11 June 2026 · Kuziva Muzondo

Static Analysis for AI Compliance: Why Code Scanning Complements Questionnaires

Code scanning and compliance questionnaires cover different parts of the EU AI Act. Neither alone is sufficient. Most teams need both — and understanding the gap each leaves is the first step to closing it.

What code scanning finds that questionnaires miss

Code scanners detect concrete, verifiable signals that questionnaire respondents may not know about or may describe inaccurately: Article 5 prohibited-practice indicators, AI framework imports that suggest risk tier, credential exposure and unsafe deserialisation affecting Article 15 cybersecurity, and agent autonomy patterns without human oversight gates relevant to Article 14.

Code scanners analyse source code directly. The findings exist in the repository regardless of how anyone answers a questionnaire.

These are facts about the codebase. A questionnaire respondent may not know about them, may understate them, or may describe them inaccurately. Code scanning provides an independent check.

What questionnaires cover that code scanning cannot

Questionnaires capture the roughly 70% of the EU AI Act that has no source-code footprint: risk management systems (Article 9), deployment context that determines risk tier, fundamental rights impact assessments (Article 27), post-market monitoring plans (Article 72), and data governance policies (Article 10). These are organisational obligations that no scanner can verify.

Questionnaires capture organisational and contextual information that does not exist in source code.

Honest comparison: tools in this space

Code scanners include Regula (419 patterns, 8 languages, offline), AIR Blackbox (51 checks, Python-only, Apache 2.0), and Systima Comply (tree-sitter AST, TS/JS/Python). Questionnaire-based tools include the EU Commission ALTAI checker and EuroComply. Enterprise platforms like Credo AI and Holistic AI combine both approaches at enterprise pricing.

Tool Approach Strengths Limitations
Regula Code scan (regex) 419 patterns, 8 languages, zero runtime dependencies, offline Regex-based — no semantic understanding. Deep coverage for Python; shallower for other languages. Cannot assess organisational compliance.
AIR Blackbox Code scan (Python) 51 checks across Articles 9–15, Apache 2.0 licence, 7 framework trust layers Python-only. Narrower pattern set. Focused on high-risk obligations rather than full Act coverage.
Systima Comply Code scan (AST) Tree-sitter AST analysis, 37+ frameworks, TS/JS/Python Newer entrant. AST approach gives deeper understanding per file but limited language coverage.
EU Commission ALTAI checker Questionnaire Free, official, covers organisational and ethical dimensions Self-assessment only. No code verification. Pre-dates the final AI Act text.
EuroComply Questionnaire Guided workflow for EU AI Act obligations, document generation No code analysis. Relies entirely on the accuracy of respondent answers.
Credo AI, Holistic AI Platform (both) Combine code-level analysis with governance workflows, policy management, and questionnaires Enterprise pricing. Heavier integration requirements. Not open source.

When you need both

Most teams building AI systems that may fall under the EU AI Act need code scanning in CI and a questionnaire or governance platform for organisational obligations. The combination looks like this:

The Omnibus Regulation provisional agreement of 7 May 2026 postpones Annex III high-risk obligations to 2 December 2027 (EP approved 16 Jun 2026, Council approved 29 Jun 2026; pending OJ publication). This gives teams more time to build both technical and organisational compliance — but the prohibited practice prohibitions under Article 5 already apply (since 2 February 2025).


Last verified: 11 June 2026 · Author: Kuziva Muzondo · Not legal advice. Regula is a code scanning tool that identifies risk indicators for developer review. It does not determine your system’s risk classification or replace professional legal counsel.

Related reading