ACF
acfstandard.io
Developer docs
EN
REASON

acf.identify-governance-gaps

Analyse d’écarts de gouvernance ACF® sur les six dimensions de maturité — un inventaire + une liste de processus en entrée, un score de maturité par dimension, une liste de gaps priorisés par sévérité, des quick wins et des actions de remédiation en sortie.

!Attention
Analyse préliminaire. Le score de maturité repose sur une baseline non pondérée par secteur — un cabinet de gestion d’actifs et une mairie obtiennent la même calibration. requires_human_review vaut toujours true. Les gaps non déclarés explicitement par l’inventaire sont inférés — confirmez la distinction inféré / déclaré avant d’agir.

Quand l’utiliser

Utilisez cet outil quand vous devez répondre à la question board-level : « qu’est-ce qu’ACF® dit qu’on devrait avoir, et qu’on n’a pas ? ». Il prend un inventaire IA (nombre de systèmes, high-risk, GPAI, shadow AI connue) et une liste de processus de gouvernance avec leur statut (existe / documenté), il rend un score de maturité par dimension D1-D6 et la liste priorisée des trous à combler.

C’est l’outil d’audit. Il sert à cadrer une feuille de route, à prioriser un budget de gouvernance IA, ou à préparer une revue de comité IA. Les premiers résultats sont conçus pour entrer dans une fiche ACF-10 (Plan de Mise en Conformité).

Paramètres d’entrée

Deux blocs obligatoires (inventaire + processus), deux champs contextuels optionnels.

current_inventory{ ai_systems_count, high_risk_count?, gpai_used?, shadow_ai_known? }required
Photo de l’inventaire IA : nombre total de systèmes, nombre marqué high-risk, présence de GPAI, présence connue de shadow AI. Tout sauf ai_systems_count est optionnel — l’outil distingue absent vs déclaré.
current_processes{ process: string, exists: boolean, documented?: boolean }[]required
Liste des processus de gouvernance évalués. Processus reconnus : ai_committee, executive_sponsor, ai_inventory, doctrine_published, kill_switch_drill, observability, ddao_appointed, raci, dpia, article_49_register, ai_act_qualification, annual_audit, incident_review.
sectorstring (≤80)
Secteur de l’organisation. Stocké pour traçabilité, pas encore utilisé pour pondérer le score (cf. assumptions).
locale"en" | "fr"default: "en"
Langue de la sortie textuelle.

Schéma de sortie

Score de maturité (global + par dimension), liste des gaps, ordre de priorité, quick wins, pied-de-page signé.

maturity_score{ overall: number, by_dimension: Record<string, number> }
Score global 0-100 et score par dimension ACF® (D1 à D6).
gaps{ dimension, severity: "low"|"medium"|"high"|"critical", description, remediation, fiches, estimated_effort_days }[]
Liste détaillée des écarts identifiés, chacun avec sa dimension, sa sévérité, sa remédiation, les fiches associées et l’effort estimé en jours.
priority_orderstring[]
Description des gaps triée par sévérité (critical → low) — directement utilisable comme ordre du jour de comité.
quick_winsstring[]
Gaps remédiables en ≤ 3 jours d’effort — utiles pour démarrer un sprint de gouvernance.
confidence"low" | "medium" | "high"
Confiance globale de l’analyse.
assumptionsstring[]
Hypothèses explicites — notamment la non-pondération sectorielle.
gaps_to_validatestring[]
Points à confirmer en revue humaine, dont la distinction inféré / déclaré et le sous-ensemble high-risk.
rationale_per_rule{ rule_id, rule_version, fired, evidence }[]
Trace de la règle déclenchée avec le nombre de processus évalués.
requires_human_reviewtrue
Constant. Aucun appel ne le retourne false.

