity if transparency review reveals undisclosed content biases.\n", "sequence": [ { "step": 1, "d": "human-dignity", "label": "Audit curriculum content for cultural equity and accessibility", "example_prompts": [ { "speaker": "human", "text": "We're designing a new AI ethics and literacy course for undergraduates. Start with dignity — what do we audit first?" }, { "speaker": "ai", "text": "Three dignity audits before any content is finalized: (1) Cultural diversity — review every case study, example, and reading for cultural representation. Who are the AI leaders referenced? Whose AI failures are discussed? Is the student body's own cultural context represented? (2) Accessibility — is the curriculum accessible to learners with visual, auditory, and cognitive disabilities? AI tools used must meet WCAG 2.1 AA minimum. (3) Power balance — does the curriculum teach students to be AI consumers or AI critical agents? UNESCO's dignity principle requires the latter." }, { "speaker": "human", "text": "Case studies are 90% US-centric. Accessibility audit reveals the primary AI demo tool has no screen reader support." } ], "triggers_next": "Dignity gaps identified — cultural diversity gap and accessibility gap documented." }, { "step": 2, "d": "environment", "label": "Design the environmental impact module", "example_prompts": [ { "speaker": "human", "text": "How do we teach AI's environmental footprint in a way that is accurate and actionable for undergraduates?" }, { "speaker": "ai", "text": "Three-week module structure: Week 1 — The hidden cost of AI: training compute, data center water use, hardware mining. Use ML CO2 Impact calculator as a hands-on exercise. Week 2 — Inference at scale: how each AI query has an energy cost; cumulative impact of billions of queries. Week 3 — Sustainable AI design: model distillation, efficient architectures, green compute providers. Capstone requirement: every student project must include an energy footprint estimate as part of the design documentation." }, { "speaker": "human", "text": "We'll add the environmental footprint requirement to the capstone rubric." } ], "triggers_next": "Environmental module designed with concrete student deliverables." }, { "step": 3, "d": "privacy", "label": "Audit teaching tools and design privacy curriculum content", "example_prompts": [ { "speaker": "human", "text": "Our LMS has an AI engagement tracker. Should we keep it?" }, { "speaker": "ai", "text": "The engagement tracker must meet three conditions to be consistent with UNESCO privacy principles: (1) Informed consent — students must be told exactly what is tracked, why, and for how long. (2) Data minimization — only data necessary for the educational purpose is collected. (3) Opt-out without penalty — a student who opts out must not be disadvantaged in grading or participation. If the tracker does not meet all three, it must be reconfigured or replaced. For the curriculum content: I recommend a dedicated privacy by design module where students audit a real AI system's data practices." }, { "speaker": "human", "text": "We'll reconfigure the tracker: opt-out available, data deleted after semester ends." } ], "triggers_next": "Teaching tool privacy audit complete; privacy curriculum module designed." }, { "step": 4, "d": "transparency", "label": "Publish curriculum transparency documents to students", "example_prompts": [ { "speaker": "human", "text": "What transparency documents should students receive at enrollment?" }, { "speaker": "ai", "text": "Three documents at enrollment: (1) AI tools disclosure — list every AI tool used in the course, what data it collects, and how students can opt out. (2) Curriculum scope notice — what this course covers and what it does not; prerequisites and pathways for deeper study. (3) Assessment transparency — plain-language explanation of what 'AI literacy' means for this institution's graduates and how each assessment criterion maps to that definition. Publish all three on the course page, not buried in the LMS." }, { "speaker": "human", "text": "All three documents drafted and published to the course page." } ], "triggers_next": "Transparency documents published to students at enrollment.", "loop_back": { "to": "human-dignity", "condition": "Transparency review reveals that undisclosed content biases exist in the curriculum.", "reason": "Dignity audit must be re-run if new biases are uncovered through transparency review." } }, { "step": 5, "d": "accountability", "label": "Establish community accountability and annual review cycle", "example_prompts": [ { "speaker": "human", "text": "How do we build genuine accountability into the curriculum governance?"
}, { "speaker": "ai", "text": "Four-part accountability structure: (1) Student advisory board — 6 student representatives, meets each semester, reviews curriculum for equity and relevance. Board recommendations are responded to in writing within 30 days. (2) Annual community review — open event inviting alumni, employers, civil society. Findings are published. (3) Public curriculum changelog — every update is documented and explained to enrolled and prospective students. (4) Formal redress pathway — students can file curriculum concerns with a named academic ombudsperson; 30-day response commitment. This structure makes accountability real, not nominal." }, { "speaker": "human", "text": "Student advisory board established. First community review scheduled for end of academic year." } ], "triggers_next": "Community accountability structure operational with annual review committed.", "can_restart": true } ], "transitions": [ { "from": "human-dignity", "to": "environment", "trigger": "Dignity gaps identified and documented." }, { "from": "environment", "to": "privacy", "trigger": "Environmental module designed with student deliverables." }, { "from": "privacy", "to": "transparency", "trigger": "Teaching tool audit complete and privacy module designed." }, { "from": "transparency", "to": "human-dignity", "trigger": "Undisclosed content biases found — dignity audit re-run.", "is_loop_back": true }, { "from": "transparency", "to": "accountability", "trigger": "Transparency documents published." 
}, { "from": "accountability", "to": "human-dignity", "trigger": "Annual community review triggers next curriculum cycle.", "is_cycle_restart": true } ] } }, { "id": "course-design", "framework_id": "4d-framework", "title": "AI-Augmented Course Design", "domain": "education", "file": "education-course-design.yaml", "dimensions": { "delegation": { "description": "AI can accelerate the scaffolding work of course design: generating draft learning objectives from a topic brief, suggesting module sequencing options, proposing assessment formats, brainstorming reading list candidates, and drafting rubric language. The instructor must own: the pedagogical strategy, the theoretical framework underlying the course, the sequencing rationale, and all decisions about what students will actually experience. Pedagogical authority cannot be delegated.", "example": "A professor designing a new undergraduate ethics course asks AI to generate a draft list of possible weekly topics aligned with her stated course arc (from foundational theory to applied cases). She uses this list as a stimulus to compare against her own planned sequence, adopting two AI-suggested topics she had overlooked and discarding three that don't serve her theoretical framework.", "antipattern": "Asking AI to design the full course — objectives, module structure, readings, assignments, assessments — and adopting the output with cosmetic changes, without grounding the design in a coherent pedagogical theory or ensuring it reflects the instructor's scholarly expertise." }, "description": { "description": "Provide AI with detailed instructional design context: course level and credit hours, student profile and prerequisite knowledge, program-level learning outcomes the course must serve, your pedagogical philosophy, assessment philosophy, any accreditation or institutional constraints, and the thematic arc you want the course to trace. Precision in the brief yields useful scaffolding.", "example": "Prompt: 'Help me draft learning objectives for a 3-credit upper-division course on algorithmic bias. Students are CS seniors with strong technical backgrounds but limited social science exposure. Program outcome: graduates can evaluate the societal impact of technology systems. I want the course to move from conceptual foundations (weeks 1-4) to case analysis (weeks 5-10) to policy and design response (weeks 11-14). Use Bloom's Taxonomy verbs appropriate to the upper-division level.'", "antipattern": "Prompting: 'Write learning objectives for a course on AI ethics.' Without specifying student level, program context, Bloom's taxonomy tier, or the course's theoretical arc, AI produces generic objectives that could apply to any course at any level and serve no specific program outcome." }, "discernment": { "description": "Evaluate AI-generated course design elements against pedagogical soundness, alignment to Bloom's Taxonomy, internal coherence, and fit with your students' actual preparation. Check that assessment types genuinely measure the stated learning objectives, that the workload is realistic, and that reading suggestions are current, credible, and accessible to your student population.", "example": "An instructor reviews AI-generated weekly learning objectives and notices three of them are knowledge-level objectives (define, identify, list) in weeks designed for upper-division analysis. She revises them upward to analysis and evaluation verbs to match the cognitive demand appropriate for the course level.", "antipattern": "Adopting AI-generated course syllabi and assessment designs without checking internal alignment — using multiple-choice exams to assess objectives that require critical analysis, or setting a reading workload that AI estimated without accounting for the actual length and density of the suggested texts."
}, "diligence": { "description": "Verify the accuracy of all factual content AI contributes to course materials. Document the AI's role in course design per your institution's academic integrity and transparency policies. Ensure the final course design meets accreditation requirements, reflects current disciplinary knowledge, and embodies your own scholarly judgment and professional responsibility as the instructor of record.", "example": "A faculty member building a new public health law course uses AI to draft a draft syllabus framework, then spends three hours reviewing it against her institution's course approval criteria, the program's accreditation standards, and current public health law scholarship — revising heavily before submission for curricular approval.", "antipattern": "Submitting an AI-generated course proposal to a curriculum committee without personally verifying that the proposed learning objectives meet accreditation standards, that the reading list contains accurate and current citations, or that the assessment strategy is pedagogically defensible under institutional review." 
} }, "score_hints": { "delegation": 0.2, "description": 0.3, "discernment": 0.25, "diligence": 0.25 }, "summary": "AI can accelerate the scaffolding work of course design: generating draft learning objectives from a topic brief, suggesting module sequencing options, proposing assessment formats, brainstorming read", "tags": [ "course-design", "curriculum", "higher-education", "instructional-design" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Instructor delegates curriculum scaffolding, provides learning goals and constraints, evaluates AI-drafted structure, then approves — looping back to description if pedagogical alignment is off.", "sequence": [ { "step": 1, "d": "delegation", "label": "Agree on AI's curriculum design role", "example_prompts": [ { "speaker": "human", "text": "Help me design a 10-week course on data literacy. You propose the weekly themes — I'll adjust." }, { "speaker": "ai", "text": "Should I sequence from concepts to tools, or mix both throughout?" }, { "speaker": "human", "text": "Concepts first, tools introduced in week 4 after foundations are set." } ], "triggers_next": "AI's design role and pedagogical sequencing approach agreed." }, { "step": 2, "d": "description", "label": "Provide learning outcomes and constraints", "example_prompts": [ { "speaker": "human", "text": "Students are undergraduates with no statistics background. By week 10 they should be able to read and critique a published data study." }, { "speaker": "ai", "text": "Should I include assessment design or only the content structure?" }, { "speaker": "human", "text": "Include weekly assessments — short, formative, no exams." } ], "triggers_next": "AI has learner profile, outcomes, and assessment approach." 
}, { "step": 3, "d": "discernment", "label": "Evaluate curriculum structure", "example_prompts": [ { "speaker": "human", "text": "Week 6 introduces regression too early — students won't have the algebra foundation yet." }, { "speaker": "ai", "text": "I can move regression to week 8 and use week 6 for data visualization instead." }, { "speaker": "human", "text": "Do that. Also add a prerequisite check activity in week 1." } ], "triggers_next": "Curriculum validated for pedagogical soundness.", "loop_back": { "to": "description", "condition": "Curriculum consistently misaligns with stated learning outcomes or student level.", "reason": "Learning goals or student profile constraints need to be re-specified." } }, { "step": 4, "d": "diligence", "label": "Approve and document", "example_prompts": [ { "speaker": "human", "text": "Department curriculum committee reviews and approves the final structure." }, { "speaker": "human", "text": "Filing AI-assisted design notes in the course development record." } ], "triggers_next": "Curriculum approved. Cycle restarts when course is revised.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Design role and sequencing approach agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers curriculum draft." }, { "from": "discernment", "to": "diligence", "trigger": "Structure validated." 
}, { "from": "discernment", "to": "description", "trigger": "Persistent misalignment — re-specify goals.", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "Course revision cycle — restart.", "is_cycle_restart": true } ] } }, { "id": "lesson-planning", "framework_id": "4d-framework", "title": "AI-Assisted Lesson Planning for Educators", "domain": "education", "file": "education-lesson-planning.yaml", "dimensions": { "delegation": { "description": "Identify which lesson planning elements AI can accelerate versus which require the teacher's direct professional judgment. AI handles well: generating activity ideas, drafting discussion questions, suggesting differentiation strategies, proposing assessment rubrics, and creating example problems. Teachers must retain: selecting content aligned to standards, setting the pedagogical arc across a unit, understanding individual student needs, and making final instructional decisions.", "example": "A 7th-grade science teacher asks AI to generate five hands-on activity ideas for a lesson on cellular respiration at a middle school level, then selects the one that fits her lab budget and her students' prior knowledge, adapts it to her pacing, and writes her own formative assessment questions.", "antipattern": "Pasting an AI-generated full lesson plan directly into the school's curriculum system without reviewing it for standard alignment, age appropriateness, or fit with the specific class's learning trajectory — treating AI as a replacement for pedagogical expertise rather than a brainstorming assistant." }, "description": { "description": "Provide AI with specific instructional context: subject and grade level, concrete learning objectives tied to standards, the students' current skill level and prior knowledge, the available time and resources, the preferred pedagogical approach, and any accessibility or differentiation needs. 
Generic requests produce generic plans.", "example": "Prompt: 'Help me plan a 50-minute 8th-grade ELA lesson on identifying unreliable narrators. Students have read chapters 1-5 of The Outsiders. Objective: students can cite textual evidence to explain how Ponyboy's perspective limits the reader's understanding of events. Pedagogy: discussion-based with a short collaborative activity. Class includes 3 ELL students and 2 students with reading IEPs.'", "antipattern": "Prompting: 'Write a lesson plan about unreliable narrators for middle school.' This produces a generic template disconnected from the specific text students are reading, the actual learning objective, the class's composition, and the teacher's instructional context." }, "discernment": { "description": "Evaluate AI-generated lesson plans and activities critically before adopting them. Check standard alignment, age appropriateness of content and vocabulary, timing realism, whether suggested activities match your students' actual readiness, and whether the pedagogical sequence makes instructional sense. AI does not know your students; you do.", "example": "A teacher reviews an AI-generated lesson plan and notices the suggested 'exit ticket' question requires inferential reasoning two grade levels above her current class's demonstrated ability. She replaces it with a scaffolded sentence-starter version that matches where her students actually are.", "antipattern": "Implementing AI-suggested activities without mentally simulating how your specific students will respond — discovering mid-lesson that the activity assumes prior knowledge students don't have, or that the timing estimate was wildly optimistic for the class's working pace." }, "diligence": { "description": "Maintain professional responsibility for every lesson you deliver. 
Verify that AI-suggested content is factually accurate, that activities are safe and appropriate for your students, and that lesson plans meet the curricular standards your students are accountable for. Your professional judgment is the final quality gate, not the AI.", "example": "An educator uses AI-generated lesson scaffolding as a starting framework, then personally verifies that all factual content aligns with state science standards, removes an activity that requires materials not available in her classroom, and adds a culturally responsive example relevant to her students' community.", "antipattern": "Delivering an AI-generated lesson that contains a factual error (e.g., an incorrect historical date or a flawed science explanation) because the teacher assumed the AI's content was accurate and did not independently verify it before presenting it to students." } }, "score_hints": { "delegation": 0.25, "description": 0.3, "discernment": 0.25, "diligence": 0.2 }, "summary": "Identify which lesson planning elements AI can accelerate versus which require the teacher's direct professional judgment. AI handles well: generating activity ideas, drafting discussion questions, suggesting differentiation strategies, proposing assessment rubrics, and creating example problems.", "tags": [ "education", "lesson-planning", "pedagogy", "curriculum" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "linear", "description": "Teacher delegates lesson scaffolding, provides class context and learning objective, evaluates the AI plan, then uses it in class — single pass per lesson.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define AI's lesson design role", "example_prompts": [ { "speaker": "human", "text": "Draft a 45-minute lesson plan on photosynthesis for 8th graders. You propose the activities." }, { "speaker": "ai", "text": "Should I include a hands-on activity or keep it lecture and discussion?" 
}, { "speaker": "human", "text": "Include one hands-on activity — the class has lab access." } ], "triggers_next": "AI's design role and activity type agreed." }, { "step": 2, "d": "description", "label": "Provide class context and objectives", "example_prompts": [ { "speaker": "human", "text": "Class of 28 students, mixed ability. Objective: understand the light-dependent reactions. Prior knowledge: cell structure." }, { "speaker": "ai", "text": "Any students with specific accessibility needs I should account for?" }, { "speaker": "human", "text": "One student uses screen-reader-compatible materials — flag anything visual-only." } ], "triggers_next": "AI has class profile, objective, and accessibility constraints." }, { "step": 3, "d": "discernment", "label": "Evaluate lesson plan quality", "example_prompts": [ { "speaker": "human", "text": "The lab activity takes 20 minutes but the setup alone is 10 — tighten it." }, { "speaker": "ai", "text": "I can use a pre-setup version with materials already in place. Reduces activity time to 12 minutes." }, { "speaker": "human", "text": "Good — and flag the visual diagram for accessibility adaptation." } ], "triggers_next": "Lesson plan validated for timing and inclusivity." }, { "step": 4, "d": "diligence", "label": "Approve and deliver", "example_prompts": [ { "speaker": "human", "text": "Head of department reviews lesson plan — approved." }, { "speaker": "human", "text": "Noting AI-drafted plan in the lesson record for reflection." } ], "triggers_next": "Lesson delivered. New lesson requires a fresh cycle." } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Design role and activity type agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers lesson plan." }, { "from": "discernment", "to": "diligence", "trigger": "Plan validated." 
}, { "from": "diligence", "to": "delegation", "trigger": "New lesson — fresh cycle.", "is_cycle_restart": true } ] } }, { "id": "student-career-planning", "framework_id": "4d-framework", "title": "Student Career Planning with AI", "domain": "education", "file": "education-student-career-planning.yaml", "dimensions": { "delegation": { "description": "Students can productively delegate to AI: resume drafting from bullet points they supply, generating practice interview questions for a target role, exploring career paths in an unfamiliar field, drafting cover letter frameworks, and researching industry norms. Students must retain: decisions about which opportunities align with their values and goals, truthful representation of their own experiences, and final responsibility for all submitted application materials.", "example": "A college junior asks AI to suggest ten career paths where her combination of biology major and data analytics minor would be valued, then researches the top three that interest her and uses that understanding to craft her own narrative about why she is pursuing biostatistics.", "antipattern": "Having AI write a cover letter that fabricates or exaggerates the student's experiences, then submitting it as an accurate representation — or using AI to answer interview questions on the student's behalf via an earpiece during a live interview." }, "description": { "description": "Share with AI your actual skills, experiences, target roles, industry context, career constraints, and personal goals. The more accurately you describe yourself and your situation, the more useful the AI's suggestions will be. Vague or inflated self-descriptions lead to advice that fits a fictional version of you, not your real situation.", "example": "Prompt: 'I'm a 3rd-year environmental engineering student with a 3.4 GPA, one summer internship at a municipal water authority doing stormwater modeling, and a Python project analyzing local air quality data. 
I want to work in climate tech after graduation, preferably at a company working on water or air quality monitoring. Help me identify specific entry-level roles to target and the skills I should develop this year.'", "antipattern": "Prompting: 'I'm a student who wants a good job in tech. What should I do?' This produces generic career advice applicable to millions of people and useless for the student's actual situation, skills, and industry interest." }, "discernment": { "description": "Evaluate AI career advice critically. Verify that suggested roles actually exist and match what you want. Check salary ranges and job market realities against current sources like Bureau of Labor Statistics data or industry salary surveys, not just AI assertions. Assess whether AI suggestions genuinely fit your personal values, lifestyle needs, and long-term goals — not just what sounds impressive.", "example": "A student receives AI-generated advice suggesting she pursue a specific niche certification. She researches the certification independently, reads LinkedIn profiles of people who hold it, talks to two professionals in the field, and determines the certification is valued by only one employer segment — not the area she actually wants to work in.", "antipattern": "Following AI career advice without verification — enrolling in a bootcamp AI recommended, discovering it is not recognized by employers in the target field, or pursuing a role because AI said it pays well without checking current market data or speaking with anyone actually working in that field." }, "diligence": { "description": "Own every career decision you make. AI is a thinking partner, not a career counselor with knowledge of your full life context. Build your own understanding of your field. Ensure all application materials truthfully represent your actual experiences. 
Develop a personal policy for how you use AI in your professional development so your skills and judgment grow alongside your AI fluency.", "example": "A student uses AI to generate a list of potential resume bullet points based on her internship activities, then rewrites each one in her own voice, ensures they accurately reflect what she did, and has her university career center review the final document — treating AI as a drafting scaffold, not the author.", "antipattern": "Submitting AI-generated job applications with exaggerated credentials, relying entirely on AI career advice without informational interviews or real-world research, or using AI so heavily in application writing that the student cannot speak authentically about the experiences described in their own materials." } }, "score_hints": { "delegation": 0.25, "description": 0.3, "discernment": 0.25, "diligence": 0.2 }, "summary": "Students can productively delegate to AI: resume drafting from bullet points they supply, generating practice interview questions for a target role, exploring career paths in an unfamiliar field, drafting cover letter frameworks, and researching industry norms.", "tags": [ "career-planning", "student", "resume", "professional-development" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Advisor delegates initial career path research, provides student profile, evaluates AI recommendations for fit, then presents to student — looping back if recommendations miss the student's actual goals.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define AI's research role", "example_prompts": [ { "speaker": "human", "text": "Research career options for a student interested in environmental science with a data analytics minor." }, { "speaker": "ai", "text": "Should I focus on entry-level roles or also include graduate pathways?" 
}, { "speaker": "human", "text": "Both — the student hasn't decided on grad school yet." } ], "triggers_next": "Research scope and career path types agreed." }, { "step": 2, "d": "description", "label": "Provide student profile and goals", "example_prompts": [ { "speaker": "human", "text": "GPA 3.4, strong in statistics, weaker in field work. Interested in policy impact, not just research." }, { "speaker": "ai", "text": "Should I weight roles that offer remote work options?" }, { "speaker": "human", "text": "Yes — student is geographically constrained for the next 2 years." } ], "triggers_next": "AI has full student profile and constraint set." }, { "step": 3, "d": "discernment", "label": "Evaluate career path recommendations", "example_prompts": [ { "speaker": "human", "text": "Option 3 (field monitoring) doesn't fit — student has limited mobility." }, { "speaker": "ai", "text": "Replacing with environmental data analyst roles at NGOs — policy-adjacent and remote-friendly." }, { "speaker": "human", "text": "Good. Option 5 seems too senior for entry-level — adjust expectations." } ], "triggers_next": "Recommendations validated for fit and realistic expectations.", "loop_back": { "to": "description", "condition": "Recommendations consistently miss student's stated values or constraints.", "reason": "Student profile needs richer goal or constraint detail." } }, { "step": 4, "d": "diligence", "label": "Present to student and document", "example_prompts": [ { "speaker": "human", "text": "Presenting AI-curated options to the student — student picks two to explore." }, { "speaker": "human", "text": "Documenting the advisory session and noting which options were AI-generated." } ], "triggers_next": "Session complete. Next advising session begins new cycle.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Research scope agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers career options." 
}, { "from": "discernment", "to": "diligence", "trigger": "Options validated for fit." }, { "from": "discernment", "to": "description", "trigger": "Recommendations miss goals — re-profile student.", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "Next advising session — restart.", "is_cycle_restart": true } ] } } ], "enterprise": [ { "id": "ai-ethics-board-setup", "framework_id": "wef-responsible-ai", "title": "AI Ethics Board Setup", "domain": "enterprise", "file": "enterprise-ai-ethics-board-setup.yaml", "dimensions": { "strategy": { "description": "The ethics board's mandate is grounded in the organization's AI strategy — it exists to protect the organization's stated values and purpose, not to slow down deployment. The strategic framing determines what questions the board is designed to answer.\n", "example": "CEO: \"We want an AI ethics board. But I need it to help us move responsibly, not to be a blocker.\" AI: \"That framing is exactly right — and it should be written into the board's charter. The WEF Playbook frames an ethics board as a 'responsible acceleration' function: its job is to identify and resolve ethical risks early, when changes are cheap, not to review finished products. Define two things in the charter: (1) The board's purpose — protect the organization's stated values in AI deployment. 
(2) The board's success metric — time from ethics flag to resolution, not number of deployments blocked.\"\n", "antipattern": "Creating an ethics board whose implicit purpose is to say 'no' to AI initiatives — producing a governance structure that is adversarial to the product teams it is supposed to guide.\n" }, "governance": { "description": "The board's governance structure is designed with clear composition, real decision authority, defined escalation paths, and a cadence that can keep pace with the organization's AI deployment rhythm.\n", "example": "AI: \"For an ethics board with real authority, four design decisions: (1) Composition — include external independent members (at least 30%) who are not employees and have no financial interest in deployment speed. (2) Authority — the board must have explicit pause authority for deployments that fail ethics review; advisory-only boards are theater. (3) Escalation — define who the board escalates to when deadlocked: CEO, audit committee, or both. (4) Cadence — standing monthly meeting plus an async channel for urgent reviews that cannot wait 30 days. What is the fastest your organization currently ships an AI feature? That rhythm determines the async review SLA.\"\n", "antipattern": "Designing an ethics board that meets quarterly and has a 60-day review cycle — making it structurally unable to influence AI deployments that ship on a 2-week sprint cycle.\n" }, "risk-ethics": { "description": "The board's scope covers the full ethical risk landscape — not just fairness and bias, but mission alignment, societal impact, dual-use risks, and the ethical implications of what the organization chooses not to build.\n", "example": "Human: \"What ethical risks should the board be able to review?\" AI: \"The WEF Playbook identifies five ethical risk categories that the board should own: (1) Fairness and discrimination — AI that produces disparate outcomes for protected groups. 
(2) Privacy and surveillance — AI that collects or infers more than necessary. (3) Mission alignment — AI that serves financial objectives at the expense of the organization's stated purpose. (4) Dual-use — AI that could be used for purposes the organization has not sanctioned. (5) Systemic risk — AI at scale that could harm markets, democracies, or public trust even if individual uses are benign. Define which categories require mandatory board review versus optional escalation.\"\n", "antipattern": "Limiting the ethics board's scope to fairness and bias metrics — the most measurable risk category — while omitting mission alignment, dual-use, and systemic risks that are harder to quantify but often more consequential.\n" }, "implementation": { "description": "The ethics board is integrated into the development workflow through a defined review gate — triggered by risk criteria, not by voluntary submission — and is supported by a lightweight intake process that product teams can actually use.\n", "example": "AI: \"For workflow integration, define two review triggers: (1) Mandatory review — any AI feature that: (a) affects a decision about an individual (hiring, lending, healthcare, benefits); (b) involves sensitive data categories; (c) is deployed at scale (>100,000 users); or (d) is in a new domain or use case not previously reviewed. (2) Voluntary review — product teams can escalate any AI feature they have questions about. Design a one-page intake form: describe the AI, its users, its decisions, and the three ethical risks you see. That form is the only pre-meeting requirement. 
The board reviews the form before the meeting and asks questions — not a presentation, a conversation.\"\n", "antipattern": "Requiring product teams to prepare a 20-page ethics impact assessment before requesting board review — creating a bureaucratic burden that incentivizes teams to find reasons their product does not require review.\n" }, "accountability": { "description": "The board's decisions and reasoning are documented and disclosed — to the organization, to regulators, and in some cases to the public — creating an accountability record that demonstrates responsible AI governance in practice.\n", "example": "AI closes the setup cycle: \"Board accountability mechanisms: (1) Decision log — every board decision (approve, approve-with-conditions, pause, reject) is logged with a one-paragraph rationale. The log is reviewed quarterly by the audit committee. (2) Annual ethics report — the board chair presents an annual summary to the board of directors: how many reviews, how many conditions imposed, how many pauses, and what systemic themes emerged. (3) External disclosure — the organization's annual responsible AI report includes a summary of ethics board activity. 
(4) Whistleblower pathway — employees can escalate concerns about AI deployments directly to the board chair, bypassing the product team.\"\n", "antipattern": "Operating an ethics board whose deliberations and decisions are entirely internal and undisclosed — making it impossible for external stakeholders, regulators, or the public to assess whether the board is functioning effectively.\n" } }, "score_hints": { "strategy": 0.2, "governance": 0.25, "risk-ethics": 0.2, "implementation": 0.25, "accountability": 0.1 }, "summary": "", "tags": [ "ethics-board", "enterprise", "wef", "responsible-ai", "governance" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Board mandate is grounded in organizational AI strategy → governance structure with real authority is designed → ethical risk scope is defined across five categories → review gate is integrated into the development workflow → accountability mechanisms make board impact visible. Loops back to governance if implementation reveals the board's cadence cannot keep pace with the deployment rhythm.\n", "sequence": [ { "step": 1, "d": "strategy", "label": "Ground the board mandate in AI strategy", "example_prompts": [ { "speaker": "human", "text": "Leadership has approved an AI ethics board. How do we frame its mandate?" }, { "speaker": "ai", "text": "Write the mandate in the charter with two sentences: (1) Purpose — 'The AI Ethics Board exists to ensure that the organization's AI deployments are consistent with its stated values of [X] and its commitments to [Y].' Fill in the actual values and commitments from the AI strategy document. (2) Success metric — 'The board's effectiveness is measured by the time from ethics flag to resolution, and by the quality of responsible AI practices embedded in the development process — not by the number of deployments reviewed or blocked.' 
This framing makes the board a collaborator with product teams, not a gatekeeper." }, { "speaker": "human", "text": "Mandate drafted: purpose tied to organizational values, success metric is resolution speed and practice quality." } ], "triggers_next": "Board mandate drafted with strategic grounding and success metric." }, { "step": 2, "d": "governance", "label": "Design composition, authority, escalation, and cadence", "example_prompts": [ { "speaker": "human", "text": "Who should be on the board and how often should it meet?" }, { "speaker": "ai", "text": "Composition: 5-7 members — (1) 2 external independent members with AI ethics, law, or civil society expertise; no financial stake in the organization. (2) 1 customer or community representative if the AI affects external stakeholders at scale. (3) Chief Ethics or Responsible AI Officer as chair. (4) Representatives from legal, product, and data science in a non-voting advisory capacity. Authority: the board has explicit pause authority for any mandatory-review deployment; decisions require majority vote. Escalation: deadlock goes to CEO within 48 hours. Cadence: monthly standing meeting (2 hours) plus an async Slack or email channel for urgent reviews with a 72-hour SLA. The async channel is the most important operational design decision — it is what makes the board usable at sprint speed." }, { "speaker": "human", "text": "Five-member board approved including two external members. Async channel with 72-hour SLA confirmed." } ], "triggers_next": "Governance structure approved: composition, authority, escalation, and cadence defined.", "loop_back": { "to": "governance", "condition": "Implementation reveals the 72-hour async SLA cannot be met with the current member workload — cadence requires redesign.", "reason": "A board that cannot operate at deployment speed is structurally ineffective — governance must be re-designed." 
} }, { "step": 3, "d": "risk-ethics", "label": "Define the board's ethical risk scope", "example_prompts": [ { "speaker": "human", "text": "What should the board be able to review — and what is out of scope?" }, { "speaker": "ai", "text": "In scope — mandatory review triggers: (1) AI decisions about individuals in regulated domains (employment, credit, healthcare, benefits, criminal justice). (2) AI involving sensitive data (health, biometric, financial, children's data). (3) AI deployed to more than 100,000 users. (4) AI in a new domain not previously reviewed. (5) AI with identified dual-use potential. Optional escalation — any AI feature a product team has questions about. Out of scope — AI infrastructure (APIs, databases) with no direct user-facing decision function; AI for internal analytics with no individual impact. Publish the in/out scope criteria so product teams can self-assess." }, { "speaker": "human", "text": "Scope criteria approved and published to all product teams." } ], "triggers_next": "Ethical risk scope defined and published." }, { "step": 4, "d": "implementation", "label": "Integrate the review gate into the development workflow", "example_prompts": [ { "speaker": "human", "text": "How do we make the ethics review part of the standard development process?" }, { "speaker": "ai", "text": "Three integration points: (1) Design gate — at the point where a product manager writes the AI feature specification, they complete the one-page ethics intake form and self-assess against the mandatory review criteria. If criteria are met, they submit to the board — this is not optional. (2) Pre-deployment gate — the deployment checklist includes a confirmation field: 'Ethics board review completed (date) or ethics criteria not triggered (rationale).' No deployment proceeds without one of the two. (3) Post-deployment monitoring — for features approved with conditions, the product team reports back to the board at 90 days with outcome data. 
The intake form is the key friction point — keep it to one page or adoption will fail." }, { "speaker": "human", "text": "One-page intake form finalized. Design gate and deployment checklist updated. Engineering VP signed off." } ], "triggers_next": "Ethics review gate integrated into design and deployment workflow." }, { "step": 5, "d": "accountability", "label": "Design decision logging and external disclosure", "example_prompts": [ { "speaker": "human", "text": "How do we show externally that the ethics board is working?" }, { "speaker": "ai", "text": "Four accountability mechanisms: (1) Decision log — every board decision logged with: date, feature reviewed, decision (approve/approve-with-conditions/pause/reject), one-paragraph rationale. Log reviewed quarterly by the audit committee. (2) Annual ethics report to the board of directors — chair presents: total reviews, condition rate, pause rate, systemic themes (e.g., 'fairness in hiring AI was the most common concern in Q3'). (3) External disclosure — the organization's responsible AI report includes a summary of board activity — not individual case details, but aggregate statistics and themes. (4) Employee escalation pathway — employees can submit concerns directly to the board chair email; all submissions acknowledged within 5 business days." }, { "speaker": "human", "text": "Decision log template created. Annual report to board of directors committed. Employee escalation email established." } ], "triggers_next": "Accountability mechanisms operational; board launched.", "can_restart": true } ], "transitions": [ { "from": "strategy", "to": "governance", "trigger": "Board mandate drafted with strategic grounding." }, { "from": "governance", "to": "risk-ethics", "trigger": "Governance structure approved." }, { "from": "risk-ethics", "to": "implementation", "trigger": "Ethical risk scope defined and published." 
