About Regula

Regula is an open-source command-line tool that scans codebases for EU AI Act risk indicators. It combines static code analysis with governance questionnaires to produce evidence a lawyer, auditor, or notified body can review. It is not an AI governance platform, not a compliance certificate, and not legal advice.

What Regula does

Regula scans source code in 8 programming languages for patterns that match the EU AI Act's risk categories. It classifies systems into the Act's four tiers (prohibited, high-risk, limited-risk, minimal-risk), maps findings to specific articles, and generates structured compliance evidence. It runs entirely locally with zero external dependencies — no API calls, no data transmission, no account required.

It works on two fronts:

  • Code scanning — 419 regex patterns across Articles 5–15, with a 6-layer precision architecture (AST context gating, domain exclusions, library fingerprinting, confidence floors) to reduce false positives. Published precision on a random corpus: 83.5%.
  • Governance questionnaires — structured self-assessments for organisational obligations that code cannot verify, including risk management (Article 9), quality management (Article 17), and fundamental rights impact assessments (Article 27).

61 CLI commands. 12 compliance framework mappings (EU AI Act, NIST AI RMF, ISO 42001, NIST CSF, SOC 2, ISO 27001, OWASP LLM Top 10, MITRE ATLAS, LGPD, Marco Legal da IA, EU CRA, ICO/DSIT). Multi-jurisdiction risk indication across 3 jurisdictions (EU AI Act, South Korea AI Basic Act, Colorado SB 26-189). 2,531 tests. Free under Apache 2.0 / EUPL 1.2.

What Regula does not do

Static code scanning can address roughly 30% of the EU AI Act. The remaining 70% — risk management systems, quality management, fundamental rights impact assessments, post-market monitoring, conformity assessments — are organisational obligations that require human processes, not code analysis. Regula does not pretend to verify them.

Specifically, Regula does not:

  • Determine whether a system is high-risk under Article 6 (this requires contextual assessment of intended purpose and deployment context)
  • Verify that a risk management system is actually operated (Article 9)
  • Run a fundamental rights impact assessment (Article 27)
  • Replace legal advice or issue compliance certificates

The full scope statement is published at docs/what-regula-does-not-do.md. The project maintains a Trust Pack with security audit results, test counts, and verified numbers.

Who maintains it

Regula is maintained by Kuziva Muzondo, a software engineer based in the UK who explores AI governance outside his day job. The project started as a practical question: if the EU AI Act creates obligations that apply to code, what would a developer-facing compliance tool actually look like?

Commits include a Co-Authored-By: Claude Opus 4.6 trailer where work was paired with Anthropic's Claude. This is standard pair-programming attribution — the maintainer is accountable for every merged change. The project's approach to honesty is documented in the codebase: no fabricated statistics, no overstated capabilities, no marketing claims that can't be verified against the code.

Kuziva also writes The Implementation Layer, a newsletter on the gap between AI governance theory and organisational reality.

How it works

Regula's classification engine matches source code against regex patterns mapped to EU AI Act articles. A 6-layer precision architecture reduces false positives:

  1. Match-line context gating — AST analysis suppresses findings where all pattern matches occur inside docstrings or string literals
  2. Opt-in category expansion — categories with high false-positive rates require additional corroborating evidence
  3. Domain exclusion patterns — medical imaging libraries are excluded from biometrics findings, database migration tools from migration findings, etc.
  4. Project fingerprinting — scans package.json and import graphs to identify AI library projects and suppress self-scan noise
  5. Confidence floors — findings with confidence below a threshold and no corroborating evidence are suppressed
  6. Cross-file oversight enrichment — optional Article 14 analysis traces AI outputs across files to human review gates

Evidence packs are signed with SHA-256 integrity manifests and in-toto attestations. Every finding is traceable to a file and line number.

Disambiguation

This is Regula the EU AI Act compliance CLI, published at getregula.com and pypi.org/project/regula-ai. It is not affiliated with Regula Forensics (regula.com), which is an identity verification and document authentication company.

Contact

support@getregula.com · GitHub · PyPI