Exemple d’appel

Une banque avec 14 systèmes IA dont 2 high-risk, GPAI utilisé, shadow AI connue :

identify-governance-gaps.tstypescript
import { Client } from "@modelcontextprotocol/sdk/client/index.js";
import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";

const transport = new StdioClientTransport({
  command: "npx",
  args: ["-y", "acf-mcp"],
});
const client = new Client({ name: "demo", version: "1.0" }, {});
await client.connect(transport);

const result = await client.callTool({
  name: "acf.identify-governance-gaps",
  arguments: {
    current_inventory: {
      ai_systems_count: 14,
      high_risk_count: 2,
      gpai_used: true,
      shadow_ai_known: true,
    },
    current_processes: [
      { process: "ai_committee", exists: true, documented: true },
      { process: "executive_sponsor", exists: true, documented: true },
      { process: "ai_inventory", exists: true, documented: false },
      { process: "doctrine_published", exists: false },
      { process: "kill_switch_drill", exists: false },
      { process: "observability", exists: true, documented: false },
      { process: "ddao_appointed", exists: false },
      { process: "raci", exists: false },
      { process: "dpia", exists: false },
      { process: "article_49_register", exists: false },
      { process: "ai_act_qualification", exists: false },
      { process: "annual_audit", exists: true, documented: true },
      { process: "incident_review", exists: false },
    ],
    sector: "banking",
    locale: "en",
  },
});

console.log(JSON.stringify(result.content, null, 2));