}, { "from": "implementation", "to": "governance", "trigger": "Cadence cannot match deployment rhythm — redesign governance.", "is_loop_back": true }, { "from": "implementation", "to": "accountability", "trigger": "Review gate integrated into workflow." }, { "from": "accountability", "to": "strategy", "trigger": "Annual review — reassess board mandate against strategic evolution.", "is_cycle_restart": true } ] } }, { "id": "ai-fairness-audit", "framework_id": "oecd-ai-principles", "title": "AI Fairness Audit", "domain": "enterprise", "file": "enterprise-ai-fairness-audit.yaml", "dimensions": { "inclusive-growth": { "description": "The audit assesses whether the AI system distributes its benefits and burdens equitably across demographic groups — identifying which groups are systematically advantaged or disadvantaged by the system's outputs.\n", "example": "Audit lead: \"Our hiring AI has been in production for 18 months. The audit starts with distribution: are qualified candidates from all demographic groups advancing through the funnel at equivalent rates?\" AI: \"To measure equitable distribution, I need three datasets: application pool demographics, advancement rates at each stage, and baseline qualification rates by group. With these, I can compute disparity ratios and identify where in the funnel disparities concentrate.\"\n", "antipattern": "Auditing only aggregate accuracy metrics (overall precision, recall) without disaggregating results by protected group — missing systematic disparities that are invisible in aggregate statistics.\n" }, "human-centred": { "description": "The audit verifies that the system respects fundamental rights — particularly non-discrimination — and that its design choices are consistent with democratic values and human dignity.\n", "example": "AI: \"Beyond disparity metrics, the human-centred audit should check: (1) What proxy variables does the model use that correlate with protected characteristics? 
(2) Is there a mechanism for candidates to challenge AI-assisted decisions? (3) Are decision criteria consistent with applicable non-discrimination law in every deployment jurisdiction?\"\n", "antipattern": "Treating the fairness audit as purely statistical, without examining whether the system's design choices (features selected, objectives optimized) are themselves ethically justified.\n" }, "transparency": { "description": "The audit produces findings that are explainable to affected individuals and decision-makers — not just technical reports for data scientists. Affected candidates should be able to understand how the AI influenced their outcome.\n", "example": "Human: \"The audit found that 'years of continuous employment' is a top predictive feature. Is that explainable to affected candidates?\" AI: \"That feature has a disparate impact on candidates who took career breaks for caregiving — disproportionately women. It may also violate applicable employment law. The explanation to a candidate should not just be 'this feature was used' but 'here is how it affected your score and here is how to request a human review.' That requires an explanation interface, not just a technical finding.\"\n", "antipattern": "Publishing an audit report in technical language inaccessible to the affected individuals, HR teams, or regulators — producing compliance theater without genuine transparency.\n" }, "robustness": { "description": "The audit methodology is itself validated — checking for data quality issues, sample size sufficiency, methodology limitations, and whether findings are stable across reasonable parameter variations.\n", "example": "AI: \"Before finalizing the disparity findings, validate the audit methodology: (1) Is the sample size sufficient for statistical significance at the reported group level? (2) Are the demographic labels in the dataset accurate and self-reported? 
(3) Does the disparity ratio change materially if you use a different fairness metric (demographic parity vs. equalized odds)? Audit findings that are sensitive to metric choice need explicit qualification.\"\n", "antipattern": "Presenting audit findings as definitive without assessing the statistical reliability of the methodology — especially for small subgroup populations where sample sizes may be insufficient.\n" }, "accountability": { "description": "The audit produces a remediation plan with named owners, timelines, and success criteria — not just findings. Accountability extends to disclosing the audit to relevant stakeholders and regulators.\n", "example": "AI closes the audit: \"Remediation accountability matrix: (1) Feature removal — 'years of continuous employment' replaced with validated alternative. Owner: ML team. Target: 60 days. (2) Candidate appeals mechanism — human review pathway added to hiring platform. Owner: HR tech. Target: 90 days. (3) Regulatory disclosure — audit report filed with the labor regulator. Owner: legal. Target: 30 days. (4) Re-audit — scheduled 6 months after remediation. 
Owner: audit lead.\"\n", "antipattern": "Completing the audit and circulating the report internally without a remediation plan, owner assignments, or a commitment to re-audit after changes are made.\n" } }, "score_hints": { "inclusive-growth": 0.25, "human-centred": 0.2, "transparency": 0.2, "robustness": 0.2, "accountability": 0.15 }, "summary": "", "tags": [ "fairness-audit", "enterprise", "hiring-ai", "oecd", "compliance" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Equitable distribution analysis identifies disparity patterns by group → human-centred review checks feature choices and rights compliance → findings are translated into explanations accessible to affected parties → audit methodology is validated for robustness → remediation plan with owners and re-audit commitment closes the cycle.\n", "sequence": [ { "step": 1, "d": "inclusive-growth", "label": "Analyze benefit and burden distribution across groups", "example_prompts": [ { "speaker": "human", "text": "Run a fairness audit on our AI hiring tool. Start with distribution." }, { "speaker": "ai", "text": "To compute equitable distribution, I'll need: application pool demographics for the past 12 months, stage-by-stage advancement rates broken out by gender, age band, and ethnicity, and baseline qualification rates by group for external benchmarking. With these three datasets, I can produce disparity ratios at each funnel stage and identify where the AI's influence is concentrated. Can you provide the data or access to the analytics system?" }, { "speaker": "human", "text": "Data is available. Disparity ratios show a 1.4 ratio for women at the technical screen stage." } ], "triggers_next": "Disparity ratios computed; high-disparity stages identified." 
}, { "step": 2, "d": "human-centred", "label": "Review feature design and rights compliance", "example_prompts": [ { "speaker": "human", "text": "The technical screen disparity is concentrated in two features: 'GitHub activity' and 'years of continuous employment.' Is this a rights issue?" }, { "speaker": "ai", "text": "Yes — both features have documented disparate impact on women and caregivers. GitHub activity correlates with unpaid open-source contribution time — structurally unequal across gender and socioeconomic groups. 'Years of continuous employment' penalizes career breaks. In the EU and many US states, using these features without validation of their job-relatedness creates legal exposure under non-discrimination law. Recommendation: immediately flag both features for replacement and document the legal risk finding in the audit report." }, { "speaker": "human", "text": "Legal is reviewing. Flag both features as high-risk in the audit." } ], "triggers_next": "Rights and feature compliance findings documented.", "loop_back": { "to": "inclusive-growth", "condition": "Feature replacement changes the disparity pattern — distribution must be re-measured.", "reason": "Removing a feature can shift disparities to other groups; re-measurement validates the fix." } }, { "step": 3, "d": "transparency", "label": "Translate findings into explanations for affected individuals", "example_prompts": [ { "speaker": "human", "text": "How do we explain the audit findings to the 340 candidates affected in the audit period?" }, { "speaker": "ai", "text": "Three communication levels: (1) Affected candidates — a plain-language notice: 'Our AI screening tool has been audited and found to use criteria that may have disadvantaged some candidates. If you applied in the past 12 months and were rejected at the technical screen, you may request a human review.' (2) HR leadership — the disparity ratio findings with feature attribution. 
(3) Regulators — full technical audit report with methodology. Draft the candidate notice first — that is the most time-sensitive accountability action." }, { "speaker": "human", "text": "Agreed. Draft the candidate notice for HR review." } ], "triggers_next": "Candidate communication drafted; regulatory report scoped." }, { "step": 4, "d": "robustness", "label": "Validate audit methodology and qualify findings", "example_prompts": [ { "speaker": "human", "text": "Is our sample size sufficient? We had 340 cases but some subgroups are small." }, { "speaker": "ai", "text": "For the disparity ratio to be statistically reliable at the 95% confidence level, you need at least 30 cases per subgroup. Check: (1) Women at technical screen — if n < 30, qualify the finding as directional rather than definitive. (2) Intersectional groups (e.g., women of color) may have n < 10 — do not report disparity ratios for these subgroups; note the gap as a data limitation requiring a larger longitudinal study. This qualification protects the audit from being challenged on statistical grounds." }, { "speaker": "human", "text": "Women n=68 — sufficient. Intersectional groups n=12 — will qualify." } ], "triggers_next": "Methodology validated; findings qualified where necessary." }, { "step": 5, "d": "accountability", "label": "Issue remediation plan with owners and re-audit commitment", "example_prompts": [ { "speaker": "human", "text": "How do we close the audit with clear accountability?" }, { "speaker": "ai", "text": "Audit close accountability matrix: (1) Feature replacement — ML team removes 'GitHub activity' and 'continuous employment' and runs validation test before re-deployment. Target: 60 days. (2) Candidate appeals — HR tech adds human review pathway to rejected candidates. Target: 90 days. (3) Candidate notice — sent within 14 days of audit approval. (4) Regulatory disclosure — full report filed with relevant labor authority within 30 days. 
(5) Re-audit — scheduled 6 months after feature changes are deployed. All items require sign-off from CHRO before the audit is closed." }, { "speaker": "human", "text": "CHRO signed off. Audit closed with remediation plan." } ], "triggers_next": "Audit closed with remediation plan, regulatory disclosure, and re-audit date.", "can_restart": true } ], "transitions": [ { "from": "inclusive-growth", "to": "human-centred", "trigger": "Disparity ratios computed and high-disparity stages identified." }, { "from": "human-centred", "to": "inclusive-growth", "trigger": "Feature replacement changes disparity pattern — re-measure.", "is_loop_back": true }, { "from": "human-centred", "to": "transparency", "trigger": "Rights and feature compliance findings documented." }, { "from": "transparency", "to": "robustness", "trigger": "Candidate communication drafted; regulatory report scoped." }, { "from": "robustness", "to": "accountability", "trigger": "Methodology validated and findings qualified." }, { "from": "accountability", "to": "inclusive-growth", "trigger": "Re-audit cycle begins 6 months after remediation.", "is_cycle_restart": true } ] } }, { "id": "ai-incident-response", "framework_id": "nist-ai-rmf", "title": "AI Incident Response", "domain": "enterprise", "file": "enterprise-ai-incident-response.yaml", "dimensions": { "govern": { "description": "The incident response governance structure is activated: the incident commander is identified, escalation thresholds are applied, and the AI system's risk owner is notified and engaged within the defined SLA.\n", "example": "Incident commander: \"The AI-generated customer communication contained incorrect legal information sent to 2,300 customers. I'm activating our AI incident protocol. Risk owner and legal are notified. 
Severity is High — system is paused pending investigation.\"\n", "antipattern": "Treating an AI incident as a software bug fix without activating risk governance — allowing the response to be owned by engineering alone, without legal, compliance, or leadership involvement.\n" }, "map": { "description": "The team maps the incident: what the AI did, which customers or systems were affected, what data was involved, whether regulatory notification is triggered, and what caused the failure.\n", "example": "AI: \"Based on the incident log, I can help map four dimensions: (1) Output scope — what was generated and sent. (2) Affected population — who received it and any vulnerable groups. (3) Root cause candidates — model error, prompt injection, data pipeline issue, or deployment configuration. (4) Regulatory triggers — do breach notification or AI incident reporting obligations apply? Which do you want to map first?\"\n", "antipattern": "Jumping to root cause analysis before scoping who was affected — fixing the technical problem while customers remain harmed and notifications are delayed.\n" }, "measure": { "description": "The team quantifies the incident's impact: number of affected parties, severity of harm, legal exposure, reputational damage potential, and the likelihood of recurrence without remediation.\n", "example": "Human: \"Legal says the incorrect information could expose us to consumer protection complaints. How do we measure the legal risk?\" AI: \"Measure it along two axes: (1) Volume — 2,300 affected customers is above most jurisdictions' mandatory notification thresholds. (2) Materiality — if any customer acted on the incorrect information (e.g., missed a deadline), individual harm is material. 
Pull a sample of 50 customers for a harm survey before filing the incident report.\"\n", "antipattern": "Reporting an incident as \"low impact\" based on the volume alone without assessing whether individual harm occurred — underestimating legal exposure.\n" }, "manage": { "description": "The team executes the response: customer remediation, regulatory notification if required, root cause fix, system restart protocol, and a post-incident review that updates the risk register and governance policy.\n", "example": "AI closes the response: \"Here is the remediation matrix: (1) Customer remediation — correction notice sent within 24 hours, owner: customer success. (2) Regulatory notification — filed within 72 hours if notification is triggered, owner: legal. (3) Root cause fix — output validation layer added to the prompt pipeline, owner: engineering. (4) Post-incident review — scheduled for next week, output feeds back into the risk register, owner: risk lead.\"\n", "antipattern": "Closing the incident after the technical fix without conducting a post-incident review — missing the governance improvement loop and allowing the same failure to recur.\n" } }, "score_hints": { "govern": 0.3, "map": 0.25, "measure": 0.2, "manage": 0.25 }, "summary": "", "tags": [ "incident-response", "enterprise", "ai-governance", "risk-management" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Governance activates the incident protocol and escalates within SLA → the team maps affected scope, root cause candidates, and regulatory triggers → impact is measured across volume, severity, and legal dimensions → remediation is executed with owners and timelines, and a post-incident review closes the loop back into governance. 
Loops back to Map if new affected parties are discovered during measurement.\n", "sequence": [ { "step": 1, "d": "govern", "label": "Activate incident governance and escalate", "example_prompts": [ { "speaker": "human", "text": "Our AI recommendation engine served a batch of incorrect outputs to users this morning. We're seeing complaints. What's the first step?" }, { "speaker": "ai", "text": "First, activate your AI incident protocol: (1) Name an incident commander now — this can't be the engineer who runs the system. (2) Pause the AI system if you can't immediately determine the scope of incorrect outputs. (3) Notify the AI risk owner within your defined SLA — if you don't have one, escalate to the most senior accountable leader immediately. (4) Open an incident ticket with timestamp. Who is the named incident commander?" }, { "speaker": "human", "text": "I'm taking incident command. Risk owner is the Head of Product. System is paused. Ticket opened at 09:14." } ], "triggers_next": "Incident command activated, system paused, risk owner notified." }, { "step": 2, "d": "map", "label": "Map scope, affected parties, and root cause candidates", "example_prompts": [ { "speaker": "human", "text": "Logs show the model returned outputs outside its expected range for about 400 users between 08:00 and 09:14. Help me map the full scope." }, { "speaker": "ai", "text": "Scope map: (1) Affected users — 400 users received anomalous outputs. Check whether any are in protected categories (minors, healthcare, financial decisions). (2) Data involved — what personal data did the model process for these users? (3) Root cause candidates — A/B test misconfiguration, upstream data pipeline failure, model update without validation, or prompt injection. (4) Regulatory triggers — does your jurisdiction require notification for AI incidents involving personal data? I'd check GDPR Art. 33 and any sector-specific AI incident rules." 
}, { "speaker": "human", "text": "Some users are in the healthcare domain. That changes the severity." } ], "triggers_next": "Affected scope, data categories, and regulatory triggers mapped." }, { "step": 3, "d": "measure", "label": "Measure impact severity and legal exposure", "example_prompts": [ { "speaker": "human", "text": "400 users, healthcare domain, some may have received treatment recommendations. How do we measure this?" }, { "speaker": "ai", "text": "Measure along three axes: (1) Clinical harm potential — did any user receive a recommendation they could have acted on? Pull a sample of 20 outputs and have a clinician review. (2) Legal exposure — healthcare AI incidents in most EU and US jurisdictions trigger mandatory incident reporting. Check your sector regulator. (3) Reputational impact — if this becomes public, what is the narrative risk? Prepare a holding statement now, before any media inquiry. Severity: Critical pending clinical review." }, { "speaker": "human", "text": "Clinical review in progress. Legal filing timeline confirmed: 72 hours." } ], "triggers_next": "Impact severity quantified, legal exposure assessed, notification timeline set.", "loop_back": { "to": "map", "condition": "Measurement reveals additional affected users or data categories not in the initial map.", "reason": "Scope must be updated before regulatory notifications are filed." } }, { "step": 4, "d": "manage", "label": "Execute remediation and close with post-incident review", "example_prompts": [ { "speaker": "human", "text": "Clinical review found no actionable harm, but we're notifying all 400 users. Root cause was a misconfigured A/B test. How do we close?" }, { "speaker": "ai", "text": "Remediation matrix: (1) User notification — send within 24 hours, include what happened and what to do if they acted on the output. Owner: customer success. (2) Regulatory — file incident report to sector regulator within 72-hour window. Owner: legal. 
(3) Technical fix — disable A/B test framework for AI systems until validation gates are added. Owner: engineering, target: today. (4) Post-incident review — scheduled for 5 business days, outputs update the risk register and A/B test governance policy. Owner: you as incident commander. This cycle restarts at the next AI system launch or quarterly AI risk review." }, { "speaker": "human", "text": "Agreed. All four owners confirmed." } ], "triggers_next": "Remediation complete, regulatory filed, post-incident review scheduled.", "can_restart": true } ], "transitions": [ { "from": "govern", "to": "map", "trigger": "Incident command activated and system paused." }, { "from": "map", "to": "measure", "trigger": "Scope, affected parties, and regulatory triggers mapped." }, { "from": "measure", "to": "map", "trigger": "New affected parties or data categories discovered.", "is_loop_back": true }, { "from": "measure", "to": "manage", "trigger": "Impact severity and legal exposure assessed." }, { "from": "manage", "to": "govern", "trigger": "Post-incident review triggers governance policy update — cycle restarts.", "is_cycle_restart": true } ] } }, { "id": "ai-performance-audit", "framework_id": "iso-42001", "title": "AI Management System Performance Audit", "domain": "enterprise", "file": "enterprise-ai-performance-audit.yaml", "dimensions": { "context": { "description": "The audit verifies that the AIMS scope and organizational context remain valid — checking whether changes in the organization's AI footprint, regulatory environment, or stakeholder landscape have rendered the current scope obsolete.\n", "example": "Auditor: \"The AIMS was scoped to five AI systems 12 months ago. We now have eight. Is the scope still valid?\" AI: \"Scope validity check: (1) The three new AI systems must be assessed for inclusion — are they within the AIMS boundary as currently defined? If yes, they are a nonconformity: in-scope systems not covered by the AIMS. 
If no, a scope update is required to explicitly exclude them with documented rationale. (2) Have any new regulations come into force in the past 12 months that affect the AIMS scope? (3) Have any new stakeholders emerged — a new regulator, a new customer segment, a new supplier — who should be in the interested parties register? Document findings for each.\"\n", "antipattern": "Auditing the AIMS against the original scope document without checking whether the scope is still accurate — allowing new AI systems to operate outside the AIMS boundary undetected.\n" }, "leadership": { "description": "The audit verifies that top management commitment is genuine and current — checking whether the AI policy has been reviewed, whether the AI management representative has the authority and resources needed, and whether AI risk appears in executive reporting.\n", "example": "AI: \"Leadership evidence checklist for the audit: (1) AI policy review — was the AI policy reviewed in the past 12 months? Who approved the review? (2) Management representative authority — have there been cases where the AI management representative needed to make a decision and could not due to resource or authority constraints? (3) Executive reporting — pull the last four board or executive reports: does AI risk appear as a standing item? 
If AI risk only appears when there is an incident, governance is reactive, not systematic.\"\n", "antipattern": "Accepting a signed AI policy as evidence of leadership commitment without checking whether the policy has been reviewed, whether the management representative has real authority, and whether AI risk is integrated into executive reporting.\n" }, "planning": { "description": "The audit assesses progress against the AIMS objectives set in the previous planning cycle — verifying that risk treatments were implemented on schedule, that objectives are still measurable, and that the risk register is current.\n", "example": "Human: \"Three AIMS objectives were set last year. How do we audit progress?\" AI: \"For each objective: (1) Is the objective still measurable — is the metric and target still valid, or has it become obsolete due to system changes? (2) What is the current performance against target — provide evidence, not narrative. (3) For objectives not on track — what is the root cause? Was the target unrealistic, was the treatment action not implemented, or did circumstances change? (4) Risk register currency — pull five risk entries at random: are treatment actions implemented? 
Are residual risk ratings still accurate given changes in the past 12 months?\"\n", "antipattern": "Reporting AIMS objectives as 'in progress' without providing quantitative evidence of current performance against target — producing an audit finding that cannot distinguish between genuine progress and stalled implementation.\n" }, "operation": { "description": "The audit samples operational records to verify that documented AIMS processes are being followed in practice — checking model cards, change control logs, incident logs, and supplier documentation.\n", "example": "AI: \"Operational sampling for the audit — pull records for three AI systems deployed in the past 12 months and verify: (1) Model card completeness — does the model card exist, is it current (updated within 30 days of the last material change), and does it contain all required fields? (2) Change control — were there material AI system changes? Was a documented impact assessment completed before deployment? (3) Incident log — are all AI incidents logged? Sample three months and cross-reference with the service desk for unreported incidents. (4) Supplier documentation — are model cards or technical specifications on file for all AI suppliers?\"\n", "antipattern": "Auditing AIMS operational processes by interviewing process owners rather than sampling records — hearing how processes are supposed to work rather than verifying that they actually work.\n" }, "performance": { "description": "The audit produces formal findings, nonconformities, and observations — and feeds these into a management review that produces a written AIMS effectiveness conclusion and an approved corrective action plan.\n", "example": "AI closes the audit cycle: \"Audit summary for management review: Two major nonconformities — (1) Three AI systems deployed in the past 6 months have no model cards (Clause 8, Operation). Root cause: new development team was not trained on AIMS documentation requirements. 
Required action: training completed, retrospective model cards drafted. (2) Risk register not updated for 9 months — two risk treatments overdue (Clause 6, Planning). Required action: risk register reviewed and updated within 30 days. Two observations — scope does not cover three new AI systems; AI policy has not been reviewed in 18 months. Management review must produce a written AIMS effectiveness conclusion and approve corrective action owners and deadlines.\"\n", "antipattern": "Completing the internal audit, identifying nonconformities, and then allowing the management review to be cancelled or deferred — leaving nonconformities without corrective actions and the AIMS without a formal effectiveness determination.\n" } }, "score_hints": { "context": 0.15, "leadership": 0.2, "planning": 0.25, "operation": 0.25, "performance": 0.15 }, "summary": "", "tags": [ "iso-42001", "internal-audit", "enterprise", "performance", "management-review" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "AIMS scope validity is verified against current AI footprint → leadership commitment evidence is checked against four concrete indicators → planning objective progress is assessed with quantitative evidence → operational records are sampled for process conformity → audit findings feed the management review which produces corrective actions and an effectiveness conclusion.\n", "sequence": [ { "step": 1, "d": "context", "label": "Verify AIMS scope validity and context currency", "example_prompts": [ { "speaker": "human", "text": "We're running the annual AIMS internal audit. Start with context." }, { "speaker": "ai", "text": "Scope validity check — four questions: (1) How many AI systems are in production today versus when the scope was last updated? Any new systems must be assessed for AIMS inclusion. 
(2) Have any new regulations come into force affecting the AIMS scope — EU AI Act, sector-specific AI rules? (3) Are all interested parties in the register still current — any new regulators, customers, or suppliers? (4) Has the organizational context changed — mergers, acquisitions, new markets — that affects the AI risk landscape? Document findings for each; scope gaps are a likely nonconformity finding." }, { "speaker": "human", "text": "Three new AI systems not in scope. EU AI Act now applies — not reflected in the AIMS. Two interested parties added." } ], "triggers_next": "Scope validity findings documented — three new systems and regulatory gap identified." }, { "step": 2, "d": "leadership", "label": "Check leadership commitment evidence", "example_prompts": [ { "speaker": "human", "text": "How do we audit leadership commitment beyond checking the signed AI policy?" }, { "speaker": "ai", "text": "Four evidence checks: (1) AI policy review — request the review record: who reviewed it, when, who approved it? If no review in the past 12 months, that is an observation (not a major nonconformity unless the policy is materially outdated). (2) Management representative — interview them: have they had authority or resource constraints in the past 12 months that prevented AIMS decisions? If yes, document specific cases. (3) Executive reporting — review board minutes or executive reports for the past four quarters. Does AI risk appear as a standing agenda item? (4) AIMS budget — was the approved AIMS budget fully allocated? If significant budget was rescinded, that is a leadership commitment finding." }, { "speaker": "human", "text": "AI policy not reviewed in 18 months. Executive reports show AI risk only appears in incident months. Observation documented." } ], "triggers_next": "Leadership commitment evidence assessed; two observations documented." 
}, { "step": 3, "d": "planning", "label": "Assess objective progress and risk register currency", "example_prompts": [ { "speaker": "human", "text": "How do we audit the three AIMS objectives from last year's planning cycle?" }, { "speaker": "ai", "text": "For each objective, pull quantitative evidence: (1) 'All new AI deployments have a model card by Q3' — how many deployments occurred? How many have model cards? If three of six have cards, that is a 50% achievement rate against a 100% target — a major nonconformity. (2) 'Zero unlogged AI incidents by Q2' — cross-reference the incident log with service desk records. Any discrepancy is a nonconformity. (3) 'First internal audit completed by Q4' — we are doing it now, so this objective is met. For the risk register: pull five entries at random and check: are treatment actions implemented? Are target dates past due? Overdue treatment actions are a nonconformity finding." }, { "speaker": "human", "text": "Model card objective: 3 of 6 — major nonconformity. Risk register: two overdue treatments — major nonconformity." } ], "triggers_next": "Two major nonconformities documented from planning audit.", "loop_back": { "to": "context", "condition": "Planning audit reveals that the risk register was not updated when new AI systems were added — scope and planning are linked nonconformities.", "reason": "Linked nonconformities require both context and planning sections to be re-audited together." } }, { "step": 4, "d": "operation", "label": "Sample operational records for process conformity", "example_prompts": [ { "speaker": "human", "text": "Which operational records should we sample for the audit?" }, { "speaker": "ai", "text": "Sample three AI systems deployed in the past 12 months. For each, check: (1) Model card — exists, is current, contains required fields. (2) Change control — pull the change log: were there material changes? Was an impact assessment completed before deployment? 
(3) Incident log — pull the past 6 months. Cross-reference with the service desk: any incidents reported to the service desk but not in the AIMS incident log? (4) Supplier documentation — pull the AI supplier register: do all suppliers have model cards or technical specifications on file? Sampling is sufficient for the audit — you are not required to check every system." }, { "speaker": "human", "text": "Three systems sampled. Two have no model cards — already flagged. One change control record missing impact assessment — additional nonconformity." } ], "triggers_next": "Operational sampling complete — third major nonconformity identified." }, { "step": 5, "d": "performance", "label": "Conduct management review and approve corrective actions", "example_prompts": [ { "speaker": "human", "text": "We have three major nonconformities. How do we close the audit?" }, { "speaker": "ai", "text": "Management review agenda: (1) Audit findings summary — present all three major nonconformities with root cause analysis. Do not just list findings; explain why each occurred. (2) Corrective action approval — for each nonconformity, management approves: the corrective action, the owner, and the target date. Required: (a) Model cards for all six deployments within 30 days; training for new dev team. Owner: AIMS manager. (b) Risk register reviewed and all overdue treatments completed within 30 days. Owner: risk lead. (c) Change control process retrained and missing impact assessment documented retrospectively. Owner: engineering lead. (3) AIMS effectiveness conclusion — management must formally conclude: is the AIMS achieving its intended outcomes? Document the conclusion in the review minutes. (4) Next audit date — set the date for the next internal audit now." }, { "speaker": "human", "text": "Management review complete. Three corrective actions approved with owners. AIMS effectiveness conclusion: Partially Effective — improvement required." 
} ], "triggers_next": "Management review complete; corrective actions approved; next audit date set.", "can_restart": true } ], "transitions": [ { "from": "context", "to": "leadership", "trigger": "Scope validity findings documented." }, { "from": "leadership", "to": "planning", "trigger": "Leadership commitment evidence assessed." }, { "from": "planning", "to": "context", "trigger": "Risk register gap linked to scope — re-audit context.", "is_loop_back": true }, { "from": "planning", "to": "operation", "trigger": "Planning objective progress assessed; nonconformities documented." }, { "from": "operation", "to": "performance", "trigger": "Operational sampling complete." }, { "from": "performance", "to": "context", "trigger": "Next annual audit cycle begins.", "is_cycle_restart": true } ] } }, { "id": "ai-risk-assessment", "framework_id": "nist-ai-rmf", "title": "Enterprise AI Risk Assessment", "domain": "enterprise", "file": "enterprise-ai-risk-assessment.yaml", "dimensions": { "govern": { "description": "Before assessing any risk, the team confirms that governance structures are in place: a named AI risk owner, a defined risk appetite, and a clear mandate for who can accept residual risk.\n", "example": "Risk governance lead: \"Before we map any risks, I need us to confirm three things: who owns this AI system's risk posture, what our risk appetite is for automated decisions in this domain, and what sign-off is required before deployment.\"\n", "antipattern": "Starting a risk assessment without an owner — producing a risk register that no one is accountable for acting on.\n" }, "map": { "description": "The team systematically identifies what the AI system does, who is affected (including non-users), what can go wrong, and where risks originate — distinguishing technical, operational, and societal risks.\n", "example": "AI: \"Based on the system description, I can identify six risk categories: data quality risks affecting prediction accuracy, fairness risks for the 
demographic groups in scope, security risks from adversarial inputs, operational risks from model drift, legal risks from the jurisdiction's AI regulations, and reputational risks from public misperception. Which of these are within scope for this assessment?\"\n", "antipattern": "Mapping only technical risks (model accuracy, latency) and omitting societal, legal, and operational risks that are harder to quantify.\n" }, "measure": { "description": "Each mapped risk is scored for likelihood and impact using consistent criteria. The team uses evidence from testing, historical data, and stakeholder input — not gut feel — to justify scores.\n", "example": "Human: \"The AI flags fairness risk. How do we score likelihood?\" AI: \"I recommend using your testing data: run the model outputs across demographic groups and compare disparity ratios. If the disparity ratio exceeds your defined threshold, likelihood of harm is high regardless of intent.\"\n", "antipattern": "Scoring risks subjectively without evidence — producing scores that reflect the team's optimism rather than the system's actual behavior.\n" }, "manage": { "description": "The team selects a treatment for each measured risk (accept, mitigate, avoid, transfer), documents residual risk, assigns owners, and defines monitoring checkpoints for post-deployment.\n", "example": "Risk owner: \"For the fairness risk — treatment is mitigation via quarterly disparity audits. Owner is the data team lead. Residual risk is accepted at Low. If disparity ratio exceeds threshold, the system is paused pending review.\" AI: \"I'll draft the risk register entry with those fields. 
Do you want me to also generate the monitoring alert specification?\"\n", "antipattern": "Closing a risk entry after selecting mitigation without documenting residual risk or a monitoring trigger — leaving the risk effectively untracked after deployment.\n" } }, "score_hints": { "govern": 0.25, "map": 0.25, "measure": 0.25, "manage": 0.25 }, "summary": "", "tags": [ "risk-assessment", "enterprise", "ai-governance", "pre-deployment" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Governance readiness is confirmed before any risk work begins → risks are mapped across technical, operational, societal, and legal dimensions → each risk is scored using evidence → treatment plans with owners and monitoring triggers are documented. Loops back to Map if measurement reveals unmapped risks.\n", "sequence": [ { "step": 1, "d": "govern", "label": "Confirm governance readiness and risk ownership", "example_prompts": [ { "speaker": "human", "text": "We're about to assess a new loan-decisioning AI. Before we start mapping risks, can you help us confirm what governance needs to be in place?" }, { "speaker": "ai", "text": "Three things need to be confirmed first: (1) Who is the named risk owner with authority to accept or reject deployment? (2) What is your organization's risk appetite for automated decisions in lending — do you have a documented threshold? (3) What approval is required before deployment proceeds? Without these, any risk register we produce will be orphaned." }, { "speaker": "human", "text": "The CRO owns lending AI risk, our appetite is Low for decisions affecting credit access, and deployment requires CRO sign-off plus legal review." } ], "triggers_next": "Risk owner named, appetite defined, approval path confirmed." 
