reg-gap-analysis
/reg-gap-analysis
- Read `~/.claude/plugins/config/claude-for-legal/ai-governance-legal/CLAUDE.md`. Confirm regulatory footprint and use case registry are populated.
- Use the framework below.
- Scope: does this regulation apply? (Jurisdiction, threshold, builder/deployer, sector.) If not, one line and done.
- Extract requirements. Diff against current state in `~/.claude/plugins/config/claude-for-legal/ai-governance-legal/CLAUDE.md`.
- Prioritize gaps. Output: remediation plan with must-do / should-do / already compliant / accepted gaps.
- Save as dated markdown doc for the file.

`/ai-governance-legal:reg-gap-analysis "EU AI Act high-risk provisions"`

Purpose
The EU AI Act goes live. Colorado passes an AI law. The CFPB issues model risk
guidance. The FTC publishes an AI enforcement policy. Something moves — and now
you need to know what, if anything, you have to change.

This skill diffs the new requirement against your current AI governance posture
(per `~/.claude/plugins/config/claude-for-legal/ai-governance-legal/CLAUDE.md` — use case registry, vendor positions, impact assessment practices,
and AI policy commitments) and produces a gap list with a remediation plan.

The AI regulatory landscape is moving faster than any other area of law right now.
When a regulation is genuinely ambiguous, say so. Don't paper over uncertainty —
legal teams need to know when they're on solid ground versus when they're making a
judgment call.
Load current state
Read `~/.claude/plugins/config/claude-for-legal/ai-governance-legal/CLAUDE.md`:
- `## Regulatory footprint` — what already applies
- `## Use case registry` — what AI you're actually running, and under what conditions
- `## AI policy commitments` — what you've publicly or contractually committed to
- `## Vendor AI governance` — what vendor positions are in place
- `## Impact assessment house style` — what assessment practices exist
If the regulation clearly doesn't apply (wrong jurisdiction, below threshold,
wrong sector, builder/deployer distinction eliminates you from scope), say so
directly: "Doesn't apply. Here's why: [reason]. No action needed."
Research first, then workflow
Before running the gap analysis, research the currently operative AI regulatory regimes for the jurisdictions in the user's footprint. For each regime identify:
- Scope — who's covered (provider/builder vs. deployer vs. distributor vs. user; sectoral carve-outs).
- Applicability thresholds — revenue, user count, headcount, compute, model category, affected-population size.
- Risk-tier definitions — how the regime distinguishes tiers (prohibited / high-risk / limited-risk / minimal), what's in each.
- Substantive obligations — transparency, documentation, human oversight, bias testing, registration, incident reporting, vendor flow-down.
- Enforcement mechanism — which regulator, what penalties, any private right of action.
- Effective dates — many AI laws phase in obligations over 2-4 years; note which obligations are live vs. upcoming.
Cite the regulatory text with pinpoint references. Flag provisions subject to ongoing interpretation, delegated acts, or pending rulemaking. The AI regulatory landscape changes quickly — verify currency before advising.
Build the gap analysis from the researched requirements, not from hardcoded reference tables.
Workflow
Step 1: Scope the regulation
Before diffing, answer:
- Does it apply? Jurisdiction, threshold, sector carve-outs, builder vs. deployer distinction. Research the specific scoping rules in the regulation — don't assume. Builder/deployer matters a lot here. Many AI regimes impose different obligations on the entity that develops/provides the AI system versus the entity that deploys/uses it. Research which role the company occupies under each regime's definitions. Scope first; don't gap-analyze a law that doesn't apply.
- When? Effective date. Enforcement date (often different). Phase-in periods for specific provisions. Verify currency.
- What's actually new? Some "new" AI laws largely restate existing legal principles (consumer protection, anti-discrimination, sectoral risk management) applied to AI. Others are genuinely new obligations. Identify the delta from what you already do, not the full text of the law.
Step 2: Extract requirements
Read the regulation, guidance, or summary. List every substantive requirement:
| # | Requirement | Citation | Category |
|---|---|---|---|
| 1 | [requirement] | [section] | [see categories below] |
Categories:
- Transparency — disclosures to users, employees, or affected parties about AI use
- Impact assessment — required documentation before deployment
- Human oversight — mandatory human review, override, or appeals mechanisms
- Accuracy / testing — bias testing, accuracy documentation, validation
- Governance — registration, record-keeping, designated responsible persons
- Vendor flow-down — obligations to pass down to AI vendors or pass up from AI vendors
- Prohibited practices — outright bans on specific AI capabilities or uses
- Rights — what affected parties can request or invoke
Step 3: Diff against current state
For each requirement:
```markdown
[Requirement #N]: [short name]

Regulation says: [requirement, quoted or paraphrased]
We currently: [what `~/.claude/plugins/config/claude-for-legal/ai-governance-legal/CLAUDE.md` / AI policy / use case registry / assessment
practice shows]
Gap: [None | Partial | Full]
If partial/full — what's missing: [specific — not "more documentation" but
"no human review step is documented for [use case category]"]
Effort to close: [Policy update only | Process change | Product/system change |
New assessment required | Vendor renegotiation | Registration / filing]
Risk of non-compliance: [penalty range, enforcement likelihood, reputational]
```

