- System assessed
- Guardia AI
- FRIA legally required?
- No โ performed voluntarily
A FRIA under Article 27 applies to high-risk AI systems (Annex III). 'Guardia AI' is classified as limited, so no FRIA is required โ but documenting impacts remains good governance.
Deployer processes using the AI system
Art. 27(1)(a)
Guardia AI is used by software teams to inventory AI usage in their codebases and prepare EU AI Act compliance documentation. Components: (1) a deterministic repository scanner (pattern matching, no ML); (2) a rule-based risk classification engine citing AI Act articles; (3) a statistical fairness-metrics module (fairlearn/scikit-learn) run on customer-provided model outputs; (4) an LLM-assisted chat and documentation drafting aid (Groq-hosted Llama models). Every output is an advisory report addressed to a human reviewer. Guardia AI never makes or automates a decision about a natural person.
Period of time and frequency of use
Art. 27(1)(b)
Period of use: ongoing, from public launch in 2026. Frequency: user-initiated โ per repository scan, per chat message, per document generation. No continuous or autonomous operation; the system only acts when a user requests it.
Categories of natural persons and groups likely to be affected
Art. 27(1)(c)
Directly affected: platform users (developers, compliance officers, founders) who read Guardia's reports and chat responses. No other categories of natural persons are affected: the system analyses source code and configuration files, not people. It does not process biometric data, does not evaluate, score, rank, or profile any natural person, and produces no output about identifiable individuals. No vulnerable groups are within the system's scope of effect.
Specific risks of harm to affected persons
Art. 27(1)(d)
The material risks are informational, not rights-based: (1) a false negative in scanning could lead a customer to under-estimate their own compliance obligations; (2) LLM-generated chat or draft text could contain errors (hallucination); (3) a false positive could cause unnecessary compliance work. Because Guardia makes no decisions about natural persons, the classic fundamental-rights harms (discrimination, exclusion from services, financial scoring harm) are structurally out of scope. Mitigations: deterministic core scanner with published signature lists; LLM used only for assistive text clearly separated from rule-based results; every report carries a 'not legal advice โ human review required' notice.
Human oversight measures
Art. 27(1)(e)
Human oversight is structural: Guardia AI has no actuation path โ it cannot merge code, block deployments (CI gating is opt-in and configured by the customer), file notifications, or take any action toward third parties. Every output is a report or chat message that a human reads and decides on. LLM-assisted text is labelled as AI-generated and editable before use. The chat assistant discloses it is an AI system and recommends consulting a legal professional for binding questions.
Measures when risks materialise
Art. 27(1)(f)
If a material error is identified: (1) internal incident procedure per Guardia's quality management system (Art. 17-aligned) and post-market monitoring plan (Art. 72-aligned) โ triage, root-cause analysis, corrective release; (2) affected customers are notified with a correction; (3) detection-signature and rule updates are published in the changelog; (4) users can report issues via the in-app support/contact channel, which is monitored by a human. Complaints are answered by a person, not an automated system.
Outcome
- โ Findings requiring action: none
- โ Notification to authorities required: no
- If a GDPR Article 35 DPIA is required for this system, perform the FRIA in conjunction with it (Article 27(4)).