}, { "step": 2, "d": "map", "label": "Map risks across all affected dimensions", "example_prompts": [ { "speaker": "human", "text": "The system uses applicant financial data and a proprietary model to automate 80% of loan decisions. Map the risk landscape." }, { "speaker": "ai", "text": "I'll map six risk categories: (1) Data quality — training data may not reflect current economic conditions. (2) Fairness — automated decisions at scale amplify demographic disparities. (3) Security — model inversion attacks could expose applicant data. (4) Operational — model drift without monitoring could degrade accuracy undetected. (5) Legal — jurisdiction-specific fair lending laws may impose explainability requirements. (6) Reputational — public perception of algorithmic lending decisions. Which require deeper mapping?" }, { "speaker": "human", "text": "Fairness and legal are top priority — map those in detail." } ], "triggers_next": "Risk categories mapped with stakeholders and impact domains identified." }, { "step": 3, "d": "measure", "label": "Score each risk using evidence and consistent criteria", "loop_back": { "to": "map", "condition": "Measurement reveals a risk not captured in the initial map.", "reason": "Scope must be extended before the new risk can be measured." }, "example_prompts": [ { "speaker": "human", "text": "We ran the model on a holdout set. Demographic disparity ratio is 1.34 for one protected group. How do we score this?" }, { "speaker": "ai", "text": "A ratio of 1.34 is above the 1.25 threshold used by most fair lending regulators as a trigger for adverse impact review. Likelihood of harm: High. Impact: High, given the credit access consequences and legal exposure. This scores as a Critical risk — it requires mitigation, not acceptance." }, { "speaker": "human", "text": "What evidence do we need for the legal risk score?" 
}, { "speaker": "ai", "text": "For legal risk, you need a jurisdiction mapping: list every jurisdiction where the system will operate and check each against applicable AI and fair lending regulation. The evidence is the legal review memo, not the model output." } ], "triggers_next": "All priority risks scored with evidence citations." }, { "step": 4, "d": "manage", "label": "Define treatment, residual risk, and monitoring for each risk", "example_prompts": [ { "speaker": "human", "text": "For the fairness risk — what treatment options do we have?" }, { "speaker": "ai", "text": "Three options: (1) Mitigate — rebalance training data and re-evaluate; target disparity ratio below 1.15. (2) Avoid — remove the demographic-correlated features from the model. (3) Transfer — purchase fairness insurance and accept current disparity with disclosed risk. Given your Low risk appetite, option 1 or 2 is required. Which do you want in the risk register?" }, { "speaker": "human", "text": "Option 1. Owner is data science lead, target date is next sprint, monitoring is monthly disparity audit. Residual risk: Medium pending re-evaluation." } ], "triggers_next": "Risk register complete, all entries have treatment, owner, timeline, and residual risk.", "can_restart": true } ], "transitions": [ { "from": "govern", "to": "map", "trigger": "Risk owner named, appetite defined, approval path confirmed." }, { "from": "map", "to": "measure", "trigger": "Risk landscape mapped with stakeholders and impact domains." }, { "from": "measure", "to": "map", "trigger": "New risk identified during measurement — not in original map.", "is_loop_back": true }, { "from": "measure", "to": "manage", "trigger": "All priority risks scored with evidence." 
}, { "from": "manage", "to": "govern", "trigger": "New AI system or material change triggers a new assessment cycle.", "is_cycle_restart": true } ] } }, { "id": "ai-strategy-alignment", "framework_id": "wef-responsible-ai", "title": "AI Strategy Alignment with Organizational Purpose", "domain": "enterprise", "file": "enterprise-ai-strategy-alignment.yaml", "dimensions": { "strategy": { "description": "The leadership team articulates how AI initiatives connect to the organization's stated purpose, values, and societal commitments — and uses this connection as a filter for AI investment decisions.\n", "example": "CEO: \"We've approved six AI initiatives this year. I want to know which ones actually serve our mission as a public health organization.\" AI: \"Apply the purpose test to each initiative: (1) Does this AI initiative serve patients and communities, or does it primarily serve operational efficiency for the organization? (2) Could this AI use create a conflict of interest between our mission and our financial incentives? (3) If this initiative became public tomorrow, would it be consistent with how we want to be seen? Run all six initiatives through these three questions and rank them by mission alignment before the next board meeting.\"\n", "antipattern": "Approving AI initiatives based exclusively on ROI projections and operational efficiency gains, with no mechanism to verify whether they serve the organization's stated mission and societal purpose.\n" }, "governance": { "description": "The organization designs an oversight structure for responsible AI with real decision authority — including who can pause or veto deployments, how ethics concerns are escalated, and what the governance cadence is.\n", "example": "AI: \"For responsible AI governance, the WEF Playbook recommends three layers: (1) Operational — an AI review team embedded in the product and engineering workflow that screens every AI deployment before it goes live. 
(2) Strategic — an AI ethics committee at the VP/Director level with authority to pause high-stakes deployments. (3) Board — an AI governance item on the board agenda at least quarterly, with a named board member as AI accountability sponsor. Which layer is currently missing or weakest in your organization?\"\n", "antipattern": "Creating an AI ethics committee that meets quarterly and can only advise — with no authority to pause deployments and no connection to operational AI decisions being made daily in product teams.\n" }, "risk-ethics": { "description": "The organization assesses the ethical risks of its AI portfolio — not just technical risks — including who could be harmed, how, and whether the harm is proportionate to the benefit claimed.\n", "example": "Human: \"Our patient scheduling AI prioritizes patients with better payment histories. Is that an ethical risk?\" AI: \"Yes — this is a high-severity ethical risk. The harm is direct and systematic: patients with worse payment histories (often lower-income or underinsured) receive worse access to care. In a public health context, this directly conflicts with your mission and may violate health equity law. The WEF Playbook would classify this as an unacceptable ethics risk — a mission conflict, not just a fairness metric. 
Recommendation: pause this feature and replace the payment history signal with clinically appropriate prioritization criteria.\"\n", "antipattern": "Treating 'payment history' as a neutral data feature without assessing its societal and mission implications — allowing financial logic to override clinical and ethical judgment.\n" }, "implementation": { "description": "The organization embeds responsible AI practices into its operational workflows — making ethics reviews, documentation requirements, and fairness checks part of the standard development process, not optional extras.\n", "example": "AI: \"To embed responsible AI in your product workflow, I recommend three changes to the current development process: (1) Add an ethics checkpoint at the design phase — before any AI feature is engineered, a one-page ethics impact brief is required. (2) Require an equity review for any AI feature affecting patient access or outcomes — run by clinical and social work staff, not just engineers. (3) Add a responsible AI sign-off to the deployment checklist — a named individual confirms the ethics checkpoint and equity review were completed. These add less than one week to the average release cycle.\"\n", "antipattern": "Publishing a responsible AI policy and expecting development teams to self-apply it without any process change, tooling, or accountability mechanism — producing policies that exist on paper but not in code.\n" }, "accountability": { "description": "The organization tracks whether its AI initiatives are achieving their stated purpose, reports transparently on outcomes — including failures — and uses evidence to drive continuous improvement of the responsible AI program.\n", "example": "AI closes the cycle: \"Accountability structure for the responsible AI program: (1) Quarterly outcome report — for each AI system, track three metrics: mission alignment score (purpose test results), equity metric (disparity in outcomes across patient groups), and incident count. 
(2) Annual external report — published to stakeholders including community partners, describing responsible AI commitments and progress. (3) Board accountability item — AI ethics committee presents to the board annually with a forward improvement plan. (4) Whistleblower pathway — staff can report responsible AI concerns anonymously with a named executive reviewer.\"\n", "antipattern": "Reporting only AI successes externally while keeping failures and ethical concerns internal — producing a responsible AI narrative that is not grounded in transparent evidence.\n" } }, "score_hints": { "strategy": 0.25, "governance": 0.2, "risk-ethics": 0.25, "implementation": 0.2, "accountability": 0.1 }, "summary": "", "tags": [ "ai-strategy", "responsible-ai", "enterprise", "wef", "healthcare" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "AI initiatives are filtered against organizational purpose → governance structure with real authority is designed → ethical risks in the AI portfolio are assessed → responsible AI practices are embedded in development workflows → outcome tracking and external reporting closes the accountability loop. Loops back to strategy if risk-ethics assessment reveals initiatives that conflict with mission.\n", "sequence": [ { "step": 1, "d": "strategy", "label": "Filter AI initiatives against organizational purpose", "example_prompts": [ { "speaker": "human", "text": "We have a board-approved AI roadmap with 8 initiatives. How do we know which ones are aligned with our mission?" }, { "speaker": "ai", "text": "Run the purpose test on all 8 initiatives. For each, answer: (1) Who is the primary beneficiary — the organization or the people it serves? (2) Does this initiative serve our core mission or a financial objective that happens to use AI? (3) Would this initiative be defensible if reported by a journalist covering 'AI in healthcare'? 
Score each initiative Red (mission conflict), Yellow (unclear alignment), or Green (clear mission alignment). Share the results before the next board meeting — Red and Yellow items require a strategy discussion, not just an approval." }, { "speaker": "human", "text": "Three initiatives score Red including the payment-priority scheduler. Two are Yellow. Three are Green." } ], "triggers_next": "AI initiatives scored against mission; conflicts identified." }, { "step": 2, "d": "governance", "label": "Design responsible AI governance with real authority", "example_prompts": [ { "speaker": "human", "text": "We have an AI ethics advisory group but it has no authority to stop anything. How do we fix this?" }, { "speaker": "ai", "text": "Restructure in three steps: (1) Rename the group to AI Ethics Committee and update the charter to give it explicit pause authority for any AI deployment that scores Red on the purpose test or fails an equity review. (2) Define the escalation path — product team flags concern → AI review team → ethics committee → CEO if committee is deadlocked. (3) Give the committee a direct reporting line to the board's governance committee, not to the CTO. The CTO is an interested party in deployment decisions; the board is the right accountability principal." }, { "speaker": "human", "text": "Charter update drafted. CEO approved pause authority for the ethics committee." } ], "triggers_next": "Governance structure with real authority approved and documented." }, { "step": 3, "d": "risk-ethics", "label": "Assess ethical risks in the AI portfolio", "example_prompts": [ { "speaker": "human", "text": "The three Red initiatives — what are the specific ethical risks?" }, { "speaker": "ai", "text": "For the payment-priority scheduler: ethical risk is direct — it systematically disadvantages lower-income patients in access to care. This is a mission conflict and a potential health equity law violation. 
Recommend: pause immediately, replace with clinically validated priority criteria. For the AI-assisted discharge planning tool: risk is opacity — clinicians cannot see why the model recommends discharge timing, creating accountability gaps. Recommend: require explainability layer before deployment. For the predictive readmission model: risk is feedback loop — if the model is used to ration follow-up care, its errors compound. Recommend: human review required for all model outputs above a risk threshold." }, { "speaker": "human", "text": "Ethics committee has reviewed all three. Pause orders issued for payment scheduler." } ], "triggers_next": "Ethical risks assessed; pause orders issued for mission-conflicting initiatives.", "loop_back": { "to": "strategy", "condition": "Risk-ethics assessment reveals additional initiatives with mission conflicts not identified in the purpose test.", "reason": "Strategy filter must be re-run with updated criteria before ethics committee reviews remaining portfolio." } }, { "step": 4, "d": "implementation", "label": "Embed responsible AI practices in development workflow", "example_prompts": [ { "speaker": "human", "text": "How do we make sure the remaining five Green initiatives stay responsible as they're built?" }, { "speaker": "ai", "text": "Three workflow changes: (1) Ethics impact brief — one-page document required at the design phase for every AI feature. Template: what problem are we solving, who could be harmed, what is the mitigation. Owner: product manager. (2) Equity review — any AI feature affecting patient access or clinical outcomes goes through a 2-hour review with clinical informatics and social work. Owner: clinical lead. (3) Deployment checklist — responsible AI sign-off added as a required gate before any AI feature goes to production. Named individual confirms the ethics brief and equity review were completed. These changes add approximately 3-5 days to the standard release cycle." 
}, { "speaker": "human", "text": "Three changes approved by engineering VP. Adding to the SDLC documentation." } ], "triggers_next": "Responsible AI practices embedded in development workflow." }, { "step": 5, "d": "accountability", "label": "Establish outcome tracking and external reporting", "example_prompts": [ { "speaker": "human", "text": "How do we demonstrate accountability for our responsible AI program externally?" }, { "speaker": "ai", "text": "Accountability framework: (1) Quarterly internal report — AI ethics committee receives: mission alignment scores, equity metrics per system, incident log, open pause items. (2) Annual external report — published to community partners and on the website: responsible AI commitments made, progress against them, and one honest failure and what was learned. (3) Board agenda item — ethics committee presents annually with a forward improvement plan. (4) Community input mechanism — annual open meeting with patient advocacy groups to review the responsible AI program. The external report is the most important item — it creates genuine accountability by making commitments public." }, { "speaker": "human", "text": "Annual report committed for Q4. Community meeting scheduled. Board agenda item approved." } ], "triggers_next": "Accountability structure operational; external reporting committed.", "can_restart": true } ], "transitions": [ { "from": "strategy", "to": "governance", "trigger": "AI initiatives scored against mission; conflicts identified." }, { "from": "governance", "to": "risk-ethics", "trigger": "Governance structure with real authority approved." }, { "from": "risk-ethics", "to": "strategy", "trigger": "Additional mission-conflicting initiatives discovered — re-run purpose test.", "is_loop_back": true }, { "from": "risk-ethics", "to": "implementation", "trigger": "Ethical risks assessed and pause orders issued where needed." 
}, { "from": "implementation", "to": "accountability", "trigger": "Responsible AI practices embedded in workflow." }, { "from": "accountability", "to": "strategy", "trigger": "Annual review cycle — reassess AI portfolio against mission.", "is_cycle_restart": true } ] } }, { "id": "ai-supplier-assessment", "framework_id": "iso-42001", "title": "AI Supplier Assessment", "domain": "enterprise", "file": "enterprise-ai-supplier-assessment.yaml", "dimensions": { "context": { "description": "The organization maps the supplier's role within the AIMS scope — whether the supplier develops, deploys, or provides AI infrastructure — and identifies the specific regulatory and contractual context that governs the supplier relationship.\n", "example": "AIMS manager: \"We are evaluating a cloud AI platform provider. How do we define their role in our AIMS?\" AI: \"For ISO 42001, supplier classification determines what is required. Three roles to assess: (1) AI system developer — do they develop the AI model itself? If yes, they are a critical AIMS supplier and must meet your AI policy minimums. (2) AI infrastructure provider — do they provide compute, storage, or APIs without developing the model? Different obligations apply. (3) AI-enabled service provider — do they use AI internally in services they provide to you? The most common and often overlooked category. 
Document the supplier's role before setting assessment requirements.\"\n", "antipattern": "Applying the same supplier assessment template to all AI-related vendors regardless of their role — over-burdening infrastructure providers while under-assessing AI developers with more material risk.\n" }, "leadership": { "description": "The organization evaluates the supplier's own AI governance maturity — whether they have an AI policy, named accountability, and a governance structure that can back the commitments they make in the contract.\n", "example": "AI: \"Four leadership maturity questions for the supplier: (1) Do they have a published AI policy? Ask for it — a policy that exists only for sales conversations is not evidence of governance. (2) Is there a named executive accountable for AI risk? Not a 'responsible AI team' — a named individual with a title and reporting line. (3) Have they completed any AI management system certification (ISO 42001, NIST AI RMF alignment)? Third-party evidence is more reliable than self-attestation. (4) What is their incident notification track record — have they disclosed AI incidents to clients previously? Ask references.\"\n", "antipattern": "Accepting a supplier's AI ethics statement as evidence of governance maturity without asking for the four concrete evidence items above — assessing values rather than systems.\n" }, "planning": { "description": "The organization documents the specific AI risks the supplier introduces into the AIMS risk register and plans treatment actions — including contractual mitigations, technical controls, and monitoring requirements.\n", "example": "Human: \"The supplier's AI platform processes our customer data. What risks do they introduce to our AIMS?\" AI: \"Four supplier-introduced risks to add to the AIMS risk register: (1) Data sovereignty — where is customer data processed? If outside your jurisdiction, transfer mechanisms must be in the DPA. Risk: High. 
(2) Model change without notice — if the supplier updates their AI model, it could change outputs affecting your products. Require 30-day advance notice of material model changes. Risk: Medium. (3) Supplier AI incident — if the supplier has an AI incident, how quickly are you notified and what are your obligations? Require 48-hour notification SLA. Risk: High. (4) Concentration risk — are you dependent on a single AI platform provider? Risk: Medium. Document treatment for each.\"\n", "antipattern": "Adding a supplier to the AIMS without updating the risk register — treating supplier onboarding as a procurement task rather than an AIMS risk management event.\n" }, "operation": { "description": "The organization defines the operational controls that govern the supplier relationship throughout the contract lifecycle — audit rights, documentation requirements, change management, and incident handling.\n", "example": "AI: \"Operational controls for the supplier agreement: (1) AI documentation requirement — supplier must provide a model card or technical specification for each AI component within the scope of your AIMS. (2) Audit right — annual audit right with 30-day notice; supplier must make AI risk documentation available. (3) Change management — material AI model changes trigger a 30-day notice period and a change impact assessment before your organization accepts the change. (4) Incident integration — supplier AI incidents are integrated into your AIMS incident log within 24 hours of supplier notification. 
All four must be in the contract before signature.\"\n", "antipattern": "Signing a supplier contract with standard SaaS terms that make no provision for AI-specific documentation, audit rights, or AI incident notification — leaving the AIMS with no operational visibility into supplier AI behavior.\n" }, "performance": { "description": "The organization monitors supplier AI performance against agreed metrics throughout the contract, conducts periodic assessments, and includes supplier performance in the annual AIMS management review.\n", "example": "AI closes the assessment cycle: \"Supplier performance monitoring plan: (1) Quarterly review — track: AI incident count, model change notifications received, documentation currency (is the model card up to date?). (2) Annual assessment — re-run the supplier risk assessment; has the supplier's governance maturity improved or degraded? (3) AIMS management review input — include supplier performance in the annual management review as a standing agenda item. (4) Corrective action trigger — if the supplier fails two consecutive quarterly reviews, issue a formal corrective action request with a 60-day remediation deadline. 
Failure to remediate triggers contract review.\"\n", "antipattern": "Completing the initial supplier assessment at onboarding and conducting no further performance monitoring — treating supplier AI governance as a one-time due diligence event rather than an ongoing AIMS obligation.\n" } }, "score_hints": { "context": 0.15, "leadership": 0.2, "planning": 0.25, "operation": 0.25, "performance": 0.15 }, "summary": "", "tags": [ "supplier-assessment", "enterprise", "iso-42001", "third-party", "procurement" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Supplier role in the AIMS is classified → supplier governance maturity is assessed against four evidence criteria → supplier-introduced risks are added to the AIMS risk register with treatments → operational controls are embedded in the contract → ongoing performance monitoring is defined for the contract lifecycle.\n", "sequence": [ { "step": 1, "d": "context", "label": "Classify supplier role within the AIMS", "example_prompts": [ { "speaker": "human", "text": "We're onboarding a new AI platform vendor. How do we integrate them into our AIMS?" }, { "speaker": "ai", "text": "Start by classifying the supplier's role: (1) Are they developing the AI model — the algorithm itself? (2) Are they providing AI infrastructure — compute, APIs, data pipelines — without model development? (3) Are they delivering an AI-enabled service where AI is embedded in what they provide? The classification determines the assessment depth and contract requirements. A model developer carries the most AIMS risk; an infrastructure provider carries less but is often overlooked. What does this supplier do?" }, { "speaker": "human", "text": "They provide an AI-powered customer analytics platform — role 3, AI-enabled service." } ], "triggers_next": "Supplier classified as AI-enabled service provider; assessment scope defined." 
}, { "step": 2, "d": "leadership", "label": "Assess supplier AI governance maturity", "example_prompts": [ { "speaker": "human", "text": "What evidence should we request to assess their AI governance?" }, { "speaker": "ai", "text": "Four evidence requests: (1) Published AI policy — ask for their public or shareable AI policy document. A policy that exists only for sales is not governance. (2) Named AI accountability — who is the named executive accountable for AI risk? Request name, title, and reporting line. (3) Third-party certification or alignment — have they completed ISO 42001 certification, NIST AI RMF alignment, or an equivalent independent assessment? Self-attestation is not sufficient. (4) Incident disclosure track record — have they disclosed AI incidents to clients? Ask two reference customers. Score governance maturity as Mature, Developing, or Absent based on evidence received." }, { "speaker": "human", "text": "Supplier has a published AI policy and a named Head of AI Ethics. No third-party certification. References report one disclosed incident handled well. Score: Developing." } ], "triggers_next": "Supplier governance maturity scored as Developing; gaps documented.", "loop_back": { "to": "context", "condition": "Governance assessment reveals the supplier also develops the underlying AI model — role reclassification required.", "reason": "AI model developers require a more rigorous assessment scope than AI-enabled service providers." } }, { "step": 3, "d": "planning", "label": "Add supplier-introduced risks to the AIMS risk register", "example_prompts": [ { "speaker": "human", "text": "What AIMS risks does this supplier introduce?" }, { "speaker": "ai", "text": "Four risks for the register: (1) Data residency — customer analytics data processed outside our jurisdiction. Likelihood: High (US-based supplier). Impact: High (GDPR exposure). Treatment: Mitigate via Standard Contractual Clauses in DPA. Owner: Legal. 
(2) Model opacity — proprietary analytics model with no published model card. Likelihood: High. Impact: Medium (limits our ability to explain outputs to customers). Treatment: Require model card as contract condition. Owner: AIMS manager. (3) Supplier AI incident — 48-hour notification SLA not currently in standard contract terms. Likelihood: Low. Impact: High. Treatment: Contractual SLA. Owner: Legal. (4) Concentration risk — no alternative analytics provider evaluated. Risk: Medium. Treatment: Evaluate one alternative provider annually." }, { "speaker": "human", "text": "All four risks added to the AIMS risk register with owners and target dates." } ], "triggers_next": "Supplier risks registered with treatments and owners." }, { "step": 4, "d": "operation", "label": "Define operational controls and embed in the contract", "example_prompts": [ { "speaker": "human", "text": "What contract clauses do we need for AI-specific operational control?" }, { "speaker": "ai", "text": "Four contract clauses beyond standard SaaS terms: (1) Model documentation — supplier provides a model card or technical specification for the analytics AI within 30 days of contract signature and updates it within 30 days of any material model change. (2) Change notification — 30-day advance notice of material AI model changes; buyer may request a change impact assessment period before accepting. (3) Audit right — annual audit right; supplier provides AI risk documentation on request with 30-day notice. (4) AI incident notification — supplier notifies buyer within 48 hours of any AI incident affecting buyer's data or analytics outputs. All four to be included in the main agreement or an AI schedule appended to the contract." }, { "speaker": "human", "text": "All four clauses accepted by supplier. Contract signed with AI schedule attached." } ], "triggers_next": "Operational controls embedded in contract; supplier onboarded into AIMS." 
}, { "step": 5, "d": "performance", "label": "Define ongoing monitoring and AIMS management review input", "example_prompts": [ { "speaker": "human", "text": "How do we monitor this supplier's AI performance throughout the contract?" }, { "speaker": "ai", "text": "Quarterly supplier review cadence: (1) Metrics to track: AI incident count and resolution time, model change notifications received vs. expected, model card currency (last update date). (2) Annual re-assessment: re-run the governance maturity assessment; has the supplier moved from Developing to Mature? (3) AIMS management review: include a supplier AI performance summary as a standing agenda item; flag any corrective actions open. (4) Corrective action trigger: two consecutive quarterly reviews with performance below agreed thresholds triggers a formal corrective action request. Non-resolution within 60 days triggers contract review. Add the first quarterly review date to the AIMS calendar." }, { "speaker": "human", "text": "First quarterly review scheduled. Supplier added to AIMS management review agenda." } ], "triggers_next": "Supplier performance monitoring operational; integrated into AIMS calendar.", "can_restart": true } ], "transitions": [ { "from": "context", "to": "leadership", "trigger": "Supplier role classified and assessment scope defined." }, { "from": "leadership", "to": "context", "trigger": "Governance assessment reveals role reclassification needed.", "is_loop_back": true }, { "from": "leadership", "to": "planning", "trigger": "Supplier governance maturity scored and gaps documented." }, { "from": "planning", "to": "operation", "trigger": "Supplier risks added to AIMS risk register." }, { "from": "operation", "to": "performance", "trigger": "Operational controls embedded in contract." 
}, { "from": "performance", "to": "context", "trigger": "Annual re-assessment cycle — re-classify and re-assess.", "is_cycle_restart": true } ] } }, { "id": "ai-transparency-reporting", "framework_id": "oecd-ai-principles", "title": "AI Transparency Reporting", "domain": "enterprise", "file": "enterprise-ai-transparency-reporting.yaml", "dimensions": { "inclusive-growth": { "description": "The report discloses which populations benefit from the organization's AI systems, which bear disproportionate risk, and what the organization is doing to close identified equity gaps — backed by data, not assertions.\n", "example": "Reporting lead: \"Our transparency report says we are 'committed to inclusive AI.' How do we make that substantive?\" AI: \"Replace the commitment statement with three data points: (1) For each major AI system, who uses it and what demographic groups benefit? (2) Where disparity audits found gaps, what was the disparity ratio and what action was taken? (3) What is the organization's equity improvement target for next year, and how will it be measured? A transparency report that makes no measurable commitments is a public relations document, not an accountability one.\"\n", "antipattern": "Publishing general statements about 'commitment to inclusive AI' without any data on who benefits, who is disadvantaged, and what concrete actions are being taken to close identified gaps.\n" }, "human-centred": { "description": "The report identifies which human rights are most implicated by the organization's AI systems and discloses how those rights are protected — including the results of any rights impact assessments conducted.\n", "example": "AI: \"For the human-centred section, structure it as: (1) Rights at stake — list the top three human rights implicated by your AI systems (e.g., right to non-discrimination for hiring AI, right to privacy for data AI, right to explanation for credit AI). 
(2) Protection measures — for each right, what mechanism protects it? (3) Assessment results — were any rights impact assessments conducted? What did they find? If no assessment was conducted, say so — incomplete disclosure is still more credible than vague assurance.\"\n", "antipattern": "Referencing 'human rights' in the report without naming which rights are implicated, how they are protected, or whether any assessment of rights impacts was conducted.\n" }, "transparency": { "description": "The report itself is transparent about its scope limitations — what AI systems are covered, what is excluded and why, and what the organization does not yet know about its own AI impacts.\n", "example": "Human: \"Should we disclose that we have three AI systems we couldn't include because they are under NDA with the vendor?\" AI: \"Yes — disclosing scope limitations is more credible than implying complete coverage. State: 'This report covers eight of eleven AI systems in production. Three systems operated under third-party vendor agreements that restrict disclosure. We are working with vendors to enable disclosure in next year's report.' Readers who discover undisclosed systems will question everything in the report; readers who see honest scope limitations will trust the disclosed content more.\"\n", "antipattern": "Publishing a transparency report that does not disclose its own scope limitations — implying complete coverage when significant AI systems are excluded.\n" }, "robustness": { "description": "The report discloses the organization's approach to AI system safety and security testing — including what testing was conducted, by whom, and what the results indicated — not just that testing occurred.\n", "example": "AI: \"For robustness disclosure, three elements: (1) Testing scope — which systems were tested for safety and security, and which were not? (2) Methodology — was testing internal, third-party, or regulatory? Third-party testing is more credible. 
(3) Material findings — were any significant safety or security issues found? If so, what was the remediation? Disclosing a finding and its remediation demonstrates a mature program; concealing it creates legal and reputational risk if the issue is later discovered externally.\"\n", "antipattern": "Stating 'all AI systems undergo rigorous testing' without specifying what was tested, by whom, and what the results were — making the claim unverifiable and therefore meaningless.\n" }, "accountability": { "description": "The report names who is accountable for the organization's AI program, what governance structures exist, and how stakeholders can raise concerns — with a commitment to respond to feedback before the next report.\n", "example": "AI closes the reporting cycle: \"Accountability section structure: (1) Named AI leadership — the executive responsible for AI governance and their reporting line. (2) Governance bodies — AI ethics committee, board oversight item, internal audit scope. (3) Incident summary — how many AI incidents occurred, how many were resolved, and what systemic changes resulted. (4) Stakeholder engagement — how did the organization gather external input for this report? 
(5) Contact for feedback — a named channel for stakeholders to respond to this report, with a commitment to acknowledge receipt within 30 days.\"\n", "antipattern": "Publishing an AI transparency report with no named executive, no governance disclosure, no incident summary, and no way for stakeholders to provide feedback — making 'accountability' a heading rather than a reality.\n" } }, "score_hints": { "inclusive-growth": 0.2, "human-centred": 0.2, "transparency": 0.25, "robustness": 0.15, "accountability": 0.2 }, "summary": "Produce a data-backed AI transparency report: equity disclosures with measurable targets, named human rights and protection mechanisms, explicit scope limitations, robustness testing results, and a named accountability structure with a stakeholder feedback channel.", "tags": [ "transparency-reporting", "enterprise", "oecd", "responsible-ai", "disclosure" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Equity data is gathered and converted from assertions to evidence → human rights implications are named and protection measures disclosed → report scope limitations are explicitly disclosed → robustness testing results are summarized with methodology → accountability structure and feedback mechanism close the report. Loops back to inclusive-growth if rights impact assessment reveals equity gaps not captured in the initial data pull.\n", "sequence": [ { "step": 1, "d": "inclusive-growth", "label": "Convert equity commitments to data-backed disclosures", "example_prompts": [ { "speaker": "human", "text": "We want to publish our first AI transparency report. The draft says we are 'committed to equitable AI.' How do we make this substantive?" }, { "speaker": "ai", "text": "Three data requests to replace the commitment statement: (1) Pull disparity audit results for each AI system — do they exist? If not, note the gap and commit to conducting them by a named date. (2) For systems with audits, what were the disparity ratios and what actions were taken? (3) What is the measurable equity target for next year — e.g., 'reduce disparity ratio in hiring AI from 1.34 to below 1.15 by Q4'? 
A report with one specific target and its baseline is more credible than five pages of aspirational language." }, { "speaker": "human", "text": "Hiring AI disparity ratio: 1.34. Credit AI: no audit conducted. Equity target: hiring AI ratio below 1.15 by Q4." } ], "triggers_next": "Equity data gathered; targets set; audit gaps disclosed." }, { "step": 2, "d": "human-centred", "label": "Name rights at stake and disclose protection mechanisms", "example_prompts": [ { "speaker": "human", "text": "Which human rights should we reference in the report?" }, { "speaker": "ai", "text": "Map your AI systems to rights: (1) Hiring AI — right to non-discrimination (Article 21, EU Charter; Title VII equivalent in US); right to explanation for automated decisions (GDPR Article 22). (2) Credit AI — right to non-discrimination; right to human review of automated credit decisions. (3) Customer analytics AI — right to privacy and data protection. For each right, document: what mechanism protects it? Has a rights impact assessment been conducted? If no assessment exists, say so and commit to one — that honest disclosure is more credible than vague assurance." }, { "speaker": "human", "text": "No formal rights impact assessment has been conducted. We'll disclose this and commit to one for hiring AI by Q2." } ], "triggers_next": "Rights at stake named; protection mechanisms disclosed; assessment gaps acknowledged.", "loop_back": { "to": "inclusive-growth", "condition": "Rights impact assessment reveals equity gaps not captured in the initial disparity data.", "reason": "Equity section must be updated to reflect rights-based findings." } }, { "step": 3, "d": "transparency", "label": "Disclose report scope and limitations explicitly", "example_prompts": [ { "speaker": "human", "text": "Three of our AI systems are covered by vendor NDAs. Do we include them?" }, { "speaker": "ai", "text": "Disclose the limitation explicitly: 'This report covers eight of eleven AI systems in production. 
Three systems are operated under third-party vendor agreements that currently restrict public disclosure. We are engaging vendors to enable disclosure in next year's report.' This is the right approach for three reasons: (1) Stakeholders who find the undisclosed systems will question the entire report. (2) Named limitations signal a mature transparency program. (3) The vendor engagement commitment creates accountability for next year's disclosure. Add the three system categories without identifying the vendors if NDA permits." }, { "speaker": "human", "text": "Scope limitation section drafted with vendor engagement commitment." } ], "triggers_next": "Report scope and limitations explicitly disclosed." }, { "step": 4, "d": "robustness", "label": "Summarize testing methodology and material findings", "example_prompts": [ { "speaker": "human", "text": "Our security team ran penetration tests on four AI systems. Should we disclose results?" }, { "speaker": "ai", "text": "Disclose at the finding level, not the vulnerability level: 'Four AI systems underwent third-party penetration testing in Q2. Two systems had findings that were remediated within 30 days of discovery. No findings remain open.' This discloses that testing occurred, that issues were found and fixed, and that nothing is outstanding — without providing a map for attackers. If a finding is still open, say so with its severity and target remediation date. Concealing open findings in a transparency report creates legal exposure if the vulnerability is later exploited." }, { "speaker": "human", "text": "Two findings, both remediated. Summary language drafted for robustness section." } ], "triggers_next": "Testing methodology and material findings summarized without operational security risk." }, { "step": 5, "d": "accountability", "label": "Name executives, governance bodies, and feedback channel", "example_prompts": [ { "speaker": "human", "text": "How do we close the report with genuine accountability?" 
