We ran Guardia AI on itself

A compliance tool should survive its own audit. Below is our EU AI Act self-scan, a voluntary Fundamental Rights Impact Assessment, and a category-by-category Annex III self-assessment — generated with our own product, reviewed by a human, published in full.

EU AI Act risk level

Limited

Transparency tier (Article 50). Not high-risk, not prohibited.

Compliance gaps found

0

By our own rule-based classifier, run with truthful inputs.

Annex III categories that apply

0 of 8

Guardia analyses code, not people. Full table below.

FRIA (Article 27)

Voluntary

Not legally required at our risk level — completed and published anyway.

Straight talk: what we claim, and what we refuse to claim

Claims we make — and can back up

Guardia AI makes no decisions about natural persons.

It analyses source code and configuration files. It does not evaluate, score, rank, or profile any person, and it has no actuation path — every output is a report a human reads and decides on.

The core scanner is deterministic.

Repository scanning and risk classification are pattern matching and rules against published signature lists — no ML model. Identical input produces identical output, every run.

AI-generated content is always labelled.

The chat assistant discloses it is an AI system (Article 50). LLM-drafted documentation is marked as AI-generated and must be reviewed and edited by a human before use.

You can reproduce our results.

The self-scan below was produced by the same detection engine we ship in our GitHub Action and GitLab component, run against our own repository.

Claims you will never hear from us

🚫 "Guardia AI is unbiased."

Nobody can prove a negative, and we won’t pretend to. What we can show is structural: bias harms regulated by the AI Act travel through decisions about people, and Guardia makes none.

🚫 "Guardia AI is AI Act certified."

No official EU AI Act certification scheme exists yet. Anyone claiming one is misleading you. What you see here is a self-assessment, published in full so you can check our reasoning.

🚫 "Our reports are legal advice."

They are engineering-grade compliance documentation. Every report says so, and for binding questions we tell users to consult a legal professional.

1. The self-scan

Run on 2026-07-05 with the same detection engine we ship in our GitHub Action and GitLab CI/CD component, against our own repository. Result: limited risk — AI is used, none of it biometric, safety-critical, or in an Annex III area.

DetectedCategoryWhereWhat it actually is
openai (npm SDK)LLM APIfrontend/app/api/ai/*The OpenAI-compatible SDK pointed at Groq. Powers the chat assistant (Llama 3.1 8B) and documentation drafting (Llama 3.3 70B) — assistive text only, human-reviewed.
scikit-learnML Frameworkbackend/requirements.txtUsed with fairlearn to compute fairness metrics (demographic parity, equalized odds) on customer-uploaded model outputs. Measurement, not inference — no model is trained or deployed.
GROQ_API_KEYCredential (config scan)netlify.toml, .env exampleDeployment credential for the Groq features above. Consistent with declared usage — no undeclared AI providers configured.

The scan found a real issue — here is what we did about it

The config-detection layer flagged stale OPENAI_API_KEY references in our deployment configuration and health check, left over from before we switched to Groq-hosted models. We removed them and fixed the health check the same day (2026-07-05). It stays in the published report's remediation log — that is how the tool is supposed to work.

What the scan correctly did not flag as our AI: the core scanner and risk classifier themselves. They are deterministic pattern matching and rules — no ML model — which is exactly why our scan results are reproducible.

2. Annex III, category by category

"Not high-risk" is only credible if you show your work. Here is every Annex III high-risk category and why it does not apply. We also checked all eight Article 5 prohibited practices: none apply — Guardia processes code, not biometric or behavioural data about people.

Annex IIICategoryApplies?Because
§1BiometricsNoGuardia processes no biometric data of any kind. Inputs are source code, dependency manifests, and configuration files.
§2Critical infrastructureNoGuardia is not a safety component of anything. Its output is a report; it has no control path to any physical or digital infrastructure.
§3Education & vocational trainingNoGuardia does not evaluate, admit, grade, or monitor students or learners.
§4Employment & workers’ managementNoGuardia makes no assessment of any employee or candidate. It analyses codebases, not people.
§5Essential services (credit, insurance, benefits)NoGuardia performs no scoring of natural persons and gates no one’s access to any service.
§6Law enforcementNoNot designed for, marketed to, or usable as a law-enforcement assessment tool.
§7Migration, asylum & border controlNoOut of scope entirely; no such functionality exists.
§8Justice & democratic processesNoReports are compliance documentation for the customer’s own use — not binding legal interpretation, and every report says it is not legal advice.

What does apply: Article 50 transparency

Our chat assistant interacts with people, so the AI Act requires exactly one thing of it: tell people it's AI. It is labelled as an AI assistant, its answers carry a "general guidance, not legal advice" notice, and LLM-drafted documentation is marked as AI-generated. Obligation met — and that is the entire extent of our obligations under the Act at this risk level.

3. The voluntary FRIA

Article 27 requires a Fundamental Rights Impact Assessment only for certain deployers of high-risk systems — so legally, we owe nobody this document. We completed it anyway, with our own FRIA module, because asking customers to fill out an assessment we never applied to ourselves would be hollow. All six required sections:

Art. 27(1)(a)Processes using the AI system

Software teams use Guardia to inventory AI usage in their codebases and prepare EU AI Act documentation. Components: a deterministic repository scanner (no ML), a rule-based risk classifier citing AI Act articles, a statistical fairness-metrics module (fairlearn/scikit-learn), and an LLM-assisted chat and drafting aid (Groq-hosted Llama). Every output is an advisory report addressed to a human reviewer.

Art. 27(1)(b)Period and frequency of use

Ongoing from public launch in 2026. Strictly user-initiated — per scan, per chat message, per document generation. No continuous or autonomous operation.

Art. 27(1)(c)Affected persons

Directly affected: platform users (developers, compliance officers, founders) who read the reports. No other natural persons are affected — the system analyses code, not people. It does not evaluate, score, rank, or profile anyone, and no vulnerable groups are within its scope of effect.

Art. 27(1)(d)Specific risks of harm

The material risks are informational: a false negative could lead a customer to under-estimate their obligations; LLM-drafted text could contain errors; a false positive could cause unnecessary work. Because Guardia makes no decisions about persons, discriminatory-outcome harms are structurally out of scope. Mitigations: deterministic core, LLM output clearly separated and labelled, "not legal advice" notice on every report.

Art. 27(1)(e)Human oversight

Oversight is structural: Guardia has no actuation path. It cannot merge code, block deployments (CI gating is opt-in and customer-configured), or act toward third parties. Every output is read and decided on by a human; LLM-assisted text is labelled and editable.

Art. 27(1)(f)Measures when risks materialise

Internal incident procedure per our quality management system (Art. 17-aligned) and post-market monitoring plan (Art. 72-aligned): triage, root-cause analysis, corrective release, customer notification, changelog entry. Users report issues via the support channel — answered by a person, not an automated system.

The raw artifacts

Don't take the summary's word for it — the full documents are public:

Everything on this page is a self-assessment prepared with Guardia AI's own tooling and reviewed by a human. It is our good-faith analysis under Regulation (EU) 2024/1689 — not legal advice and not a certification (no official EU AI Act certification scheme exists yet). If Guardia's functionality changes materially, we redo and re-publish these documents. Questions or challenges to our reasoning: we want to hear them.