Réponse

response.jsonjson
{
  "maturity_score": {
    "overall": 38,
    "by_dimension": {
      "D1": 100,
      "D2": 50,
      "D3": 50,
      "D4": 0,
      "D5": 0,
      "D6": 50
    }
  },
  "gaps": [
    {
      "dimension": "D5",
      "severity": "critical",
      "description": "Process 'dpia' is missing for D5.",
      "remediation": "Stand up the DPIA workflow with ACF-11 as the template.",
      "fiches": ["ACF-11"],
      "estimated_effort_days": 10
    },
    {
      "dimension": "D5",
      "severity": "critical",
      "description": "High-risk systems present but no DPIA process.",
      "remediation": "Stand up the DPIA workflow before any new high-risk go-live.",
      "fiches": ["ACF-11"],
      "estimated_effort_days": 5
    },
    {
      "dimension": "D5",
      "severity": "critical",
      "description": "Process 'article_49_register' is missing for D5.",
      "remediation": "Prepare the Article 49 register for any high-risk system before go-live.",
      "fiches": ["ACF-05", "ACF-11"],
      "estimated_effort_days": 5
    },
    {
      "dimension": "D5",
      "severity": "critical",
      "description": "Process 'ai_act_qualification' is missing for D5.",
      "remediation": "Run acf.classify-agent on each system to qualify under the AI Act.",
      "fiches": [],
      "estimated_effort_days": 5
    },
    {
      "dimension": "D3",
      "severity": "high",
      "description": "Process 'kill_switch_drill' is missing for D3.",
      "remediation": "Run a quarterly kill-switch drill per ACF-14.",
      "fiches": ["ACF-07", "ACF-14"],
      "estimated_effort_days": 3
    },
    {
      "dimension": "D4",
      "severity": "high",
      "description": "Process 'ddao_appointed' is missing for D4.",
      "remediation": "Appoint a DDAO per N2+ agent with documented mandate.",
      "fiches": ["ACF-12"],
      "estimated_effort_days": 5
    },
    {
      "dimension": "D4",
      "severity": "high",
      "description": "Process 'raci' is missing for D4.",
      "remediation": "Publish a RACI for agentic decisions including DDAO + DPO + CISO + sponsor.",
      "fiches": [],
      "estimated_effort_days": 5
    },
    {
      "dimension": "D1",
      "severity": "high",
      "description": "Shadow AI exists in the organisation.",
      "remediation": "Run a discovery campaign + classify each shadow agent via acf.classify-agent.",
      "fiches": ["ACF-01"],
      "estimated_effort_days": 10
    },
    {
      "dimension": "D2",
      "severity": "medium",
      "description": "Process 'doctrine_published' is missing for D2.",
      "remediation": "Publish a doctrine note grounded in ACF® v1.0 to the relevant teams.",
      "fiches": [],
      "estimated_effort_days": 5
    },
    {
      "dimension": "D2",
      "severity": "medium",
      "description": "Process 'ai_inventory' exists but is undocumented.",
      "remediation": "Document 'ai_inventory' with the relevant ACF® card.",
      "fiches": ["ACF-01"],
      "estimated_effort_days": 2
    },
    {
      "dimension": "D3",
      "severity": "medium",
      "description": "Process 'observability' exists but is undocumented.",
      "remediation": "Document 'observability' with the relevant ACF® card.",
      "fiches": ["ACF-08"],
      "estimated_effort_days": 2
    },
    {
      "dimension": "D6",
      "severity": "medium",
      "description": "Process 'incident_review' is missing for D6.",
      "remediation": "Open a quarterly incident review forum with the AI committee.",
      "fiches": [],
      "estimated_effort_days": 5
    }
  ],
  "priority_order": [
    "D5: Process 'dpia' is missing for D5.",
    "D5: High-risk systems present but no DPIA process.",
    "D5: Process 'article_49_register' is missing for D5.",
    "D5: Process 'ai_act_qualification' is missing for D5.",
    "D3: Process 'kill_switch_drill' is missing for D3.",
    "D4: Process 'ddao_appointed' is missing for D4.",
    "D4: Process 'raci' is missing for D4.",
    "D1: Shadow AI exists in the organisation.",
    "D2: Process 'doctrine_published' is missing for D2.",
    "D2: Process 'ai_inventory' exists but is undocumented.",
    "D3: Process 'observability' exists but is undocumented.",
    "D6: Process 'incident_review' is missing for D6."
  ],
  "quick_wins": [
    "Process 'kill_switch_drill' is missing for D3.",
    "Process 'ai_inventory' exists but is undocumented.",
    "Process 'observability' exists but is undocumented."
  ],
  "confidence": "medium",
  "assumptions": [
    "Maturity baseline is unweighted across dimensions; sector-specific weights not yet calibrated."
  ],
  "gaps_to_validate": [
    "Confirm which gaps were inferred vs explicitly declared by your inventory.",
    "Run acf.classify-agent on the high-risk subset to consolidate the qualification."
  ],
  "requires_human_review": true,
  "rationale_per_rule": [
    {
      "rule_id": "identify-gaps.dimension-checklist",
      "rule_version": "2026-06",
      "fired": true,
      "evidence": "13 processes evaluated"
    }
  ],
  "doctrine_version": "ACF framework v1.0 / rules 2026-06",
  "doctrine_hash": "sha256:bf0b6d8e4731ebdc58f6d6338702c5b74af47874cf0ad3dc958cde5c5b30b9dc",
  "doctrine_signature": "ed25519:…",
  "doctrine_archive_url": "https://acfstandard.io/doctrine/v1.0/archive.json",
  "regulatory_snapshot": "EU AI Act (Reg. 2024/1689, incl. Digital Omnibus deferral) + GDPR (Reg. 2016/679) + DORA (Reg. 2022/2554) + NIS2 (Dir. 2022/2555) + ISO 42001:2023 — as of 2026-06-07",
  "generated_at": "2026-06-14T11:47:22.318Z",
  "disclaimer": "Preliminary qualification only — not legal advice. Human review required."
}

Erreurs courantes

  • InvalidNumber ai_systems_count ou high_risk_count est négatif ou non entier. Tous les compteurs doivent être des entiers ≥ 0.
  • InvalidProcessShape un élément de current_processes ne respecte pas la forme { process, exists, documented? }. Vérifiez les booléens et la présence de la clé process.
  • DoctrineSnapshotMismatch le doctrine_hash demandé n’est pas chargé. Mettez acf-mcp à jour ou pointez vers la version archivée.
  • acf.classify-agent qualifier chaque système identifié comme high-risk pour consolider le panorama de gouvernance.
  • acf.advisor redescendre du score de maturité organisationnel à un cas unitaire quand un gap mérite focus.
  • acf.map-ai-act-obligations obtenir les obligations exhaustives à inscrire dans le plan de remédiation pour les systèmes high-risk.