}, { "speaker": "ai", "text": "Accountability section: (1) Named AI executive — 'AI governance is the responsibility of [Name], Chief Technology Officer, reporting to the CEO and the Board Governance Committee.' (2) Governance bodies — AI Ethics Committee (members listed by role, not name if preferred), meets quarterly, has pause authority for high-risk deployments. (3) Incident summary — '3 AI incidents logged in the reporting period; all resolved; 1 systemic process change resulted.' (4) Stakeholder engagement — 'This report was reviewed by an external civil society organization before publication.' (5) Feedback channel — 'Submit feedback at [email/form]; we commit to acknowledging receipt within 30 days and publishing a summary of feedback received in next year's report.'" }, { "speaker": "human", "text": "Accountability section complete. Report ready for executive review before publication." } ], "triggers_next": "Report complete with named accountability, incident summary, and feedback channel.", "can_restart": true } ], "transitions": [ { "from": "inclusive-growth", "to": "human-centred", "trigger": "Equity data gathered and targets set." }, { "from": "human-centred", "to": "inclusive-growth", "trigger": "Rights assessment reveals equity gaps not in initial data.", "is_loop_back": true }, { "from": "human-centred", "to": "transparency", "trigger": "Rights implications named and protection mechanisms disclosed." }, { "from": "transparency", "to": "robustness", "trigger": "Scope limitations explicitly disclosed." }, { "from": "robustness", "to": "accountability", "trigger": "Testing methodology and findings summarized." 
}, { "from": "accountability", "to": "inclusive-growth", "trigger": "Annual reporting cycle — begin data collection for next report.", "is_cycle_restart": true } ] } }, { "id": "ai-vendor-governance", "framework_id": "nist-ai-rmf", "title": "Third-Party AI Vendor Governance", "domain": "enterprise", "file": "enterprise-ai-vendor-governance.yaml", "dimensions": { "govern": { "description": "The enterprise defines what governance requirements apply to third-party AI vendors — minimum documentation standards, audit rights, incident notification obligations, and the internal owner responsible for vendor AI risk throughout the contract lifecycle.\n", "example": "Procurement lead: \"Before we evaluate any vendor, we need to confirm our minimum governance requirements: What AI documentation must vendors provide? Do we have audit rights in the contract? Who internally owns this vendor relationship for AI risk? Without these baselines, every vendor assessment will be inconsistent.\"\n", "antipattern": "Evaluating vendors on functionality and price without establishing governance baselines — signing contracts that grant no audit rights and impose no AI risk notification obligations on the vendor.\n" }, "map": { "description": "The team maps risks introduced by the vendor's AI: data handling practices, model opacity, supply chain dependencies, jurisdictional exposure, and what happens to the enterprise's risk posture if the vendor is acquired, changes its model, or has an incident.\n", "example": "AI: \"For this vendor, I can map six risk areas: (1) Data residency — where is your data processed and stored? (2) Model transparency — can you inspect or audit the model? (3) Vendor concentration risk — how dependent would you be on this single supplier? (4) Supply chain — what third parties does the vendor rely on? (5) Regulatory exposure — does using this vendor trigger AI regulation obligations for you? (6) Continuity risk — what happens if the vendor exits this product? 
Which are in scope?\"\n", "antipattern": "Mapping only the vendor's feature set and price, and ignoring the risk that the vendor's AI practices introduce into the buyer's own risk and compliance posture.\n" }, "measure": { "description": "The team scores each vendor risk area using evidence from the vendor's documentation, security questionnaire, third-party audits, and reference checks — not marketing materials or verbal assurances.\n", "example": "Human: \"Vendor claims their model is 'fair and unbiased.' How do we score the fairness risk?\" AI: \"A claim is not evidence. Ask for: (1) A third-party bias audit report, not older than 12 months. (2) Disparity metrics across the demographic groups relevant to your use case. (3) Their process for updating the model when disparity is detected. If they cannot provide these, score fairness risk as High and unknown — which is worse than a known High.\"\n", "antipattern": "Accepting vendor self-attestation as evidence for risk scoring, especially for fairness, security, and regulatory compliance claims.\n" }, "manage": { "description": "The team converts risk assessment outcomes into contractual obligations, operational controls, and ongoing monitoring requirements — including the right to audit, incident notification windows, and exit provisions.\n", "example": "AI: \"Based on the risk scores, here are the contract provisions I recommend: (1) Data residency — explicitly named jurisdictions in the DPA. (2) Audit rights — annual audit right with 30-day notice. (3) Incident notification — 48-hour notification SLA for any AI incident affecting your data or outputs. (4) Model change notification — 30-day notice before any material model update. 
(5) Exit provision — data portability and 90-day transition support.\"\n", "antipattern": "Completing the vendor risk assessment and then handing off to legal with no specific contract requirements derived from the risk findings — allowing standard contract terms to override the assessed risks.\n" } }, "score_hints": { "govern": 0.2, "map": 0.3, "measure": 0.3, "manage": 0.2 }, "summary": "Govern third-party AI vendors: set enterprise governance baselines before vendor contact, map vendor-introduced risks, score them with evidence rather than self-attestation, and convert findings into contract provisions and ongoing monitoring.", "tags": [ "vendor-governance", "procurement", "enterprise", "third-party-risk" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Enterprise governance baselines are set before any vendor contact → vendor-introduced risks are mapped systematically → risks are scored using evidence, not self-attestation → risk findings are converted into contract provisions and ongoing monitoring requirements. Loops back to Map if due diligence reveals undisclosed vendor dependencies.\n", "sequence": [ { "step": 1, "d": "govern", "label": "Set enterprise AI vendor governance baselines", "example_prompts": [ { "speaker": "human", "text": "We're evaluating three AI vendors for our HR screening tool. Before we start, what governance baselines do we need?" }, { "speaker": "ai", "text": "Three baselines before any vendor contact: (1) Minimum documentation requirements — what must every vendor provide? At minimum: model card or equivalent, data handling practices, most recent security audit. (2) Contract non-negotiables — audit rights, incident notification SLA, data deletion on contract termination. (3) Internal ownership — who owns this vendor relationship for AI risk throughout the 3-year contract lifecycle? Name the person now, not after signature." }, { "speaker": "human", "text": "HR tech risk owner is the CHRO's office. Baselines agreed: model card required, 48-hour incident SLA, annual audit right." } ], "triggers_next": "Governance baselines defined and internal owner named." 
}, { "step": 2, "d": "map", "label": "Map risks introduced by the vendor's AI", "example_prompts": [ { "speaker": "human", "text": "Vendor A is US-based, uses a proprietary LLM, and will process EU applicant data. Map the risks." }, { "speaker": "ai", "text": "Risk map for Vendor A: (1) Data residency — EU applicant data processed by a US company triggers GDPR Chapter V (international transfers). Is a Standard Contractual Clause or adequacy decision in place? (2) Model opacity — proprietary LLM with no published model card means fairness risk is unmeasurable without a vendor disclosure. (3) Regulatory exposure — the EU AI Act classifies AI used in employment screening as high-risk. You inherit compliance obligations as the deployer. (4) Concentration risk — single vendor for a compliance-critical process. (5) Continuity — what is their exit policy?" }, { "speaker": "human", "text": "EU AI Act high-risk classification changes our obligations significantly. We need to add that to the assessment scope." } ], "triggers_next": "Vendor risk landscape fully mapped including regulatory exposure.", "loop_back": { "to": "map", "condition": "Due diligence reveals undisclosed vendor sub-processors or supply chain dependencies.", "reason": "Sub-processor risks must be mapped before scoring can be accurate." } }, { "step": 3, "d": "measure", "label": "Score each vendor risk using evidence", "example_prompts": [ { "speaker": "human", "text": "Vendor A provided a one-page 'AI ethics statement.' Is that sufficient for our fairness risk score?" }, { "speaker": "ai", "text": "No. For an HR AI classified as high-risk under the EU AI Act, you need: (1) A third-party bias audit against your jurisdiction's protected characteristics — not an internal statement. (2) Disparity metrics for gender, age, and ethnicity for the role types you'll screen. (3) Their re-training process when disparity is detected. A one-page statement scores as: evidence quality — Insufficient. 
Fairness risk — High and unknown. That is a disqualifying finding unless they provide substantive documentation within your due diligence window." }, { "speaker": "human", "text": "We'll issue a formal evidence request with a 10-business-day deadline." } ], "triggers_next": "All priority risks scored with evidence ratings and gaps documented." }, { "step": 4, "d": "manage", "label": "Convert risk findings into contract terms and monitoring plan", "example_prompts": [ { "speaker": "human", "text": "Risk assessment complete. Vendor A has high fairness risk and data residency gaps. What contract terms do we need?" }, { "speaker": "ai", "text": "Contract requirements derived from risk findings: (1) Data residency — Standard Contractual Clauses with named processing locations, no sub-processor changes without 30-day notice. (2) Fairness — annual third-party bias audit provided to buyer within 30 days of completion; material disparity findings trigger a 60-day remediation obligation. (3) EU AI Act compliance — vendor certifies conformity assessment status at contract signature and at each annual renewal. (4) Incident — 48-hour notification of any AI incident affecting buyer's data or outputs. (5) Exit — 90-day transition support, data deletion certificate within 30 days of termination. Monitoring: quarterly vendor review cadence with CHRO office." }, { "speaker": "human", "text": "These terms go to legal for contract drafting." } ], "triggers_next": "Contract provisions drafted, monitoring cadence defined, vendor risk register created.", "can_restart": true } ], "transitions": [ { "from": "govern", "to": "map", "trigger": "Governance baselines and internal owner confirmed." }, { "from": "map", "to": "measure", "trigger": "Vendor risk landscape fully mapped." 
}, { "from": "measure", "to": "map", "trigger": "Due diligence reveals undisclosed sub-processors or dependencies.", "is_loop_back": true }, { "from": "measure", "to": "manage", "trigger": "All priority risks scored with evidence." }, { "from": "manage", "to": "govern", "trigger": "Contract renewal or new vendor triggers a new assessment cycle.", "is_cycle_restart": true } ] } }, { "id": "aims-implementation", "framework_id": "iso-42001", "title": "AI Management System Implementation", "domain": "enterprise", "file": "enterprise-aims-implementation.yaml", "dimensions": { "context": { "description": "The organization defines the internal and external context for the AIMS: which AI systems are in scope, who the relevant stakeholders are, what legal and regulatory obligations apply, and where the organization's current AI practices stand relative to the standard's requirements.\n", "example": "Project lead: \"We run five AI systems in production. How do we determine which are in scope for the AIMS?\" AI: \"ISO 42001 scoping requires you to assess three factors: (1) Which AI systems are you responsible for as the developer or deployer? (2) What is the potential impact of each system — high-impact systems (those affecting employment, credit, healthcare) should be in scope regardless of size. (3) What are your legal obligations — does any jurisdiction require you to have an AI management system? 
Start with a gap assessment: map each of the five systems against these criteria.\"\n", "antipattern": "Scoping the AIMS to only the systems that are easiest to document, while excluding higher-risk systems that require more effort — producing a certified AIMS that does not cover the organization's material AI risks.\n" }, "leadership": { "description": "Top management demonstrates commitment to the AIMS by approving an AI policy, assigning roles and responsibilities, providing resources, and integrating the AIMS into the organization's existing management system structure.\n", "example": "AI: \"For the ISO 42001 leadership requirements, the CEO or equivalent must: (1) Approve the AI policy in writing — not delegate approval. (2) Name an AI management representative with the authority to make AIMS decisions without seeking approval for each action. (3) Allocate a budget for AIMS implementation, maintenance, and certification. (4) Integrate AI risk into the existing enterprise risk management reporting cadence. Has leadership explicitly committed to these four?\"\n", "antipattern": "Delegating AIMS implementation entirely to a technical team without top management commitment — producing an AIMS that has no authority to enforce AI policy across business units.\n" }, "planning": { "description": "The organization conducts an AI risk and opportunity assessment scoped to all in-scope AI systems, sets measurable AI objectives, and produces treatment plans for identified risks — all documented as formal inputs to the AIMS operational stage.\n", "example": "Human: \"We've scoped five systems and have leadership commitment. What does the risk assessment look like for ISO 42001?\" AI: \"ISO 42001 risk assessment has two layers: (1) AIMS-level risks — what could prevent the management system itself from working? (e.g., inadequate documentation, key-person dependency, regulatory change.) 
(2) AI system-level risks — what risks does each AI system pose to the organization and to affected parties? For each AI system, document: system purpose, affected parties, risk categories (fairness, safety, privacy, operational), likelihood, impact, and treatment option.\"\n", "antipattern": "Producing an AIMS risk register that describes risks in general terms without linking each risk to a specific AI system and a specific treatment action — creating a compliance document rather than a decision tool.\n" }, "operation": { "description": "The organization implements controlled processes for AI development and deployment, including documentation requirements, change management, supplier AI requirements, and incident handling — all within the AIMS governance structure.\n", "example": "AI: \"For AIMS operation, I recommend implementing four process controls in the first 90 days: (1) AI system lifecycle documentation — model card or equivalent required before any AI system is deployed to production. (2) Change control — material AI system changes require a documented impact assessment before deployment. (3) Supplier AI requirements — third-party AI vendors must meet your AI policy minimums as a contract condition. 
(4) Incident logging — all AI incidents are logged and reviewed monthly by the AI management representative.\"\n", "antipattern": "Implementing AIMS documentation requirements without change control — allowing AI systems to be updated post-documentation without triggering a documentation update, leaving the AIMS records diverged from reality.\n" }, "performance": { "description": "The organization monitors AIMS effectiveness through KPIs, conducts the first internal audit within the implementation timeline, holds a management review that formally assesses AIMS performance, and identifies nonconformities for corrective action.\n", "example": "AI closes the implementation cycle: \"For the first internal audit, audit three areas: (1) Clause conformity — are all required AIMS elements implemented? (2) Operational effectiveness — are the process controls working as designed? Pull three AI system records and verify they meet the documentation requirements. (3) Risk register currency — are the risk entries up to date? Have treatments been implemented on schedule? Audit findings feed the first management review, which must produce a formal AIMS effectiveness decision from top management.\"\n", "antipattern": "Scheduling the first internal audit only in the week before the external certification assessment — treating it as a rehearsal rather than a genuine performance check.\n" } }, "score_hints": { "context": 0.2, "leadership": 0.2, "planning": 0.25, "operation": 0.25, "performance": 0.1 }, "summary": "Implement an ISO 42001 AI management system: define scope with a gap assessment, secure top management commitment and an approved AI policy, assess risks and set measurable objectives, implement operational process controls, and verify effectiveness through a first internal audit and management review.", "tags": [ "iso-42001", "aims", "enterprise", "certification", "management-system" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "AIMS scope and gap assessment completed → leadership commitment and AI policy approved → risk assessment and objectives set → operational controls implemented → first internal audit conducted and management review held. 
Loops back to planning if operational implementation reveals unscoped risks.\n", "sequence": [ { "step": 1, "d": "context", "label": "Define AIMS scope and conduct gap assessment", "example_prompts": [ { "speaker": "human", "text": "We want to implement ISO 42001. Where do we start?" }, { "speaker": "ai", "text": "Start with a context and gap assessment before any documentation work. Three outputs needed: (1) AIMS scope document — which AI systems, which organizational units, which jurisdictions are in scope. (2) Interested parties register — who has a stake in the organization's AI activities? Include regulators, customers, employees, and AI suppliers. (3) Gap assessment — for each ISO 42001 clause, what currently exists and what is missing? This gives you a prioritized implementation roadmap rather than a generic project plan." }, { "speaker": "human", "text": "Scope: five production AI systems, EU and US operations, financial services sector. Gap assessment: no formal AI policy, no AI risk register, no incident logging." } ], "triggers_next": "AIMS scope defined; gap assessment complete with prioritized gaps." }, { "step": 2, "d": "leadership", "label": "Secure top management commitment and AI policy approval", "example_prompts": [ { "speaker": "human", "text": "How do we get the right leadership commitment for ISO 42001?" }, { "speaker": "ai", "text": "ISO 42001 requires documented top management commitment — not just verbal support. Deliverables: (1) AI policy document approved and signed by CEO. Policy must include: organizational commitment to responsible AI, key AI values and prohibited uses, and a commitment to continual improvement of the AIMS. (2) AI management representative named with formal authority. (3) AIMS budget approved in the current fiscal cycle. (4) AI risk added to the board/executive risk reporting cadence. I can draft the AI policy for CEO review — do you want a one-page or full policy document?" 
}, { "speaker": "human", "text": "Full policy document please. CEO review is next week." } ], "triggers_next": "AI policy approved; AI management representative named; budget allocated." }, { "step": 3, "d": "planning", "label": "Conduct AI risk assessment and set measurable objectives", "example_prompts": [ { "speaker": "human", "text": "How do we structure the risk assessment for all five AI systems?" }, { "speaker": "ai", "text": "Use a structured risk register with six columns per system: (1) System name and purpose. (2) Affected parties — who is impacted by this system's outputs? (3) Risk categories — fairness, privacy, safety, operational, legal. (4) Likelihood and impact score (1-5 scale). (5) Treatment option — accept, mitigate, avoid, or transfer. (6) Owner and target date. For objectives: set at least three AIMS-level objectives (e.g., 100% of new AI deployments have a model card by Q3; zero unlogged AI incidents by Q2; first internal audit completed by Q4). I'll draft the risk register template." }, { "speaker": "human", "text": "Risk register drafted. Three AIMS objectives approved by AI management rep." } ], "triggers_next": "Risk register complete; measurable AIMS objectives approved.", "loop_back": { "to": "planning", "condition": "Operational implementation reveals AI systems or risk categories not captured in the initial assessment.", "reason": "Planning documents must be updated before operational records can be accurate." } }, { "step": 4, "d": "operation", "label": "Implement operational process controls", "example_prompts": [ { "speaker": "human", "text": "Which operational controls should we implement first?" }, { "speaker": "ai", "text": "Prioritize by risk: (1) Model card requirement — implement within 30 days; all five existing systems need retrospective cards within 60 days. (2) Change control — any material AI system change requires a documented impact assessment before deployment; implement in the CI/CD pipeline. 
(3) Incident log — create a shared log, set a monthly review meeting with the AI management rep. (4) Supplier AI requirements — add an AI policy conformance clause to all new AI vendor contracts. These four controls address the most common ISO 42001 nonconformity findings in initial certification audits." }, { "speaker": "human", "text": "All four controls implemented. Model cards complete for four of five systems." } ], "triggers_next": "Operational controls implemented and documented." }, { "step": 5, "d": "performance", "label": "Conduct first internal audit and management review", "example_prompts": [ { "speaker": "human", "text": "We're approaching the first internal audit. What should it cover?" }, { "speaker": "ai", "text": "First internal audit scope: (1) Clause conformity check — walk through all ISO 42001 clauses and verify documented evidence exists for each. (2) Operational effectiveness sample — pull three AI system records (model card, change control log, incident log) and verify they meet the documented requirements. (3) Objective progress — are the three AIMS objectives on track? (4) Risk register currency — are treatments being implemented on schedule? Audit report goes to top management for the first formal management review. The review must produce a written AIMS effectiveness conclusion — not just minutes." }, { "speaker": "human", "text": "Internal audit complete. Two minor nonconformities found. Management review scheduled." } ], "triggers_next": "Internal audit complete; management review held; corrective actions assigned.", "can_restart": true } ], "transitions": [ { "from": "context", "to": "leadership", "trigger": "AIMS scope defined and gap assessment completed." }, { "from": "leadership", "to": "planning", "trigger": "AI policy approved and AI management representative named." }, { "from": "planning", "to": "operation", "trigger": "Risk register complete and AIMS objectives approved." 
}, { "from": "operation", "to": "planning", "trigger": "New AI systems or risk categories discovered during implementation.", "is_loop_back": true }, { "from": "operation", "to": "performance", "trigger": "Operational controls implemented and documented." }, { "from": "performance", "to": "context", "trigger": "Annual AIMS review cycle — reassess context and scope.", "is_cycle_restart": true } ] } }, { "id": "eu-conformity-assessment", "framework_id": "eu-ai-act", "title": "EU AI Act Conformity Assessment", "domain": "enterprise", "file": "enterprise-eu-conformity-assessment.yaml", "dimensions": { "risk-classification": { "description": "The conformity assessment begins by confirming that the risk classification is accurate and current — verifying the Annex III basis, the intended purpose as actually deployed, and whether any post-classification changes trigger a new assessment.\n", "example": "Compliance officer: \"We classified the system as high-risk six months ago. Do we need to re-confirm before the conformity assessment?\" AI: \"Yes — the conformity assessment must be based on the current deployed configuration, not the original classification. Three re-confirmation checks: (1) Has the system's intended purpose changed since classification? A widened scope may add Annex III categories. (2) Has the system been materially updated — new training data, new model version, new deployment geography? Material changes may require a new conformity assessment. (3) Has the regulatory environment changed? New harmonized standards or Commission guidance may affect which conformity pathway applies. 
Document each check with a 'confirmed' or 'change identified' status.\"\n", "antipattern": "Running the conformity assessment against the original classification document without re-confirming that the system has not changed materially in the intervening months — producing a conformity assessment that does not match the deployed system.\n" }, "transparency": { "description": "The conformity assessment audits the technical documentation package — technical file, instructions for use, logging specification, and user notification — for completeness, accuracy, and currency against the currently deployed system.\n", "example": "AI: \"Technical file audit checklist for the conformity assessment: (1) Completeness — does the file contain all required sections under Article 11? Check against the annex listing. (2) Currency — is every section current with the deployed system version? Compare the file's version timestamps against the deployment changelog. (3) Performance metrics accuracy — do the metrics in the file match the most recent production evaluation results? Pull the current production metrics and compare. (4) Instructions for use — are they in plain language accessible to the deployer's operational staff? Have deployers reviewed them? (5) User notification — is the notification mechanism live in production? Test it.\"\n", "antipattern": "Accepting the technical file at face value without auditing it against the deployed system — certifying documentation that describes a system that no longer exists in its original form.\n" }, "human-oversight": { "description": "The conformity assessment verifies that the human oversight mechanism meets Article 14's effectiveness standard — checking design, training, override capability, and production override rate evidence.\n", "example": "Human: \"Our conformity assessment auditor asked for evidence that human oversight is 'effective' under Article 14. 
What do we provide?\" AI: \"Four evidence items for Article 14 effectiveness: (1) Override capability — demonstrate the override function in a screen recording of the production system; show that an operator can pause or override the AI output without technical barriers. (2) Training records — provide completion records for all current operators showing they completed the oversight training program, including the module on the system's known failure modes. (3) Production override data — pull the past 90 days of override events: count, rate, and a sample of 5 override decisions with the documented reason for each. (4) Operator survey — a brief survey asking operators: do they feel they understand the system's limitations well enough to know when to override? A confidence score below 70% is a red flag.\"\n", "antipattern": "Providing only the written oversight procedure as Article 14 evidence — demonstrating how oversight is supposed to work rather than evidence that it actually works in production.\n" }, "robustness": { "description": "The conformity assessment verifies that the robustness evidence meets the technical standards applicable to the system — checking whether harmonized standards were applied, what the current production performance metrics show, and whether cybersecurity is current.\n", "example": "AI: \"Robustness conformity check: (1) Harmonized standards — which harmonized European standard or common specification was applied? If no harmonized standard exists for the specific domain, document the alternative technical solution and its equivalence justification. (2) Performance currency — pull current production metrics, not just pre-deployment test results. High-risk systems must demonstrate continued accuracy in production, not just at launch. (3) Cybersecurity currency — is the penetration test result still valid (less than 12 months)? If not, commission a new test before the conformity assessment is closed. 
(4) Fairness metrics — are subgroup performance metrics still within the acceptable range in production? Model drift can widen disparity gaps post-deployment.\"\n", "antipattern": "Submitting pre-deployment robustness evidence for a conformity assessment of a system that has been in production for months — missing the possibility that model drift or production conditions have degraded performance below conformity thresholds.\n" }, "governance": { "description": "The conformity assessment produces the formal outputs required for lawful market deployment: the completed assessment record, the Declaration of Conformity, EU database registration confirmation, and the operational post-market monitoring system.\n", "example": "AI closes the conformity cycle: \"Conformity assessment closure: (1) Assessment record — document the assessment process: who conducted it, what was reviewed, what findings were identified and how resolved, and the final conformity conclusion. Retain for 10 years. (2) Declaration of Conformity — signed by the provider's authorized representative; includes system identification, conformity assessment basis, and applied standards. (3) EU database entry — verify the registration is current and complete; update if system details have changed since initial registration. (4) Post-market monitoring activation — confirm the monitoring system is live, the first review is scheduled, and the incident reporting escalation path has been tested end-to-end. 
Deployment is lawful when all four are complete.\"\n", "antipattern": "Signing the Declaration of Conformity before all assessment findings are resolved — treating the declaration as the last step in a checklist rather than the formal attestation that all requirements are met.\n" } }, "score_hints": { "risk-classification": 0.15, "transparency": 0.25, "human-oversight": 0.25, "robustness": 0.2, "governance": 0.15 }, "summary": "", "tags": [ "eu-ai-act", "conformity-assessment", "enterprise", "compliance", "high-risk" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Classification currency is re-confirmed before assessment begins → technical documentation is audited for completeness and currency → human oversight effectiveness is verified with production evidence → robustness evidence is checked for currency and standard alignment → assessment record, Declaration of Conformity, and database registration complete the governance closure.\n", "sequence": [ { "step": 1, "d": "risk-classification", "label": "Re-confirm classification currency before assessment", "example_prompts": [ { "speaker": "human", "text": "We're starting the conformity assessment for our hiring AI. Where do we begin?" }, { "speaker": "ai", "text": "Before any assessment work: re-confirm the classification is still accurate. Three checks: (1) System changes — pull the change log since the original classification. Any material change (new training data, new model version, new deployment geography) requires a classification review before the assessment proceeds. (2) Scope changes — has the system been used for purposes beyond the originally classified use? If yes, additional Annex III entries may apply. (3) Regulatory updates — have any Commission delegated acts or guidance documents been issued since the original classification that affect the Annex III interpretation for employment AI? Document each check with a status." 
}, { "speaker": "human", "text": "Classification confirmed current. One model update in the past 6 months — assessed as non-material. No scope changes. EU AI Office issued guidance on employment AI — reviewed and classification unaffected." } ], "triggers_next": "Classification currency confirmed; non-material change documented." }, { "step": 2, "d": "transparency", "label": "Audit technical documentation for completeness and currency", "example_prompts": [ { "speaker": "human", "text": "We have a technical file from the initial deployment. What do we audit?" }, { "speaker": "ai", "text": "Technical file audit — four checks: (1) Section completeness — walk through Article 11 Annex IV: does each required section exist? Flag missing sections as major findings. (2) Version currency — for each section, compare the document version date to the deployment changelog. Any section not updated since the last material change is a currency finding. (3) Performance metrics — pull current production evaluation results and compare to the metrics in the technical file. If production metrics have degraded more than 5% from the file's figures, update required. (4) User notification — test the notification mechanism in production: do applicants receive notification that AI is used in screening? Provide a test log as evidence." }, { "speaker": "human", "text": "Section completeness: all sections present. Currency issue: performance metrics section last updated 8 months ago. Notification: live and tested." } ], "triggers_next": "Technical file audit complete — performance metrics section requires update." }, { "step": 3, "d": "human-oversight", "label": "Verify oversight effectiveness with production evidence", "example_prompts": [ { "speaker": "human", "text": "The auditor wants Article 14 effectiveness evidence. What do we produce?" 
}, { "speaker": "ai", "text": "Four evidence items: (1) Override function demonstration — screen recording of an operator using the override in the production system (with test data). Duration: under 3 minutes. Shows: how the override is accessed, what information the operator sees, and what happens after override. (2) Training completion records — list of all current operators with training completion date and assessment score. Flag any operator with completion more than 18 months ago — refresher training may be required. (3) Override rate data — past 90 days: total AI recommendations, total overrides, override rate. Provide a table broken down by operator and week. (4) Operator survey results — what percentage of operators report confidence in knowing when to override? If below 70%, this is an Article 14 finding." }, { "speaker": "human", "text": "Override rate: 11%. Operator confidence: 82%. Training records current for all 12 operators." } ], "triggers_next": "Human oversight effectiveness evidenced — all four items compiled.", "loop_back": { "to": "risk-classification", "condition": "Oversight evidence reveals the system is being used in additional deployment contexts not covered by the current classification.", "reason": "New deployment contexts require classification re-review before the assessment can be completed." } }, { "step": 4, "d": "robustness", "label": "Verify robustness evidence currency and standard alignment", "example_prompts": [ { "speaker": "human", "text": "Our pre-deployment bias audit is 14 months old. Is it still valid for the conformity assessment?" }, { "speaker": "ai", "text": "A 14-month-old bias audit has two issues: (1) Currency — 12 months is the practical freshness threshold for employment AI bias audits; 14 months is borderline. Check if there have been model updates or population shifts in the past 14 months that could have changed the disparity profile. 
(2) Standard alignment — does the audit methodology align with any harmonized standard or Commission guidance issued in the past 14 months? If new guidance specifies a different disparity metric, the old audit may not satisfy it. Recommendation: commission a refresh audit scoped to the current production model version; it will be faster than the original since the methodology is established. The 14-month gap is a manageable finding, not a blocker, if you can show it was reviewed and no material change is expected." }, { "speaker": "human", "text": "Refresh bias audit commissioned. Cybersecurity penetration test: 9 months old — still valid." } ], "triggers_next": "Robustness evidence plan in place; refresh audit underway." }, { "step": 5, "d": "governance", "label": "Complete assessment record and conformity declaration", "example_prompts": [ { "speaker": "human", "text": "All findings are resolved. How do we close the conformity assessment?" }, { "speaker": "ai", "text": "Four closure actions: (1) Assessment record — document: assessment scope, methodology, all findings identified, evidence reviewed for each finding, resolution status. The record must be signed by the assessment lead and retained for 10 years. (2) Open findings — confirm all findings from steps 2-4 are resolved: technical file performance metrics updated, refresh bias audit complete and results acceptable, operator training refresh scheduled. No Declaration of Conformity until all major findings are closed. (3) Declaration of Conformity — signed by the provider's authorized representative. Contains: system name and version, Annex III basis, conformity assessment route, applied standards, assessment date, and authorized representative name and address. (4) EU database update — if any system details changed since initial registration (version, deployment scope), update the database entry. Confirm registration is current." }, { "speaker": "human", "text": "All findings closed. Declaration signed. 
EU database updated. Post-market monitoring active." } ], "triggers_next": "Conformity assessment complete; deployment lawful.", "can_restart": true } ], "transitions": [ { "from": "risk-classification", "to": "transparency", "trigger": "Classification currency confirmed." }, { "from": "transparency", "to": "human-oversight", "trigger": "Technical documentation audit complete." }, { "from": "human-oversight", "to": "risk-classification", "trigger": "New deployment contexts discovered — classification re-review required.", "is_loop_back": true }, { "from": "human-oversight", "to": "robustness", "trigger": "Oversight effectiveness evidenced." }, { "from": "robustness", "to": "governance", "trigger": "Robustness evidence plan in place." }, { "from": "governance", "to": "risk-classification", "trigger": "Material system change triggers new conformity assessment cycle.", "is_cycle_restart": true } ] } }, { "id": "responsible-ai-deployment", "framework_id": "wef-responsible-ai", "title": "Responsible AI Deployment", "domain": "enterprise", "file": "enterprise-responsible-ai-deployment.yaml", "dimensions": { "strategy": { "description": "Before engineering begins, the deployment is evaluated against the organization's AI strategy — confirming it serves the mission, is consistent with stated values, and would pass the organization's own purpose test.\n", "example": "Product manager: \"We want to add an AI feature that recommends premium subscription upgrades to users based on their engagement patterns. Does this pass the purpose test?\" AI: \"Apply the purpose test: (1) Who is the primary beneficiary — the user getting a relevant recommendation, or the organization increasing revenue? If the recommendation is optimized for conversion rather than user value, the primary beneficiary is the organization. (2) Is this consistent with your stated AI values? Pull your AI policy and check. 
(3) If this feature were reported in a consumer protection context tomorrow, would it be defensible? A recommendation engine that targets high-engagement users for upselling — particularly if those users are in vulnerable demographics — may not be. Flag for ethics review.\"\n", "antipattern": "Beginning engineering work on an AI feature before evaluating whether it serves the organization's stated purpose — discovering mission alignment issues when the feature is already built and deployment pressure is high.\n" }, "governance": { "description": "The deployment passes through the organization's ethics review gate — with a completed intake form, a board decision, and any conditions documented in the deployment plan before a single line of production code is written.\n", "example": "AI: \"Governance checklist for this deployment: (1) Ethics intake form completed — does the feature trigger mandatory review criteria? If it targets behavior patterns linked to engagement (potentially addictive behavior), it may trigger the 'individual impact in a sensitive context' criterion. (2) Ethics board review — if triggered, submit the intake form before engineering sprint planning. 
(3) Conditions documented — if the board approves with conditions (e.g., exclude users below a usage frequency threshold), those conditions are written into the product spec as non-negotiable requirements, not post-launch enhancements.\"\n", "antipattern": "Submitting to ethics review after the feature is built — when conditions imposed by the board require architectural changes that are expensive to implement, creating pressure to water down or ignore the conditions.\n" }, "risk-ethics": { "description": "The product team conducts a focused ethical risk assessment before the ethics board review — identifying the three most significant ethical risks and proposed mitigations, so the board can focus on evaluation rather than discovery.\n", "example": "Human: \"The ethics intake form asks for our three biggest ethical risks. What are they for a subscription upsell AI?\" AI: \"Three material ethical risks: (1) Targeting vulnerability — if high engagement correlates with addictive behavior patterns, targeting these users for upselling raises a harm question. Mitigation: exclude users flagged by the safety or wellness team. (2) Dark patterns — if the recommendation is displayed in a way that makes it hard to dismiss, it may cross into manipulative design. Mitigation: design review with UX ethics checklist. (3) Data use beyond original consent — were users told their engagement data would be used for upsell targeting? 
