AI SYSTEMS // 2 DETECTED
| PROVIDER | SDK | CATEGORY | LOCATION | RISK TIER |
|---|---|---|---|---|
| OpenAI | openai | inference | package.json | limited (TENTATIVE) |
| Anthropic | direct API call | inference | .grc-scanner/scanner/ai/provider.ts | limited (TENTATIVE) |
RISK TIER: prohibited (Art. 5) · high (Annex III) · limited (Art. 50) · minimal
CATEGORY: inference · training · vector-db · framework · self-hosted
EU AI ACT COMPLIANCE // 83%
2 PASS · 1 PARTIAL · 0 FAIL · 10 N/A
HIGH-RISK 0 · EU MARKET 2
GOVERN
0P · 1A · 0F · 2 N/A
MAP
1P · 0A · 0F · 1 N/A
MEASURE
N/A
0P · 0A · 0F · 3 N/A
MANAGE
1P · 0A · 0F · 4 N/A
ARTICLES // 3 APPLICABLE
| ID | PHASE | ARTICLE | STATUS | NIST AI RMF | ISO 42001 |
|---|---|---|---|---|---|
| ART-4 | Govern | AI literacy | [!!] PARTIAL | GOVERN 2.2, GOVERN 3.2 | A.3.2, A.4.2 |
| ART-9 | Govern | Risk management system | [--] N/A | GOVERN 1.4, MAP 5.1, MANAGE 1.3 | A.5.2, A.5.4, A.6.1.2 |
| ART-10 | Govern | Data and data governance | [--] N/A | MAP 2.3, MEASURE 2.2 | A.7.2, A.7.3, A.7.4 |
| ART-5 | Map | Prohibited AI practices | [OK] PASS | GOVERN 1.1, MAP 1.1 | A.5.3, A.6.1.2 |
| ART-11 | Map | Technical documentation | [--] N/A | MAP 4.1, MEASURE 1.3 | A.6.2.2, A.6.2.3 |
| ART-12 | Measure | Record-keeping | [--] N/A | MEASURE 2.8, MANAGE 4.1 | A.6.2.8, A.8.4 |
| ART-15 | Measure | Accuracy, robustness, cybersecurity | [--] N/A | MEASURE 2.5, MEASURE 2.7 | A.6.2.4, A.8.2 |
| ART-27 | Measure | Fundamental Rights Impact Assessment (FRIA) | [--] N/A | MAP 5.2, MEASURE 3.2 | A.5.5, A.8.3 |
| ART-13 | Manage | Transparency to deployers | [--] N/A | GOVERN 4.2, MANAGE 3.1 | A.6.2.6, A.8.1 |
| ART-14 | Manage | Human oversight | [--] N/A | MEASURE 2.6, MANAGE 2.1 | A.6.2.7, A.9.2 |
| ART-50 | Manage | Transparency obligations for providers and users | [OK] PASS | GOVERN 5.1, MANAGE 3.2 | A.8.1, A.9.3 |
| ART-71 | Manage | EU database registration (Annex III high-risk) | [--] N/A | GOVERN 4.1 | A.2.3 |
| ART-73 | Manage | Reporting of serious incidents | [--] N/A | MANAGE 4.3 | A.8.5, A.10.3 |
GAPS // 1 ARTICLES
| ID | ARTICLE | STATUS | EVIDENCE |
|---|---|---|---|
| ART-4 | AI literacy | [!!] PARTIAL | AI systems detected (2). AI literacy is a program-level obligation — document the training your developers and deployers receive. |
Scoping. High-risk-only articles (9 / 11 / 12 / 13 / 14 / 15 / 27 / 60 / 73) display N/A unless a high or prohibited system is detected. Articles 27 and 60 additionally require eu_market: true.
Overrides. Hover any tier for its reasoning. Declare risk_tier and eu_market per system under ai_systems: in .grc/config.yml to replace the heuristic.
Caveat. Advisory output — this is not a conformity assessment and does not substitute for review by a notified body.