A compliance tool should survive its own audit. Below is our EU AI Act self-scan, a voluntary Fundamental Rights Impact Assessment, and a category-by-category Annex III self-assessment — generated with our own product, reviewed by a human, published in full.
EU AI Act risk level
Limited
Transparency tier (Article 50). Not high-risk, not prohibited.
Compliance gaps found
0
By our own rule-based classifier, run with truthful inputs.
Annex III categories that apply
0 of 8
Guardia analyses code, not people. Full table below.
FRIA (Article 27)
Voluntary
Not legally required at our risk level — completed and published anyway.
✅ Guardia AI makes no decisions about natural persons.
It analyses source code and configuration files. It does not evaluate, score, rank, or profile any person, and it has no actuation path — every output is a report a human reads and decides on.
✅ The core scanner is deterministic.
Repository scanning and risk classification are pattern matching and rules against published signature lists — no ML model. Identical input produces identical output, every run.
✅ AI-generated content is always labelled.
The chat assistant discloses it is an AI system (Article 50). LLM-drafted documentation is marked as AI-generated and must be reviewed and edited by a human before use.
✅ You can reproduce our results.
The self-scan below was produced by the same detection engine we ship in our GitHub Action and GitLab component, run against our own repository.
🚫 "Guardia AI is unbiased."
Nobody can prove a negative, and we won’t pretend to. What we can show is structural: bias harms regulated by the AI Act travel through decisions about people, and Guardia makes none.
🚫 "Guardia AI is AI Act certified."
No official EU AI Act certification scheme exists yet. Anyone claiming one is misleading you. What you see here is a self-assessment, published in full so you can check our reasoning.
🚫 "Our reports are legal advice."
They are engineering-grade compliance documentation. Every report says so, and for binding questions we tell users to consult a legal professional.
Run on 2026-07-05 with the same detection engine we ship in our GitHub Action and GitLab CI/CD component, against our own repository. Result: limited risk — AI is used, none of it biometric, safety-critical, or in an Annex III area.
| Detected | Category | Where | What it actually is |
|---|---|---|---|
| openai (npm SDK) | LLM API | frontend/app/api/ai/* | The OpenAI-compatible SDK pointed at Groq. Powers the chat assistant (Llama 3.1 8B) and documentation drafting (Llama 3.3 70B) — assistive text only, human-reviewed. |
| scikit-learn | ML Framework | backend/requirements.txt | Used with fairlearn to compute fairness metrics (demographic parity, equalized odds) on customer-uploaded model outputs. Measurement, not inference — no model is trained or deployed. |
| GROQ_API_KEY | Credential (config scan) | netlify.toml, .env example | Deployment credential for the Groq features above. Consistent with declared usage — no undeclared AI providers configured. |
The scan found a real issue — here is what we did about it
The config-detection layer flagged stale OPENAI_API_KEY references in our deployment configuration and health check, left over from before we switched to Groq-hosted models. We removed them and fixed the health check the same day (2026-07-05). It stays in the published report's remediation log — that is how the tool is supposed to work.
What the scan correctly did not flag as our AI: the core scanner and risk classifier themselves. They are deterministic pattern matching and rules — no ML model — which is exactly why our scan results are reproducible.
"Not high-risk" is only credible if you show your work. Here is every Annex III high-risk category and why it does not apply. We also checked all eight Article 5 prohibited practices: none apply — Guardia processes code, not biometric or behavioural data about people.
| Annex III | Category | Applies? | Because |
|---|---|---|---|
| §1 | Biometrics | No | Guardia processes no biometric data of any kind. Inputs are source code, dependency manifests, and configuration files. |
| §2 | Critical infrastructure | No | Guardia is not a safety component of anything. Its output is a report; it has no control path to any physical or digital infrastructure. |
| §3 | Education & vocational training | No | Guardia does not evaluate, admit, grade, or monitor students or learners. |
| §4 | Employment & workers’ management | No | Guardia makes no assessment of any employee or candidate. It analyses codebases, not people. |
| §5 | Essential services (credit, insurance, benefits) | No | Guardia performs no scoring of natural persons and gates no one’s access to any service. |
| §6 | Law enforcement | No | Not designed for, marketed to, or usable as a law-enforcement assessment tool. |
| §7 | Migration, asylum & border control | No | Out of scope entirely; no such functionality exists. |
| §8 | Justice & democratic processes | No | Reports are compliance documentation for the customer’s own use — not binding legal interpretation, and every report says it is not legal advice. |
What does apply: Article 50 transparency
Our chat assistant interacts with people, so the AI Act requires exactly one thing of it: tell people it's AI. It is labelled as an AI assistant, its answers carry a "general guidance, not legal advice" notice, and LLM-drafted documentation is marked as AI-generated. Obligation met — and that is the entire extent of our obligations under the Act at this risk level.
Article 27 requires a Fundamental Rights Impact Assessment only for certain deployers of high-risk systems — so legally, we owe nobody this document. We completed it anyway, with our own FRIA module, because asking customers to fill out an assessment we never applied to ourselves would be hollow. All six required sections:
Software teams use Guardia to inventory AI usage in their codebases and prepare EU AI Act documentation. Components: a deterministic repository scanner (no ML), a rule-based risk classifier citing AI Act articles, a statistical fairness-metrics module (fairlearn/scikit-learn), and an LLM-assisted chat and drafting aid (Groq-hosted Llama). Every output is an advisory report addressed to a human reviewer.
Ongoing from public launch in 2026. Strictly user-initiated — per scan, per chat message, per document generation. No continuous or autonomous operation.
Directly affected: platform users (developers, compliance officers, founders) who read the reports. No other natural persons are affected — the system analyses code, not people. It does not evaluate, score, rank, or profile anyone, and no vulnerable groups are within its scope of effect.
The material risks are informational: a false negative could lead a customer to under-estimate their obligations; LLM-drafted text could contain errors; a false positive could cause unnecessary work. Because Guardia makes no decisions about persons, discriminatory-outcome harms are structurally out of scope. Mitigations: deterministic core, LLM output clearly separated and labelled, "not legal advice" notice on every report.
Oversight is structural: Guardia has no actuation path. It cannot merge code, block deployments (CI gating is opt-in and customer-configured), or act toward third parties. Every output is read and decided on by a human; LLM-assisted text is labelled and editable.
Internal incident procedure per our quality management system (Art. 17-aligned) and post-market monitoring plan (Art. 72-aligned): triage, root-cause analysis, corrective release, customer notification, changelog entry. Users report issues via the support channel — answered by a person, not an automated system.
Don't take the summary's word for it — read each document in full (printable), or grab the raw machine-readable source:
Full output: detections, classification, remediation log, methodology.
Read the document →Raw JSON ↓Everything on this page is a self-assessment prepared with Guardia AI's own tooling and reviewed by a human. It is our good-faith analysis under Regulation (EU) 2024/1689 — not legal advice and not a certification (no official EU AI Act certification scheme exists yet). If Guardia's functionality changes materially, we redo and re-publish these documents. Questions or challenges to our reasoning: we want to hear them.