Mitigation: check consent terms; add explicit disclosure if not covered.\"\n", "antipattern": "Listing only compliance risks (GDPR, data minimization) in the ethics assessment while omitting behavioral and mission alignment risks — producing a legally safe product that is ethically questionable.\n" }, "implementation": { "description": "Ethics board conditions are implemented as engineering requirements — not as optional enhancements — and the deployment includes responsible AI operational controls: fairness checks, bias testing, and a documented override pathway for the ethics conditions.\n", "example": "AI: \"Ethics conditions to engineering requirements: (1) Exclusion list — 'Exclude users in the safety flag category from recommendation targeting' becomes: a safety_flag boolean check in the recommendation service, tested in CI, and verified in the deployment QA checklist. (2) Disclosure — 'Add explicit disclosure that engagement data is used for recommendations' becomes: a UI string approved by legal and product, required on the recommendation card before launch. (3) Override monitoring — set up a dashboard tracking exclusion list coverage and disclosure click-through rate. 
Any deviation from expected metrics triggers a responsible AI incident.\"\n", "antipattern": "Documenting ethics board conditions in a decision log but not converting them into engineering tickets with acceptance criteria — allowing conditions to be 'completed' without verification that they were actually implemented.\n" }, "accountability": { "description": "Ninety days post-launch, the product team reports back to the ethics board with outcome data — verifying that conditions were met, that no unexpected ethical harms emerged, and that the feature is performing consistently with the responsible AI commitments made before deployment.\n", "example": "AI closes the cycle: \"90-day accountability report structure: (1) Condition verification — for each ethics board condition, provide evidence of implementation: exclusion list coverage rate, disclosure display rate. (2) Outcome metrics — what happened? Conversion rate, exclusion rate, and any complaints or escalations related to the feature. (3) Unexpected harms — were any ethical issues identified post-launch that were not anticipated in the risk assessment? If yes, what action was taken? (4) Forward plan — is the feature performing within the ethical parameters approved? Any changes planned that would require a new ethics review? 
The 90-day report is the accountability mechanism that closes the loop — without it, deployment is a one-way gate.\"\n", "antipattern": "Treating the ethics board approval as permanent and never reporting back — allowing a feature to evolve post-launch in ways that move it outside the ethical parameters it was approved under, with no governance visibility.\n" } }, "score_hints": { "strategy": 0.2, "governance": 0.25, "risk-ethics": 0.2, "implementation": 0.25, "accountability": 0.1 }, "summary": "", "tags": [ "responsible-ai", "deployment", "enterprise", "wef", "product" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Deployment passes purpose test before engineering begins → ethics intake form and board review completed before sprint planning → product team conducts focused ethical risk assessment as board input → ethics conditions are converted to engineering requirements → 90-day post-launch accountability report closes the loop. Loops back to governance if risk assessment reveals risks requiring board guidance before conditions can be specified.\n", "sequence": [ { "step": 1, "d": "strategy", "label": "Apply purpose test before engineering begins", "example_prompts": [ { "speaker": "human", "text": "We're planning an AI feature for the next sprint. What's the responsible AI process?" }, { "speaker": "ai", "text": "Before any sprint planning: apply the purpose test to the feature. Three questions: (1) Does this feature primarily serve the user or primarily serve the organization's financial metrics? If the answer is unclear or mixed, that is a flag. (2) Is this feature consistent with the organization's AI policy commitments — specifically the values and prohibited use cases listed? (3) If a journalist covered this feature in the context of 'AI companies manipulating users,' would we be comfortable with how it is described? 
If the answer to any of these is 'no' or 'uncertain,' the feature requires ethics board review before sprint planning. Document the purpose test result in the feature spec." }, { "speaker": "human", "text": "Purpose test result: primary beneficiary is mixed — some user value, some upsell optimization. Flagged for ethics review before sprint." } ], "triggers_next": "Purpose test completed; feature flagged for ethics review." }, { "step": 2, "d": "governance", "label": "Complete ethics intake and obtain board decision", "example_prompts": [ { "speaker": "human", "text": "We need to submit to the ethics board. What does the intake form need?" }, { "speaker": "ai", "text": "One-page intake form: (1) Feature description — what does the AI do, what data does it use, who are the users? (2) Mandatory review trigger — which criterion triggered review? (3) Three ethical risks — the product team's own assessment of the top three risks. (4) Proposed mitigations — what has the product team already designed to address each risk? (5) Timeline — when is the feature planned for launch? The board needs 72 hours minimum for async review; 5 business days for a full session. Submit now — before sprint planning, not after the sprint is 80% complete." }, { "speaker": "human", "text": "Intake form submitted. Board async review requested. 72-hour window started." } ], "triggers_next": "Ethics intake submitted; board review in progress.", "loop_back": { "to": "risk-ethics", "condition": "Board requests additional risk analysis before issuing a decision.", "reason": "Board guidance on specific risk dimensions must inform the risk assessment before conditions can be set." } }, { "step": 3, "d": "risk-ethics", "label": "Conduct focused ethical risk assessment as board input", "example_prompts": [ { "speaker": "human", "text": "The board wants a deeper risk analysis on the targeting and data consent risks. What do we provide?" 
}, { "speaker": "ai", "text": "For targeting risk: (1) Pull engagement distribution data — what percentage of targeted users are in the top 10% of engagement? Is that distribution correlated with any demographic variables? (2) Define 'high engagement' operationally — is it time spent, frequency, or a behavioral pattern? If time spent, is there a threshold above which targeting becomes potentially exploitative? (3) For data consent: pull the current consent terms — what did users consent to when they signed up? Provide the exact text to the board. If engagement data for targeting is not covered, identify when the next consent refresh is scheduled. The board needs evidence, not narrative." }, { "speaker": "human", "text": "Engagement data: top 10% skews younger, 18-24 demographic. Consent terms: engagement data for targeting not explicitly covered. Both findings submitted to board." } ], "triggers_next": "Risk analysis with evidence submitted to board." }, { "step": 4, "d": "implementation", "label": "Convert ethics conditions to engineering requirements", "example_prompts": [ { "speaker": "human", "text": "The board approved with three conditions. How do we make sure they are implemented?" }, { "speaker": "ai", "text": "Convert each condition to an engineering ticket with an acceptance criterion: (1) Condition: 'Exclude users under 21 from targeting.' Ticket: Add age_gate check (age < 21 → exclude from recommendation cohort). Acceptance: unit test passes; QA verifies exclusion in staging with test accounts. (2) Condition: 'Update consent terms before launch.' Ticket: Legal drafts consent update; product adds consent re-affirmation flow for existing users. Acceptance: legal sign-off and consent re-affirmation completion rate >80% before feature activates. (3) Condition: 'Add responsible AI monitoring dashboard.' Ticket: Dashboard showing exclusion coverage rate and consent completion rate. Acceptance: dashboard live in production with alert thresholds set. 
No deployment gate closes until all three acceptance criteria are verified." }, { "speaker": "human", "text": "Three engineering tickets created with acceptance criteria. Added to sprint as blocking requirements." } ], "triggers_next": "Ethics conditions converted to blocking engineering requirements." }, { "step": 5, "d": "accountability", "label": "Submit 90-day post-launch accountability report", "example_prompts": [ { "speaker": "human", "text": "It's been 90 days since launch. What does the ethics board report need?" }, { "speaker": "ai", "text": "90-day report: (1) Condition verification — exclusion rate: X% of users excluded via age gate (expected >5% for 18-24 skewed user base). Consent re-affirmation rate: 87% (above 80% threshold). Monitoring dashboard: live with zero alert triggers. (2) Outcome metrics — conversion rate among targeted users: +12%. No complaints or escalations related to the feature in support tickets or social media. (3) Unexpected issues — the exclusion logic had a bug for 3 days post-launch; 340 users under 21 were incorrectly included. Bug fixed within 72 hours; incident logged. (4) Forward plan — no planned changes that would require new ethics review. Feature performing within approved parameters. This report is submitted to the board chair and logged in the decision record." }, { "speaker": "human", "text": "Report submitted. Board acknowledges and closes the review cycle." } ], "triggers_next": "90-day report submitted; ethics review cycle closed.", "can_restart": true } ], "transitions": [ { "from": "strategy", "to": "governance", "trigger": "Purpose test flags feature for ethics review." }, { "from": "governance", "to": "risk-ethics", "trigger": "Board requests additional risk analysis.", "is_loop_back": true }, { "from": "governance", "to": "implementation", "trigger": "Board approves with conditions." }, { "from": "risk-ethics", "to": "governance", "trigger": "Risk analysis with evidence submitted to board." 
}, { "from": "implementation", "to": "accountability", "trigger": "All ethics conditions implemented and verified." }, { "from": "accountability", "to": "strategy", "trigger": "Feature changes or new AI deployment trigger new cycle.", "is_cycle_restart": true } ] } } ], "general": [ { "id": "ai-cultural-heritage-preservation", "framework_id": "unesco-ai-ethics", "title": "AI for Cultural Heritage Preservation", "domain": "general", "file": "general-ai-cultural-heritage-preservation.yaml", "dimensions": { "human-dignity": { "description": "The institution ensures that AI-assisted heritage digitization and description respects the cultural dignity of source communities — including their right to determine how their heritage is represented, who has access to it, and whether certain sacred or sensitive materials should be excluded from AI processing.\n", "example": "Project lead: \"We are digitizing 40,000 ethnographic photographs using AI tagging. What dignity issues should we address?\" AI: \"Four dignity considerations before deploying AI on ethnographic materials: (1) Source community consent — have the communities whose heritage is depicted been consulted about AI processing of these images? Consent for original archiving does not extend to AI analysis. (2) Sacred or restricted materials — some communities restrict who may view certain ceremonial objects or images. AI tagging and search could make restricted materials publicly discoverable. (3) Representation — AI object recognition systems are known to mislabel and stereotype non-Western cultural objects. Human expert review by community members is required. 
(4) Repatriation alignment — if communities have outstanding repatriation claims, AI accessibility projects must not undermine those claims by creating commercial derivatives.\"\n", "antipattern": "Using AI to automate description and public access for ethnographic collections without consulting source communities — treating cultural objects as data assets rather than living heritage with community rights.\n" }, "environment": { "description": "The project chooses AI approaches that minimize computational waste — preferring efficient, task-specific models over large general-purpose ones for digitization and cataloging tasks that do not require general intelligence.\n", "example": "AI: \"For cultural heritage digitization, three efficient AI choices: (1) For optical character recognition of manuscripts — use a domain-specific OCR model trained on historical scripts rather than a large language model; the task is well-defined and the efficiency difference is significant. (2) For image tagging — a fine-tuned vision model on your specific collection domain uses a fraction of the compute of a general-purpose multimodal model. (3) For metadata generation — use AI to draft, with mandatory human expert review, rather than full automation; this reduces both compute and error costs.\"\n", "antipattern": "Deploying large general-purpose AI models for well-defined cataloging tasks (OCR, classification, tagging) where specialized efficient models would produce equivalent or better results at a fraction of the environmental cost.\n" }, "privacy": { "description": "The project protects the privacy of living individuals who may appear in heritage materials — particularly photographs — and respects community data sovereignty over materials that belong culturally to specific groups.\n", "example": "Human: \"Our collection includes photographs of living community members from the 1960s–1990s. 
Can we use AI facial recognition for cataloging?\" AI: \"No — facial recognition on living individuals without consent is a serious privacy violation under GDPR and most data protection laws, regardless of the cultural heritage context. For the photography collection: (1) Do not use facial recognition for any image that could contain living individuals. (2) For deceased individuals, check jurisdiction-specific rules — some protect images of recently deceased persons. (3) For community data sovereignty — consult with the communities whether they consider community-wide images to be personal community data requiring collective consent, not just individual consent.\"\n", "antipattern": "Using AI facial recognition on heritage photography collections on the assumption that historical context removes privacy obligations — missing both legal requirements and the deeper community sovereignty dimension.\n" }, "transparency": { "description": "The institution is transparent with the public, researchers, and source communities about what AI was used, what it produced, how it was validated, and what the known error rates and limitations are for AI-generated metadata.\n", "example": "AI: \"For the public-facing collection, add an AI disclosure banner: 'Descriptive metadata for this collection was generated with AI assistance and reviewed by human curators. AI-generated descriptions may contain errors; report corrections using the feedback link below.' For researchers, provide a methodology document: which AI tools were used, what the validation process was, and what the estimated error rate is for different material types. 
For source communities, provide a separate report in accessible language explaining what AI did and did not do to their heritage.\"\n", "antipattern": "Presenting AI-generated heritage metadata as authoritative curatorial description without disclosing its AI origin, known error rates, or the validation process — misleading researchers and the public about the metadata's reliability.\n" }, "accountability": { "description": "The project establishes a community advisory board with real authority over how AI-processed heritage materials are described, accessed, and used — including the right to request removal or restriction of specific materials.\n", "example": "AI closes the cycle: \"Community accountability governance for the heritage AI project: (1) Community advisory board — one representative per source community with materials in scope; meets quarterly; has authority to request removal, restriction, or reclassification of any item. (2) Correction pathway — public-facing feedback tool for reporting AI metadata errors; institution commits to review within 30 days. (3) Annual community report — published in accessible language describing what AI produced, what was corrected, and what will change in the next year. 
(4) Commercial use prohibition — AI-processed heritage materials may not be licensed for commercial use without separate community consent.\"\n", "antipattern": "Creating a heritage AI project with an academic advisory board of heritage scholars but no representation from the source communities whose cultural materials are being processed — producing governance that serves institutional interests over community rights.\n" } }, "score_hints": { "human-dignity": 0.35, "environment": 0.1, "privacy": 0.2, "transparency": 0.2, "accountability": 0.15 }, "summary": "The institution ensures that AI-assisted heritage digitization and description respects the cultural dignity of source communities — including their right to determine how their heritage is represented, accessed, and used.", "tags": [ "cultural-heritage", "general", "digitization", "community-rights", "unesco" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Source community consultation determines which materials may be AI-processed and under what conditions → efficient AI tools are selected to minimize environmental footprint → privacy protections are designed for living individuals and community data sovereignty → public transparency disclosure is prepared → community advisory board with real authority is established before launch.\n", "sequence": [ { "step": 1, "d": "human-dignity", "label": "Consult source communities on consent and access restrictions", "example_prompts": [ { "speaker": "human", "text": "We want to use AI to catalog 40,000 ethnographic photographs. Where do we start?" }, { "speaker": "ai", "text": "Before any AI processing: identify the source communities for each collection segment and initiate consultation. The consultation must address four questions: (1) Do community members consent to AI processing of these materials — including object recognition, automated description, and public search indexing? (2) Are any materials sacred, restricted, or ceremonially sensitive and should be excluded from AI processing? 
(3) Who from the community has authority to give consent — an individual elder, a cultural council, a formal governance body? (4) What are the community's conditions for participation — do they want co-authorship of descriptions, veto over public access, or a separate community-controlled access layer? This consultation cannot be replaced by a website notice or opt-out form." }, { "speaker": "human", "text": "Three communities identified. Two agreed to participate with restrictions. One requested all their materials be excluded from AI processing until a formal agreement is signed." } ], "triggers_next": "Community consent and access restrictions documented per collection segment." }, { "step": 2, "d": "environment", "label": "Select efficient AI tools proportionate to the task", "example_prompts": [ { "speaker": "human", "text": "Our vendor recommends using GPT-4V for image description across all 40,000 photographs. Is that the right choice?" }, { "speaker": "ai", "text": "That is likely over-engineered and environmentally wasteful for this task. For heritage photograph description, compare three options: (1) A fine-tuned domain-specific vision model trained on similar cultural collections — higher accuracy for your specific material types, significantly lower compute per image. (2) GPT-4V — high general capability but expensive and energy-intensive at 40,000 images; better suited for complex or ambiguous edge cases. (3) Hybrid — use the efficient model for 90% of straightforward images, route ambiguous or complex cases to the larger model. The hybrid approach is both the most accurate and the most environmentally responsible. Estimate compute cost for all three before deciding." }, { "speaker": "human", "text": "Hybrid approach approved. Efficient model handles standard catalog; GPT-4V handles complex or ambiguous cases." } ], "triggers_next": "AI tooling selected with environmental efficiency rationale documented." 
}, { "step": 3, "d": "privacy", "label": "Design privacy protections for individuals and community data", "example_prompts": [ { "speaker": "human", "text": "Many photographs include identifiable people, some of whom may still be living. How do we handle this?" }, { "speaker": "ai", "text": "Three-tier privacy approach: (1) Living individuals — do not use facial recognition. For photographs estimated to include living individuals (roughly 1960s onward), manually review before AI processing. If AI is used for description, configure the model to describe the scene without identifying individuals. (2) Recently deceased — check applicable law; some jurisdictions protect image rights for 70 years post-death. (3) Community data sovereignty — for materials depicting community ceremonies or practices, the entire community's collective consent is required for AI processing and public access, not just the consent of individuals pictured. Document the privacy approach per collection segment and make it auditable." }, { "speaker": "human", "text": "Facial recognition disabled. 1960s onward photographs flagged for manual review before AI processing." } ], "triggers_next": "Privacy controls implemented per collection segment with documented rationale." }, { "step": 4, "d": "transparency", "label": "Prepare AI disclosure for public, researchers, and communities", "example_prompts": [ { "speaker": "human", "text": "How do we disclose the AI's role in our catalog to different audiences?" }, { "speaker": "ai", "text": "Three disclosure levels: (1) Public-facing — banner on every AI-assisted record: 'Description generated with AI assistance and reviewed by a human curator. Estimated error rate: 8% for object classification, 12% for cultural context. Report corrections below.' (2) Researcher methodology document — AI tools used, training data sources, validation methodology, error rates by material type, and human review process. Posted in the collection's methodology section. 
(3) Community report — plain-language summary for each source community: what AI did to their heritage materials, what restrictions are enforced, and how to request corrections or restrictions. Delivered in the community's primary language if possible." }, { "speaker": "human", "text": "All three disclosure documents drafted. Community reports translated into two languages." } ], "triggers_next": "Transparency documents prepared for all three audiences.", "loop_back": { "to": "human-dignity", "condition": "Community review of AI-generated descriptions reveals systematic misrepresentation of cultural objects.", "reason": "Systematic misrepresentation is a dignity issue requiring community re-consultation before public access." } }, { "step": 5, "d": "accountability", "label": "Establish community advisory board with real authority", "example_prompts": [ { "speaker": "human", "text": "How do we build genuine community accountability into the project governance?" }, { "speaker": "ai", "text": "Community advisory board structure: (1) Composition — one representative per source community, appointed by the community (not by the institution). Two academic heritage experts. One digital rights specialist. Chair rotates annually. (2) Authority — the board has binding authority to: request removal or access restriction of any item; reject AI-generated descriptions for culturally sensitive materials; approve or reject any secondary use of the digitized collection. Recommendations must be implemented within 60 days. (3) Quarterly reporting — institution provides the board with: AI error reports, correction log, access statistics, any commercial use requests. (4) Public correction channel — anyone can report AI metadata errors; institution commits to 30-day review and public correction log." }, { "speaker": "human", "text": "Community advisory board established with binding authority charter. First meeting scheduled." 
} ], "triggers_next": "Community advisory board operational with binding authority.", "can_restart": true } ], "transitions": [ { "from": "human-dignity", "to": "environment", "trigger": "Community consent documented and access restrictions defined." }, { "from": "environment", "to": "privacy", "trigger": "AI tooling selected with environmental rationale." }, { "from": "privacy", "to": "transparency", "trigger": "Privacy controls implemented per collection segment." }, { "from": "transparency", "to": "human-dignity", "trigger": "AI descriptions show systematic cultural misrepresentation — re-consult communities.", "is_loop_back": true }, { "from": "transparency", "to": "accountability", "trigger": "Transparency documents prepared for all audiences." }, { "from": "accountability", "to": "human-dignity", "trigger": "Annual review cycle — community re-consultation on scope changes.", "is_cycle_restart": true } ] } }, { "id": "email-writing", "framework_id": "4d-framework", "title": "Professional Email Writing with AI", "domain": "general", "file": "general-email-writing.yaml", "dimensions": { "delegation": { "description": "Decide whether AI should produce the full draft or only assist with structure, tone, or phrasing. High-stakes emails (termination notices, executive communications, sensitive negotiations) should remain human-led with AI as an editor at most. Routine emails (meeting requests, status updates, acknowledgment replies) are strong candidates for full AI drafting.", "example": "A manager uses AI to draft a meeting invitation and a project status update, then writes a performance feedback email herself because it requires nuanced personal knowledge of the employee's growth journey.", "antipattern": "Delegating every email including sensitive HR communications, client dispute responses, or apology letters entirely to AI without assessing the relationship stakes or the potential for misrepresentation." 
}, "description": { "description": "Provide AI with the full context it needs to draft an effective email — recipient relationship, communication purpose, desired tone, relevant background, and any constraints on length or formality. The quality of the draft is directly proportional to the richness of the context you provide.", "example": "Prompt: 'Draft a follow-up email to Sarah Chen, our enterprise client at Meridian Corp. We met Tuesday to discuss their Q3 data migration delay. Tone: professional but warm — we have a 3-year relationship. Acknowledge the delay empathetically, confirm next steps (kick-off call Friday 2pm), and close with confidence. Keep it under 200 words.'", "antipattern": "Prompting with only: 'Write an email to my client about the project delay.' This gives AI no information about tone, relationship history, specific facts, or the desired outcome, resulting in a generic template that fails to represent the actual situation." }, "discernment": { "description": "After receiving the AI draft, carefully evaluate whether the tone matches the real relationship, whether all factual claims are accurate, whether the intent is captured correctly, and whether the email could be misinterpreted. Read it as the recipient would, not as the author.", "example": "A marketing director reviews an AI-drafted client email and notices the phrase 'as we discussed' refers to a meeting that hasn't happened yet — a factual error the AI introduced. She corrects the timeline before sending.", "antipattern": "Copying the AI draft directly into the email client and hitting send without reading it through the recipient's eyes, missing tone mismatches (e.g., too formal for a casual colleague) or factual inaccuracies introduced by the model." }, "diligence": { "description": "Take responsibility for the email you send regardless of how it was drafted. In professional contexts, consider whether AI-assisted drafting should be disclosed. 
Verify all facts, names, dates, and commitments in the email before sending. Your name on the email means you own the content.", "example": "A consultant discloses in her firm's engagement letter that AI tools assist with drafting client communications, and she maintains a personal checklist — verify dates, names, attachments, and factual claims — that she runs on every AI-assisted email before sending.", "antipattern": "Sending an AI-drafted email containing an incorrect meeting date, a misspelled client name, or a commitment you didn't actually make, because you assumed the AI had accurate information and skipped personal review." } }, "score_hints": { "delegation": 0.2, "description": 0.35, "discernment": 0.25, "diligence": 0.2 }, "summary": "Decide whether AI should produce the full draft or only assist with structure, tone, or phrasing. High-stakes emails (termination notices, executive communications, sensitive negotiations) should remain human-led with AI as an editor at most.", "tags": [ "email", "professional-communication", "drafting", "workplace" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "linear", "description": "Human delegates email drafting, provides recipient context and goal, evaluates AI draft for tone and accuracy, then sends — single-pass for routine communication.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define AI's drafting role", "example_prompts": [ { "speaker": "human", "text": "Draft a follow-up email to a prospect after a demo call. You write the body — I'll adjust the opening and sign-off." }, { "speaker": "ai", "text": "Should I include next steps or leave that for you to add?" }, { "speaker": "human", "text": "Propose next steps — I'll confirm or modify them." } ], "triggers_next": "AI's drafting scope and human adjustment responsibility agreed." 
}, { "step": 2, "d": "description", "label": "Provide recipient and goal context", "example_prompts": [ { "speaker": "human", "text": "Recipient is the VP of Engineering at a mid-size SaaS company. They seemed interested in the security features. Goal: schedule a technical deep-dive." }, { "speaker": "ai", "text": "Should I reference the specific feature they asked about?" }, { "speaker": "human", "text": "Yes — mention the SSO integration they asked about." } ], "triggers_next": "AI has recipient profile, goal, and specific talking point." }, { "step": 3, "d": "discernment", "label": "Evaluate draft for tone and accuracy", "example_prompts": [ { "speaker": "human", "text": "The opening is too casual — this is a VP, not a peer. Adjust tone." }, { "speaker": "ai", "text": "Revised to a more formal but still warm register. Does this work?" }, { "speaker": "human", "text": "Yes. Also change 'our best feature' to 'the SSO integration' — more specific." } ], "triggers_next": "Draft validated for tone, accuracy, and specificity." }, { "step": 4, "d": "diligence", "label": "Final review and send", "example_prompts": [ { "speaker": "human", "text": "Re-reading in full — looks good. Sending." }, { "speaker": "human", "text": "Logging in CRM with AI-draft tag for tracking." } ], "triggers_next": "Email sent. Next communication requires a fresh cycle." } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Drafting scope agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers draft." }, { "from": "discernment", "to": "diligence", "trigger": "Draft validated." 
}, { "from": "diligence", "to": "delegation", "trigger": "Next email — fresh cycle.", "is_cycle_restart": true } ] } }, { "id": "idea-to-action-with-ai-personas", "framework_id": "4d-framework", "title": "From Idea to Action: AI as a Complementary Expert Panel", "domain": "general", "file": "general-idea-to-action-with-ai-personas.yaml", "dimensions": { "delegation": { "description": "The human owns the idea and all decisions about direction and viability. AI is granted autonomy to roleplay expert personas and surface blind spots, but never to decide whether the idea is good or should proceed. Persona selection is negotiated explicitly at the start of each session.\n", "example": "Amara says: \"I have an idea for a community food hub. I don't have a business background. Can you act as a business model strategist and ask me the ten questions an investor would ask — but explain each one in plain language before asking it?\" AI responds: \"Understood. I'll act as a business strategist who explains jargon before using it. You decide which questions matter for your context. Ready when you are.\"\n", "antipattern": "Letting AI declare the idea \"viable\" or \"not viable\" without the human having verified the assumptions the AI used to reach that judgment.\n" }, "description": { "description": "The human describes the idea in their own words — not in technical or business language — and explicitly names what they know, what they don't know, and which expertise gaps they feel most exposed by. The AI uses this to assemble the right persona(s) for the session.\n", "example": "\"I want to create a space where local farmers sell directly to urban families. I know the neighborhood. I don't know how food regulations work, how to price things, or whether anyone has tried this and failed. 
I feel most lost on the legal and financial side.\" AI: \"I'll play three roles for you: a food-sector regulatory guide (plain language, no legal advice), a pricing strategist, and a 'what-went-wrong' researcher who will surface similar initiatives that struggled and why.\"\n", "antipattern": "AI adopting a single generic \"expert\" persona without asking which expertise gaps the human actually feels, leading to answers that are confident but miss the real blind spots.\n" }, "discernment": { "description": "The human explicitly challenges AI outputs before accepting them. For each key claim the AI makes — market size, regulatory summary, pricing model — the human asks: \"How confident are you? What would change this answer? Can you show me a counter-argument?\" AI is prompted to flag its own uncertainty rather than maintain a persona of false authority.\n", "example": "AI (as pricing strategist): \"A 15–20% margin on fresh produce is typical for direct-to-consumer models.\" Human: \"Are you sure about that? Where would that figure break down?\" AI: \"Good push. That figure holds for established platforms with volume. A new, low-volume hub could see margins squeezed to 5–8% in the first year. I'd recommend verifying this with a local food-sector operator before using it in any plan.\"\n", "antipattern": "Human accepting AI's persona-delivered facts as expert knowledge without asking for confidence levels or sources — the persona voice creates an illusion of authority that plain-text answers do not.\n" }, "diligence": { "description": "Before any idea output (pitch, plan, financial model, regulatory checklist) is used in the real world, the human must route at least one AI-generated claim per domain through a real-world check: a practitioner conversation, a public database, a regulatory body. 
The AI closes each session by naming the specific claims that need external validation and by whom.\n", "example": "AI closes the session: \"Three claims in today's session need verification before you act on them: (1) the 20% margin figure — validate with a farmer's market operator; (2) the food safety certification requirement — confirm with your local health authority; (3) the 'community hub grant' I mentioned — check availability with your municipal economic development office. These are the three things I cannot verify for you.\"\n", "antipattern": "Human treating the AI session output as a completed plan, moving to execution without validating the domain-specific claims that the AI surfaced under persona authority.\n" } }, "score_hints": { "delegation": 0.2, "description": 0.3, "discernment": 0.3, "diligence": 0.2 }, "summary": "The human owns the idea and all decisions about direction and viability. AI is granted autonomy to roleplay expert personas and surface blind spots, but never to decide whether the idea is good or should proceed.", "tags": [ "ideation", "entrepreneurship", "persona", "non-technical", "innovation", "strategy", "complementary-expertise" ], "contributor": "Dr. Faïçal CONGO", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Human shares raw idea and named gaps → AI assembles personas → AI probes and surfaces blind spots → Human challenges outputs → AI closes with a specific validation checklist → Human validates before acting. Loops back to Description if the human's framing shifts during the session.\n", "sequence": [ { "step": 1, "d": "delegation", "label": "Negotiate persona scope", "example_prompts": [ { "speaker": "human", "text": "\"I have an idea but I'm out of my depth on the business and technical sides. Can you play the roles I'm missing and ask me the hard questions without overwhelming me with jargon?\"\n" }, { "speaker": "ai", "text": "\"Yes. 
Tell me your idea in plain words, then tell me what you know well and what feels most unclear. I'll assemble the right roles and explain what each one will do before starting.\"\n" } ], "triggers_next": "Persona roles and autonomy limits agreed" }, { "step": 2, "d": "description", "label": "Human frames idea and gaps", "example_prompts": [ { "speaker": "human", "text": "\"I want to build X. I know Y. I don't know Z. The part that scares me most is [financial / legal / technical / market].\"\n" }, { "speaker": "ai", "text": "\"Understood. I'll play [role A], [role B], and [role C]. [Role A] will handle [domain]. I'll flag when I'm uncertain and ask you before making assumptions.\"\n" } ], "triggers_next": "AI has enough context to begin structured probing", "loop_back": { "to": "delegation", "condition": "Idea scope shifts significantly during probing", "reason": "Persona mix may need to change if the core idea changes" } }, { "step": 3, "d": "discernment", "label": "Human challenges AI persona outputs", "example_prompts": [ { "speaker": "human", "text": "Are you confident about that? What would make that wrong?" }, { "speaker": "ai", "text": "\"My confidence here is [low/medium/high] because [reason]. This would break down if [condition]. I'd recommend verifying [specific claim] with [specific source type] before using it.\"\n" } ], "triggers_next": "Human accepts output with named uncertainties acknowledged" }, { "step": 4, "d": "diligence", "label": "AI delivers validation checklist", "example_prompts": [ { "speaker": "ai", "text": "\"Before you act on anything from this session, validate these three claims: [claim 1] — check with [source]; [claim 2] — confirm via [source]; [claim 3] — speak to [practitioner type]. These are the things I cannot verify for you.\"\n" }, { "speaker": "human", "text": "Understood. I'll take [claim 1] to [person/source] this week." 
} ], "triggers_next": "Human has a concrete validation action for each AI-sourced claim", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Persona scope agreed and autonomy limits set" }, { "from": "description", "to": "discernment", "trigger": "AI has enough framing to begin probing" }, { "from": "discernment", "to": "diligence", "trigger": "Human has challenged outputs and acknowledged uncertainties" }, { "from": "description", "to": "delegation", "trigger": "Idea scope shifted — persona mix needs renegotiation", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "New idea dimension emerges after validation", "is_cycle_restart": true } ] } }, { "id": "iterative-refinement-loop", "framework_id": "4d-framework", "title": "Description-Discernment Iterative Refinement Loop", "domain": "general", "file": "general-iterative-refinement-loop.yaml", "dimensions": { "delegation": { "description": "Treat AI as a co-creator in an ongoing dialogue, not a one-shot command executor. The first AI output is a draft that begins a conversation, not an end product. Structure your workflow so that each AI output triggers a human evaluation, which generates a refined prompt, which produces a better output — repeating until the result meets your standard. 
