[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"pack-detail-ai-legal-compliance-audit-zh":3,"seo:pack:ai-legal-compliance-audit:zh":97},{"code":4,"message":5,"data":6},200,"操作成功",{"pack":7},{"slug":8,"icon":9,"tone":10,"status":11,"status_label":12,"title":13,"description":14,"items":15,"install_cmd":96},"ai-legal-compliance-audit","🛡️","#1E3A8A","stable","稳定","AI 法务合规审计工具包","面向公司合规官、SOC2 准备负责人、隐私官的企业审计周期工具包。文档收件 → 政策差距分析 → 风险登记册 → 控制映射 → 证据日志 → 出报告。是工程脚手架不是法律意见，机密草稿先脱敏、审计链路保持不可篡改、AI 不替你判断 materiality。",[16,28,36,44,52,60,67,74,80,89],{"id":17,"uuid":18,"slug":19,"title":20,"description":21,"author_name":22,"view_count":23,"vote_count":24,"lang_type":25,"type":26,"type_label":27},4276,"7134a63a-436b-48b9-84df-c7fa20ca26e7","claude-code-agent-compliance-auditor-7134a63a","Claude Code Agent: Compliance Auditor","Use this agent when you need to achieve regulatory compliance, implement compliance controls, or prepare for audits across frameworks like GDPR, HIPAA, PCI DSS, SOC 2, and ISO stan","TokRepo精选",106,0,"en","skill","Skill",{"id":29,"uuid":30,"slug":31,"title":32,"description":33,"author_name":34,"view_count":35,"vote_count":24,"lang_type":25,"type":26,"type_label":27},57,"c01fc4a7-c031-4e5f-847e-3a490426eb39","claude-code-agent-compliance-auditor-regulatory-checks-c01fc4a7","Claude Code Agent: Compliance Auditor — Regulatory Checks","Claude Code agent for compliance auditing. GDPR, SOC 2, HIPAA checks on code, data handling, logging, and access controls.","Skill Factory",307,{"id":37,"uuid":38,"slug":39,"title":40,"description":41,"author_name":42,"view_count":43,"vote_count":24,"lang_type":25,"type":26,"type_label":27},3489,"bfd4f4dc-d93b-558a-850f-6e3c49c99cb7","agent-governance-toolkit-policy-guardrails-for-agents","Agent Governance Toolkit — Policy Guardrails for Agents","Microsoft's Agent Governance Toolkit adds policy checks, red-team scans, evidence verification, and runtime guardrails to autonomous agents.","Agent Toolkit",221,{"id":45,"uuid":46,"slug":47,"title":48,"description":49,"author_name":50,"view_count":51,"vote_count":24,"lang_type":25,"type":26,"type_label":27},1428,"4153bc1e-3900-11f1-9bc6-00163e2b0d79","open-policy-agent-opa-unified-policy-engine-cloud-native-4153bc1e","Open Policy Agent (OPA) — Unified Policy Engine for Cloud Native","CNCF graduated policy engine that decouples authorization and admission rules from your services. Write policies once in Rego, evaluate them anywhere.","AI Open Source",261,{"id":53,"uuid":54,"slug":55,"title":56,"description":57,"author_name":58,"view_count":59,"vote_count":24,"lang_type":25,"type":26,"type_label":27},1589,"a36fe8b8-3987-11f1-9bc6-00163e2b0d79","cloudquery-sync-cloud-infrastructure-sql-security-compliance-a36fe8b8","CloudQuery — Sync Cloud Infrastructure to SQL for Security and Compliance","CloudQuery is an open-source ELT framework that extracts configuration data from cloud APIs, SaaS platforms, and databases into PostgreSQL or data lakes for security, compliance, and asset visibility.","Script Depot",316,{"id":61,"uuid":62,"slug":63,"title":64,"description":65,"author_name":58,"view_count":66,"vote_count":24,"lang_type":25,"type":26,"type_label":27},3106,"d4d3e9a3-9494-4b05-bf05-74368b2ff338","presidio-detect-and-anonymize-pii","Presidio — Detect and Anonymize PII","Detect and anonymize PII in text with Microsoft Presidio, then feed sanitized inputs to LLMs to reduce leakage risk. Works via pip or Docker deployments.",134,{"id":68,"uuid":69,"slug":70,"title":71,"description":72,"author_name":50,"view_count":73,"vote_count":24,"lang_type":25,"type":26,"type_label":27},1382,"c2ce4716-38ce-11f1-9bc6-00163e2b0d79","wazuh-open-source-xdr-siem-security-platform-c2ce4716","Wazuh — Open Source XDR & SIEM Security Platform","Wazuh is a unified open-source security platform that combines SIEM, XDR, and cloud-security posture management, powered by a lightweight agent on every endpoint.",237,{"id":75,"uuid":76,"slug":77,"title":78,"description":79,"author_name":58,"view_count":23,"vote_count":24,"lang_type":25,"type":26,"type_label":27},1880,"69ecfc3a-3d3a-11f1-9bc6-00163e2b0d79","immudb-immutable-database-cryptographic-verification-69ecfc3a","Immudb — Immutable Database with Cryptographic Verification","Tamper-proof database built on a Merkle tree that provides cryptographic proof of data integrity for audit logs, financial records, and compliance workflows.",{"id":81,"uuid":82,"slug":83,"title":84,"description":85,"author_name":42,"view_count":86,"vote_count":24,"lang_type":25,"type":87,"type_label":88},3488,"4c5d8b93-08ae-5a4b-bda3-2d5d5db42d12","bernstein-audit-grade-orchestrator-for-cli-agents","Bernstein — Audit-Grade Orchestrator for CLI Agents","Bernstein coordinates CLI coding agents in parallel worktrees with signed audit chains, deterministic scheduling, and evidence trails.",203,"agent","Agent",{"id":90,"uuid":91,"slug":92,"title":93,"description":94,"author_name":42,"view_count":95,"vote_count":24,"lang_type":25,"type":26,"type_label":27},773,"ffbad589-cd32-4eca-9518-fdcf9167ca21","guardrails-ai-validate-llm-outputs-production-ffbad589","Guardrails AI — Validate LLM Outputs in Production","Add validation and guardrails to any LLM output. Guardrails AI checks for hallucination, toxicity, PII leakage, and format compliance with 50+ built-in validators.",396,"tokrepo install