
quick_risk_class

Classify AI risk across EU AI Act, NIST, ISO, and sector-specific regulations in 30 seconds. Deterministic, no LLM calls, same inputs always produce same outputs.

Instructions

30-second deterministic multi-jurisdiction AI risk classification across EU AI Act, NIST AI RMF, ISO/IEC 42001, OECD, Singapore Model AI Governance, GDPR, and sector-specific overlays (HIPAA, NYC AEDT, Colorado SB 24-205). No LLM call. Same inputs always produce same outputs. Use this for quick orientation before deeper analysis.

Input Schema

Name | Required | Description | Default
industry | Yes | Industry vertical. Use 'other' for fintech/banking/insurance. | (none)
archetype | Yes | What the AI primarily does: decisioning (approve/deny, score, allocate), generation (draft, summarise), classification (label, route, triage), recommendation (rank, suggest), automation (multi-step actions), forecasting (predict outcomes). | (none)
impact | Yes | Who is affected: internal (employee-only), b2b (business customers), consumer (end users), regulated (healthcare, finance, public sector). | (none)

Implementation Reference

  • The classifyRisk() function is the core deterministic handler for the quick_risk_class tool. It computes risk scores across 5 axes (decisionalImpact, dataSensitivity, biasRisk, hallucinationCost, regulatoryLoad) by averaging the industry, archetype, and impact weights for each axis, then maps the maximum of the decisionalImpact, biasRisk and regulatoryLoad scores to a risk class (Critical/High/Limited/Minimal) and returns multi-jurisdiction framework verdicts plus sector overlays.
    function classifyRisk(industry: string, archetype: string, impact: string) {
      // Look up own keys only: on a plain object, an input such as "constructor"
      // would otherwise resolve to an inherited property, pass the check below and
      // produce NaN scores that silently fall through to "Minimal".
      const i = Object.prototype.hasOwnProperty.call(INDUSTRY_W, industry) ? INDUSTRY_W[industry] : undefined;
      const a = Object.prototype.hasOwnProperty.call(ARCHETYPE_W, archetype) ? ARCHETYPE_W[archetype] : undefined;
      const p = Object.prototype.hasOwnProperty.call(IMPACT_W, impact) ? IMPACT_W[impact] : undefined;
    
      if (!i || !a || !p) {
        throw new Error(`Invalid input. industry must be one of: ${Object.keys(INDUSTRY_W).join(", ")}. archetype: ${Object.keys(ARCHETYPE_W).join(", ")}. impact: ${Object.keys(IMPACT_W).join(", ")}.`);
      }
    
      const scores: Record<string, number> = {};
      for (let k = 0; k < 5; k++) {
        scores[AXES[k]] = r1((i[k] + a[k] + p[k]) / 3);
      }
    
      const m = Math.max(scores.decisionalImpact, scores.biasRisk, scores.regulatoryLoad);
      let cls: string, summary: string;
      if (m >= 9) {
        cls = "Critical";
        summary = "Re-scope before any build. Conformity assessment, fundamental-rights review and sector-specific approvals are mandatory before deployment.";
      } else if (m >= 7) {
        cls = "High";
        summary = "Engineer for conformity assessment, fairness evaluation and tamper-evident audit trail from day one. Annex III obligations apply.";
      } else if (m >= 5) {
        cls = "Limited";
        summary = "Ship with transparency disclosures, output grounding and a documented incident-response plan. Article 50 transparency applies.";
      } else {
        cls = "Minimal";
        summary = "Move fast — but maintain an audit trail and basic ISO/IEC 42001 hygiene. Re-classify when scope changes.";
      }
    
      const di = scores.decisionalImpact, br = scores.biasRisk, rl = scores.regulatoryLoad, hc = scores.hallucinationCost, ds = scores.dataSensitivity;
    
      const frameworks = [
        {
          id: "eu_ai_act",
          label: "EU AI Act",
          region: "EU",
          verdict:
            di >= 9
              ? "Review for Art. 5 prohibited practices before any deployment."
              : (di >= 7 || impact === "regulated")
                ? "High-risk system — full Annex III obligations apply (Articles 9–15, 26, 27)."
                : di >= 5
                  ? "Limited risk — Article 50 transparency duties apply (user notification + content labelling)."
                  : "Minimal risk — voluntary best-practice + ISO/IEC 42001 alignment.",
        },
        {
          id: "nist_ai_rmf",
          label: "NIST AI RMF",
          region: "US / global",
          verdict:
            br >= 8
              ? "Govern + Measure priority — fairness, validity and reliability controls."
              : hc >= 7
                ? "Measure + Manage — robustness and reliability emphasis."
                : "Map + Govern — full functional alignment across all four functions.",
        },
        {
          id: "iso_42001",
          label: "ISO/IEC 42001",
          region: "Global",
          verdict:
            rl >= 8
              ? "Full AIMS implementation with sector annex controls (Clauses 4–10)."
              : rl >= 6
                ? "Core AIMS implementation with documented risk treatment plan."
                : "Lightweight AIMS aligned with existing ISO 27001 program.",
        },
        {
          id: "oecd",
          label: "OECD AI Principles",
          region: "50+ countries",
          verdict: (br >= 7 || di >= 7)
            ? "Human-centred values, transparency and accountability obligations."
            : "Standard accountability + transparency posture sufficient.",
        },
        {
          id: "singapore",
          label: "Singapore Model AI Governance",
          region: "Singapore",
          verdict: (impact === "consumer" || impact === "regulated")
            ? "Apply AI Verify testing toolkit before deployment."
            : "Internal governance committee + risk impact assessment.",
        },
        {
          id: "gdpr",
          label: "GDPR · UK GDPR · DPDP · CCPA · LGPD · PIPEDA",
          region: "Global privacy",
          verdict: ds >= 7
            ? "Strong: DPA(s), DPIA, DPO consultation, Article 22 / DPDP §11 automated-decision review."
            : "Standard: lawful basis, transparency notices, data subject rights operationalised.",
        },
      ];
    
      // PRC GenAI overlay
      if (archetype === "generation") {
        frameworks.push({
          id: "prc_genai",
          label: "PRC GenAI Interim Measures",
          region: "China",
          verdict: "Pre-launch security assessment + watermarking obligations apply for PRC users.",
        });
      }
    
      // Sector overlays
      if (industry === "healthcare") {
        frameworks.push({
          id: "hipaa_fda_samd",
          label: "HIPAA / FDA SaMD / EU MDR-AI",
          region: "Health",
          verdict: "PHI minimisation, BAAs, and software-as-medical-device classification check required.",
        });
      } else if (industry === "hr") {
        frameworks.push({
          id: "us_employment",
          label: "EEOC + NYC AEDT + Colorado SB 24-205",
          region: "US employment",
          verdict: "Pre-deployment bias audit + candidate notice + annual disparate-impact testing.",
        });
      } else if (industry === "publicSector") {
        frameworks.push({
          id: "us_public_sector",
          label: "OMB M-24-10 + CoE AI Convention",
          region: "Public sector",
          verdict: "Rights-impact assessment + public AI use case inventory + human rights safeguards.",
        });
      }
    
      return {
        class: cls,
        summary,
        scores,
        frameworks,
        methodology: "Deterministic, rule-based classification. Same inputs always produce the same outputs. Logic adapted from @clustral/risk-compass (MIT). Triple-framework methodology by eucomplyhub.com.",
        disclaimer: "This is a high-level orientation tool, not legal advice. For binding compliance mapping, consult an expert. See https://eucomplyhub.com/risk-class for the interactive web version.",
      };
    }
  • The CallToolRequestSchema handler dispatches 'quick_risk_class' requests to classifyRisk(). It extracts industry/archetype/impact arguments, calls classifyRisk(), and returns the JSON-stringified result or an error message.
    server.setRequestHandler(CallToolRequestSchema, async (request) => {
      const { name, arguments: args } = request.params;
    
      if (!args) {
        throw new Error("Missing arguments");
      }
    
      if (name === "quick_risk_class") {
        const { industry, archetype, impact } = args as {
          industry: string;
          archetype: string;
          impact: string;
        };
    
        try {
          const result = classifyRisk(industry, archetype, impact);
          return {
            content: [
              {
                type: "text",
                text: JSON.stringify(result, null, 2),
              },
            ],
          };
        } catch (err: any) {
          return {
            content: [
              {
                type: "text",
                text: `Error: ${err.message}`,
              },
            ],
            isError: true,
          };
        }
      }
    
      // Dispatch for the other tools (e.g. classify_annex3) is not part of this excerpt.
      throw new Error(`Unknown tool: ${name}`);
    });
  • Input schema for quick_risk_class tool: three required string parameters (industry with 8 enum values, archetype with 6 enum values, impact with 4 enum values).
    inputSchema: {
      type: "object",
      properties: {
        industry: {
          type: "string",
          enum: ["healthcare", "publicSector", "education", "hr", "retail", "industrial", "media", "other"],
          description: "Industry vertical. Use 'other' for fintech/banking/insurance.",
        },
        archetype: {
          type: "string",
          enum: ["decisioning", "generation", "classification", "recommendation", "automation", "forecasting"],
          description: "What the AI primarily does: decisioning (approve/deny, score, allocate), generation (draft, summarise), classification (label, route, triage), recommendation (rank, suggest), automation (multi-step actions), forecasting (predict outcomes).",
        },
        impact: {
          type: "string",
          enum: ["internal", "b2b", "consumer", "regulated"],
          description: "Who is affected: internal (employee-only), b2b (business customers), consumer (end users), regulated (healthcare, finance, public sector).",
        },
      },
      required: ["industry", "archetype", "impact"],
    },
  • src/index.ts:218-281 (registration)
    Tool registration via ListToolsRequestSchema, defining the tool's name 'quick_risk_class', description, and input schema for the MCP server.
    server.setRequestHandler(ListToolsRequestSchema, async () => {
      return {
        tools: [
          {
            name: "quick_risk_class",
            description:
              "30-second deterministic multi-jurisdiction AI risk classification across EU AI Act, NIST AI RMF, ISO/IEC 42001, OECD, Singapore Model AI Governance, GDPR, and sector-specific overlays (HIPAA, NYC AEDT, Colorado SB 24-205). No LLM call. Same inputs always produce same outputs. Use this for quick orientation before deeper analysis.",
            inputSchema: {
              type: "object",
              properties: {
                industry: {
                  type: "string",
                  enum: ["healthcare", "publicSector", "education", "hr", "retail", "industrial", "media", "other"],
                  description: "Industry vertical. Use 'other' for fintech/banking/insurance.",
                },
                archetype: {
                  type: "string",
                  enum: ["decisioning", "generation", "classification", "recommendation", "automation", "forecasting"],
                  description: "What the AI primarily does: decisioning (approve/deny, score, allocate), generation (draft, summarise), classification (label, route, triage), recommendation (rank, suggest), automation (multi-step actions), forecasting (predict outcomes).",
                },
                impact: {
                  type: "string",
                  enum: ["internal", "b2b", "consumer", "regulated"],
                  description: "Who is affected: internal (employee-only), b2b (business customers), consumer (end users), regulated (healthcare, finance, public sector).",
                },
              },
              required: ["industry", "archetype", "impact"],
            },
          },
          {
            name: "classify_annex3",
            description:
              "Deep Annex III classification using Claude (Anthropic) with full EU AI Act regulatory context. Maps your product against all 8 Annex III high-risk categories + Article 50 transparency + GPAI Article 53 + GPAI provider/deployer reasoning. Returns 5 priority remediation actions tailored to your stack. ~60 seconds (LLM-powered).",
            inputSchema: {
              type: "object",
              properties: {
                company: {
                  type: "string",
                  description: "Company name being classified.",
                },
                industry: {
                  type: "string",
                  description: "Industry/vertical (e.g., 'HR-tech', 'fintech', 'healthtech', 'productivity', 'voice-AI').",
                },
                features: {
                  type: "array",
                  items: { type: "string" },
                  description: "AI features in the product. Examples: 'content-generation', 'scoring', 'decision-making', 'api-consumer', 'own-model', 'recommendation', 'classification'.",
                },
                useCase: {
                  type: "string",
                  description: "Plain-English description of what the AI does and who it serves. Min 20 chars.",
                },
                euExposure: {
                  type: "string",
                  enum: ["eu-customers-output", "eu-employees-only", "no-eu", "considering-eu"],
                  description: "EU exposure level. 'eu-customers-output' = serves EU customers with AI-influenced outputs. 'eu-employees-only' = internal tools used by EU employees only. 'no-eu' = no EU footprint. 'considering-eu' = planning EU expansion.",
                },
              },
              required: ["company", "industry", "features", "useCase", "euExposure"],
            },
          },
        ],
      };
    });
  • Helper function r1() rounds a number to one decimal place, used in score computation.
    function r1(x: number): number {
      return Math.round(x * 10) / 10;
    }
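As an added example (not the project's code), the scoring core of classifyRisk() above with constructed weight tables, since the real INDUSTRY_W/ARCHETYPE_W/IMPACT_W tables are not on this page; it also shows why an own-property check on those tables matters, and that only three of the five axes decide the class.

```typescript
// Added example, not the project's code: the quick_risk_class scoring core with
// CONSTRUCTED weight tables (the real tables are not on this page).
type Axis5 = [number, number, number, number, number];
const AXES = ["decisionalImpact", "dataSensitivity", "biasRisk",
              "hallucinationCost", "regulatoryLoad"] as const;

// Illustrative weights in AXES order; the values are made up for this demo.
const INDUSTRY_W: Record<string, Axis5> = {
  healthcare: [8, 9, 7, 8, 9],
  retail:     [4, 5, 4, 3, 3],
};
const ARCHETYPE_W: Record<string, Axis5> = {
  decisioning: [9, 6, 9, 5, 8],
  generation:  [4, 6, 5, 9, 5],
};
const IMPACT_W: Record<string, Axis5> = {
  internal:  [3, 4, 3, 3, 3],
  regulated: [9, 9, 8, 7, 10],
};

// A bare table[key] lookup treats inherited keys as valid enum values.
function naiveAccepts(key: string): boolean {
  return !!INDUSTRY_W[key];           // true for "constructor" or "toString"
}

// Own-property check: only enum values actually defined in the table pass.
function lookup(table: Record<string, Axis5>, key: unknown): Axis5 | undefined {
  if (typeof key !== "string") return undefined;
  return Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined;
}

const r1 = (x: number): number => Math.round(x * 10) / 10;

function classify(industry: unknown, archetype: unknown, impact: unknown) {
  const i = lookup(INDUSTRY_W, industry);
  const a = lookup(ARCHETYPE_W, archetype);
  const p = lookup(IMPACT_W, impact);
  if (!i || !a || !p) throw new Error("Invalid input: unknown enum value");
  // Each axis is the mean of the three weights, rounded to one decimal.
  const scores = {} as Record<(typeof AXES)[number], number>;
  AXES.forEach((axis, k) => { scores[axis] = r1((i[k] + a[k] + p[k]) / 3); });
  // Only three axes drive the class; hallucinationCost and dataSensitivity
  // feed the framework verdicts, not the Critical/High/Limited/Minimal label.
  const m = Math.max(scores.decisionalImpact, scores.biasRisk, scores.regulatoryLoad);
  const cls = m >= 9 ? "Critical" : m >= 7 ? "High" : m >= 5 ? "Limited" : "Minimal";
  return { cls, scores };
}
```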
Behavior 4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Despite having no annotations, the description discloses key behavioral traits: deterministic (no LLM call, same inputs produce same outputs). This adds crucial transparency beyond the schema, though it doesn't mention error handling or permission requirements.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness 5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

Two sentences with no wasted words. The first sentence front-loads the core purpose and key feature (deterministic), and the second provides usage guidance. Highly efficient.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness 5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's simplicity (3 enum parameters, no output schema), the description fully covers what an agent needs: purpose, frameworks, determinism, and when to use. No gaps identified.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters 3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100% with clear enum descriptions for each parameter. The tool description reinforces the multi-jurisdiction context but doesn't add new semantic detail beyond the schema. Baseline 3 is appropriate.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's function: '30-second deterministic multi-jurisdiction AI risk classification' across specific frameworks. It distinguishes itself from sibling tool 'classify_annex3' by emphasizing quick orientation over deeper analysis.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines 5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

Explicit instruction: 'Use this for quick orientation before deeper analysis.' This tells the agent when to invoke this tool and implies that other tools (like classify_annex3) are for deeper analysis, providing clear usage boundaries.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
