
AI Governance Code Scanner

Most AI governance assessments are expensive, subjective, and slow — a week of consultant interviews produces a report that's already stale. This scanner shows a different approach: point it at any public repository and receive a scored compliance analysis in under 30 seconds, derived directly from source code. No generated answers. No manual review. Just a reproducible, auditable baseline that's the same every time you run it.

Deterministic pattern analysis · Real GitHub repos · Sub-30s results
Infrastructure: Azure Function (Flex Consumption, Python 3.11) · GitHub Trees API + raw content fetch · 8-worker parallel processing · CORS-enabled for this origin

Why deterministic analysis over AI-generated review

Organizations building AI products are increasingly expected to demonstrate compliance with NIST AI RMF, ISO 42001, the EU AI Act, and other frameworks before going to production or facing audit. The problem is that compliance assessment has traditionally required hiring consultants or security firms to conduct manual code reviews — a process that costs weeks, depends on reviewer expertise, and produces a point-in-time artifact that doesn't stay current as the codebase evolves.

Design Principle 1
Scan the actual code, not a description of it
The scanner fetches raw source files via the GitHub API and runs regex-based rules directly against them. Each finding includes the exact line of code that triggered it. This produces evidence that can be reviewed and disputed — not a probabilistic summary that can't be traced back to a specific artifact.
Design Principle 2
Deterministic results that survive re-runs
All analysis is pattern-matching — no LLM inference involved. The same repository scanned twice returns identical findings. This matters for audit and certification workflows: a tool whose output changes between runs can't be used as a compliance artifact. Determinism is a design requirement, not an implementation detail.
Design Principle 3
Severity-weighted scoring that prioritizes what matters
Each framework pillar produces a 0–100 score weighted by finding severity — a single Critical gap has more impact than five Info findings. This gives teams a triage signal: fix the Critical and High gaps first, then work down. An overall score aggregates across frameworks so leadership has a single number to track over time.
The value proposition: A team can run this scanner on a new repository before any compliance engagement, arrive at the first meeting with a scored baseline, and direct the assessment conversation toward the specific gaps the tool identified — rather than starting from scratch. What used to take days of pre-work takes 30 seconds.
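The three principles above, worked through in Python (the runtime the demo's Azure Function uses), as an added example that is not the scanner's own implementation: regex rules run line by line, each finding keeps the exact line as evidence, output is sorted so re-runs are identical, and pillar scores are severity-weighted. The rule set, the severity weights and the mean-based overall score are assumptions, because the page does not publish its rules or exact weights.

```python
import re
from collections import namedtuple
from statistics import mean

# Assumed weights (hypothetical): the page only says one Critical outweighs five Info.
WEIGHTS = {"Critical": 25, "High": 10, "Medium": 5, "Low": 2, "Info": 1}

# Hypothetical rules in the scanner's style (pillar, severity, regex, message);
# they are not the demo's real rule set.
RULES = [
    ("Security", "Critical",
     r"""(?i)\b(api[_-]?key|secret|password)\b\s*=\s*['"][^'"]+['"]""",
     "hardcoded credential"),
    ("Security", "High", r"""\.execute\(\s*(f['"]|['"][^'"]*['"]\s*[%+])""",
     "SQL statement built by string formatting"),
    ("Security", "Medium", r"^\s*DEBUG\s*=\s*True\b", "debug mode enabled"),
    ("Observability", "Info", r"\bprint\(", "print() used instead of structured logging"),
]

# Each finding carries the exact source line that triggered it, as evidence.
Finding = namedtuple("Finding", "path line pillar severity message evidence")

def scan(files: dict[str, str]) -> list[Finding]:
    """Run every rule over every line; sorted output makes re-runs identical."""
    found = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for pillar, severity, pattern, message in RULES:
                if re.search(pattern, line):
                    found.append(Finding(path, lineno, pillar, severity, message, line.strip()))
    return sorted(found, key=lambda f: (f.path, f.line, f.pillar, f.message))

def pillar_scores(findings: list[Finding]) -> dict[str, int]:
    """0-100 per pillar: each finding subtracts its severity weight, floored at 0."""
    scores = {pillar: 100 for pillar, *_ in RULES}  # no findings -> 100
    for f in findings:
        scores[f.pillar] = max(0, scores[f.pillar] - WEIGHTS[f.severity])
    return scores

def overall_score(scores: dict[str, int]) -> float:
    """One number for leadership; assumed here to be the mean of pillar scores."""
    return mean(scores.values())

SAMPLE_REPO = {  # constructed input, not a real repository
    "app/config.py": 'API_KEY = "sk-constructed-example"\nDEBUG = True\n',
    "app/db.py": "def find(cur, name):\n"
                 "    cur.execute(f\"SELECT * FROM users WHERE name='{name}'\")\n"
                 "    print('query ran')\n",
}
```

On the constructed repo, `scan(SAMPLE_REPO)` yields one Critical, one Medium and one High Security finding plus one Info Observability finding, giving Security 60, Observability 99 and an overall 79.5.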

10 governance frameworks, 40+ pillars

Coverage was built by translating canonical framework requirements into testable code patterns. Each framework maps to its standard pillar structure — so a NIST result can be taken directly into an AI RMF assessment, and an EU AI Act result maps directly to Article obligations. Coverage spans the major AI and data governance standards plus enterprise-specific domains.

NIST AI RMF
The NIST Artificial Intelligence Risk Management Framework. Four pillars covering the full AI lifecycle — organizational readiness through active model management.
Govern · Map · Measure · Manage
ISO 42001
International standard for AI Management Systems. Covers leadership commitment, risk treatment, operational planning, and continual improvement of AI systems.
Leadership · Risk · Operations · Improvement
EU AI Act
European Union regulation for high-risk AI systems. Scans for data governance (Article 10), human oversight (Article 14), transparency (Article 13), and accuracy requirements (Article 15).
Article 10 — Data · Article 13 — Transparency · Article 14 — Oversight · Article 15 — Accuracy
HIPAA
Healthcare data protection. Checks for PHI handling patterns, access controls, encryption, audit logging, and minimum necessary access principles in source code.
PHI Handling · Access Control · Audit Trail · Encryption
GDPR
EU General Data Protection Regulation. Evaluates consent management, data minimization, right to erasure patterns, anonymization, and cross-border transfer controls.
Consent · Minimization · Erasure · Anonymization
SOC 2
Service Organization Control 2. Evaluates security controls, availability patterns, processing integrity checks, confidentiality handling, and change management evidence.
Security · Availability · Integrity · Confidentiality
ModelOps
Model operations maturity. Detects versioning, experiment tracking, drift monitoring, model registry usage, A/B testing, rollback capability, and performance logging patterns.
Versioning · Drift Detection · Registry · Rollback
AIOps
AI-driven operations practices. Scans for structured logging, health endpoints, distributed tracing, circuit breakers, async error handling, and observability instrumentation.
Observability · Health Checks · Tracing · Circuit Breakers
XDR / Security
Extended Detection and Response security posture. Flags hardcoded secrets, SQL injection risk, missing auth patterns, insecure defaults, and unvalidated input handling.
Secrets · Injection Risk · Auth · Input Validation
FinOps
Cloud financial governance. Detects resource tagging, cost allocation patterns, budget alert usage, rightsizing signals, and infrastructure cost awareness in code and config.
Tagging · Cost Allocation · Budget Alerts · Rightsizing