Compliance Tool - Multi-Agent System for EU AI Act, GDPR, and BSI Compliance

A comprehensive command-line tool for automated compliance assessments of AI systems according to the EU AI Act, General Data Protection Regulation (GDPR), and guidelines from the Federal Office for Information Security (BSI).

Overview

The Compliance Tool implements a multi-agent system with three specialized agents:

• Legal-Analyst: Evaluates high-risk classification, provider and deployer obligations according to the EU AI Act
• Privacy-Agent: Analyzes data protection compliance, legal bases, and processing obligations according to GDPR
• BSI-Security-Agent: Verifies technical security measures and IT baseline protection requirements

The system supports Human-in-the-Loop (HITL) interventions for clarification requests and maintains a persistent memory of learned facts.

Requirements

• Python 3.12 or higher
• uv (Python package manager)
• OpenAI-compatible API or local LLM (e.g., Ollama with Gemma model)
• At least 8 GB RAM for vector search and PDF processing
• SQLite3 (included by default in Python)

Installation

1. Basic Setup

cd comptool
uv sync

2. Initialize Database

uv run python main.py db init
uv run python main.py db seed

This creates the SQLite database with the required tables for applications, assessments, and logging.

3. Legal Documents (Optional)

Place the following PDF documents in data/docs/:

• EU AI Act PDF
• GDPR/DSGVO PDF
• BSI Guidelines PDF

Then load them into the vector search database:

uv run python main.py pdf load

4. Configuration

Copy .env.example to .env and configure your API settings:

cp .env.example .env

Edit .env with your settings:

OPENAI_MODEL=gemma4:e2b
OPENAI_BASE_URL=http://localhost:11434/v1
OPENAI_API_KEY=
OPENAI_EMBEDDING_MODEL=nomic-embed-text-v2-moe:latest
VECTOR_DB_PATH=tmp/lancedb

Usage

Command Line Interface

The CLI provides comprehensive control over all system functions:

uv run python main.py <command> [options]

Available Commands

Command	Description
status	Show system status
db init	Initialize database
db seed	Seed default data
db info	Show database information
db reset	Reset database
pdf load	Load PDF documents
pdf status	Check PDF status
pdf list	List available PDFs
pdf search "query"	Search knowledge base
app list	List applications
app create -n "name" -d "description"	Create application
app show <id>	Show application details
app delete <id>	Delete application
app update <id>	Update application
assess list	List assessments
assess create <app_id>	Create assessment
assess show <id>	Show assessment details
assess export <id> --format md	Export assessment
agent test	Test agent system
agent query "query"	Query agents
config show	Show configuration
config check	Check configuration
log list	List log entries
log export	Export logs
export report <id>	Export compliance report
health	Run health checks
clean	Clean temporary files
reset	Reset system

Quick Start

1. Initialize the database:

   uv run python main.py db init
   uv run python main.py db seed

2. Load PDF documents (optional):

   uv run python main.py pdf load

3. Create an application:

   uv run python main.py app create \
     -n "AI Chatbot for Customer Support" \
     -d "AI-powered chatbot for handling customer inquiries" \
     --department "IT" \
     --user-role "Provider" \
     --data-sources "Kundendaten"

4. Create compliance assessment:

   uv run python main.py assess create <app_id>

5. List assessments:

   uv run python main.py assess list

6. Export assessment report:

   uv run python main.py assess export <assessment_id> --format md

Application Creation Examples

Example 1: Internal HR Tool

uv run python main.py app create \
  -n "AI Employee Screening Tool" \
  -d "Automated CV screening system for HR department" \
  --department "HR" \
  --user-role "Provider" \
  --data-sources "Mitarbeiterdaten"

Example 2: Public-Facing Marketing AI

uv run python main.py app create \
  -n "AI Marketing Content Generator" \
  -d "Automated content generation for social media campaigns" \
  --department "Marketing" \
  --user-role "Provider" \
  --data-sources "Verhaltensdaten" \
  --status "review"

Example 3: Medical Diagnosis Support

uv run python main.py app create \
  -n "AI Medical Image Analysis" \
  -d "Assistive system for radiologist image interpretation" \
  --department "Forschung" \
  --user-role "Provider" \
  --data-sources "Gesundheitsdaten" \
  --status "draft"

Example 4: Financial Risk Assessment

uv run python main.py app create \
  -n "AI Credit Scoring System" \
  -d "Automated creditworthiness evaluation" \
  --department "Legal" \
  --user-role "Deployer" \
  --data-sources "Finanzdaten" \
  --status "review"

Assessment Workflow

Step-by-Step Process

1. Create Application

   uv run python main.py app create \
     -n "AI Hiring Platform" \
     -d "Automated candidate selection and interview scheduling" \
     --department "HR" \
     --user-role "Provider" \
     --data-sources "Mitarbeiterdaten" \
     --status "draft"

