# @clustral/risk-compass

May 13, 2026
Multi-jurisdiction AI risk classification. Deterministic, rule-based, explainable. Same engine that powers the live Risk Compass on clustralai.com.
Pick a domain, an AI archetype and an impact level — get back a global risk class with side-by-side verdicts under EU AI Act, NIST AI RMF, ISO/IEC 42001, OECD, Singapore Model AI Governance, China's GenAI Measures, the global privacy stack (GDPR · UK GDPR · DPDP · CCPA · LGPD · PIPEDA) and sector overlays (HIPAA · FDA SaMD · EEOC · NYC AEDT · OMB M-24-10 · CoE AI Convention).
No LLM call. No external network. Runs in any JavaScript runtime, on the edge, in CI, or in your CISO's spreadsheet via a one-line wrapper.
## Install

```bash
npm install @clustral/risk-compass
# or directly from GitHub:
npm install github:king-star-12/risk-compass
```
## Use

```js
import { compass } from "@clustral/risk-compass";

const v = compass({
  industry: "healthcare", // "publicSector" · "education" · "hr" · "retail" · "industrial" · "media" · "other"
  archetype: "generation", // "decisioning" · "classification" · "recommendation" · "automation" · "forecasting"
  impact: "regulated", // "internal" · "b2b" · "consumer" · "regulated"
});

console.log(v.class);
// → "Critical"

console.log(v.summary);
// → "Re-scope before any build. Conformity, fundamental-rights and sector reviews are mandatory."

console.log(v.scores);
// → { decisionalImpact: 9, dataSensitivity: 9.3, biasRisk: 8.7, hallucinationCost: 8.7, regulatoryLoad: 9.3 }

for (const f of v.frameworks) {
  console.log(`${f.label} (${f.region}) → ${f.verdict}`);
}
// EU AI Act (EU) → Review for Art. 5 prohibited practices
// NIST AI RMF (US / global) → Govern + Measure priority — fairness & validity controls
// ISO/IEC 42001 (Global) → Full AIMS implementation with sector annex controls
// OECD AI Principles (50+ countries) → Human-centred values, transparency & accountability obligations
// Singapore Model AI Governance (Singapore) → Apply AI Verify testing toolkit before deployment
// PRC GenAI Interim Measures (China) → Pre-launch security assessment + watermarking obligations apply for PRC users
// GDPR · UK GDPR · DPDP · CCPA · LGPD · PIPEDA (Global privacy) → Strong: DPA(s), DPIA, DPO consultation, Art. 22 / DPDP §11 review
// HIPAA / FDA SaMD / EU MDR-AI (Health) → PHI minimisation, BAAs, and software-as-medical-device classification check
```
## Why deterministic, not an LLM?

Because if you're going to use a tool to classify whether your own AI is subject to the EU AI Act, you should not use an LLM for that classification. The output needs to be:

- Auditable — the rule that produced the verdict is human-readable.
- Reproducible — the same inputs produce the same outputs forever.
- Inspectable — `matrices.industry`, `matrices.archetype` and `matrices.impact` are exported so you can see exactly how each axis is weighted.
- Fork-able — your organisation's interpretation of "high-risk" may differ from ours. Edit the matrices, ship your own variant.
A 70-billion-parameter model would not give you any of those properties.
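Reproducibility is only useful if you check it. The block below is an added example, not code from this package: it enumerates every combination of the taxonomy (8 industries × 6 archetypes × 4 impacts), builds a snapshot of the verdicts, and diffs it against a committed baseline so that any edit to the scoring matrices shows up as a reviewable list of changed combinations rather than a silent shift. The `compass` function is injected, and the `standInCompass` used here is a constructed stand-in with the documented Verdict shape, not the library's scoring logic; in a real repository you would pass the package's own `compass` and commit the snapshot as JSON.

```javascript
// Added example (not part of @clustral/risk-compass): snapshot every taxonomy
// combination and diff against a baseline to surface scoring-matrix drift.

const INDUSTRIES = ["healthcare", "publicSector", "education", "hr", "retail", "industrial", "media", "other"];
const ARCHETYPES = ["decisioning", "generation", "classification", "recommendation", "automation", "forecasting"];
const IMPACTS = ["internal", "b2b", "consumer", "regulated"];

// Build the full snapshot. Keys are stable strings so the object can be
// committed as JSON and diffed in code review.
function snapshot(compassFn) {
  const out = {};
  for (const industry of INDUSTRIES)
    for (const archetype of ARCHETYPES)
      for (const impact of IMPACTS) {
        const v = compassFn({ industry, archetype, impact });
        out[`${industry}/${archetype}/${impact}`] = {
          class: v.class,
          scores: v.scores,
          frameworks: v.frameworks.map((f) => `${f.id}:${f.verdict}`),
        };
      }
  return out;
}

// Canonical JSON with sorted keys, so two structurally equal verdicts
// serialise identically regardless of property insertion order.
function canonical(value) {
  if (Array.isArray(value)) return `[${value.map(canonical).join(",")}]`;
  if (value && typeof value === "object") {
    const body = Object.keys(value).sort().map((k) => `${JSON.stringify(k)}:${canonical(value[k])}`);
    return `{${body.join(",")}}`;
  }
  return JSON.stringify(value);
}

// Compare a committed baseline with a fresh snapshot. Returns every
// combination whose verdict changed, including keys added or removed.
function diffSnapshots(baseline, current) {
  const changed = [];
  const keys = new Set([...Object.keys(baseline), ...Object.keys(current)]);
  for (const key of [...keys].sort()) {
    const before = key in baseline ? canonical(baseline[key]) : null;
    const after = key in current ? canonical(current[key]) : null;
    if (before !== after) changed.push({ key, before: baseline[key] ?? null, after: current[key] ?? null });
  }
  return changed;
}

// Stand-in compass: constructed for this example, NOT the library's scoring
// logic. It only reproduces the documented Verdict shape so the check can run.
// `bump` simulates a matrix edit applied by the caller.
function standInCompass({ industry, archetype, impact }, bump = 0) {
  let score = { internal: 2, b2b: 4, consumer: 6, regulated: 9 }[impact] + bump;
  if (["healthcare", "publicSector", "hr"].includes(industry)) score += 1;
  if (["decisioning", "automation"].includes(archetype)) score += 1;
  const cls = score >= 10 ? "Critical" : score >= 7 ? "High" : score >= 4 ? "Limited" : "Minimal";
  return {
    class: cls,
    scores: { decisionalImpact: score, dataSensitivity: score, biasRisk: score, hallucinationCost: score, regulatoryLoad: score },
    summary: "stand-in summary",
    frameworks: [{ id: "eu", label: "EU AI Act", region: "EU", verdict: `stand-in verdict for ${cls}`, url: "" }],
  };
}

// Demo: pretend someone weighted "regulated" impact one point higher.
// Every regulated combination (48 of 192) should appear in the diff.
function demoDrift() {
  const baseline = snapshot((input) => standInCompass(input));
  const edited = snapshot((input) => standInCompass(input, input.impact === "regulated" ? 1 : 0));
  return diffSnapshots(baseline, edited);
}

console.log(`${demoDrift().length} combinations changed`);
```

In CI, serialise `canonical(snapshot(compass))` to a file, commit it, and fail the build when `diffSnapshots` is non-empty; the PR that intentionally changes a matrix then also carries the regenerated snapshot, which is exactly the review the Contributing section asks for.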
## Taxonomy

### Industry

| value | covers |
|---|---|
| healthcare | health, life-sciences, medical devices |
| publicSector | government, defence, public administration |
| education | schools, edtech, assessment |
| hr | recruiting, performance, workforce |
| retail | consumer, e-commerce |
| industrial | manufacturing, supply chain, energy, logistics |
| media | publishing, broadcast, communications, telecom |
| other | catch-all — including fintech/banking/insurance, deliberately excluded from our practice |
### Archetype

| value | covers |
|---|---|
| decisioning | approve / deny, score, allocate |
| generation | draft, summarise, synthesise content |
| classification | label, route, triage |
| recommendation | rank, suggest, personalise |
| automation | execute multi-step actions |
| forecasting | predict numerical outcomes |
### Impact

| value | covers |
|---|---|
| internal | internal users only |
| b2b | B2B customer-facing |
| consumer | consumer-facing |
| regulated | decisions about individuals with legal / material consequence |
## Outputs

`compass()` returns:

```ts
interface Verdict {
  class: "Minimal" | "Limited" | "High" | "Critical";
  scores: {
    decisionalImpact: number; // 0–10
    dataSensitivity: number;
    biasRisk: number;
    hallucinationCost: number;
    regulatoryLoad: number;
  };
  summary: string; // one-line action posture
  frameworks: FrameworkVerdict[];
}

interface FrameworkVerdict {
  id: string; // "eu" | "nist" | "iso42001" | "oecd" | "sg" | "cn" | "privacy" | "health" | "hr-laws" | "gov"
  label: string;
  region: string;
  verdict: string; // human-readable, ~1 sentence
  url: string; // canonical reference
}
```
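Because the Verdict shape above is stable, it can drive a release gate. The following is an added example, not part of this package: a CI check that walks an inventory of AI systems, each carrying the Verdict produced for it, and blocks the pipeline when a system's class exceeds the reviews recorded for it. The review policy (`REQUIRED_REVIEWS`), the review ids and the inventory are constructed for the example; only the Verdict fields and the framework `id` values come from the documented interface. In practice each `verdict` would be produced by `compass()` at build time.

```javascript
// Added example (not part of @clustral/risk-compass): a CI gate over Verdict
// objects. Policy, review ids and sample inventory are constructed here.

// Reviews that must be on file before a system may ship at a given class.
// null means the automated gate never passes; the system needs re-scoping.
const REQUIRED_REVIEWS = {
  Minimal: [],
  Limited: ["owner-signoff"],
  High: ["owner-signoff", "dpia", "framework-review"],
  Critical: null,
};

// Evaluate one system. `reviews` holds review ids on file; `reviewedFrameworks`
// holds the framework ids a human has explicitly signed off on.
function evaluateSystem(system) {
  const { name, verdict, reviews = [], reviewedFrameworks = [] } = system;
  const needed = REQUIRED_REVIEWS[verdict.class];
  const reasons = [];
  if (needed === undefined) {
    reasons.push(`unknown class "${verdict.class}"`);
    return { name, ok: false, reasons };
  }
  if (needed === null) {
    reasons.push(`class ${verdict.class}: ${verdict.summary}`);
    return { name, ok: false, reasons };
  }
  for (const r of needed) if (!reviews.includes(r)) reasons.push(`missing review: ${r}`);
  // For High, every framework the engine flagged must carry a reviewer's mark,
  // so a new overlay added to the engine cannot slip through an old approval.
  if (verdict.class === "High") {
    for (const f of verdict.frameworks) {
      if (!reviewedFrameworks.includes(f.id)) reasons.push(`unreviewed framework: ${f.label} (${f.id})`);
    }
  }
  return { name, ok: reasons.length === 0, reasons };
}

// Gate the whole inventory; `pass` is false if any system fails.
function gate(inventory) {
  const results = inventory.map(evaluateSystem);
  return { pass: results.every((r) => r.ok), results };
}

// Helper to build Verdict-shaped sample data (scores are illustrative).
function sampleVerdict(cls, summary, frameworks) {
  const s = { Minimal: 1, Limited: 4, High: 7, Critical: 9 }[cls];
  return {
    class: cls,
    scores: { decisionalImpact: s, dataSensitivity: s, biasRisk: s, hallucinationCost: s, regulatoryLoad: s },
    summary,
    frameworks,
  };
}

const EU = { id: "eu", label: "EU AI Act", region: "EU", verdict: "sample verdict", url: "" };
const PRIVACY = { id: "privacy", label: "GDPR · UK GDPR · DPDP · CCPA · LGPD · PIPEDA", region: "Global privacy", verdict: "sample verdict", url: "" };

// Constructed inventory: one clean system, one High system with a framework
// nobody has reviewed yet, and one Critical system that must be re-scoped.
const SAMPLE_INVENTORY = [
  { name: "ticket-router", verdict: sampleVerdict("Limited", "Standard controls.", [EU]), reviews: ["owner-signoff"] },
  { name: "claims-summariser", verdict: sampleVerdict("High", "Reviews required before launch.", [EU, PRIVACY]),
    reviews: ["owner-signoff", "dpia", "framework-review"], reviewedFrameworks: ["eu"] },
  { name: "benefits-eligibility", verdict: sampleVerdict("Critical", "Re-scope before any build.", [EU, PRIVACY]) },
];

const outcome = gate(SAMPLE_INVENTORY);
for (const r of outcome.results) console.log(`${r.ok ? "PASS" : "FAIL"} ${r.name}${r.reasons.length ? ": " + r.reasons.join("; ") : ""}`);
console.log(outcome.pass ? "gate passed" : "gate failed");
```

The per-framework check is the part worth keeping even if you replace the rest: when the engine grows a new overlay, the previously approved High system fails the gate until someone has looked at the new verdict, which is the behaviour you want from a deterministic classifier.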
## What this is not
This is not legal advice. It is a structured heuristic developed by AI practitioners at Clustral AI Labs, distilled from public regulatory texts and industry consensus. For a formal conformity assessment under the EU AI Act, or a DPIA under GDPR / DPDP, engage qualified counsel and a regulated-AI engineering partner. (We do that, if you're asking — business@clustralai.com.)
## Contributing

PRs welcome — particularly to:

- Add new sector overlays (we'd love HIPAA's recent OCR guidance baked in, plus India RBI / SEBI model-risk-management framings).
- Refine the per-jurisdiction verdict copy.
- Add new languages of output.
- Add a CLI (`npx @clustral/risk-compass --industry healthcare --archetype generation --impact regulated`).
Open an issue first for anything that changes the scoring matrix — those edits affect downstream interpretations and need a quick review.
## License
MIT © 2026 Clustral AI Labs Pvt. Ltd. — see LICENSE.
The taxonomy and risk matrices are released under the same MIT terms. The regulatory references and citation URLs link to the official primary sources; use of those is governed by the respective publishers' terms.
Built and maintained at www.clustralai.com · Questions: business@clustralai.com · Security: security@clustralai.com