This iterative posture is the fundamental AI collaboration pattern across all domains.", "example": "A product manager uses AI to draft a feature brief, evaluates it, identifies three gaps (missing user persona context, weak success metrics, no edge case consideration), feeds those gaps back into a refined prompt, gets a second draft, and repeats twice more until the brief meets her standard — treating each cycle as a productive step, not a failure.", "antipattern": "Running a single AI prompt, receiving an output that is clearly incomplete or off-target, and then either submitting that output as-is or abandoning the AI approach entirely — failing to use the iterative loop that is the actual mechanism through which AI collaboration produces quality results." }, "description": { "description": "In iterative refinement, each round of prompting is an act of description — but later rounds are more powerful because they are informed by what you learned evaluating the previous output. Describe not just what you want but what was wrong with the last version and why. Specific corrective feedback is the engine of the loop.", "example": "Round 1: 'Draft a product requirements doc for a mobile notification system.' Round 2 (after evaluation): 'The previous draft lacked user permission flow details and assumed push always on. Revise to add: (1) permission request UX at onboarding, (2) notification preference center spec, (3) opt-out flows per notification type. Keep the same structure.'", "antipattern": "After receiving a poor first output, re-prompting with an equally vague request ('Make it better' or 'Try again') rather than articulating specifically what was insufficient and why — failing to use what you learned from evaluating the first output to produce a meaningfully improved next prompt." }, "discernment": { "description": "After each AI output, conduct a structured evaluation before generating the next prompt. 
Assess accuracy against facts you know, relevance to your actual goal, completeness against your requirements, audience fit, and quality of reasoning. The discernment step is not a final judgment — it is the input to the next description. Make your evaluation explicit so you can articulate it in your refined prompt.", "example": "A writer receives an AI-drafted article section and explicitly scores it against four criteria: factual accuracy (3/5 — two claims need verification), tone (4/5 — mostly right, one paragraph too formal), completeness (2/5 — missing the key counterargument), audience fit (4/5 — appropriate vocabulary). This structured evaluation drives her next prompt precisely.", "antipattern": "Skimming AI output and forming a vague sense that 'it's not quite right' without identifying specifically what is wrong — then producing a corrective prompt that is equally vague, resulting in a marginally different output that still misses the target in the same ways." }, "diligence": { "description": "Do not ship the first AI output, or even the second, without it having survived genuine evaluative scrutiny. Document your iteration path — the prompts used, the key decisions at each evaluation, and why you accepted the final output — especially for consequential work. Iteration transparency is accountability: it shows the work was human-directed, not just human-forwarded.", "example": "A communications team maintains a prompt log for all AI-assisted client reports, recording each prompt version and the reason for the refinement. 
When a client questions a report's methodology, the team can demonstrate the three-round refinement process and the human judgment applied at each evaluation step.", "antipattern": "Accepting and submitting the first AI output that seems 'good enough' without completing even one full evaluate-refine cycle — then, when the output contains errors or misses the mark, having no record of the process and no basis for explaining why the AI's first guess was treated as a final answer." } }, "score_hints": { "delegation": 0.2, "description": 0.35, "discernment": 0.3, "diligence": 0.15 }, "summary": "Treat AI as a co-creator in an ongoing dialogue, not a one-shot command executor. The first AI output is a draft that begins a conversation, not an end product. Structure your workflow so that each AI", "tags": [ "iteration", "prompting", "workflow", "refinement" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "iterative", "description": "Human and AI iterate through multiple refinement passes — each pass establishes scope, provides richer context from prior output, evaluates quality, and commits the improvement before the next round.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define refinement goal for this pass", "example_prompts": [ { "speaker": "human", "text": "This draft is too verbose. In this pass, focus on cutting word count by 30% without losing key ideas." }, { "speaker": "ai", "text": "Should I prioritize cutting filler phrases or condensing full paragraphs?" }, { "speaker": "human", "text": "Both — flag any paragraph I should consider cutting entirely." } ], "triggers_next": "Refinement goal and cut strategy agreed for this pass." }, { "step": 2, "d": "description", "label": "Provide current artifact and refinement constraints", "example_prompts": [ { "speaker": "human", "text": "Here is the current draft. 
The core argument in section 2 must not be weakened — everything else is fair game." }, { "speaker": "ai", "text": "Is the technical terminology in section 3 intended for a specialist audience?" }, { "speaker": "human", "text": "Yes — keep the technical terms, simplify the surrounding prose." } ], "triggers_next": "AI has current artifact, non-negotiables, and simplification targets." }, { "step": 3, "d": "discernment", "label": "Evaluate refinement quality", "example_prompts": [ { "speaker": "human", "text": "The cut version of paragraph 4 loses the nuance — restore the second sentence." }, { "speaker": "ai", "text": "Restored. Overall word count is now down 28% — one more light pass would reach 30%." }, { "speaker": "human", "text": "Let's do a final light pass in the next iteration." } ], "triggers_next": "Refinement quality validated for this pass." }, { "step": 4, "d": "diligence", "label": "Commit refined version", "example_prompts": [ { "speaker": "human", "text": "Saving this version as v3. The prior version is archived." }, { "speaker": "human", "text": "Noting what was changed and why in the revision log." } ], "triggers_next": "Version committed. Next iteration targets remaining improvements.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Refinement goal for this pass agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers refined version." }, { "from": "discernment", "to": "diligence", "trigger": "Quality validated for this pass." 
}, { "from": "diligence", "to": "delegation", "trigger": "Next refinement pass — new goal.", "is_cycle_restart": true } ] } }, { "id": "problem-to-solution-with-ai-guidance", "framework_id": "4d-framework", "title": "From Problem to Solution: AI as a Structured Problem-Solving Partner", "domain": "general", "file": "general-problem-to-solution-with-ai-guidance.yaml", "dimensions": { "delegation": { "description": "The human owns the problem definition and the final decision on which solution path to pursue. AI is granted autonomy to ask structured diagnostic questions, propose solution frameworks, and surface resource and financial considerations — but never to declare a solution \"correct\" or a budget \"sufficient\" without the human having verified the underlying assumptions. The human explicitly sets the constraint envelope (budget ceiling, timeline, available people) before AI begins structuring anything.\n", "example": "Human: \"I run a small community health clinic. Our patient records are still on paper. I know this is a problem but I don't know if the solution is software, people, or both — and I have no idea what it costs or how long it takes. Can you help me structure this without assuming I have a tech team?\" AI: \"Understood. I'll help you structure the problem and map what a solution would require — people, money, time, and procurement. I won't assume any technical capacity on your side. You tell me what's real; I'll tell you what questions to ask next. 
First: what is the problem costing you right now, even roughly?\"\n", "antipattern": "AI jumping directly to solution recommendations before fully understanding the human's actual constraints — proposing a cloud-based EHR system to a clinic with no IT budget and unreliable internet, because that is the \"standard\" answer.\n" }, "description": { "description": "The human describes the problem from lived experience — not in technical or managerial language — and explicitly names what they have tried, what failed, and what constraints are non-negotiable. AI uses this to map four axes before proposing anything: (1) financial envelope and funding sources, (2) procurement path (buy, build, hire, partner), (3) human resources available or needed, (4) realistic timeline given the constraint set. Each axis is surfaced as a question to the human, not as an AI assumption.\n", "example": "AI: \"Before I suggest anything, I need to map four things with you. First, finances: do you have a rough budget in mind, or do we need to figure out what this could cost before you can say? Second, procurement: are you open to buying an off-the-shelf tool, hiring someone, or doing this yourself with guidance? Third, people: who in your clinic could own this — even part-time? Fourth, time: is there a deadline driving this, or is it open?\" Human: \"Budget: I genuinely don't know. Procurement: I'd rather buy than build. People: me and one administrator. Time: before the rainy season when patient volume doubles — four months.\" AI: \"Good. Four months, two people, buy-not-build. That constraint set rules out most custom solutions immediately. 
Let me map what exists in that envelope.\"\n", "antipattern": "AI presenting a fully-formed solution plan — with costs, vendors, and timelines — before the human has confirmed the constraint set, forcing the human into a reactive \"yes/no\" rather than a collaborative build.\n" }, "discernment": { "description": "For every resource estimate, cost figure, vendor recommendation, or timeline the AI surfaces, the human explicitly asks: \"Is this real for my context, or is this a global average?\" AI is required to flag when a figure comes from a general knowledge base versus local market reality, and to name the specific assumption that could make the estimate wrong. The human is coached to distinguish between AI-structured thinking (high reliability) and AI-generated numbers (medium-to-low reliability without local validation).\n", "example": "AI: \"A basic electronic health record system for a small clinic typically costs between $200 and $500 per month on a subscription model, with a one-time setup of $500 to $2,000.\" Human: \"Is that true for Morocco?\" AI: \"Honest answer: that figure is from North American and European market data. In Morocco, locally-hosted solutions or regional vendors may be significantly cheaper — or have different pricing models entirely. The number I gave you is useful as a ceiling estimate, not a budget figure. Before using it, you need one conversation with a local health IT vendor or your regional Ministry of Health digital health desk. 
That single call will tell you more than I can.\"\n", "antipattern": "Human treating AI cost and timeline estimates as a budget, presenting them to funders or management without local validation — AI's global averages can be off by a factor of three or more in specific markets.\n" }, "diligence": { "description": "Before the human acts on any element of the AI-structured plan — commits budget, signs a procurement contract, hires a person, or sets a deadline with stakeholders — they must validate the four axes through real-world checks. AI closes each session with a named accountability matrix: one validation action per axis, one named person or source responsible, and a realistic date. The plan is not a plan until the matrix is filled by the human, not the AI.\n", "example": "AI closes the session: \"Here is your validation matrix before this becomes a real plan: (1) Financial — get one local vendor quote to ground the cost estimate: target this week, owner: you. (2) Procurement — call your regional Ministry of Health digital health desk to ask if there is a subsidized or recommended solution for clinics your size: target within 10 days, owner: you. (3) Human resources — confirm with your administrator that they can own the data migration task: target before you sign anything, owner: you. (4) Timeline — validate the four-month window against the vendor's typical onboarding duration: ask in the vendor call. None of these take more than two hours total. Until they are done, treat everything we built today as a structured hypothesis, not a plan.\"\n", "antipattern": "Human sharing the AI-generated plan with stakeholders, funders, or management before completing the validation matrix — the plan has the appearance of rigor but the substance of a first draft.\n" } }, "score_hints": { "delegation": 0.2, "description": 0.35, "discernment": 0.25, "diligence": 0.2 }, "summary": "The human owns the problem definition and the final decision on which solution path to pursue. 
AI is granted autonomy to ask structured diagnostic questions, propose solution frameworks, and surface r", "tags": [ "problem-solving", "planning", "non-technical", "resources", "finance", "procurement", "timeline", "complementary-expertise" ], "contributor": "Dr. Faïçal CONGO", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Human names the problem from lived experience → AI maps constraint axes (financial, procurement, resources, timeline) through structured questions → AI surfaces solution options within the constraint set → Human challenges all estimates for local/contextual fit → AI closes with a named validation matrix. Loops back to Description if new constraints surface during discernment.\n", "sequence": [ { "step": 1, "d": "delegation", "label": "Name the problem and set the constraint envelope", "example_prompts": [ { "speaker": "human", "text": "\"I have a problem I need to fix. I think AI can help but I don't know how. The problem is [X]. I have roughly [budget / no idea on budget]. I need it solved by [date / as soon as possible]. I have [these people / just myself].\"\n" }, { "speaker": "ai", "text": "\"Understood. Before I suggest anything, I'll map what a solution requires across four axes: finances, procurement, people, and time. You confirm what's real; I structure from there. You stay in charge of what's acceptable. Let's start with the constraint that feels most fixed to you.\"\n" } ], "triggers_next": "Problem named and at least one constraint confirmed as non-negotiable" }, { "step": 2, "d": "description", "label": "Map the four axes through structured dialogue", "example_prompts": [ { "speaker": "ai", "text": "\"Financial axis: do you have a figure in mind, or do we need to estimate what this category of solution costs before you can set a ceiling? Procurement axis: buy, build, hire, or partner — which feels most realistic given your context? 
Resource axis: who would own implementation — name a person, not a role? Timeline axis: is there a hard deadline, or a soft one? What happens if you miss it?\"\n" }, { "speaker": "human", "text": "\"Budget: [figure or 'I don't know']. Procurement: [preference]. People: [name or 'just me']. Timeline: [date and consequence].\"\n" } ], "triggers_next": "All four axes mapped — AI has enough to propose options within the constraint set", "loop_back": { "to": "delegation", "condition": "A new constraint surfaces that changes the problem definition", "reason": "Problem scope must be renegotiated before solution mapping continues" } }, { "step": 3, "d": "discernment", "label": "Human challenges every estimate for local and contextual fit", "example_prompts": [ { "speaker": "human", "text": "\"Is that cost figure real for my context — my country, my sector, my scale? What assumption would make it wrong?\"\n" }, { "speaker": "ai", "text": "\"That figure comes from [source type / general knowledge]. It would be wrong if [specific condition — local market, sector pricing, scale factor]. Before using it, verify with [specific source type]. My structured thinking is reliable; my numbers need local grounding.\"\n" } ], "triggers_next": "Human understands which outputs are structural (reliable) vs numerical (needs validation)" }, { "step": 4, "d": "diligence", "label": "AI delivers named validation matrix — one action per axis", "example_prompts": [ { "speaker": "ai", "text": "\"Your validation matrix: (1) Financial — [specific action], owner: you, target: [date]. (2) Procurement — [specific action], owner: [name], target: [date]. (3) Resources — [specific action], owner: [name], target: [date]. (4) Timeline — [specific action], confirm in [call/meeting]. Until this matrix is complete, treat today's output as a structured hypothesis, not a plan.\"\n" }, { "speaker": "human", "text": "\"I'll take action (1) to [person/source] by [date]. 
Action (2) I'll delegate to [name].\"\n" } ], "triggers_next": "Human has a named owner and date for each validation action", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Problem named and at least one hard constraint confirmed" }, { "from": "description", "to": "discernment", "trigger": "All four axes mapped within the constraint set" }, { "from": "discernment", "to": "diligence", "trigger": "Human understands reliability boundaries of AI outputs" }, { "from": "description", "to": "delegation", "trigger": "New constraint surfaces that changes the problem scope", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "Validation reveals the problem was mis-scoped — restart needed", "is_cycle_restart": true } ] } } ], "healthcare": [ { "id": "healthcare-ai-ethics-review", "framework_id": "unesco-ai-ethics", "title": "Healthcare AI Ethics Review", "domain": "healthcare", "file": "healthcare-ai-ethics-review.yaml", "dimensions": { "human-dignity": { "description": "The review assesses whether the AI system treats all patients with equal dignity — examining whether the system produces disparate outcomes for vulnerable populations, whether consent is meaningful, and whether the system's use is consistent with patient autonomy.\n", "example": "Ethics committee chair: \"The proposed AI triage system ranks patients by 'predicted survival probability.' What dignity issues does that raise?\" AI: \"Three dignity concerns: (1) Algorithmic rationing — if the score is used to deprioritize patients, it must be validated on populations matching your hospital's demographic mix, not just the training dataset. Historical survival data often encodes systemic inequities. (2) Consent — do patients know their triage priority may be influenced by an AI score? Informed consent in AI-assisted triage is an emerging but real obligation. 
(3) Autonomy — is there a pathway for a patient or family member to request human-only triage? If not, the system overrides patient autonomy by default.\"\n", "antipattern": "Approving a clinical AI system based on aggregate accuracy metrics without assessing whether the system produces disparate outcomes for elderly, disabled, or minority patients — groups frequently under-represented in training datasets.\n" }, "environment": { "description": "The review considers the environmental footprint of the clinical AI system — energy consumption for training and inference — and whether the hospital has chosen the most resource-efficient option that meets clinical requirements.\n", "example": "AI: \"For a clinical AI system running continuous inference on patient data, estimate the annual compute cost: (1) How many inferences per day? (2) What is the model size — a distilled clinical model uses significantly less energy than a general-purpose large model. (3) Is the compute on-premise or cloud-based — and is the cloud provider on a renewable energy commitment? For a hospital with sustainability commitments, the choice between a 7B and 70B parameter model for the same clinical task is an environmental decision, not just a performance one.\"\n", "antipattern": "Selecting the largest available AI model for a clinical task because it scores marginally higher on benchmarks, without assessing whether a smaller, more efficient model meets the clinical threshold — ignoring the environmental cost difference.\n" }, "privacy": { "description": "The review verifies that the AI system handles patient data according to the strictest applicable privacy standards — covering data minimization, retention, cross-border transfer restrictions, and secondary use prohibitions on clinical data.\n", "example": "Human: \"The vendor's AI trains on patient data from multiple hospitals. 
Do our patients' data stay within our system?\" AI: \"Critical questions for the vendor: (1) Is patient data used to retrain or improve the model after deployment? If yes, is patient consent for this use in place? (2) Is patient data processed outside your jurisdiction — triggering cross-border transfer obligations? (3) Is the model's inference output (e.g., a risk score) itself personal data requiring protection? In most EU jurisdictions, an AI-generated health score linked to a patient is personal data under GDPR. (4) What is the data deletion protocol when the contract ends? Get all four answers in writing before contracting.\"\n", "antipattern": "Accepting a vendor's statement that 'patient data is secure' without obtaining written answers to data residency, secondary use, and deletion protocol questions — leaving the hospital with contractual exposure if a privacy incident occurs.\n" }, "transparency": { "description": "The review ensures that the AI system's outputs are explainable to the clinicians using it and, where appropriate, to the patients it affects — with particular attention to whether clinicians can identify when to distrust the system's recommendations.\n", "example": "AI: \"Clinician transparency for a triage AI requires three things: (1) The clinician must see the key factors driving the score for each patient — not just a number. (2) The clinician must be trained on the system's known failure modes: which patient profiles produce unreliable scores? (3) There must be a documented 'when to override' protocol — specific clinical signals that should trigger human-only judgment regardless of the AI score. 
Without all three, clinicians cannot exercise meaningful oversight — they can only accept or reject a number.\"\n", "antipattern": "Deploying a clinical AI that produces a risk score without any feature attribution — giving clinicians a number they cannot interpret or challenge, and no guidance on when the number is likely to be wrong.\n" }, "accountability": { "description": "The review establishes who is accountable for the system's clinical outcomes, how incidents are escalated, whether patients have a recourse pathway, and what governance oversight applies after deployment.\n", "example": "AI closes the review: \"Accountability structure for the triage AI: (1) Clinical accountability — the attending physician retains final triage authority; AI score is advisory, not determinative. Document this in the clinical protocol. (2) Governance — AI systems in direct patient care must be reviewed by the ethics committee annually. Add this system to the annual review roster. (3) Patient recourse — patients and families may request human-only triage; this must be documented in the patient rights notice. (4) Incident reporting — any triage outcome where the AI score is later assessed as materially wrong must be logged and reviewed in monthly mortality and morbidity rounds.\"\n", "antipattern": "Deploying a clinical AI with accountability assigned to the vendor — 'the vendor is responsible for the model's outputs.' 
Clinical accountability cannot be contracted out; the treating institution and clinician remain legally and ethically responsible.\n" } }, "score_hints": { "human-dignity": 0.3, "environment": 0.1, "privacy": 0.25, "transparency": 0.2, "accountability": 0.15 }, "summary": "The review assesses whether the AI system treats all patients with equal dignity — examining whether the system produces disparate outcomes for vulnerable populations, whether consent is meaningful, and", "tags": [ "healthcare", "clinical-ai", "ethics-review", "patient-safety", "unesco" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Dignity audit examines disparate outcomes and consent implications → environmental footprint is assessed against clinical efficiency thresholds → privacy due diligence covers data residency, secondary use, and deletion → clinician transparency requirements are specified → clinical accountability and patient recourse are defined before deployment approval is granted.\n", "sequence": [ { "step": 1, "d": "human-dignity", "label": "Assess disparate outcomes, consent, and patient autonomy", "example_prompts": [ { "speaker": "human", "text": "The ethics committee is reviewing a proposed AI triage system. Start with dignity." }, { "speaker": "ai", "text": "Three dignity questions for the committee: (1) Disparate outcomes — has the system been validated on a patient population matching your hospital's demographic mix? Specifically, what are the performance metrics for elderly patients, patients with disabilities, and minority ethnic groups? (2) Consent — are patients informed that an AI score may influence their triage priority? If not, that is a consent gap. (3) Autonomy — is there a protocol for patients or families to request human-only triage? If the system provides no opt-out, it overrides patient autonomy by default. The committee should not approve deployment until all three are addressed." }, { "speaker": "human", "text": "Validation data shows lower accuracy for patients over 80. Consent notice is absent. No opt-out protocol exists." 
} ], "triggers_next": "Dignity gaps identified: three items require remediation before approval." }, { "step": 2, "d": "environment", "label": "Assess computational footprint against clinical necessity", "example_prompts": [ { "speaker": "human", "text": "The vendor is offering two model versions — a large high-accuracy model and a distilled model with 2% lower accuracy. Which do we choose?" }, { "speaker": "ai", "text": "This is an ethical decision, not just a performance one: (1) Is the 2% accuracy difference clinically significant for triage? If the distilled model's error rate remains within the clinically acceptable range, the larger model's marginal accuracy gain does not justify the environmental cost. (2) Estimate the energy difference at your inference volume — for continuous inference on 300 patients per day, a 10x model size difference can translate to thousands of kWh per year. (3) Does the vendor's compute run on renewable energy? Request their data center energy disclosure. Unless the larger model is clinically necessary, the distilled model is the responsible choice." }, { "speaker": "human", "text": "Clinical team confirms distilled model meets the accuracy threshold. Distilled model selected." } ], "triggers_next": "Environmental assessment complete; model selection documented with rationale." }, { "step": 3, "d": "privacy", "label": "Conduct privacy due diligence on patient data handling", "example_prompts": [ { "speaker": "human", "text": "The vendor processes patient data in the US and we are an EU hospital. What do we need?" }, { "speaker": "ai", "text": "Four written confirmations required from the vendor before contracting: (1) Data residency — patient data must not leave the EU without a valid transfer mechanism (Standard Contractual Clauses or adequacy decision). Get the specific legal basis in writing. (2) Secondary use prohibition — patient data must not be used to train or improve the model without patient consent. 
Require a contractual prohibition on secondary use. (3) Data deletion — at contract termination, patient data is deleted within 30 days with a deletion certificate. (4) Breach notification — vendor must notify the hospital within 24 hours of any data incident involving patient records. Without all four in the DPA, do not sign." }, { "speaker": "human", "text": "Vendor confirmed EU-based processing and secondary use prohibition. DPA under legal review." } ], "triggers_next": "Privacy due diligence complete; DPA under legal review with four required clauses." }, { "step": 4, "d": "transparency", "label": "Define clinician explainability and override protocol", "example_prompts": [ { "speaker": "human", "text": "What transparency requirements should we impose on the vendor for clinical use?" }, { "speaker": "ai", "text": "Three transparency requirements for the clinical deployment: (1) Feature attribution — the system must display the top three factors driving each patient's triage score, in clinical language accessible to the triage nurse. (2) Failure mode training — before go-live, all triage staff must complete a 90-minute training on the system's known failure modes: which patient profiles (elderly, high comorbidity, atypical presentation) produce unreliable scores. (3) Override protocol — a documented clinical decision rule specifying which situations require the triage nurse to apply human-only judgment regardless of the AI score. This protocol must be approved by the chief of emergency medicine." }, { "speaker": "human", "text": "Vendor confirms feature attribution is available. Training program designed. Override protocol drafted for clinical review." 
} ], "triggers_next": "Clinician transparency requirements specified and vendor-confirmed.", "loop_back": { "to": "human-dignity", "condition": "Override protocol design reveals that the system cannot produce reliable scores for patients over 80, requiring a dignity re-assessment.", "reason": "A system with known unreliable outputs for a demographic group requires a new dignity assessment before approval." } }, { "step": 5, "d": "accountability", "label": "Define clinical accountability and patient recourse", "example_prompts": [ { "speaker": "human", "text": "Who is accountable when the AI triage score contributes to an adverse patient outcome?" }, { "speaker": "ai", "text": "Accountability structure: (1) Clinical — the attending physician retains final triage authority. The AI score is documented as advisory in the clinical protocol; the physician's override is the authoritative clinical decision. This must be stated in writing in the clinical governance documents. (2) Ethics committee oversight — this system is added to the annual ethics review roster; the first review is 6 months post-deployment. (3) Patient rights — add to the patient rights notice: 'Our triage process may use AI decision support. You may request information about how AI is used or request human-only triage.' (4) M&M integration — any triage outcome where the AI score was later assessed as materially wrong is presented at the monthly mortality and morbidity round." }, { "speaker": "human", "text": "Clinical protocol updated. Patient rights notice amended. M&M integration confirmed." } ], "triggers_next": "Accountability structure defined; deployment approved by ethics committee.", "can_restart": true } ], "transitions": [ { "from": "human-dignity", "to": "environment", "trigger": "Dignity gaps identified and remediation requirements documented." }, { "from": "environment", "to": "privacy", "trigger": "Environmental assessment complete and model selection documented." 
}, { "from": "privacy", "to": "transparency", "trigger": "Privacy due diligence complete; DPA under legal review." }, { "from": "transparency", "to": "human-dignity", "trigger": "Override protocol reveals reliability gap for specific population — re-assess dignity.", "is_loop_back": true }, { "from": "transparency", "to": "accountability", "trigger": "Clinician transparency requirements specified." }, { "from": "accountability", "to": "human-dignity", "trigger": "Annual ethics review cycle — begin next assessment.", "is_cycle_restart": true } ] } }, { "id": "clinical-documentation", "framework_id": "4d-framework", "title": "AI-Assisted Clinical Documentation", "domain": "healthcare", "file": "healthcare-clinical-documentation.yaml", "dimensions": { "delegation": { "description": "AI can assist clinicians with drafting clinical notes from voice transcription, generating patient education material drafts, summarizing prior visit records, and producing structured documentation templates. All clinical judgment is non-delegable — diagnosis, treatment decisions, medication orders, and assessment of patient status require a licensed clinician's direct judgment and cannot be transferred to AI under any circumstances.", "example": "An internist uses an AI ambient documentation tool to generate a draft SOAP note from a recorded patient encounter. She reviews the full draft before it enters the EHR, corrects the AI's mischaracterization of the patient's symptom onset timeline, and signs only after verifying that the assessment and plan reflect her actual clinical reasoning.", "antipattern": "Allowing an AI documentation tool to finalize clinical notes without clinician review, or using AI-generated differential diagnoses as the actual clinical assessment without independent clinical evaluation — abdicating the professional judgment that defines clinical practice." 
}, "description": { "description": "Provide AI with precise clinical context: the documentation type required (SOAP note, discharge summary, referral letter, patient education handout), the patient's relevant clinical background, the format required by your institution or EHR, and any clinical standards the document must meet. Vague inputs produce vague outputs that require more revision than starting from scratch.", "example": "Prompt: 'Draft a patient education handout for a 65-year-old patient with newly diagnosed Type 2 diabetes who speaks English as a second language. Reading level: 6th grade. Cover: what Type 2 diabetes is in plain language, the importance of blood sugar monitoring, dietary basics (Mediterranean diet pattern), and when to call the care team. Avoid medical jargon. Format: bullet points with short headers.'", "antipattern": "Prompting: 'Write patient instructions for diabetes.' This produces generic clinical text at an inappropriate reading level with medical terminology, requiring complete rewriting — no faster than drafting from scratch, and risking use of a generic template that doesn't match the specific patient's situation." }, "discernment": { "description": "Scrutinize every AI-generated clinical document for medical accuracy before it enters the record or reaches a patient. Check for hallucinated medication names, incorrect dosages, fabricated lab values, inappropriate diagnostic language, or clinical claims that don't match the actual encounter. Patient safety depends on the clinician catching AI errors before they propagate into care decisions.", "example": "A hospitalist reviews an AI-generated discharge summary and catches that the AI has listed a drug at twice the prescribed dose and omitted a critical allergy from the medication list. 
She corrects both errors before the summary is sent to the receiving primary care physician — preventing a potential adverse drug event.", "antipattern": "Co-signing AI-generated discharge summaries, referral letters, or medication reconciliation documents without reading them in full — allowing a hallucinated dosage, an omitted allergy, or an incorrect diagnosis code to enter the medical record and influence downstream care decisions." }, "diligence": { "description": "The clinician who signs a clinical document is fully accountable for its contents regardless of how it was drafted. Disclose AI use in documentation per your institution's policy and applicable regulatory requirements. Uphold patient safety as the absolute priority — when in doubt, rewrite rather than rely on AI output. Maintain the clinical judgment and interpersonal presence that AI documentation tools must never replace.", "example": "A health system requires all clinicians using AI documentation tools to complete a verified review checklist (patient identity, diagnoses, medications, allergies, follow-up instructions) before signing any AI-assisted note, and discloses the use of AI documentation assistance in its patient-facing privacy notice.", "antipattern": "Signing AI-generated clinical notes at volume without individual review because the ambient tool 'usually gets it right' — creating systematic documentation errors that accumulate in the medical record, affect quality metrics, and in serious cases contribute to patient harm through propagated incorrect information." 
} }, "score_hints": { "delegation": 0.2, "description": 0.2, "discernment": 0.3, "diligence": 0.3 }, "summary": "AI can assist clinicians with drafting clinical notes from voice transcription, generating patient education material drafts, summarizing prior visit records, and producing structured documentation te", "tags": [ "healthcare", "clinical-documentation", "patient-safety", "EHR" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "linear", "description": "Clinician delegates note drafting, provides encounter details, reviews AI draft for clinical accuracy, then signs — strictly linear with no shortcuts due to patient safety requirements.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define AI's documentation role", "example_prompts": [ { "speaker": "human", "text": "Draft the SOAP note for this encounter. You structure the note — I'll verify all clinical content." }, { "speaker": "ai", "text": "Should I include medication reconciliation in the plan section or keep that separate?" }, { "speaker": "human", "text": "Include it in the plan — I'll verify it against the pharmacy record." } ], "triggers_next": "AI's documentation scope and human verification commitment agreed." }, { "step": 2, "d": "description", "label": "Provide encounter details and patient context", "example_prompts": [ { "speaker": "human", "text": "Chief complaint: chest pain, 2-day duration. Vitals and exam findings attached. History of hypertension." }, { "speaker": "ai", "text": "Should I flag any discrepancies I notice between the stated history and the exam findings?" }, { "speaker": "human", "text": "Yes — flag anything that seems inconsistent for my review." } ], "triggers_next": "AI has full encounter context and flag-on-inconsistency rule." 
}, { "step": 3, "d": "discernment", "label": "Review AI draft for clinical accuracy", "example_prompts": [ { "speaker": "human", "text": "The assessment lists 'rule out MI' — change to 'elevated troponin, workup in progress'." }, { "speaker": "ai", "text": "Corrected. The plan section uses 'may consider' — do you want more definitive language?" }, { "speaker": "human", "text": "Yes — change to 'initiate' for the aspirin order, pending cardiology consult." } ], "triggers_next": "Every clinical claim verified by the clinician — no AI-only assertions remain." }, { "step": 4, "d": "diligence", "label": "Sign and lock the note", "example_prompts": [ { "speaker": "human", "text": "Note reviewed in full. Signing and locking in the EHR." }, { "speaker": "human", "text": "AI-assisted draft flagged in the note metadata per compliance policy." } ], "triggers_next": "Note locked. Next encounter requires a fresh cycle." } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Documentation scope and verification commitment agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers draft note." }, { "from": "discernment", "to": "diligence", "trigger": "Every clinical claim verified." }, { "from": "diligence", "to": "delegation", "trigger": "Next encounter — fresh cycle.", "is_cycle_restart": true } ] } } ], "legal": [ { "id": "legal-ai-research-drafting", "framework_id": "4d-framework", "title": "AI-Assisted Legal Research and Document Drafting", "domain": "legal", "file": "legal-ai-research-drafting.yaml", "dimensions": { "delegation": { "description": "AI can assist with initial legal research sweeps, summarizing case law, generating first-draft document structures, and flagging potentially relevant statutes. All legal judgment remains with the licensed attorney — case strategy, legal conclusions, advice to clients, and all court filings are non-delegable professional responsibilities. 
AI is a research and drafting accelerant, never a substitute for attorney analysis.", "example": "An attorney preparing a breach of contract motion asks AI to identify relevant California appellate cases on implied covenant of good faith and generate a draft argument outline. She uses this as a research starting point, independently verifies every citation via Westlaw, and rewrites the argument section from scratch using the verified cases.", "antipattern": "Filing AI-generated legal briefs with unverified citations, or allowing AI to make legal strategy recommendations that the attorney adopts without independent analysis — the equivalent of filing research you haven't read, which creates professional responsibility violations and potential sanctions." }, "description": { "description": "Provide AI with precise legal context: jurisdiction, court or regulatory body, matter type, applicable legal standard, client's factual situation, and the desired document format and purpose. Legal AI output quality depends heavily on the specificity of jurisdictional and doctrinal framing. Generic legal prompts produce generic legal text that may be wrong for your jurisdiction.", "example": "Prompt: 'Summarize the current standard for personal jurisdiction over foreign defendants in federal courts in the Ninth Circuit, focusing on cases decided after 2019 that address the specific vs. general jurisdiction distinction post-Bristol-Myers Squibb. Our client is a California-based plaintiff suing a German manufacturer. Identify the strongest and weakest points in our jurisdictional argument.'", "antipattern": "Prompting: 'Explain personal jurisdiction.' This produces a textbook overview applicable to no particular jurisdiction or procedural posture — unusable for actual legal work without the jurisdictional specificity, relevant time frame, and case-specific framing that makes the output actionable." 