Step 4: Prioritize
Not every gap is equal. Sort by:
- Hard deadline with teeth — effective date + active enforcement + real penalties
- Prohibited practice — if the gap is a prohibition, not a process requirement, that's the first priority regardless of enforcement date
- Effort-to-impact ratio — updating policy language is cheap; adding human oversight to a deployed system is not
- Use case overlap — gaps that affect multiple use cases in the registry are higher priority than single-use-case gaps
Step 5: Remediation plan
```markdown
[WORK-PRODUCT HEADER — per plugin config ## Outputs — differs by role; see `## Who's using this`]

Remediation Plan: [Regulation name]

Effective date: [date]
Enforcement begins: [date if different]
Applies to us as: [Builder / Deployer / Both]

Must-do before enforcement

| Gap | Fix | Owner | Due | Status |
|---|---|---|---|---|
| [gap] | [specific fix] | [name] | [date] | [ ] |

Should-do (important but not blocking enforcement)

[same table]

Already compliant

[list of requirements where gap = None — useful context for the legal/executive
summary of where you actually stand]

Accepted gaps (risk accepted, not fixing)

[if any — with documented rationale and who accepted the risk. Documenting accepted
risk is better governance than leaving it unaddressed silently.]

---
```

Research the regulation before building the gap analysis
Do not rely on hardcoded reference tables for specific regimes. For each regulation in scope, research the currently operative text:
- Which obligations apply to the company's role (provider/builder, deployer, importer, distributor)?
- Which tier does the system fall into under the regime's own classification (prohibited / high-risk / limited-risk / minimal, or the regime's equivalent)?
- What are the live vs. phase-in dates for each obligation?
- Are there delegated acts, implementing acts, or regulator guidance that affect interpretation?
- For builder contexts: are there model-level obligations (technical documentation, training data transparency, copyright compliance, systemic-risk testing)?
- For prohibited-practice categories: check any use case in the registry that might touch them and flag as critical regardless of enforcement date.
Cite primary sources with pinpoint references. Flag ambiguity for attorney judgment.

No silent supplement. If a research query to the configured legal research tool (Westlaw, EUR-Lex, regulator sites, or firm platform) returns few or no results for a regime's text, delegated act, or guidance, report what was found and stop. Do NOT fill the gap from web search or model knowledge without asking. Say: "The search returned [N] results from [tool]. Coverage appears thin for [regime / topic]. Options: (1) broaden the search query, (2) try a different research tool, (3) search the web — results will be tagged `[web search — verify]` and should be checked against the issuing authority before relying, or (4) flag as unverified and stop. Which would you like?" A lawyer decides whether to accept lower-confidence sources.