pack\u002Fai-legal-compliance-audit",{"pageType":98,"pageKey":8,"locale":99,"title":100,"metaDescription":101,"h1":102,"tldr":103,"bodyMarkdown":104,"faq":105,"schema":121,"internalLinks":127,"citations":140,"wordCount":153,"generatedAt":154},"pack","zh","AI 法务合规审计工具包 — 10 件套，给 SOC2\u002FGDPR\u002F企业风控项目","面向公司合规官、SOC2 准备负责人、隐私官的企业级栈：Claude Compliance Auditor 双 agent \u002F Agent Governance Toolkit \u002F OPA \u002F CloudQuery \u002F Presidio \u002F Wazuh \u002F Immudb \u002F Bernstein \u002F Guardrails AI。按顺序装 — 收件 → 政策差距 → 风险登记 → 控制映射 → 证据日志 → 出报告。","AI 法务合规审计工具包 — 企业级栈","十件套围绕一个审计周期排，不是审一份合同。把政策和证据收进来 → 对着选定框架跑结构化的差距分析 → 生成 agent 能持续更新的风险登记册 → 把每条控制映射到产证据的系统 → 用不可篡改的日志记录每次 AI 决策 → 最后人类签字的草案报告。是给合规团队的工程脚手架 — 不是法律意见、也不替代审计师的专业判断。","## 这个 pack 包含什么\n\n这是给公司合规官、SOC2 准备负责人、隐私官在跑企业审计周期时搭的栈 — 跟一位律师审一份 MSA 的问题**完全不一样**。这里的受众负责的是一个反复跑的项目：每季度更新的风险登记册、能撑过审计师 walkthrough 的控制映射、既能采集又得防篡改的证据、以及一套工程一上线就开始漂移的政策库。\n\n整套栈围绕三条合规工作里必需、但消费级 AI 工具基本不给的原则建：\n\n1. **AI 在审计里的作用要写下来，不要藏起来**。审计师越来越会问 AI 在证据采集或控制测试里是怎么用的。这里每个工具都能产出审计师能读的记录。\n2. **敏感材料绝不往 vendor 漏**。内部政策、风险评估草案、客户 PII 要么走脱敏、要么留在你控制的基础设施上。\n3. **AI 提议，人决定**。Materiality、风险接受、任何会落进意见书里的判断，永远是人的责任。工具负责草拟、抽取、映射 — 不替你签字。\n\n本 kit 里没有任何东西是法律意见，也不能替代合格的合规专员、外部审计师或法律顾问。这些是合规工作里**机械性那一层**的基础设施，让人类把工时留给判断。\n\n## 推荐安装顺序（收件 → 政策差距 → 风险登记 → 控制映射 → 审计日志 → 出报告）\n\n1. **Claude Code Agent: Compliance Auditor** — 编排器。一个针对合规任务的子 agent profile，懂 GDPR、HIPAA、PCI DSS、SOC 2、ISO 27001 系列控制的术语。作为入口用：它会问你对的是什么框架、要测什么 scope、已经采集了什么证据。把它的输出当 senior analyst 的第一稿，不是最终立场。\n2. **Claude Code Agent: Compliance Auditor — Regulatory Checks** — 偏**法规检查**的姐妹 agent，跟上一个互补。两个一起跑：第一个圈范围、第二个压测特定的法规暴露（跨境数据、行业规则、违规通报时限）。两个 agent 抓得到一个 agent 漏的东西。\n3. **Agent Governance Toolkit — Policy Guardrails for Agents** — 政策差距分析层。合规团队现在越来越要管全公司的 AI 使用；这个 toolkit 让你把护栏（哪些模型、哪类数据、哪些区域）写一次，在 agent 层面执行。补的是 2026 年问得最多的 SOC2 CC 类差距：组织内 AI 是怎么治理的。\n4. **Open Policy Agent (OPA)** — 控制即代码。政策决策用大白话写下来之后，可以自动化的那部分编成 Rego 策略。OPA 让你用一种语言表达「生产数据不准流到模型 X」「没工单不许 SSH」并在所有服务上执行。审计证据就是 Rego 文件加决策日志。\n5. **CloudQuery — Sync Cloud Infrastructure to SQL for Security and Compliance** — 控制映射的证据引擎。CloudQuery 把 AWS、Azure、GCP、Okta、GitHub 等几十个系统的清单和配置状态拉进 SQL 数据库。然后「S3 桶必须私有」这条控制就是一条你下次审计能重跑的查询。审计师喜欢 SQL 证据；截图他们勉强接受。\n6. **Presidio — Detect and Anonymize PII** — 敏感内容和任何 AI 工作流之间的 DLP 层。微软开源的 PII 检测和脱敏库。把风险评估叙述、客服记录、证据摘要送进云端模型之前，先过 Presidio。把「vendor 出事变成你出事」这个面积压小。\n7. **Wazuh — Open Source XDR & SIEM Security Platform** — 持续监控（SOC 2 CC7）加事件检测，一个开源平台搞定。合规团队一般不直接操作 Wazuh，但你需要一个 SIEM、它的审计证据（告警处置、日志保留、文件完整性记录）你在审计时拉得出来。Wazuh 是你能自托管的开源选项，证据语料留在你手里。\n8. **Immudb — Immutable Database with Cryptographic Verification** — 防篡改的审计日志。合规体制越来越要求审计日志是 append-only 且可加密验证的。Immudb 用 Merkle 树证明写每一条；审计师问起，你能精确证明什么时候记了什么、之后没被悄悄改过。\n9. **Bernstein — Audit-Grade Orchestrator for CLI Agents** — 把临时性的 agent 运行包成可审计证据的 wrapper。