}, "discernment": { "description": "Every AI-generated legal citation must be independently verified in a primary legal database before use. AI models hallucinate case citations with high confidence — inventing plausible-sounding but nonexistent cases, misquoting holdings, or attributing dicta as holdings. Verify that each case exists, says what AI claims, is still good law, and applies in your jurisdiction.", "example": "An attorney receives an AI-generated brief draft citing eight cases. She runs each citation in Westlaw before reviewing the draft's argument. Two citations are for real cases that don't say what the AI claimed. One citation is for a case that was overruled. She treats the AI draft as a structural scaffold only and rebuilds the argument on verified authority.", "antipattern": "Submitting a brief with AI-generated citations after only spot-checking one or two, then receiving a sanctions motion when opposing counsel discovers that three cited cases either don't exist or don't stand for the propositions cited — a career-threatening outcome that has already occurred to real attorneys." }, "diligence": { "description": "The licensed attorney remains fully and personally responsible for every document filed and every piece of advice given, regardless of how it was drafted. Disclose AI assistance in accordance with applicable bar rules and court standing orders (several federal courts now require this). 
Maintain professional standards of competence, including understanding AI's limitations in legal contexts.", "example": "An attorney follows her state bar's guidance on AI use in legal practice by disclosing in engagement letters that AI tools assist with research and drafting, maintaining a verification protocol for all AI-generated citations, and staying current with her court's local rules on AI disclosure in filings.", "antipattern": "Treating AI legal research as equivalent to Westlaw research without verification, failing to disclose AI assistance in jurisdictions where disclosure is required, or allowing junior associates to file AI-drafted documents without supervising attorney review — creating professional responsibility exposure and potential harm to clients." } }, "score_hints": { "delegation": 0.2, "description": 0.2, "discernment": 0.3, "diligence": 0.3 }, "summary": "AI can assist with initial legal research sweeps, summarizing case law, generating first-draft document structures, and flagging potentially relevant statutes. All legal judgment remains with the licensed attorney.", "tags": [ "legal", "research", "document-drafting", "professional-responsibility" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "linear", "description": "Attorney delegates legal research, provides matter context and jurisdiction, verifies AI findings against authoritative sources, then uses the work product — strictly linear due to professional liability.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define AI's research role and limits", "example_prompts": [ { "speaker": "human", "text": "Research current case law on non-compete enforceability in California. Surface the key cases — I'll do final legal analysis." }, { "speaker": "ai", "text": "Should I include federal circuit decisions or only California state courts?"
}, { "speaker": "human", "text": "Both — but flag circuit splits if they exist." } ], "triggers_next": "Research scope, jurisdiction, and attorney analysis responsibility agreed." }, { "step": 2, "d": "description", "label": "Provide matter context and legal question", "example_prompts": [ { "speaker": "human", "text": "Client is a software company seeking to enforce a 2-year non-compete against a departed engineer. Employment ended 6 months ago." }, { "speaker": "ai", "text": "Should I focus on enforceability standards or also include remedy options?" }, { "speaker": "human", "text": "Enforceability first — remedies are a separate memo." } ], "triggers_next": "AI has matter facts and specific legal question." }, { "step": 3, "d": "discernment", "label": "Verify AI research against authoritative sources", "example_prompts": [ { "speaker": "human", "text": "Citation 3 — I need to verify that holding directly. Pull the full opinion." }, { "speaker": "ai", "text": "Here is the full text of Edwards v. Arthur Andersen. The holding is on page 12." }, { "speaker": "human", "text": "Confirmed. Citation 4 has been superseded — remove it and note why." } ], "triggers_next": "Every citation verified against primary sources. No unverified AI assertions remain." }, { "step": 4, "d": "diligence", "label": "Review, sign off, and document", "example_prompts": [ { "speaker": "human", "text": "Partner reviews research memo before it goes to client." }, { "speaker": "human", "text": "Noting AI-assisted research in the matter file per firm policy." } ], "triggers_next": "Memo approved and filed. Next matter question requires a fresh cycle." } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Research scope and liability boundaries agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers research findings." }, { "from": "discernment", "to": "diligence", "trigger": "Every citation independently verified." 
}, { "from": "diligence", "to": "delegation", "trigger": "Next legal question — fresh cycle.", "is_cycle_restart": true } ] } }, { "id": "eu-ai-risk-classification", "framework_id": "eu-ai-act", "title": "EU AI Act Risk Classification", "domain": "legal", "file": "legal-eu-ai-risk-classification.yaml", "dimensions": { "risk-classification": { "description": "The team systematically determines whether the AI system falls into the prohibited, high-risk, limited-risk, or minimal-risk category by applying the Act's annexes and the system's actual intended purpose and deployment context — not its marketing description.\n", "example": "Legal counsel: \"Our AI system suggests interview questions to hiring managers. Marketing calls it a 'decision support tool.' Is it high-risk?\" AI: \"Yes — under Annex III of the EU AI Act, AI systems used in employment and recruitment decisions are classified as high-risk regardless of how they are marketed. 'Decision support' does not reduce the classification if the system materially influences the outcome. The relevant question is: does a human hiring manager typically follow the system's suggestions? 
If yes, the system is used in a manner that determines or influences the recruitment decision — high-risk classification applies.\"\n", "antipattern": "Accepting a vendor's classification of their own system as 'minimal-risk' without independently applying the Act's annexes to the actual use case and deployment context.\n" }, "transparency": { "description": "The team identifies the full set of transparency and documentation obligations applicable to the classified risk tier — technical file, instructions for use, logging, and user notification — and creates a compliance documentation plan.\n", "example": "AI: \"For a high-risk hiring AI, the transparency obligations are: (1) Technical file (Article 11) — detailed system documentation including design specifications, training data description, performance metrics, and risk management records. Must be maintained for 10 years post-market. (2) Instructions for use (Article 13) — plain-language guidance for deployers including the system's purpose, performance limitations, and oversight requirements. (3) Logging (Article 12) — the system must automatically log its inputs and outputs to the extent technically feasible. (4) Notification — affected candidates must be informed that AI is used in the recruitment process. Which of these does your current system documentation cover?\"\n", "antipattern": "Treating technical file preparation as a one-time pre-certification task rather than a continuous documentation obligation — allowing the file to diverge from the deployed system within months of certification.\n" }, "human-oversight": { "description": "The team designs human oversight mechanisms that comply with Article 14 — ensuring deployers can meaningfully monitor, intervene in, and override the AI system's outputs under real operational conditions.\n", "example": "Human: \"We have a human review step before a hiring decision is made. 
Is that sufficient for Article 14?\" AI: \"It depends on the quality of the review, not its existence. Article 14 requires that human oversight is 'effective' — the reviewer must understand the system's outputs and limitations, have the ability and authority to override the system, and not be under time pressure that makes real review impossible. If your hiring managers are reviewing AI recommendations for 30 seconds before approving, that is nominal oversight, not effective oversight. I recommend documenting: the time allocated for review, the training provided to reviewers on the system's limitations, and the rate at which reviewers actually override the AI — as evidence of effective oversight.\"\n", "antipattern": "Satisfying Article 14 with a checkbox in the interface that confirms 'human reviewed this decision' without any mechanism to verify that the review was substantive or effective.\n" }, "robustness": { "description": "The team validates that the AI system meets technical standards for accuracy, cybersecurity, and resilience — and documents testing evidence that supports the conformity assessment.\n", "example": "AI: \"For robustness documentation of a high-risk hiring AI, you need: (1) Accuracy metrics — overall and disaggregated by protected group. 'Accuracy' for a hiring AI should include candidate quality outcomes, not just model prediction metrics. (2) Bias testing — third-party disparity audit across gender, age, and ethnicity for the roles in scope. (3) Cybersecurity — evidence that candidate data is protected against unauthorized access; penetration test results. (4) Resilience — how does the system behave when input data is missing, corrupted, or anomalous? 
All four evidence types are needed for the technical file.\"\n", "antipattern": "Documenting only aggregate model accuracy without disaggregated performance metrics by demographic group — leaving a material compliance gap in the technical file for a high-risk system.\n" }, "governance": { "description": "The team plans the full conformity pathway — notified body involvement if required, EU AI database registration, post-market monitoring system, and incident reporting obligations — before the system is deployed to market.\n", "example": "AI closes the cycle: \"Governance compliance plan for the high-risk hiring AI: (1) Conformity assessment — high-risk AI in employment requires either a third-party notified body assessment or a manufacturer's own conformity assessment depending on whether harmonized standards are applied. Confirm which pathway with legal. (2) EU AI database registration — required before deployment under Article 71. Register at the Commission's AI Office portal. (3) Post-market monitoring — implement quarterly performance reviews including bias audits and incident log review. Name a post-market monitoring officer. (4) Incident reporting — serious incidents must be reported to the national market surveillance authority within the timeframe specified in Article 73. Name the reporting responsible. 
Target: all four items complete before first deployment.\"\n", "antipattern": "Treating post-market monitoring as a future compliance task to be designed after the system launches — leaving a gap between deployment and active monitoring that creates legal exposure under Article 72.\n" } }, "score_hints": { "risk-classification": 0.25, "transparency": 0.2, "human-oversight": 0.25, "robustness": 0.15, "governance": 0.15 }, "summary": "The team systematically determines whether the AI system falls into the prohibited, high-risk, limited-risk, or minimal-risk category by applying the Act's annexes and the system's actual intended purpose and deployment context.", "tags": [ "eu-ai-act", "risk-classification", "legal", "compliance", "hiring-ai" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Risk tier is determined using the Act's annexes applied to actual use → full transparency and documentation obligations are mapped → human oversight mechanism is designed for real operational conditions → technical validation evidence is compiled → conformity assessment and post-market monitoring plan are completed before deployment.\n", "sequence": [ { "step": 1, "d": "risk-classification", "label": "Classify the AI system using Act annexes and actual use context", "example_prompts": [ { "speaker": "human", "text": "We're deploying an AI that screens job applications and ranks candidates. What's our EU AI Act classification?" }, { "speaker": "ai", "text": "Applying Annex III: AI systems used in employment and recruitment — specifically for 'screening or filtering applications, evaluating candidates in the course of interviews or tests, or making decisions about promotion or termination' — are classified as high-risk. Your system ranks candidates, which directly influences shortlisting decisions. Classification: High-Risk. This triggers the full compliance requirements under Articles 8-15. Note: if the vendor classifies this as 'minimal risk,' they are misclassifying it — you as the deployer are legally responsible for correct classification and compliance." }, { "speaker": "human", "text": "High-risk classification confirmed.
We'll update the project documentation and notify the vendor." } ], "triggers_next": "Risk tier confirmed as High-Risk with Article and Annex citations documented." }, { "step": 2, "d": "transparency", "label": "Map documentation and disclosure obligations", "example_prompts": [ { "speaker": "human", "text": "What documentation do we need for a high-risk hiring AI?" }, { "speaker": "ai", "text": "Four documentation streams: (1) Technical file — design specifications, training data description, performance metrics, risk management records, and post-market monitoring plan. Must be maintained for 10 years from market placement. (2) Instructions for use — plain-language deployer guide: system purpose, performance limits, oversight requirements, and prohibited uses. (3) Automatic logging — log inputs and outputs to the extent technically feasible; retain logs per your data retention policy minimum. (4) Candidate notification — inform applicants in the job posting or application process that AI is used in candidate screening. Which of these is not yet in place?" }, { "speaker": "human", "text": "Candidate notification is missing from our job postings. Technical file is incomplete — no performance metrics for protected groups." } ], "triggers_next": "Documentation gaps identified and prioritized for remediation." }, { "step": 3, "d": "human-oversight", "label": "Design effective human oversight for Article 14", "example_prompts": [ { "speaker": "human", "text": "Our HR managers review AI rankings before shortlisting. Is that Article 14 compliant?" }, { "speaker": "ai", "text": "Three things to check: (1) Understanding — do HR managers understand what the system ranks on and what its known limitations are? If not, training is required before oversight is meaningful. (2) Authority — do they have explicit authority to override the ranking, and is there a documented process for doing so? (3) Time — how long do managers spend reviewing each ranking? 
If it is under 2 minutes for a ranking of 20 candidates, the review is likely nominal. Recommendation: document the oversight process, train reviewers on system limitations, log override rates, and set a minimum review time guideline. Override rate below 5% is a red flag — it suggests reviewers are rubber-stamping the AI." }, { "speaker": "human", "text": "Reviewer training scheduled. Override rate will be logged from launch." } ], "triggers_next": "Human oversight mechanism designed, documented, and training scheduled.", "loop_back": { "to": "risk-classification", "condition": "Oversight design reveals the system is being used beyond the classified use case.", "reason": "Extended use cases may trigger additional Annex III categories — classification must be reviewed." } }, { "step": 4, "d": "robustness", "label": "Compile technical validation evidence for the technical file", "example_prompts": [ { "speaker": "human", "text": "What technical evidence do we need for the conformity assessment?" }, { "speaker": "ai", "text": "Four evidence packages: (1) Performance metrics — overall and disaggregated by gender, age, ethnicity for each role type. Include both precision/recall and business outcome metrics (quality of hire). (2) Bias audit — third-party disparity analysis; I recommend contracting this independently of the vendor. (3) Cybersecurity — penetration test report not older than 12 months; data encryption documentation. (4) Resilience testing — what happens when the model receives incomplete CVs, names in non-Western scripts, or unusual formatting? Document the degradation boundary. Which of these four does the vendor currently provide, and which requires your own testing?" }, { "speaker": "human", "text": "Vendor provides packages 1 and 3. We need to commission a third-party bias audit and run our own resilience tests." } ], "triggers_next": "Technical validation evidence compiled or commissioned; gaps documented." 
}, { "step": 5, "d": "governance", "label": "Complete conformity assessment and post-market monitoring plan", "example_prompts": [ { "speaker": "human", "text": "What is our path to lawful market deployment?" }, { "speaker": "ai", "text": "Deployment governance checklist: (1) Conformity assessment — for hiring AI, you can use the internal conformity assessment route if your technical file is complete and you apply harmonized standards. If no harmonized standard exists for your specific use case, a notified body assessment is safer. Confirm with legal. (2) EU AI database registration — required under Article 71 before first use; register via the Commission's AI Act portal. (3) Post-market monitoring plan — quarterly bias audits, monthly incident log review, annual technical file update. Name a post-market monitoring responsible person now, before deployment. (4) Incident reporting — serious incidents (significant impact on health, safety, or fundamental rights) reported to the national market surveillance authority within the Article 73 timeframe. Legal must confirm the reporting pathway for your jurisdiction." }, { "speaker": "human", "text": "Conformity assessment in progress. Database registration submitted. Post-market monitoring officer named." } ], "triggers_next": "Conformity assessment complete; database registered; post-market monitoring operational.", "can_restart": true } ], "transitions": [ { "from": "risk-classification", "to": "transparency", "trigger": "Risk tier confirmed with Annex citations." }, { "from": "transparency", "to": "human-oversight", "trigger": "Documentation obligations mapped and gaps identified." }, { "from": "human-oversight", "to": "risk-classification", "trigger": "Oversight design reveals use beyond classified scope.", "is_loop_back": true }, { "from": "human-oversight", "to": "robustness", "trigger": "Human oversight mechanism designed and documented." 
}, { "from": "robustness", "to": "governance", "trigger": "Technical validation evidence compiled or commissioned." }, { "from": "governance", "to": "risk-classification", "trigger": "System update or new use case triggers re-classification review.", "is_cycle_restart": true } ] } }, { "id": "eu-high-risk-documentation", "framework_id": "eu-ai-act", "title": "EU AI Act High-Risk System Documentation", "domain": "legal", "file": "legal-eu-high-risk-documentation.yaml", "dimensions": { "risk-classification": { "description": "The team confirms the high-risk classification in writing, citing the specific Annex III entry, the intended purpose, the deployment context, and any use-case changes that could affect the classification — creating the foundational document for the entire compliance package.\n", "example": "Legal counsel: \"We need a written classification rationale for the technical file. What does it need to contain?\" AI: \"The classification rationale document should contain: (1) System identification — name, version, and intended purpose in the deployer's own words. (2) Annex III mapping — the specific Annex III entry that applies, with a one-paragraph explanation of why the system's actual use matches that entry. (3) Deployment context — who deploys it, in which jurisdictions, in what operational setting. (4) Scope boundaries — what uses are out of scope and how the system prevents out-of-scope use. (5) Review trigger — what changes to the system or its deployment context would require a new classification review. 
This document is a living record, not a one-time declaration.\"\n", "antipattern": "Writing the classification rationale as a summary of the marketing description rather than an analysis of the actual use against Annex III — producing a document that fails regulatory scrutiny.\n" }, "transparency": { "description": "The team produces the complete transparency documentation package: the technical file under Article 11, instructions for use under Article 13, the logging specification under Article 12, and the candidate/user notification mechanism.\n", "example": "AI: \"Technical file (Article 11) must contain: (1) General description — system purpose, intended use, and technical specifications. (2) Design and development process — how the system was built, including training data description, data governance, and testing methodology. (3) Performance metrics — accuracy, precision, recall, and fairness metrics disaggregated by relevant subgroups. (4) Risk management — the risk management system applied during development. (5) Changes — documentation of all versions and material changes. (6) Post-market monitoring plan — how the system will be monitored after deployment. The file must be maintained for 10 years. 
Assign a document owner now.\"\n", "antipattern": "Preparing the technical file as a one-time document for the conformity assessment without assigning an owner responsible for keeping it current — allowing the file to diverge from the deployed system within months.\n" }, "human-oversight": { "description": "The team documents the human oversight mechanism in a format that satisfies Article 14 — including the oversight design, the reviewer training program, the override capability, and evidence that oversight is effective rather than nominal.\n", "example": "Human: \"How do we document human oversight in a way that satisfies Article 14 for a regulator?\" AI: \"Article 14 documentation package: (1) Oversight design document — describes the oversight mechanism: who reviews, at what stage, with what information, and with what authority to override. (2) Reviewer training program — syllabus, duration, completion tracking, and assessment results. Regulators will ask whether reviewers understand the system's limitations. (3) Override capability specification — technical documentation showing that the override function exists, is accessible, and has been tested. (4) Effectiveness evidence — override rate data (what percentage of AI outputs are overridden?) and a sample of documented override decisions. 
A 0% override rate is a red flag — it suggests nominal rather than effective oversight.\"\n", "antipattern": "Documenting human oversight as a process description ('the reviewer checks the output before the decision is made') without providing evidence that the oversight mechanism is technically implemented, that reviewers are trained, and that overrides actually occur.\n" }, "robustness": { "description": "The team compiles the technical validation evidence for the technical file — accuracy testing, bias audits, cybersecurity assessment, and resilience testing — in a format that supports the conformity assessment.\n", "example": "AI: \"Robustness evidence package for the technical file: (1) Performance testing report — aggregate and disaggregated accuracy metrics. For high-risk systems with individual impact, disaggregation by protected group is required — overall accuracy without subgroup analysis is insufficient. (2) Bias audit report — third-party preferred; document methodology, metrics used, and findings. If a disparity was found, document the remediation and re-test results. (3) Cybersecurity assessment — penetration test report not older than 12 months; data encryption documentation. (4) Resilience testing — what happens at the system's performance boundaries? 
Document the degradation profile: what inputs produce unreliable outputs and how does the system signal this to the user?\"\n", "antipattern": "Submitting a conformity assessment with only aggregate performance metrics and no subgroup analysis — producing a documentation package that fails regulatory review for fairness-sensitive applications.\n" }, "governance": { "description": "The team produces the Declaration of Conformity, registers the system in the EU AI database, and documents the post-market monitoring system — completing the governance documentation required before first deployment.\n", "example": "AI closes the documentation cycle: \"Final governance documentation: (1) Declaration of Conformity — signed by the provider (not the deployer) under Article 47; contains: system identification, conformity assessment route taken, applied standards, and the provider's name and address. (2) EU AI database registration — register via the Commission's AI Act portal before deployment; retain the registration number. (3) Post-market monitoring plan — document: who monitors, what metrics, at what frequency, what triggers a review or incident report, and what the escalation path is for serious incidents under Article 73. (4) Technical file index — a table of contents listing every document in the technical file with its version and last-updated date. 
This index is what a notified body auditor will review first.\"\n", "antipattern": "Treating the Declaration of Conformity as the end of the compliance process — missing the EU AI database registration and post-market monitoring obligations that are legally required before and after market deployment.\n" } }, "score_hints": { "risk-classification": 0.15, "transparency": 0.3, "human-oversight": 0.25, "robustness": 0.2, "governance": 0.1 }, "summary": "", "tags": [ "eu-ai-act", "documentation", "legal", "high-risk", "technical-file" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Classification rationale is confirmed in writing → technical file and transparency documentation package is built out → human oversight mechanism is documented with effectiveness evidence → robustness evidence is compiled with subgroup analysis → Declaration of Conformity and database registration complete the governance package.\n", "sequence": [ { "step": 1, "d": "risk-classification", "label": "Confirm and document classification rationale", "example_prompts": [ { "speaker": "human", "text": "We've classified our AI as high-risk. What's the first documentation step?" }, { "speaker": "ai", "text": "Write the classification rationale document before any other documentation work. Five sections: (1) System identification — name, version, purpose. (2) Annex III mapping — cite the specific entry and explain why your system's actual use matches it. Quote the Annex text directly. (3) Deployment context — jurisdictions, operator type, user type, and operational setting. (4) Scope boundaries — what uses are explicitly out of scope and what technical controls enforce that boundary? (5) Review trigger — what changes to the system or its use would require a new classification review? Have legal counsel approve this document before the technical file is assembled — it is the foundation for everything that follows." 
}, { "speaker": "human", "text": "Classification rationale drafted, citing Annex III paragraph 4 (employment screening). Legal approved." } ], "triggers_next": "Classification rationale documented and legally approved." }, { "step": 2, "d": "transparency", "label": "Build the technical file and transparency documentation", "example_prompts": [ { "speaker": "human", "text": "What does the technical file need to contain and who owns each section?" }, { "speaker": "ai", "text": "Technical file sections with owners: (1) General description — Product owner; due: 2 weeks. (2) Design and development — ML engineering; includes: training data description, data governance, model architecture, training methodology. Due: 3 weeks. (3) Performance metrics — Data science; includes: aggregate and disaggregated accuracy, fairness metrics. Due: 3 weeks. (4) Risk management — Risk/legal; the risk management process applied during development. Due: 2 weeks. (5) Changes log — Technical writer; tracks all versions. Ongoing. (6) Post-market monitoring plan — Risk/compliance; Due: 4 weeks. Instructions for use (Article 13) — Technical writer; plain-language deployer guide. Due: 3 weeks. Assign owners and due dates now; the technical file cannot be assembled retroactively." }, { "speaker": "human", "text": "All section owners assigned. Three-week documentation sprint started." } ], "triggers_next": "Technical file section ownership assigned; documentation sprint started." }, { "step": 3, "d": "human-oversight", "label": "Document oversight mechanism with effectiveness evidence", "example_prompts": [ { "speaker": "human", "text": "How do we document human oversight in a way that will satisfy a notified body auditor?" }, { "speaker": "ai", "text": "Four-document oversight package: (1) Oversight design specification — describes the oversight mechanism in technical detail: who has access to the override function, at what point in the process, with what information visible to the reviewer. 
Include a process flow diagram. (2) Training program documentation — course outline, delivery method, duration, and assessment. Include completion records for all current reviewers. (3) Override capability test evidence — screenshot or screen recording showing the override function in the production UI; test log showing override testing in QA. (4) Override rate data — pull the past 3 months of production data: what percentage of AI outputs were overridden? If 0%, investigate — this suggests the override function is not being used, which is an oversight effectiveness finding." }, { "speaker": "human", "text": "Override rate: 8% — reviewers are actively overriding. All four documents compiled." } ], "triggers_next": "Human oversight documentation package complete with effectiveness evidence.", "loop_back": { "to": "risk-classification", "condition": "Oversight documentation reveals the system is used in ways beyond the classification rationale scope.", "reason": "Extended use scope requires classification rationale update before the technical file is finalized." } }, { "step": 4, "d": "robustness", "label": "Compile technical validation evidence", "example_prompts": [ { "speaker": "human", "text": "What robustness evidence do we need for the technical file?" }, { "speaker": "ai", "text": "Four evidence packages: (1) Performance testing report — format: table with accuracy, precision, recall by: overall population, and each protected characteristic (gender, age band, ethnicity) for the employment screening use case. Any subgroup with accuracy more than 5 percentage points below overall must be flagged and explained. (2) Third-party bias audit — commissioned independently of the development team; include methodology, disparity metrics, findings, and any remediation and re-test results. (3) Cybersecurity — penetration test report (not older than 12 months) and data encryption documentation for applicant data at rest and in transit. 
(4) Resilience — document the system's behavior at edge cases: incomplete CVs, non-standard formats, languages outside the training set. Include the system's warning or degradation signal for out-of-distribution inputs." }, { "speaker": "human", "text": "All four packages compiled. Third-party bias audit complete — one finding remediated and re-tested." } ], "triggers_next": "Robustness evidence package complete with subgroup analysis." }, { "step": 5, "d": "governance", "label": "Produce Declaration of Conformity and register in EU database", "example_prompts": [ { "speaker": "human", "text": "What are the final governance steps before we can deploy?" }, { "speaker": "ai", "text": "Three pre-deployment governance actions: (1) Declaration of Conformity — drafted by legal, signed by the provider's authorized representative. Must contain: system identification, conformity assessment route (internal assessment or notified body), list of applied harmonized standards or common specifications, and provider details. One copy retained for 10 years. (2) EU AI database registration — register at the Commission's AI Act portal. Required before first deployment. Retain the registration number and screenshot confirmation. (3) Post-market monitoring — confirm the monitoring plan is operational: monitoring owner named, first monthly review scheduled, incident reporting escalation path documented and tested. Once all three are complete, deployment is legally authorized. Document the deployment authorization date." }, { "speaker": "human", "text": "Declaration signed. EU database registration confirmed. Monitoring plan operational. Deployment authorized." } ], "triggers_next": "Full compliance documentation package complete; deployment legally authorized.", "can_restart": true } ], "transitions": [ { "from": "risk-classification", "to": "transparency", "trigger": "Classification rationale legally approved." 
}, { "from": "transparency", "to": "human-oversight", "trigger": "Technical file sections assigned and documentation sprint started." }, { "from": "human-oversight", "to": "risk-classification", "trigger": "Oversight documentation reveals use beyond classification scope.", "is_loop_back": true }, { "from": "human-oversight", "to": "robustness", "trigger": "Oversight documentation package complete." }, { "from": "robustness", "to": "governance", "trigger": "Robustness evidence package complete." }, { "from": "governance", "to": "risk-classification", "trigger": "Material system change triggers classification review and documentation update.", "is_cycle_restart": true } ] } } ], "policy": [ { "id": "national-ai-policy-design", "framework_id": "oecd-ai-principles", "title": "National AI Policy Design", "domain": "policy", "file": "policy-national-ai-policy-design.yaml", "dimensions": { "inclusive-growth": { "description": "The policy is designed to distribute AI benefits across the full population — not just technologically advanced sectors — with explicit provisions for communities at risk of being left behind by AI-driven economic change.\n", "example": "Policy analyst: \"Our national AI strategy focuses on economic competitiveness. The OECD Principles require we also address distributional impact. Can you help identify which population groups are most at risk of exclusion from AI benefits in our context?\" AI: \"Based on the OECD AI Policy Observatory data, the three groups most consistently at risk are: workers in routine-task occupations (displacement risk), rural communities with limited digital infrastructure, and populations with low AI literacy. 
I recommend the policy include specific measures for each — not just a general 'digital inclusion' clause.\"\n", "antipattern": "Writing an AI policy that focuses entirely on innovation promotion and competitiveness without any provisions for equitable distribution of benefits or mitigation of AI-related economic displacement.\n" }, "human-centred": { "description": "The policy enshrines human rights protections and democratic values as constraints on AI use — not optional considerations. It identifies which rights are most at risk from AI and prescribes protections.\n", "example": "AI: \"For human-centred value provisions, I recommend mapping three rights categories: (1) Procedural rights — the right to explanation and challenge for consequential automated decisions. (2) Substantive rights — non-discrimination protections applied to AI outputs. (3) Collective rights — protection of democratic processes from AI manipulation (deepfakes, synthetic influence). Which are already covered in your existing legal framework and which require new policy provisions?\"\n", "antipattern": "Treating human rights compliance as a legal reference in the policy preamble rather than a design constraint that shapes what AI applications the policy permits, restricts, or prohibits.\n" }, "transparency": { "description": "The policy requires disclosure standards for AI systems deployed in public services and high-impact private sector applications — including when citizens are subject to AI decisions and what recourse they have.\n", "example": "Human: \"Should the policy require explainability for all AI systems or only specific categories?\" AI: \"The OECD framework supports a risk-proportionate approach: require full explainability for consequential decisions (benefits, justice, employment, credit) and AI-interaction disclosure for customer-facing systems. A blanket requirement for all AI would be unenforceable and technically impossible for all model types. 
I recommend three tiers: decision explainability, interaction disclosure, and general transparency reporting.\"\n", "antipattern": "Setting a transparency requirement so broad it is unenforceable, or so narrow it only covers government AI while leaving high-impact private sector AI unaddressed.\n" }, "robustness": { "description": "The policy establishes minimum technical and operational standards for AI safety and security in critical sectors, and assigns responsibility for defining and updating these standards over time.\n", "example": "AI: \"For robustness provisions, the policy should address three levels: (1) Sectoral standards — what safety requirements apply to AI in healthcare, transport, critical infrastructure? (2) Incident reporting — mandatory reporting of significant AI failures to a national authority. (3) Standards body — which existing body (standards institute, sector regulator) is mandated to define and update technical AI safety standards? Without a named body, the provision has no enforcement mechanism.\"\n", "antipattern": "Listing 'AI safety' as a policy objective without specifying who sets technical standards, what those standards are, and what happens when they are violated.\n" }, "accountability": { "description": "The policy assigns clear accountability for AI outcomes to deployers, developers, and public authorities — and establishes redress mechanisms for individuals harmed by AI decisions.\n", "example": "AI: \"Accountability provisions should distinguish three roles: (1) Developers — liable for fundamental safety properties of models they release. (2) Deployers — liable for how those models are applied to specific use cases. (3) Public authorities — accountable for AI in public services with an appeals pathway for citizens. 
Without this role distinction, enforcement is impossible — every actor will point to another when harm occurs.\"\n", "antipattern": "Writing accountability provisions that name no specific roles, reference only 'AI actors' generally, and provide no redress mechanism for individuals harmed by AI decisions.\n" } }, "score_hints": { "inclusive-growth": 0.2, "human-centred": 0.2, "transparency": 0.2, "robustness": 0.2, "accountability": 0.2 }, "summary": "", "tags": [ "policy", "government", "national-ai-strategy", "oecd" ], "contributor": "Fluently Community", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Inclusive growth analysis identifies who benefits and who is at risk → human rights mapping determines which rights require new policy protections → transparency provisions are scoped to risk proportionality → robustness standards are assigned to named bodies → accountability roles are distinguished and redress mechanisms defined. Loops back to human-centred if transparency provisions conflict with existing rights frameworks.\n", "sequence": [ { "step": 1, "d": "inclusive-growth", "label": "Map AI benefit distribution and inclusion risks", "example_prompts": [ { "speaker": "human", "text": "We're drafting a national AI policy. Start with inclusive growth — who benefits and who doesn't in our current context?" }, { "speaker": "ai", "text": "To map distribution risks for your context, I need: (1) Your country's current AI adoption profile — which sectors are leading? (2) Labor market data — which occupations are most exposed to AI displacement? (3) Infrastructure gaps — which regions lack digital access? Once I have these, I can identify the three to five population groups that need explicit policy provisions, and draft inclusion-specific measures beyond a general 'digital access' clause." }, { "speaker": "human", "text": "Leading sectors: finance and logistics. Displacement exposure: truck drivers and data-entry clerks. 
Infrastructure gaps: rural northern regions." } ], "triggers_next": "At-risk groups identified with sector and regional specificity." }, { "step": 2, "d": "human-centred", "label": "Map rights at risk and design protective provisions", "example_prompts": [ { "speaker": "human", "text": "Which human rights are most at risk from AI in our context?" }, { "speaker": "ai", "text": "For your context (finance and logistics AI leaders, displacement risks, rural gaps): (1) Right to work — AI displacement in logistics without retraining provisions violates substantive economic rights. (2) Right to non-discrimination — AI in financial services without fairness requirements risks entrenching lending discrimination. (3) Right to an effective remedy — if AI makes a credit or benefits decision, citizens need an appeal pathway. Which of these is already covered in existing law and which requires new policy provisions?" }, { "speaker": "human", "text": "Right to remedy is a gap — no current AI-specific appeals mechanism exists." } ], "triggers_next": "Rights gaps identified; new policy provisions scoped.", "loop_back": { "to": "human-centred", "condition": "Transparency provisions in step 3 conflict with existing data protection rights.", "reason": "Rights conflicts must be resolved before transparency requirements are finalized." } }, { "step": 3, "d": "transparency", "label": "Define proportionate transparency requirements by risk tier", "example_prompts": [ { "speaker": "human", "text": "How should our transparency requirements be structured?" }, { "speaker": "ai", "text": "Risk-proportionate three-tier model: Tier 1 (High-risk consequential decisions — credit, benefits, justice): full explainability required, citizen notification mandatory. Tier 2 (Customer-facing AI interaction): disclosure that AI is being used, opt-out right for sensitive services. Tier 3 (Back-office AI): general transparency reporting to a designated authority annually. 