Source attribution tiering. Tag every citation in the gap analysis with its source. For model-knowledge citations, use one of three tiers rather than a single blanket "verify" tag:
- `[settled]` — stable, well-known statutory and regulatory references unlikely to have changed (e.g., GDPR Art. 22, the existence of Regulation (EU) 2024/1689 as the EU AI Act, Colorado AI Act as C.R.S. § 6-1-1701 et seq.). Still verify before filing, but lower priority.
- `[verify]` — model-knowledge citations that are real but should be verified: specific delegated / implementing acts, regulator guidance, standards, enforcement actions, case holdings, thresholds, effective dates, phase-in provisions, harmonized-standards references.
- `[verify-pinpoint]` — pinpoint citations (specific article numbers, annex references, subsection letters, paragraph numbers, standard-clause references) carry the highest fabrication risk and should ALWAYS be verified against a primary source. EU AI Act article numbers in particular shifted during consolidation; every pinpoint cite to the Act should be verified against the Official Journal text.

Tool-retrieved citations keep their source tag (`[Westlaw]`, `[EUR-Lex]`, `[regulator site]`, or the MCP tool name); web-search citations remain `[web search — verify]`; user-supplied citations remain `[user provided]`. The tiering surfaces the real verification work — a reader who verifies everything verifies nothing. Never strip or collapse the tags.

For non-lawyer users, uncertain dates, thresholds, and phase-in provisions go in a confirm-list, not inline. A `[verify]` tag on "effective February 1, 2026" reads as "effective February 1, 2026" to a non-lawyer who doesn't know what the tag means. Read `## Who's using this` in `~/.claude/plugins/config/claude-for-legal/ai-governance-legal/CLAUDE.md`. If Role is Non-lawyer and a date, deadline, phase-in, threshold, or effective-date assertion is uncertain (would carry `[verify]` or `[verify-pinpoint]` if inline), replace the inline assertion with "effective date: confirm with counsel" (or "threshold: confirm with counsel") and collect all uncertain items in a final gap-analysis section titled: "Things I'm not certain about — ask your attorney to confirm before relying on this:" with each item listed (what I said, what's uncertain, why it matters to the gap). Lawyer-role users keep the inline `[verify]` treatment.
Integration with other skills
From aia-generation: AIAs flag regulatory obligations for specific
systems → those feed here when a regulation is new or coverage is uncertain.
From use case triage: Newly triaged use cases that hit regulatory triggers →
gap analysis runs on the specific requirement for that use case type.
To regulatory-legal plugin, if the plugin is installed: This skill is the manual
version. The monitor plugin watches feeds and triggers this analysis automatically
when something relevant changes.
Output
Save as a dated markdown doc. The remediation plan table becomes a tracker — update
status as items close.
If the gap analysis concludes "no gaps, we're compliant," still write the doc. It's
useful evidence that you looked, and useful baseline when the regulation is amended.
Cite check before relying on this. Citations here were generated by an AI model and have not been verified against primary sources. Before relying on any citation — statute, regulation, delegated act, guidance, or case — run a verification pass against a legal research tool (Westlaw, CourtListener, or your firm's platform) for accuracy, currency, and subsequent history. Fabricated or misquoted citations in filed materials have resulted in sanctions. Source tags on each citation (e.g., `[EUR-Lex]`, `[web search — verify]`) show where it came from; `verify` tags carry higher fabrication risk and should be checked first.

Close with the next-steps decision tree
End with the next-steps decision tree per CLAUDE.md `## Outputs`. Customize the options to what this skill just produced — the five default branches (draft the X, escalate, get more facts, watch and wait, something else) are a starting point, not a lock-in. The tree is the output; the lawyer picks.

What this skill does not do
- It doesn't interpret ambiguous regulatory language authoritatively. The EU AI Act in particular has significant interpretive questions that aren't resolved yet. When the reg is genuinely ambiguous: say so, state the conservative read, and flag for outside counsel if the issue is material.
- It doesn't track regulatory changes proactively. It runs when you point it at a
change. For proactive monitoring, see the `regulatory-legal` plugin, if the plugin is installed.
- It doesn't implement fixes. It plans them.
- It doesn't substitute for sector-specific legal counsel where specialized knowledge is required (healthcare AI, financial services model risk management, etc.).