Compliance Auditor agent 生成差距分析草稿时，Bernstein 把 prompt、模型、输入、输出和 chain-of-custody 链路一起捕获。这是你回答审计师那个问题「你怎么知道这里 AI 的分析是可复现的」的方式。\n10. **Guardrails AI — Validate LLM Outputs in Production** — 任何要附进证据的 AI 产出的输出校验层。schema 校验 LLM 响应、拦截幻觉出来的控制 ID、拒绝不符合你审计流程要求结构的输出。大多数合规幻觉都在这里被抓住，不是在人工 review。\n\n## 它们怎么协同\n\n```\n  政策文件 \u002F 合同 \u002F 证据 ─► Claude Compliance Auditor\n                                  │\n                                  ▼\n               Regulatory-Checks Compliance Auditor（姐妹）\n                                  │\n                                  ▼\n    ┌────────── Bernstein 外壳（chain-of-custody）──────────┐\n    │                                                       │\n    │  ┌─ Agent Governance Toolkit ──► 政策差距分析          │\n    │  ├─ OPA ──────────────────────► 控制即代码            │\n    │  ├─ CloudQuery ────────────────► 控制映射 + 证据(SQL) │\n    │  ├─ Presidio ──────────────────► 调云前的 PII 脱敏    │\n    │  └─ Wazuh ─────────────────────► 持续监控证据         │\n    │                                                       │\n    └────────────────┬──────────────────────────────────────┘\n                     ▼\n        Guardrails AI（schema 校验每条 AI 输出）\n                     │\n                     ▼\n         Immudb（不可篡改、加密可验证的日志）\n                     │\n                     ▼\n         人类签字的草案报告 → 审计师 walkthrough\n```\n\n## 你会遇到的取舍\n\n- **一个统一合规套件 vs 这套开源栈**。托管 GRC 平台（Vanta、Drata、Secureframe）上手更快、自带预映射的控制库。本 pack 赢在数据主权（证据留在你控制的地方）、不被按席位锁死、能编码 vendor playbook 里没有的控制。大多数成长期企业最后都两个一起跑：托管平台跑标准控制集，本栈跑长尾控制和 AI 治理相关的、托管平台还没跟上的部分。\n- **AI 辅助差距分析 vs 审计师主导**。前沿模型能在几分钟内读完你的政策和某个框架的控制目录，列出貌似合理的差距。它**也会**编出听起来合理的控制 ID。AI 跑第一遍；引用的每一条控制都对着框架原文核对；永远不要把只有 AI 跑过的分析交给审计师。\n- **云端前沿模型 vs 纯本地**。这里有些工具（Presidio、OPA、Wazuh、Immudb、CloudQuery）完全是本地基础设施、不碰 LLM。另一些（Compliance Auditor agent、Bernstein、Guardrails AI）假定有 LLM。涉及 LLM 的那几步，默认姿态是：用 Presidio 脱敏 PII、送到企业合同模型（带 zero-retention 条款）、用 Bernstein 抓 trace。消费级 chatbot 标签页在这个 workflow 里**不应该出现**。\n- **不可篡改审计日志 vs 普通数据库**。Immudb 写得比 Postgres 慢、运维更难。要承担这个代价的理由：审计师问「你证明这条日志事后没被改过」时，普通数据库回答不了这个问题。如果你的体制没要求加密可验证性，普通的 append-only 表也行。\n\n## 常见踩坑\n\n- **把 AI 差距分析当作差距分析本身**。agent 会列出 40 条貌似合理的差距。有些是真的、有些是同一个差距的换说法、有些根本不适用因为有条控制你没告诉它。这个输出是合规团队 triage 的起点，不是交付物。\n- **把原始政策文本塞给消费级 chatbot**。内部政策经常含客户名、vendor 条款、系统拓扑、知识产权。这些都不该出现在免费 chatbot 标签页里。Presidio 加企业合同模型是可辩护的默认。\n- **自动生成证据、没人 review**。「CloudQuery 说所有 S3 桶都是私有的」 — 只有人查过这条 query 和它的 scope，这才算证据。自动跑、自动挂、人完全不在环 — 这就是你不想要的那种审计发现。\n- **把 AI 幻觉当成控制**。模型编出一个不存在的 SOC 2 控制 ID（「CC-9.8.4」），下游文件继承这个虚构。Guardrails AI 加一个对控制引用的严格 schema，能在它进报告之前抓住。\n- **把这个 pack 当审计师的替代品**。外部审计师存在的全部理由是「独立保证」。这套工具 — agent 也算 — 不改变这一点。它们让团队的准备更便宜、更快、记录更全；不产出 attestation。\n- **把审计日志当事后的事**。