Result at a glance
AI usage detected; none of it biometric, safety-critical, or in an Annex III high-risk area. The transparency tier (Article 50) applies because Guardia includes an AI chat assistant that interacts with users โ our obligation is to disclose that it is AI, which we do.
What the scan covered
Full Guardia AI monorepo: backend (FastAPI), frontend (Next.js), GitHub Action, GitLab component
AI detected in our own codebase
openai (npm SDK)
LLM APIThe OpenAI-compatible SDK pointed at Groq (api.groq.com). Powers two assistive features: the compliance chat assistant (Llama 3.1 8B) and documentation drafting (Llama 3.3 70B). Both produce advisory text that a human reviews and edits; neither makes decisions.
EU AI Act note: Deployer of a general-purpose model via API. Article 50 transparency applies to the chat assistant: it is clearly labelled as AI.
Found in: frontend/package.json, frontend/app/api/ai/chat/route.ts, frontend/app/api/ai/generate/route.ts
scikit-learn
ML FrameworkUsed together with fairlearn to COMPUTE statistical fairness metrics (demographic parity, equalized odds) on model outputs customers upload for bias reports. No model is trained or deployed; it is measurement, not inference.
EU AI Act note: Not an AI system making outputs about persons; it is the measurement tooling for our bias reports.
Found in: backend/requirements.txt
GROQ_API_KEY (configuration)
Credential env keyThe deployment credential for the Groq-hosted LLM features above.
EU AI Act note: Consistent with the declared LLM usage โ no undeclared AI providers configured.
Found in: frontend/.env.local.example, frontend/netlify.toml
What is deliberately NOT AI
The parts of Guardia that produce your compliance results are deterministic โ same input, same output.
Repository scanner (core product)
Deterministic pattern matching against published signature lists (AI libraries, model names, endpoints, credential keys). No ML model involved; identical output on identical input.
Risk classification engine
Rule-based mapping to EU AI Act articles (Article 5, Annex III) with cited sources. No ML model involved.
FRIA, Annex IV, ISO 42001 modules
Structured templates and rule-based applicability checks. LLM assistance is optional, labelled, and editable.
Remediation log โ what the scan found and what we did
2026-07-05 โ found by This self-scan (config-detection layer)
Stale OPENAI_API_KEY references in render.yaml, netlify.toml, .env.local.example and the /status health check, left over from before our switch to Groq-hosted models.
โ Removed the stale references and fixed the health check to test the credential actually in use (GROQ_API_KEY). Fixed the same day.
Methodology
- The scan was run with the same detection module we ship to customers (github-action/detection.py, kept identical in gitlab-component/).
- The scanner's own signature databases (lists of AI library names inside repo_scanner.py and detection.py) are string constants, not dependencies; the detection engine distinguishes signature definitions from real imports and manifests since our June false-positive fixes.
- Anyone with repository access can reproduce this report by running the scanner against the repo root.