2. Create Assessment

   uv run python main.py assess create 1

3. List Assessments

   uv run python main.py assess list

4. View Assessment Details

   uv run python main.py assess show 1

5. Export Report

   uv run python main.py assess export 1 --format md

6. Export Logs for Audit

   uv run python main.py log export --app-id 1 --format md

Configuration

Environment Variables

Variable	Default	Description
OPENAI_MODEL	gemma4:latest	LLM model name
OPENAI_EMBEDDING_MODEL	bge-m3:latest	Embedding model name
OPENAI_BASE_URL	http://localhost:11434/v1	API endpoint URL
OPENAI_API_KEY	ollama	API key (empty for local)
VECTOR_DB_PATH	tmp/lancedb	Vector database path
KNOWLEDGE_TABLE	compliance_docs	Knowledge table name
MEMORY_DB_FILE	tmp/memory.db	Memory database file

Model Selection

The system has been tested with:

• Local: Ollama with gemma4:e2b (Gemma 4 9B)
• Cloud: OpenAI GPT-4o

Other compatible models should work but may require prompt adjustments.

Assessment Output Structure

A compliance assessment is divided into three sections:

1. EU AI Act & Legal Assessment

• Risk classification (high-risk categorization)
• Applicability of specific articles
• Provider obligations
• Deployer obligations
• Specific requirements for the use case context

2. Data Protection (GDPR)

• Legal bases for data processing
• Data protection principles (lawfulness, processing, storage limitation)
• Data subject rights (access, deletion, objection)
• Need for Data Protection Impact Assessment (DPIA)
• Data security and encryption requirements

3. IT Security & BSI Compliance

• Encryption requirements (at rest and in transit)
• Access controls and authentication
• Network security and segmentation
• Patch and update management
• Incident response planning

Human-in-the-Loop (HITL)

The system uses Agno's UserControlFlowTools for dynamic user input. When the agent needs additional information, it pauses execution and requests user input through structured fields.

How HITL Works

1. Agent identifies missing information during assessment
2. Agent calls get_user_input tool with structured field definitions
3. System pauses and displays fields to user
4. User provides input for each field
5. System continues assessment with user input
6. Agent may request additional input in multiple rounds if needed

User Input Fields

The agent may request information about:

• Application details (purpose, functionality, context)
• Data processing (types of data, volume, sensitivity)
• Regulatory scope (GDPR, BSI, specific industry regulations)
• Technical architecture (if relevant to security assessment)

CLI Commands for HITL

• intervention list - List all pending HITL interventions
• intervention answer <id> <answer> - Answer a specific intervention

Example Workflow

# Create assessment (will pause for user input if needed)
python main.py assess create 1

# List pending interventions
python main.py intervention list

# Answer an intervention
python main.py intervention answer int_20260415120000000 "Application is a web-based HR tool for employee management."

Database Schema

Applications Table

Column	Type	Description
id	INTEGER (PK)	Unique application ID
name	TEXT	Short name
description	TEXT	Detailed description
department	TEXT	Department or context
data_sources	JSON	List of data sources
user_role	TEXT	Role (Provider/Deployer)
status	TEXT	draft/review/completed
created_at	TIMESTAMP	Creation timestamp
updated_at	TIMESTAMP	Last update timestamp

Assessments Table

Column	Type	Description
id	INTEGER (PK)	Assessment ID
application_id	INTEGER (FK)	Reference to application
report_text	TEXT	Structured Markdown report
report_json	JSON	Structured data
risk_level	TEXT	high/medium/low
provider_obligations	JSON	List of obligations
deployer_obligations	JSON	List of obligations
created_at	TIMESTAMP	Creation timestamp

LogEntries Table

Column	Type	Description
id	INTEGER (PK)	Log ID
run_id	TEXT	Unique run ID
application_id	INTEGER (FK)	Application reference
entry_type	TEXT	thought/action/result
message	TEXT	Log message
created_at	TIMESTAMP	Timestamp

Testing

Run the test suite with pytest:

uv run pytest tests/
uv run pytest tests/test_mammalian_xray_compliance.py -v

See tests/README.md for details.

Known Limitations

1. Vector search is limited to PDF documents that must be manually provided
2. Assessment results depend on the LLM's knowledge and provided documents
3. HITL interventions require user interaction and may be time-intensive
4. The system is not designed for productive legal advice - results should be validated by legal professionals

Operational Recommendations

1. Regularly test with sample applications
2. Update PDF documents with the latest guidelines
3. Regularly backup the SQLite database
4. Log all assessments for audit purposes
5. Use results as a foundation, not a substitute for qualified legal advice

License

See LICENSE file.

---

Note: This tool does not generate legally binding advice. For specific legal questions, consult a qualified attorney.