This avoids both unenforceable blanket requirements and the opposite — no requirements at all." }, { "speaker": "human", "text": "We'll adopt the three-tier model with the designated authority being our existing data protection regulator." } ], "triggers_next": "Transparency tiers defined with enforcement body named." }, { "step": 4, "d": "robustness", "label": "Assign standards bodies and define sector safety requirements", "example_prompts": [ { "speaker": "human", "text": "Who should set AI safety standards in our country?" }, { "speaker": "ai", "text": "Three options: (1) Mandate an existing standards body (e.g., national metrology institute) to adopt international standards (ISO 42001, NIST AI RMF) with a national supplement. (2) Create a new AI technical committee under your standards body with industry and civil society representation. (3) Delegate to sector regulators — transport safety for autonomous vehicles, health authority for medical AI. Option 3 is fastest but risks inconsistency across sectors. I recommend option 1 with sector supplements." }, { "speaker": "human", "text": "We'll mandate the national standards institute with a 12-month timeline to produce the first national AI safety standard." } ], "triggers_next": "Standards body named, timeline set, sector requirements scoped." }, { "step": 5, "d": "accountability", "label": "Assign accountability roles and define citizen redress", "example_prompts": [ { "speaker": "human", "text": "How do we structure accountability in the policy without it being unenforceable?" }, { "speaker": "ai", "text": "Three-role accountability structure: (1) AI developers — register high-risk AI systems with the national authority, provide technical documentation. (2) AI deployers — responsible for use-case compliance, must have a named AI risk officer for high-risk deployments. 
(3) Public authorities — use of AI in public services requires an impact assessment and a citizen appeals mechanism with a 30-day resolution SLA. Enforcement: existing sector regulators are the primary enforcers, with a cross-sector AI oversight body as the national coordinator. This maps directly to the OECD accountability principle without requiring a new regulatory body from scratch." }, { "speaker": "human", "text": "Agreed. We'll designate the data protection authority as the cross-sector AI coordinator." } ], "triggers_next": "Accountability roles, enforcement bodies, and redress mechanisms defined.", "can_restart": true } ], "transitions": [ { "from": "inclusive-growth", "to": "human-centred", "trigger": "At-risk groups and inclusion gaps identified." }, { "from": "human-centred", "to": "transparency", "trigger": "Rights gaps mapped and new policy provisions scoped." }, { "from": "transparency", "to": "human-centred", "trigger": "Transparency provisions conflict with existing rights framework.", "is_loop_back": true }, { "from": "transparency", "to": "robustness", "trigger": "Transparency tiers defined with enforcement body." }, { "from": "robustness", "to": "accountability", "trigger": "Standards body named and sector safety requirements scoped." }, { "from": "accountability", "to": "inclusive-growth", "trigger": "Policy review cycle — restart at next annual assessment.", "is_cycle_restart": true } ] } } ], "research": [ { "id": "research-data-analysis", "framework_id": "4d-framework", "title": "Research Paper Data Analysis with AI", "domain": "research", "file": "research-data-analysis.yaml", "dimensions": { "delegation": { "description": "Divide analytical work deliberately between human scholarly judgment and AI computation. AI handles pattern recognition in large datasets, running descriptive statistics, flagging outliers, generating visualization suggestions, and summarizing distributions. 
The researcher formulates hypotheses, interprets findings in disciplinary context, makes causal claims, and draws conclusions — these require domain expertise that AI cannot reliably supply.", "example": "A social scientist delegates to AI the task of computing correlation matrices across 47 variables in a survey dataset and generating a ranked list of significant correlations. She then applies her theoretical knowledge to determine which correlations are substantively meaningful versus statistically coincidental.", "antipattern": "Asking AI to not only run analysis but to formulate the research hypotheses, interpret what findings mean for the field, and draw conclusions — treating the model as a substitute for the researcher's own disciplinary expertise and scholarly judgment." }, "description": { "description": "Give AI precise methodological context — your research question, the dataset structure, units of measurement, required statistical methods, software environment, and any domain-specific constraints. Ambiguous instructions produce analysis that may be technically correct but methodologically wrong for your research design.", "example": "Prompt: 'Analyze this CSV of longitudinal student performance data (n=312, 4 time points). Variables: test_score (0-100), SES_quartile (1-4), intervention_group (binary), school_id (cluster variable). Run a mixed-effects linear regression predicting test_score from intervention_group, controlling for SES_quartile, with school_id as a random effect. Report coefficients, standard errors, and interpret the intervention effect size.'", "antipattern": "Prompting: 'Analyze my research data and tell me what's significant.' Without specifying the research question, the correct statistical model, variable types, or analytical constraints, AI may apply an inappropriate method (e.g., OLS on clustered data) that produces misleading results." 
}, "discernment": { "description": "Rigorously verify AI-produced analysis before incorporating it into research. Check that statistical methods are appropriate for your data structure, that calculations are correct, that effect sizes are interpreted accurately, and that the AI has not made assumptions that violate your study design. AI can produce plausible-looking but methodologically flawed analysis.", "example": "A researcher notices that AI-generated regression output reports a significant p-value but has failed to account for the clustered sampling structure, inflating the precision of estimates. She reruns the analysis herself with correct standard errors and finds the effect is no longer significant at her threshold.", "antipattern": "Inserting AI-generated statistical tables and interpretive text directly into a manuscript without independently verifying the calculations, checking model assumptions, or confirming that the chosen method is appropriate for the study design — risking publication of flawed findings." }, "diligence": { "description": "Be transparent about AI's role in your analytical workflow per your institution's and journal's policies. Ensure all claims in the final paper reflect your own validated analysis. Maintain full methodological accountability — if AI analysis is used, you must understand it well enough to defend every number in peer review.", "example": "A research team documents in their methods section that AI-assisted tools were used for initial descriptive analysis and outlier detection, while all inferential statistics were conducted and verified by the authors using R. They retain full analytical scripts for reproducibility review.", "antipattern": "Publishing a paper that includes AI-generated statistical analysis without independent verification, failing to disclose AI assistance in violation of journal policy, or being unable to explain or reproduce the reported numbers during peer review." 
} }, "score_hints": { "delegation": 0.2, "description": 0.25, "discernment": 0.35, "diligence": 0.2 }, "summary": "Divide analytical work deliberately between human scholarly judgment and AI computation. AI handles pattern recognition in large datasets, running descriptive statistics, flagging outliers, generating", "tags": [ "research", "data-analysis", "statistics", "academic" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Researcher delegates analysis scope, provides dataset and hypotheses, evaluates AI findings for statistical validity, then reports — looping back to description if data quality issues emerge.", "sequence": [ { "step": 1, "d": "delegation", "label": "Agree on analysis scope and AI autonomy", "example_prompts": [ { "speaker": "human", "text": "Analyze this survey dataset for correlations between feature usage and retention. Can you decide which statistical tests to run?" }, { "speaker": "ai", "text": "I can select appropriate tests given the distribution. Should I flag non-significant results or only report significant ones?" }, { "speaker": "human", "text": "Flag all results — I want the full picture, not just the highlights." } ], "triggers_next": "Analysis scope and reporting rule agreed." }, { "step": 2, "d": "description", "label": "Provide dataset and hypotheses", "example_prompts": [ { "speaker": "human", "text": "Here's the dataset. Hypothesis: users who use feature X in the first week have higher 90-day retention." }, { "speaker": "ai", "text": "The dataset has 12% missing values in the retention column — how should I handle them?" }, { "speaker": "human", "text": "Exclude records with missing retention data and note the exclusion count." } ], "triggers_next": "AI has clean dataset, hypotheses, and data handling rules." 
}, { "step": 3, "d": "discernment", "label": "Evaluate analysis findings", "example_prompts": [ { "speaker": "human", "text": "The correlation coefficient looks high — is this sample size large enough for that claim?" }, { "speaker": "ai", "text": "N=340 gives 80% power for this effect size. The result is statistically robust." }, { "speaker": "human", "text": "Good. Flag finding 3 as exploratory — the sample for that subgroup is only N=28." } ], "triggers_next": "Findings validated for statistical robustness and appropriate caveats added.", "loop_back": { "to": "description", "condition": "Data quality issues (e.g., sampling bias, large missing data) undermine the analysis.", "reason": "Dataset needs cleaning or re-scoping before analysis is meaningful." } }, { "step": 4, "d": "diligence", "label": "Review, document, and report", "example_prompts": [ { "speaker": "human", "text": "Senior analyst peer-reviews the methodology section before publication." }, { "speaker": "human", "text": "Documenting which tests were AI-selected and which were human-specified in the methods section." } ], "triggers_next": "Report approved and methodology documented. Cycle restarts for next analysis.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Analysis scope and reporting rules agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers analysis results." }, { "from": "discernment", "to": "diligence", "trigger": "Findings validated." 
}, { "from": "discernment", "to": "description", "trigger": "Data quality issues require dataset revision.", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "Next research question — restart.", "is_cycle_restart": true } ] } }, { "id": "literature-review", "framework_id": "4d-framework", "title": "AI-Supported Academic Literature Review", "domain": "research", "file": "research-literature-review.yaml", "dimensions": { "delegation": { "description": "AI can accelerate the literature review process by synthesizing themes across papers you have already identified, generating structured summaries of provided texts, suggesting search terms for database queries, and proposing a gap analysis framework. Researchers retain responsibility for: executing the systematic search in academic databases, verifying that all cited sources exist and are accurately represented, forming scholarly interpretations, and drawing conclusions about the field's state.", "example": "A PhD student compiles 60 papers from her PubMed and Scopus searches on microbiome-mental health connections. She feeds the abstracts to AI in batches, asking it to identify recurring themes, contradictions between studies, and underexplored angles. She then uses this thematic map as a scaffold for her own reading and synthesis, reading every paper herself before citing it.", "antipattern": "Asking AI to conduct the literature review from scratch — generating the reading list, summarizing papers AI has not actually read, and producing a synthesis the researcher then submits — creating a review full of hallucinated citations and misrepresented findings that the researcher cannot defend." }, "description": { "description": "Specify your literature review's scope with precision: the exact research question, the academic field and subfield, the time range, inclusion and exclusion criteria, the required depth of analysis, and the review type (narrative, systematic, scoping). 
Imprecise framing leads to AI output that spans the wrong literature or treats your question at the wrong level of specificity.", "example": "Prompt: 'I have provided 45 abstracts from papers on cognitive behavioral therapy outcomes for adolescent depression, published 2015-2024, RCTs only. Identify: (1) the most common outcome measures used across studies, (2) the patient subgroups most frequently underrepresented, (3) the three most-cited methodological limitations across papers, and (4) any emerging treatment modifications mentioned in multiple papers. Do not add any studies I haven't provided.'", "antipattern": "Prompting: 'Write a literature review on therapy and depression.' Without scope constraints, AI generates a sweeping narrative that mixes study types, time periods, populations, and therapy modalities — producing a superficial overview that satisfies no specific research question and cannot withstand peer review scrutiny." }, "discernment": { "description": "Verify every citation in an AI-assisted literature review independently in an academic database before including it in your work. AI confidently generates plausible-sounding but fabricated citations — author names, journal titles, and publication years that look real but aren't. Additionally, verify that real papers are accurately characterized: check that AI summaries correctly represent each paper's methodology, findings, and limitations.", "example": "A researcher asks AI to synthesize themes from a set of provided papers and flag potentially relevant additional sources. She treats every additional source AI suggests as unverified until she has confirmed it in Google Scholar. 
Of eight AI-suggested additional references, two do not exist and one exists but reaches the opposite conclusion from what AI claimed.", "antipattern": "Submitting a literature review with AI-generated citations that were never individually verified in an academic database — discovering during peer review that three cited articles are fabrications, resulting in rejection and reputational damage that follows the researcher's professional record." }, "diligence": { "description": "The researcher is fully responsible for every claim and citation in the final review. Disclose AI assistance per your target journal's author guidelines and your institution's research integrity policy (requirements vary significantly across disciplines and publishers). Validate all sources independently regardless of AI confidence. Understand that your scholarly reputation is built on the accuracy and integrity of your literature representation.", "example": "A research team submits a systematic review that includes in the methods section a transparent account of how AI tools were used for thematic synthesis of author-identified papers, notes that all citations were independently verified in Cochrane Library and PubMed, and confirms compliance with the journal's AI transparency policy — meeting both disclosure and integrity standards.", "antipattern": "Relying on AI to identify and summarize literature without reading the papers yourself, submitting a review that misrepresents study findings because you trusted AI's characterizations over the original texts, or failing to disclose AI assistance to a journal that requires transparency — compromising academic integrity and potentially contributing false knowledge to the scholarly record." 
} }, "score_hints": { "delegation": 0.2, "description": 0.3, "discernment": 0.3, "diligence": 0.2 }, "summary": "AI can accelerate the literature review process by synthesizing themes across papers you have already identified, generating structured summaries of provided texts, suggesting search terms for databas", "tags": [ "literature-review", "academic-research", "citation-verification", "research-integrity" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "iterative", "description": "Researcher and AI iterate through literature in passes — each pass scopes the search, provides query context, evaluates source quality, and commits the accepted sources before the next domain.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define search scope and AI autonomy", "example_prompts": [ { "speaker": "human", "text": "Search for papers on transformer attention mechanisms published 2020–2024. Can you decide which databases to query?" }, { "speaker": "ai", "text": "I'd suggest Semantic Scholar, arXiv, and ACL Anthology. Should I include pre-prints or only peer-reviewed?" }, { "speaker": "human", "text": "Include pre-prints but flag them separately." } ], "triggers_next": "Search scope, databases, and pre-print policy agreed." }, { "step": 2, "d": "description", "label": "Provide query terms and exclusion criteria", "example_prompts": [ { "speaker": "human", "text": "Focus on efficiency improvements to attention. Exclude papers that are purely theoretical with no empirical results." }, { "speaker": "ai", "text": "Should I prioritize highly-cited papers or recent ones?" }, { "speaker": "human", "text": "Recent first — this is a fast-moving area." } ], "triggers_next": "AI has query terms, relevance criteria, and recency bias." 
}, { "step": 3, "d": "discernment", "label": "Evaluate source quality and relevance", "example_prompts": [ { "speaker": "human", "text": "Paper 7 seems tangentially related — is the methodology actually relevant to our work?" }, { "speaker": "ai", "text": "The dataset they use is different but the attention variant they propose directly addresses your efficiency problem. I'd include it." }, { "speaker": "human", "text": "Agreed — include it with a note on the dataset difference." } ], "triggers_next": "Source list validated for relevance and quality." }, { "step": 4, "d": "diligence", "label": "Curate and document the source list", "example_prompts": [ { "speaker": "human", "text": "PI reviews the final list before it goes into the literature section." }, { "speaker": "human", "text": "Adding search query log and exclusion decisions to the methodology appendix." } ], "triggers_next": "Sources committed. Begin next thematic area.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Search scope and databases agreed." }, { "from": "description", "to": "discernment", "trigger": "AI returns candidate sources." }, { "from": "discernment", "to": "diligence", "trigger": "Sources validated." }, { "from": "diligence", "to": "delegation", "trigger": "Next thematic area — new search pass.", "is_cycle_restart": true } ] } } ], "writing": [ { "id": "content-development", "framework_id": "4d-framework", "title": "Story and Content Development with AI", "domain": "writing", "file": "writing-content-development.yaml", "dimensions": { "delegation": { "description": "Identify which creative elements benefit from AI exploration versus which must remain human-driven. AI excels at generating plot alternatives, brainstorming secondary character names, proposing scene structures, and expanding on prompts. 
Core voice, thematic meaning, emotional truth, and the author's unique perspective must stay with the human creator.", "example": "A novelist asks AI to generate five possible turning points for chapter 7, then selects and transforms the one that best fits her protagonist's established arc. The AI explores; the human decides and develops.", "antipattern": "Handing the AI a character description and asking it to write entire chapters wholesale, then lightly editing and publishing the result — abdicating the creative authorship that gives the work its distinctive voice and purpose." }, "description": { "description": "Give AI rich, specific creative context — the story world's rules, character backstories, established themes, the emotional arc you are building toward, your narrative voice, and any stylistic constraints. Vague prompts produce generic content; detailed creative briefs produce useful raw material.", "example": "Prompt: 'This is a near-future climate noir story set in drowned New Orleans, 2067. Protagonist Maya Tran is a cynical water-rights detective, dry wit, Creole heritage, distrusts authority. I need three scene openings for chapter 4 where she visits the Floating Market. Tone: melancholy but alive with sensory detail. Echo Toni Morrison's eye for place.'", "antipattern": "Prompting: 'Write a scene for my sci-fi story where the hero goes to a market.' This yields generic content with no connection to the established world, character voice, or thematic purpose — unusable without complete rewriting." }, "discernment": { "description": "Evaluate AI-generated content against your creative vision, not just surface quality. Good AI output that doesn't fit your voice or thematic intent is still the wrong output. Actively reject suggestions that feel generic, that undercut character consistency, or that introduce tropes that conflict with what you are building.", "example": "An author receives three AI-generated chapter openings. 
Two are competently written but feel tonally flat for her noir voice. The third has an interesting image she adapts, changing the phrasing to match her protagonist's sardonic register. She uses roughly 15% of the AI material, transformed.", "antipattern": "Accepting AI-generated dialogue or scene descriptions because they are grammatically sound and feel 'good enough,' without checking whether they match the character's established voice, advance the story's thematic arc, or reflect the emotional truth the author intended." }, "diligence": { "description": "Be transparent about AI's role in your creative work according to the norms of your publication context. Preserve your human creative intent as the primary force shaping the work. Avoid over-relying on AI to the point where your own creative voice atrophies. Keep records of your creative process for attribution purposes.", "example": "A short story writer notes in her submission cover letter that AI tools were used for brainstorming and structural exploration, per the journal's disclosure policy. The published story reflects her voice, her decisions, and her thematic vision throughout.", "antipattern": "Submitting AI-generated content to publications that prohibit AI-assisted work without disclosure, or losing track of which creative decisions were yours versus the AI's — failing to maintain the human authorship that gives the work its integrity and legal standing." } }, "score_hints": { "delegation": 0.3, "description": 0.35, "discernment": 0.2, "diligence": 0.15 }, "summary": "Identify which creative elements benefit from AI exploration versus which must remain human-driven. 
AI excels at generating plot alternatives, brainstorming secondary character names, proposing scene ", "tags": [ "creative-writing", "storytelling", "content-development", "authorship" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "iterative", "description": "Writer and AI iterate through content passes — each round refines scope, provides richer context, evaluates quality, and commits the accepted draft before the next iteration.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define AI writing role for this pass", "example_prompts": [ { "speaker": "human", "text": "Draft the introduction section. You decide the hook — I'll revise tone and factual claims." }, { "speaker": "ai", "text": "Should I aim for a provocative hook or an informative one given the audience?" }, { "speaker": "human", "text": "Informative — this is a technical audience, not a general one." } ], "triggers_next": "AI's role and creative latitude for this pass agreed." }, { "step": 2, "d": "description", "label": "Provide audience, tone, and source material", "example_prompts": [ { "speaker": "human", "text": "The audience is senior engineers. Tone: direct, no fluff. Here are the three source papers to draw from." }, { "speaker": "ai", "text": "Should I cite sources inline or use footnotes?" }, { "speaker": "human", "text": "Inline citations, short form — author + year." } ], "triggers_next": "AI has audience, tone, and sources." }, { "step": 3, "d": "discernment", "label": "Evaluate draft quality", "example_prompts": [ { "speaker": "human", "text": "The second paragraph overstates the claim — the paper says 'suggests', not 'proves'." }, { "speaker": "ai", "text": "Corrected to 'suggests evidence for'. Should I flag other hedging opportunities?" }, { "speaker": "human", "text": "Yes — flag anything that sounds more certain than the sources warrant." 
} ], "triggers_next": "Draft quality and factual accuracy validated." }, { "step": 4, "d": "diligence", "label": "Finalize and publish", "example_prompts": [ { "speaker": "human", "text": "Editor sign-off received. Marking AI-drafted sections in the revision history." }, { "speaker": "human", "text": "Posting to the engineering blog." } ], "triggers_next": "Section published. Next section begins new iteration.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Writing role and creative latitude agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers draft." }, { "from": "discernment", "to": "diligence", "trigger": "Draft validated." }, { "from": "diligence", "to": "delegation", "trigger": "Next content section — restart.", "is_cycle_restart": true } ] } }, { "id": "creative-ai-collaboration", "framework_id": "4d-framework", "title": "Creative Writing with AI as Co-Creator", "domain": "writing", "file": "writing-creative-ai-collaboration.yaml", "dimensions": { "delegation": { "description": "The human writer sets and holds the creative vision, voice, and thematic intent. AI's role is to explore the possibility space: generating variations, proposing alternative phrasings, suggesting structural options, and expanding on prompts the writer provides. The writer selects, transforms, and integrates — never simply accepting. This asymmetry preserves human creative authorship while genuinely leveraging AI's generative range.", "example": "A short story writer gives AI her protagonist's voice sample and asks for ten possible opening lines for a new story. 
She finds two that spark something, combines elements from both, and rewrites the result into a line that is distinctly her own — using AI as a creative catalyst, not a ghostwriter.", "antipattern": "Asking AI to generate a complete story with a brief premise, then submitting it to literary publications with minimal editing — claiming authorship of work in which the human's creative contribution was limited to a topic choice and a submit button press." }, "description": { "description": "Give AI the full creative parameters it needs to generate useful material: genre conventions you are working within or against, your protagonist's established voice and psychology, the narrative constraints of the world you've built, the emotional register of the scene, stylistic influences, and what you specifically want to explore in this session. Richer briefs yield richer possibilities.", "example": "Prompt: 'Write three alternative versions of the scene where Lena realizes her sister has been lying to her for years. Lena's voice: quiet, measured, suppresses emotion until it breaks through — think Marilynne Robinson's register. Setting: kitchen, early morning, just them. Her sister doesn't know Lena knows yet. Each version should find a different emotional entry point: one through an object, one through silence, one through an unexpected mundane action.'", "antipattern": "Prompting: 'Write a scene where two sisters have a conflict.' This produces a generic dialogue with stock emotional beats that has no connection to your specific characters, your established voice, or the narrative weight the scene needs to carry in your story." }, "discernment": { "description": "Evaluate AI-generated creative material against voice consistency, originality, narrative coherence, and emotional truth — not just surface competence. Good writing that doesn't sound like you, that relies on familiar tropes, or that resolves emotional tension too easily is still wrong for your work. 
Actively seek and reject the generic. What makes AI output valuable is what you do with it, not what it produces on its own.", "example": "A novelist receives five AI-generated dialogue exchanges for a tense confrontation scene. She discards three as tonally flat and relying on predictable beats. One has an image — a character straightening a picture frame mid-argument — that feels true to her story. She uses only that image, embedded in dialogue she writes herself, and the scene becomes one of the book's strongest moments.", "antipattern": "Accepting AI-generated prose because it reads smoothly and competently, without checking whether it sounds like your narrator's voice, advances the scene's specific emotional purpose, or introduces tropes (the dramatic pause before the reveal, the single tear) that undercut the subtlety you are working to achieve." }, "diligence": { "description": "Be honest with your readers, your publishers, and yourself about AI's role in your creative process. Follow your publication venue's disclosure policies. Ensure your creative voice and human intent remain the primary force in the work. Maintain your craft practice — using AI as a crutch that prevents developing your own creative capabilities ultimately diminishes both you and the work.", "example": "A literary fiction writer discloses in her author's note that AI tools were used for brainstorming and exploring structural alternatives during drafting, consistent with her publisher's transparency policy. The novel reflects her voice, her thematic vision, and her years of craft development on every page.", "antipattern": "Using AI to write the bulk of a novel, submitting it under your sole authorship to a publisher who prohibits undisclosed AI content, and publishing work that cannot be defended as primarily yours — creating legal and reputational exposure and undermining the trust relationship between author and reader." 
} }, "score_hints": { "delegation": 0.3, "description": 0.3, "discernment": 0.2, "diligence": 0.2 }, "summary": "The human writer sets and holds the creative vision, voice, and thematic intent. AI's role is to explore the possibility space: generating variations, proposing alternative phrasings, suggesting struc", "tags": [ "creative-writing", "fiction", "co-creation", "authorship" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "cyclic", "description": "Human and AI sustain a continuous creative loop — each creative exchange re-evaluates the direction and can cycle back to re-establish creative constraints at any point.", "sequence": [ { "step": 1, "d": "delegation", "label": "Establish creative autonomy", "example_prompts": [ { "speaker": "human", "text": "Write a short story opening. You pick the genre and voice — I'll redirect if it doesn't feel right." }, { "speaker": "ai", "text": "I'll try a quiet, literary voice set in a near-future city. Should I commit to a POV character?" }, { "speaker": "human", "text": "Yes — first person, present tense." } ], "triggers_next": "Creative latitude, genre, and POV agreed." }, { "step": 2, "d": "description", "label": "Provide creative constraints and inspiration", "example_prompts": [ { "speaker": "human", "text": "The theme is isolation despite connectivity. Draw from Ballard's style — sparse, clinical." }, { "speaker": "ai", "text": "Should I include a specific visual motif or let one emerge?" }, { "speaker": "human", "text": "Let one emerge — I'll tell you if it works." } ], "triggers_next": "AI has thematic and stylistic anchors." }, { "step": 3, "d": "discernment", "label": "Evaluate creative output", "example_prompts": [ { "speaker": "human", "text": "The opening paragraph is strong but the metaphor in line 3 is too on-the-nose." 
}, { "speaker": "ai", "text": "I can replace it with something more oblique — do you want me to suggest three options?" }, { "speaker": "human", "text": "Just one — go with your best instinct." } ], "triggers_next": "Creative direction validated or refined." }, { "step": 4, "d": "diligence", "label": "Accept and continue or reshape", "example_prompts": [ { "speaker": "human", "text": "This version works. Saving as draft v2. Let's continue from here — next section?" }, { "speaker": "human", "text": "Actually — the voice has drifted. Let's reset the creative constraints before continuing." } ], "triggers_next": "Continues to next creative passage or cycles back to establish new constraints.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Creative autonomy and POV agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers creative output." }, { "from": "discernment", "to": "diligence", "trigger": "Output evaluated." }, { "from": "diligence", "to": "delegation", "trigger": "Voice drift or new creative direction needed — reset constraints.", "is_loop_back": true }, { "from": "diligence", "to": "description", "trigger": "Continue from accepted draft — provide next constraints.", "is_cycle_restart": true } ] } }, { "id": "marketing-email-campaign", "framework_id": "4d-framework", "title": "AI-Assisted Marketing Email Campaigns", "domain": "writing", "file": "writing-marketing-email-campaign.yaml", "dimensions": { "delegation": { "description": "The human marketing strategist designs the campaign's core message, audience segmentation logic, and brand voice. AI then executes variation drafting — subject line alternatives, body copy variants for A/B testing, personalization token suggestions, and CTA phrasing options. 
The human selects, refines, and approves; AI accelerates the variation space.", "example": "A marketing manager defines the campaign goal (re-engage lapsed subscribers with a 20% discount), the audience segment (users inactive for 90+ days), and the brand voice (friendly, direct, never pushy). She then asks AI to draft five subject line options and three body copy variants, which she narrows to one of each after testing against campaign criteria.", "antipattern": "Having AI independently design the campaign messaging strategy, choose the audience, set the offer, and draft the emails — then simply forwarding the AI output to the email platform without human strategic review or brand alignment check." }, "description": { "description": "Provide AI with a complete campaign brief: target audience demographics and psychographics, campaign objective and success metrics, desired brand voice with examples, the specific offer or message, any compliance constraints (CAN-SPAM, GDPR), and the desired call to action. The more precisely you define success, the more useful the AI drafts.", "example": "Prompt: 'Draft three subject line options and two body copy variants for a re-engagement email. Audience: B2B SaaS users, mid-level product managers, inactive 90+ days. Offer: 20% discount on annual plan upgrade. Voice: confident, peer-to-peer, not salesy — like a trusted colleague nudging, not a pushy vendor. CTA: Schedule a 15-min call. Compliance: include unsubscribe link placeholder. Max 150 words body copy.'", "antipattern": "Prompting: 'Write a marketing email for our product.' With no audience definition, no campaign goal, no voice guidance, and no offer details, AI produces a generic promotional template that fits no specific audience and advances no particular business goal." }, "discernment": { "description": "Evaluate each AI-drafted variant against your campaign goals, brand standards, audience fit, and legal requirements before sending. 
Check that claims are factually accurate, that the tone matches your brand, that the offer details are correct, and that no language could mislead recipients or create compliance issues.", "example": "A campaign manager reviews an AI-drafted email and flags two issues: the subject line 'You''re missing out!' violates the company's brand guideline against FOMO language, and a product claim ('the #1 tool for project managers') is unsubstantiated. She revises both before the email enters the approval workflow.", "antipattern": "Sending AI-drafted campaign emails after only a quick skim for spelling errors — missing off-brand phrasing, unverified product claims, incorrect offer details, or compliance issues that could damage brand trust or trigger regulatory scrutiny." }, "diligence": { "description": "Validate all factual claims, offer details, pricing, and legal disclosures before the email goes out. Consider the ethics of AI use in persuasive marketing communications and whether your audience has any expectation of human-crafted outreach. Maintain a human approval step in the campaign workflow regardless of AI involvement.", "example": "Before deploying a 50,000-recipient campaign, the marketing team runs the AI-drafted email through their compliance checklist (unsubscribe link present, sender identification correct, no deceptive subject lines), has the legal team verify the offer terms, and gets final sign-off from the brand director.", "antipattern": "Auto-deploying AI-drafted emails through an automated campaign platform with no human review step, sending incorrect pricing or expired offers to thousands of recipients, or using AI-generated urgency language ('Act now before midnight!') for a deadline that doesn't actually exist." } }, "score_hints": { "delegation": 0.25, "description": 0.35, "discernment": 0.2, "diligence": 0.2 }, "summary": "The human marketing strategist designs the campaign's core message, audience segmentation logic, and brand voice. 
AI then executes variation drafting — subject line alternatives, body copy variants fo", "tags": [ "marketing", "email-campaign", "copywriting", "brand-voice" ], "contributor": "Rick Dakan & Joseph Feller / Anthropic", "reference": "https://aifluencyframework.org", "version": "1.0.0", "collaboration": { "pattern": "linear_with_loops", "description": "Marketer delegates copy generation, provides audience and goal context, evaluates AI copy for brand fit, then approves send — looping back to description if messaging misses the mark.", "sequence": [ { "step": 1, "d": "delegation", "label": "Define AI copy role", "example_prompts": [ { "speaker": "human", "text": "Draft 3 subject line variants and the body for a re-engagement campaign. You choose the CTA." }, { "speaker": "ai", "text": "Should I optimize the CTA for clicks or for replies?" }, { "speaker": "human", "text": "Clicks — we want traffic to the new pricing page." } ], "triggers_next": "AI's copy role and optimization goal agreed." }, { "step": 2, "d": "description", "label": "Provide audience segment and brand context", "example_prompts": [ { "speaker": "human", "text": "Audience: lapsed users, last active 90+ days ago. Brand voice: friendly, direct, no urgency language. Goal: bring them back to see the new plan." }, { "speaker": "ai", "text": "Is there a specific pain point from exit surveys I should address?" }, { "speaker": "human", "text": "Yes — 60% cited pricing confusion. Lead with clarity on the new plan." } ], "triggers_next": "AI has audience, brand voice, and specific messaging anchor." }, { "step": 3, "d": "discernment", "label": "Evaluate copy for brand fit and accuracy", "example_prompts": [ { "speaker": "human", "text": "Subject line 2 has urgency language — 'Don't miss out' — remove it." }, { "speaker": "ai", "text": "Replaced with 'See what's new.' Does the body CTA feel too salesy?" }, { "speaker": "human", "text": "Slightly — soften to 'Take a look' from 'Upgrade now'." 
} ], "triggers_next": "Copy aligns with brand voice and factual accuracy confirmed.", "loop_back": { "to": "description", "condition": "Copy consistently misses tone or misrepresents product features.", "reason": "Messaging anchor or brand constraints need to be re-provided with examples." } }, { "step": 4, "d": "diligence", "label": "Approve and send", "example_prompts": [ { "speaker": "human", "text": "Legal sign-off on claims — approved. Scheduling send for Tuesday 10am." }, { "speaker": "human", "text": "Logging AI-generated copy version and override history for compliance." } ], "triggers_next": "Campaign sent. Cycle restarts for next campaign.", "can_restart": true } ], "transitions": [ { "from": "delegation", "to": "description", "trigger": "Copy role and optimization goal agreed." }, { "from": "description", "to": "discernment", "trigger": "AI delivers copy variants." }, { "from": "discernment", "to": "diligence", "trigger": "Copy validated for brand and accuracy." }, { "from": "discernment", "to": "description", "trigger": "Messaging consistently off — re-provide anchor.", "is_loop_back": true }, { "from": "diligence", "to": "delegation", "trigger": "Next campaign — restart.", "is_cycle_restart": true } ] } } ] } }