Comprehensive Rules for building, deploying, and operating AI systems that comply with modern governance, risk-management, and regulatory standards (NIST AI RMF, ISO/IEC 42001, EU AI Act).
Your AI system might be brilliant, but if it fails a regulatory audit, none of that matters. One compliance violation can shut down your entire AI operation, trigger massive fines, and destroy years of development work. The stakes have never been higher.
You're building cutting-edge AI systems, but regulatory frameworks like the EU AI Act, NIST AI RMF, and ISO/IEC 42001 are moving faster than your development cycle. Traditional compliance approaches—bolted-on audits, manual documentation, reactive risk assessments—simply don't work for modern AI systems.
The problems are real and expensive: one failed audit can cost millions and force you to rebuild from scratch.
These Cursor Rules transform compliance from a bottleneck into a competitive advantage. Instead of retrofitting compliance, you build AI systems that are compliant by design—every commit either preserves or improves your regulatory alignment.
The framework enforces compliance gates directly in your code. Compare a manual deployment with a compliance-native one:
```python
# Before: Manual compliance checking
def deploy_model(model_path: str):
    # Hope someone remembered to check compliance
    load_model(model_path)
    deploy_to_production()

# After: Compliance-native deployment
@require_risk_level("medium")
async def deploy_model(model_id: str, assessment_id: str):
    compliance_gate = ComplianceGatekeeperOperator()
    await compliance_gate.verify_deployment_approval(model_id, assessment_id)

    bias_score = await evaluate_bias_metrics(model_id)
    if bias_score > BIAS_THRESHOLD:
        raise BiasDetectionError(f"Bias score {bias_score} exceeds threshold")

    deploy_with_audit_trail(model_id, assessment_id)
```
Stop spending weeks preparing for audits. Every model automatically gets a complete compliance dossier—model cards, impact assessments, bias reports, and data lineage—all generated from your development workflow.
```python
# Model registration automatically creates audit trail
import mlflow

mlflow.sklearn.log_model(
    model,
    "fraud_detector",
    registered_model_name="fraud_detector",
    metadata={
        "risk_level": "high",
        "training_data_version": "v2.1.3",
        "bias_score": 0.032,
        "impact_assessment_id": "DPIA-2024-003",
    },
)
```
Catch compliance violations before they become incidents. Automated checks run on every commit, deployment, and model prediction—with sub-200ms latency that doesn't slow down your systems.
Instead of discovering bias months after deployment, adversarial testing runs automatically on every model version. Failed bias tests block production deployment completely.
```python
# Automated bias testing in your CI pipeline (model and test data come from pytest fixtures)
import pytest
from fairlearn.metrics import demographic_parity_difference, equalized_odds_difference

@pytest.mark.bias
def test_model_fairness(model, X_test, y_test, sensitive_features):
    y_pred = model.predict(X_test)
    # Group disparity metrics: 0.0 means no gap between protected groups
    assert demographic_parity_difference(y_test, y_pred, sensitive_features=sensitive_features) < 0.05
    assert equalized_odds_difference(y_test, y_pred, sensitive_features=sensitive_features) < 0.05
```
Built-in PII detection and anonymization that runs as part of your data pipeline—not as an afterthought. Synthetic attack testing ensures your privacy controls actually work.
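One way to wire this in is sketched below, assuming Microsoft Presidio for detection and masking. Presidio is an illustrative choice rather than part of the stack these rules mandate, and `scrub_record` is a hypothetical helper name.

```python
# Sketch: PII detection + anonymization as an in-pipeline step (Presidio assumed).
from presidio_analyzer import AnalyzerEngine
from presidio_anonymizer import AnonymizerEngine

analyzer = AnalyzerEngine()
anonymizer = AnonymizerEngine()

def scrub_record(text: str) -> str:
    """Detect PII entities and mask them before the record reaches training data."""
    findings = analyzer.analyze(text=text, language="en")
    return anonymizer.anonymize(text=text, analyzer_results=findings).text
```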
Your data scientists don't need to become compliance experts. The framework handles governance automatically while they focus on model performance.
```python
# Development workflow with automatic compliance
from pydantic import BaseModel, validator

class ComplianceModel(BaseModel):
    model_id: str
    risk_assessment: RiskLevel
    training_data: DataContract
    bias_metrics: BiasReport

    @validator('training_data')
    def validate_data_approval(cls, v):
        if not v.has_valid_approval():
            raise ComplianceValidationError("Training data not approved")
        return v
```
High-risk models require explicit approval workflows. Medium-risk models pass through automated compliance checks. Low-risk models deploy freely—all handled by policy-as-code.
```rego
# OPA policy enforcement
package ai.deployment

deny[msg] {
    input.risk_level == "high"
    not input.approved_by_compliance_officer
    msg := "High-risk models require compliance officer approval"
}
```
When something goes wrong, you have instant access to complete provenance data—from raw training data through model deployment to individual predictions.
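As a rough illustration, the sketch below pulls that provenance for a registered model version through the standard MLflow client, assuming the model was logged with the tags shown earlier; `provenance_for` is a hypothetical helper.

```python
# Sketch: assemble provenance for an incident review from the MLflow registry.
from mlflow.tracking import MlflowClient

client = MlflowClient()

def provenance_for(model_name: str, version: str) -> dict:
    mv = client.get_model_version(model_name, version)  # registered model version
    run = client.get_run(mv.run_id)                      # training run that produced it
    return {
        "model_version": mv.version,
        "run_id": mv.run_id,
        "tags": mv.tags,                  # risk_level, training_data_version, impact_assessment_id
        "params": run.data.params,        # training configuration
        "artifact_uri": run.info.artifact_uri,  # model artefacts and logged data references
    }
```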
```bash
# Add to your project
pip install mlflow great-expectations aif360 fairlearn structlog
pip install fastapi pydantic sqlalchemy
```
```python
# compliance/config.py
RISK_LEVELS = {
    "low": {"approval_required": False, "bias_threshold": 0.1},
    "medium": {"approval_required": True, "bias_threshold": 0.05},
    "high": {"approval_required": True, "bias_threshold": 0.02},
}
```
```yaml
# .github/workflows/compliance.yml
name: AI Compliance
on: [push, pull_request]

jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Bias Testing
        run: pytest tests/bias/ --cov --cov-fail-under=90
      - name: Privacy Testing
        run: python scripts/privacy_attack_simulation.py
      - name: Policy Validation
        run: opa test policies/
```
```python
# monitoring/compliance_monitor.py
async def monitor_model_predictions():
    """Continuous compliance monitoring in production"""
    predictions = await get_recent_predictions()
    for prediction in predictions:
        if detect_bias_drift(prediction):
            await trigger_compliance_alert(prediction.model_id)
        if detect_privacy_leak(prediction):
            await emergency_model_rollback(prediction.model_id)
```
The payoff: immediate impact, strategic benefits, and team productivity.
Stop treating compliance as technical debt. Make it your competitive advantage. Your AI systems can be both innovative and bulletproof—these Cursor Rules show you exactly how to build them.
The regulatory landscape isn't slowing down. The question is: will your AI systems be ready?
You are an expert in Python 3.11, FastAPI, Pydantic, SQLAlchemy, MLflow, DVC, Great Expectations, GitHub Actions, Docker, Kubernetes, Terraform, AWS, and Open Policy Agent.
Key Principles
- Treat compliance as a first-class feature: every commit must either preserve or improve regulatory alignment.
- Adopt an AI-governance framework (NIST AI RMF + ISO/IEC 42001) to drive policies, roles, and lifecycle documentation.
- Follow a risk-based approach: apply stricter controls, testing, and approvals for high-risk models and data assets.
- Ensure transparency and traceability by default: every dataset, model, and decision has a verifiable audit trail.
- Embed privacy-by-design and security-by-default; data minimisation and anonymisation are non-negotiable.
- Prefer functional, immutable data transformations; avoid hidden state that complicates audits (see the sketch after this list).
- All code, configs, and infra are version-controlled, peer-reviewed, and linked to corresponding risk assessments.
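A small sketch of what the immutable-transformation and audit-trail principles can look like in practice. The helper names and the use of pandas are illustrative assumptions, not a prescribed API.

```python
# Sketch: pure transformation + content hash for the audit trail (pandas assumed;
# helper names are illustrative).
import hashlib
import pandas as pd

def drop_direct_identifiers(df: pd.DataFrame, columns: list[str]) -> pd.DataFrame:
    """Return a new frame instead of mutating the input; easier to audit and replay."""
    return df.drop(columns=columns)

def dataset_hash(df: pd.DataFrame) -> str:
    """Stable content hash used to reference this exact dataset in logs and model tags."""
    row_hashes = pd.util.hash_pandas_object(df, index=True).values
    return hashlib.sha256(row_hashes.tobytes()).hexdigest()
```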
Python
- Use Python 3.11 syntax with full static typing. The `typing` module is mandatory; enable `mypy --strict` in CI.
- Define data contracts with `pydantic.BaseModel`; validation errors must bubble up as `HTTP_422` (FastAPI) or custom `ComplianceValidationError`.
- Module naming: `snake_case`; avoid acronyms that are not explained in `README.md`, to keep transparency.
- File order: imports → constants → pydantic models → pure functions → impure functions → CLI/API adapters.
- Disallow wildcard imports and relative imports that jump more than one directory (`from ..something import x`).
- Logging: use the `structlog` wrapper; include `request_id`, `model_version`, `dataset_hash`, and `risk_level` in every log line (see the sketch after this list).
- Secrets: must be injected via environment variables managed by AWS Secrets Manager or Vault; never committed.
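A minimal sketch of the logging convention from the bullet above; the field values are placeholders.

```python
# Sketch: structlog with the mandated context fields bound once per request.
import structlog

structlog.configure(
    processors=[
        structlog.processors.TimeStamper(fmt="iso"),
        structlog.processors.JSONRenderer(),
    ]
)

log = structlog.get_logger().bind(
    request_id="req-123",                 # placeholder values for illustration
    model_version="fraud_detector:7",
    dataset_hash="sha256:ab12...",
    risk_level="high",
)
log.info("prediction_served", latency_ms=42)
```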
Error Handling & Validation
- Create a domain exception tree rooted at `ComplianceError`.
• `ComplianceValidationError` – bad input data or schema mismatch.
• `BiasDetectionError` – bias metrics exceed thresholds.
• `PrivacyBreachError` – PII leak detected.
• `AuditTrailError` – missing or corrupted provenance metadata.
- Guard clauses first; use early returns to avoid deep nesting.
- All exceptions propagate through a single FastAPI exception handler that returns a JSON body `{code, message, remediation, trace_id}` (see the sketch after this list).
- Persist error events to an immutable log store (e.g., S3 + Object Lock) for regulatory audits.
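A minimal sketch of the exception tree and the single handler described above. The `code` and `remediation` strings and the trace-id source are assumptions; the remaining subclasses follow the same pattern.

```python
# Sketch: domain exception tree plus one FastAPI handler rendering
# {code, message, remediation, trace_id}. Codes and remediation text are illustrative.
import uuid
from fastapi import FastAPI, Request
from fastapi.responses import JSONResponse

class ComplianceError(Exception):
    code = "COMPLIANCE_ERROR"
    remediation = "Contact the compliance team."

class ComplianceValidationError(ComplianceError):
    code = "VALIDATION_FAILED"
    remediation = "Fix the input schema or data-approval metadata and retry."

class BiasDetectionError(ComplianceError):
    code = "BIAS_THRESHOLD_EXCEEDED"
    remediation = "Re-train with mitigations and re-run the bias suite."

# PrivacyBreachError and AuditTrailError are defined the same way.

app = FastAPI()

@app.exception_handler(ComplianceError)
async def compliance_error_handler(request: Request, exc: ComplianceError) -> JSONResponse:
    return JSONResponse(
        status_code=422,
        content={
            "code": exc.code,
            "message": str(exc),
            "remediation": exc.remediation,
            "trace_id": request.headers.get("x-request-id", str(uuid.uuid4())),
        },
    )
```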
FastAPI (API Layer)
- All endpoints live under `/v1/` with verbs that reflect risk (`/evaluate`, `/assess-compliance`).
- Apply a dependency-injected `require_risk_level("medium")` guard to gate higher-risk operations (sketched after this list).
- Use `async def` endpoints and `async SQLAlchemy` sessions for scalability.
- Auto-generate OpenAPI docs; enrich with `x-regulation` metadata (e.g., `{"x-regulation": "EU_AI_Act.HighRisk"}`).
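The sketch below shows one way to model the `require_risk_level` guard as a FastAPI dependency together with the `x-regulation` OpenAPI metadata. The guard's internals are an assumption; only the usage pattern comes from these rules.

```python
# Sketch: risk-gated endpoint with x-regulation metadata.
from fastapi import Depends, FastAPI, HTTPException

app = FastAPI()

def require_risk_level(max_level: str):
    async def _check(assessment_id: str) -> str:
        # Assumed check: verify the referenced risk assessment covers this level.
        if not assessment_id:
            raise HTTPException(status_code=403, detail="Missing risk assessment")
        return assessment_id
    return _check

@app.post(
    "/v1/models/{model_id}/evaluate",
    openapi_extra={"x-regulation": "EU_AI_Act.HighRisk"},
)
async def evaluate_model(
    model_id: str,
    assessment_id: str = Depends(require_risk_level("medium")),
) -> dict:
    return {"model_id": model_id, "assessment_id": assessment_id, "status": "queued"}
```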
MLflow & MLOps
- Register every model with tags: `risk_level`, `training_data_version`, `bias_score`, `impact_assessment_id`.
- Block promotion to the `Production` stage unless automated bias, privacy, and performance checks pass (see the sketch after this list).
- Store model artefacts with checksum and signature (Sigstore) to prevent tampering.
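A sketch of the tagging and gated-promotion bullets above using the MLflow client API; the aggregated `checks_passed` flag stands in for the results of the bias, privacy, and performance suites.

```python
# Sketch: tag a registered model version, then gate its promotion to Production.
from mlflow.tracking import MlflowClient

client = MlflowClient()

def promote_if_compliant(name: str, version: str, checks_passed: bool) -> None:
    """checks_passed aggregates the automated bias / privacy / performance results."""
    for key, value in {
        "risk_level": "high",
        "training_data_version": "v2.1.3",
        "bias_score": "0.032",
        "impact_assessment_id": "DPIA-2024-003",
    }.items():
        client.set_model_version_tag(name, version, key, value)

    if not checks_passed:
        raise RuntimeError(f"Promotion of {name} v{version} blocked: compliance checks failed")

    client.transition_model_version_stage(name, version, stage="Production")
```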
Data Pipelines (Airflow or Prefect)
- Each DAG must start with a `ComplianceGatekeeperOperator` that: (1) verifies data source approval, (2) checks anonymisation status, (3) confirms an up-to-date impact assessment (a skeleton is sketched after this list).
- Use Great Expectations checkpoints on every dataset; failures halt downstream tasks.
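A skeleton of the gatekeeper operator described in the first bullet above, written as an Airflow custom operator. The three private check methods are stubs standing in for calls to your approval registry, anonymisation scanner, and impact-assessment store.

```python
# Sketch: skeleton of the gatekeeper operator; the check methods are stubs to be
# wired to real systems.
from airflow.models.baseoperator import BaseOperator

class ComplianceGatekeeperOperator(BaseOperator):
    def __init__(self, dataset_id: str, **kwargs) -> None:
        super().__init__(**kwargs)
        self.dataset_id = dataset_id

    def execute(self, context) -> None:
        # Any failed check raises and halts every downstream task in the DAG.
        if not self._source_approved(self.dataset_id):
            raise ValueError(f"Data source {self.dataset_id} lacks approval")
        if not self._anonymisation_verified(self.dataset_id):
            raise ValueError(f"Dataset {self.dataset_id} failed anonymisation checks")
        if not self._impact_assessment_current(self.dataset_id):
            raise ValueError(f"Impact assessment for {self.dataset_id} is stale")

    def _source_approved(self, dataset_id: str) -> bool:
        raise NotImplementedError  # wire to your data-approval registry

    def _anonymisation_verified(self, dataset_id: str) -> bool:
        raise NotImplementedError  # wire to your PII / anonymisation scanner

    def _impact_assessment_current(self, dataset_id: str) -> bool:
        raise NotImplementedError  # wire to your impact-assessment store
```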
Testing
- Unit tests: 90 % coverage minimum; use `pytest --cov --cov-fail-under=90`.
- Bias tests: implement adversarial testing (`aif360` or `fairlearn`) in `tests/bias/`.
- Privacy tests: use synthetic attack suites to detect potential re-identification.
- Contract tests: validate the OpenAPI schema against pydantic models using `schemathesis` (see the sketch after this list).
- CI must include a compliance stage running all above plus `opa test policies/`.
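A minimal contract-test sketch with `schemathesis`; the service URL is a placeholder assumption.

```python
# Sketch: contract tests that exercise every documented operation against the
# live OpenAPI schema. The URL is a placeholder.
import schemathesis

schema = schemathesis.from_uri("http://localhost:8000/openapi.json")

@schema.parametrize()
def test_api_contract(case):
    # Sends a generated request and validates the response against the schema.
    case.call_and_validate()
```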
Performance & Scalability
- Real-time compliance checks must respond < 200 ms P95. Load-test with `k6`; store scripts under `load_tests/`.
- Flag latency regressions > 10 % as `PerformanceRiskError` and block merge.
Security
- Enable OPA sidecar in Kubernetes for policy enforcement (`deny if risk_level == "high" && !approved`).
- Network policies: only allow egress to whitelisted compliance APIs.
- Enable S3 bucket encryption (AES-256) and versioning.
Documentation & Auditability
- Every repo must include `/docs/compliance/` containing:
• `governance-model.md` – roles, responsibilities.
• `data-inventory.csv` – sources and classifications.
• `model-cards/` – one `*.md` per model (bias, performance, risk level, mitigations).
• `impact-assessments/` – ISO/IEC 42005 forms.
- Use `mkdocs-material` with built-in search; auto-deploy to an internal site via GitHub Pages.
CI/CD (GitHub Actions)
- Workflow order: lint → type-check → unit tests → compliance tests → security scan (Trivy) → build image → deploy to staging.
- Require signed commits; `CODEOWNERS` must include `@compliance-team`.
- Block merges on any compliance check failure; only `compliance-officers` can override.
Tooling & Automation
- Integrate Cyera for data discovery; scan daily and raise alerts for new PII.
- Use Sprinto for automated GRC reporting; export weekly reports to `s3://compliance/reports/`.
- Vanta workflows monitor vendor SaaS; sync exceptions to Jira under the `COMPLIANCE` project.
Common Pitfalls & Mitigations
- Hidden data lineage → enforce data-catalog registration hooks in ETL jobs.
- Model drift causing untracked bias → schedule `mlflow.evaluate()` nightly; bias > 5 % triggers rollback (see the sketch after this list).
- Silent dependency updates → lock versions in `poetry.lock`; renovate PRs require compliance review.
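A simplified sketch of the nightly bias-drift job from the pitfall above. It computes demographic parity directly with fairlearn rather than going through `mlflow.evaluate()`, and the import path for the domain exception is assumed.

```python
# Sketch: nightly bias-drift check with rollback. fairlearn is used directly here
# as a simplification; the exception import path is an assumption.
from fairlearn.metrics import demographic_parity_difference
from mlflow.tracking import MlflowClient

from compliance.errors import BiasDetectionError  # assumed module for the exception tree

BIAS_DRIFT_THRESHOLD = 0.05
client = MlflowClient()

def nightly_bias_check(name: str, version: str, y_true, y_pred, sensitive_features) -> None:
    drift = demographic_parity_difference(y_true, y_pred, sensitive_features=sensitive_features)
    if drift > BIAS_DRIFT_THRESHOLD:
        # Demote the offending version and surface the incident to the owners.
        client.transition_model_version_stage(name, version, stage="Archived")
        raise BiasDetectionError(f"Bias drift {drift:.3f} exceeds {BIAS_DRIFT_THRESHOLD}")
```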
Glossary (keep updated)
- AI RMF: NIST AI Risk Management Framework
- DPIA: Data Protection Impact Assessment
- ICAI: Independent Compliance & Audit Interface