Immudb 必须在 agent 开始跑**之前**就接进去，不能事后补。如果你的 chain-of-custody 是「事后导出聊天记录」 — 那不叫 chain-of-custody。",[106,109,112,115,118],{"q":107,"a":108},"这个 pack 能不能替代 Vanta \u002F Drata 这种 SOC 2 readiness 平台？","不能一对一替代。Vanta 这类平台自带集成、预映射好的 SOC 2 控制库，以及让首次审计团队几个月就准备好的固定 workflow。本开源栈赢在数据主权、能编码 vendor playbook 不覆盖的自定义控制、以及大规模下按席位收费撑不住的场景。大多数成长期公司落到的实用模式是：托管平台跑标准控制集，本开源栈跑长尾以及 AI 治理控制 — 这部分托管平台目前还没跟上。",{"q":110,"a":111},"对内部政策文档用云端 LLM 到底安不安全？","取决于模型合同、数据分级、你处的体制。可辩护的默认值：假设消费级 chatbot 等级可能留存或训练你的输入，把它当成第三方披露处理，只在**企业合同 + zero-retention 条款**下、并且把敏感实体（客户名、员工名、vendor 标识、内部系统名）用 Presidio 这类工具脱敏之后，才把政策文本送进模型。本 pack 偏这个姿态，就是为了从根上把更难的那个版本绕开。",{"q":113,"a":114},"这跟 TokRepo 上的「Lawyer's AI Contract Review Kit」有什么区别？","受众不同、工作单位不同。Contract Review Kit 是给一位律师审一份 MSA \u002F NDA 用的 — 条款库、本地 LLM 审改、电子签。本 Compliance + Audit pack 是给反复跑的企业审计周期用的：每季度的风险登记册、控制到证据的映射、不可篡改的审计日志、跨框架的政策差距分析。工具选择上有意区隔（这里没有条款库 RAG；律师 pack 里没有 SIEM），因为 workflow 不同。合规官如果偶尔做单合同审查也能用律师 pack；同时跑公司内合规项目的律师两个都能配。",{"q":116,"a":117},"是不是要装齐 10 个，还是能先小规模起步？","从三件套起步：Claude Code Agent Compliance Auditor (4276) 当编排器，Bernstein 当 chain-of-custody 包装，Immudb 当不可篡改日志。这就有了 AI 辅助的差距分析 + 每步可捕获 + 日志能给审计师看。再加 Presidio，敏感内容就不会漏。CloudQuery、OPA、Wazuh 等你想清楚哪些控制最需要自动证据时再上。Guardrails AI 是最后一层，等你信任 workflow 到瓶颈变成输出质量再装。",{"q":119,"a":120},"怎么向审计师证明 AI 本身 — 他们不会反对 agent 产出的分析吗？","他们会，这就是 Bernstein + Immudb + Guardrails AI 这个子集的意义。审计师问的某种版本是「你怎么知道这分析可复现、可归因、不是编的」。可辩护的回答链是：Bernstein 记录了 prompt、模型版本、输入、输出；Guardrails AI 对输出做 schema 校验、幻觉出来的控制 ID 被拒；Immudb 用 Merkle 证明写每一条、没东西被悄悄改过；并且有一个**具名的人**在 AI 输出变成证据**之前**已经 review 过。任何一环缺失，审计师的反对都是对的。",{"@context":122,"@type":123,"name":13,"description":124,"numberOfItems":125,"inLanguage":126},"https:\u002F\u002Fschema.org","ItemList","十件给公司合规官、SOC2 准备负责人、隐私官跑企业审计周期的工具 — 收件 → 政策差距 → 风险登记 → 控制映射 → 不可篡改证据日志。",10,"zh-CN",[128,132,136],{"url":129,"anchor":130,"reason":131},"\u002Fzh\u002Fpacks\u002Flawyer-ai-contract-kit","律师的 AI 合同审查工具包","单律师合同审改的对应版本 — 公司内同时跑两种 workflow 的团队可以两个一起配",{"url":133,"anchor":134,"reason":135},"\u002Fzh\u002Fai-tools-for\u002Fprivacy","隐私优先的 AI 工具","合规工作天然偏隐私姿态；本 pack 之外更大的隐私优先目录里还有更多选择",{"url":137,"anchor":138,"reason":139},"\u002Fzh\u002Ffeatured","TokRepo 精选资产","这十个合规工具是更大的 agent-ready 精选目录的一部分",[141,145,149],{"claim":142,"source_name":143,"source_url":144},"CloudQuery 把云基础设施清单同步进 SQL 供安全合规查询","CloudQuery 官网","https:\u002F\u002Fwww.cloudquery.io\u002F",{"claim":146,"source_name":147,"source_url":148},"Presidio 是微软开源的个人数据检测和脱敏库","Microsoft Presidio GitHub","https:\u002F\u002Fgithub.com\u002Fmicrosoft\u002Fpresidio",{"claim":150,"source_name":151,"source_url":152},"Open Policy Agent 是 CNCF 治理下的开源统一策略引擎","Open Policy Agent 官网","https:\u002F\u002Fwww.openpolicyagent.org\u002F",1750,"2026-05-22T13:00:00Z"]