RiskForge

Article 9 · Flagship

Guided 8-dimension risk assessment CLI with 50+ questions drawn from EU AI Act Article 9 requirements, Annex III pattern matching, and SHA-256 hash-chained audit trail. Produces a legally-defensible Risk Management File (JSON + PDF) that satisfies Annex IV documentation requirements, in approximately 30 minutes instead of weeks of consulting work.

Quick Start

pip install riskforge

# 1. Register your AI system
riskforge init \
  --name "Loan Scoring Model" \
  --sys-version "2.1" \
  --purpose "Automated credit scoring for retail loan applications." \
  --provider "Acme Financial Services" \
  --category essential_services

# 2. Run the guided 8-dimension risk assessment
riskforge assess <system-id> \
  --assessor-name "Alice Chen" \
  --assessor-role "AI Governance Lead"

# 3. Check completeness before export (8 validation gates)
riskforge validate <system-id>

# 4. Export your Article 9 Risk Management File
riskforge export <system-id> --format pdf --output rmf.pdf
riskforge export <system-id> --format json --output rmf.json

Features

  • 8 risk dimensions mapped to Article 9 obligations with 50+ guided questions
  • Annex III pattern matching — pre-populates risk items for known high-risk scenarios (credit scoring, hiring, facial recognition, medical diagnosis)
  • 5×5 likelihood × severity scoring matrix with automatic risk band classification
  • 8 pre-export validation gates (dimension coverage, vulnerable groups, vague mitigation detection)
  • SHA-256 hash-chained audit trail — tamper-evident, verifiable with `riskforge verify` (exits with code 2 on corruption)
  • JSON, PDF (WeasyPrint), and Markdown export formats
  • Integration adapters for rag-benchmarking and TraceForge — import evidence directly
  • Cross-framework mapping: NIST AI RMF, ISO/IEC 42001, Colorado AI Act, Texas HB 1709
  • Zero outbound network calls in CLI mode — enforced by pytest-socket CI gate

EU AI Act Context

Article 9 · Risk Management

Produces audit-ready Article 9 risk management files for high-risk AI systems. Covers all 8 EU AI Act risk dimensions — health & safety, fundamental rights, discrimination, privacy, transparency, human oversight, robustness, and data governance — with cross-maps to NIST AI RMF and ISO/IEC 42001.

Known Limitations

  • Produces documented evidence for Article 9 compliance — does not substitute for qualified legal counsel or notified body conformity assessment.
  • Question bank covers 50+ questions across 8 risk dimensions; specialised sector questions (e.g. medical devices) may require custom additions.
  • Interactive assessment requires a terminal — CI/CD integration uses the engine layer directly.
  • PDF export via WeasyPrint — some complex layouts may require HTML/CSS customisation.
  • Apache 2.0 licensed; no warranty of legal compliance.

For the most current status, see GitHub issues.

Contributing

Contributions are welcome — Apache 2.0 licensed. See the contributing guide and open issues.

License

Licensed under the Apache License 2.0.

The Compound Moat

One tool is a start. The chain is the moat.

Each AiExponent tool produces structured evidence the next tool consumes. Browse the full toolchain — from Article 5 screening through Article 72 post-market monitoring.
