SBOM Analyzer — supply chain visibility
Upload SPDX or CycloneDX bills of materials, map components to known vulnerabilities, and align findings with compliance frameworks — processed in your browser.
SBOM ingestion
Support for SPDX and CycloneDX formats with component inventory and dependency graphing.
CVE & severity mapping
Match components to vulnerability databases with prioritised risk views for remediation teams.
Compliance alignment
Map SBOM coverage to NTIA minimum elements, EO 14028, and supply-chain audit expectations.
Client-side processing
Your SBOM files are not uploaded to our servers — analysis runs locally in the browser.
AI Governance Review — accountability in five phases
Five guided phases. Regulatory citations built in. Five audience-specific reports — all in your browser, no data leaving your device.
Guided 5-Phase Workflow
Define System → Component Inventory → Gap Analysis → Assess & Assign → Evidence Package. Each phase has a clear deliverable.
32 Structured Questions
Across six governance domains with regulatory citations. Each question explains why it matters and which regulation it maps to.
Automatic Gap Analysis
Auto-generated from your answers. Every gap includes severity (Critical/Major/Minor), a regulatory citation, and exactly what evidence is needed to close it.
Five Stakeholder Reports
One session produces five downloadable HTML reports: Executive/Board, Technical/Auditor, Legal/DPO, CISO/Risk, and Procurement.
Offline, Browser-Based
No account required. No data sent to any server. The entire review — questions, gap analysis, and report generation — runs in your browser.
EU AI Act Risk Classification
Built-in EU AI Act risk tier classification as the first step. Every gap and report references the regulatory framework relevant to your system’s risk level.
Guided 5-Phase Assessment Workflow
Every phase has a defined input and a specific deliverable. You always know where you are and what comes next.
Define System
Name the AI system, describe its purpose, and classify its EU AI Act risk tier. Guided field-by-field with plain-language explanations.
Produces: Formal system record with unique ID, risk classification, and accountable owner.
Component Inventory
32 guided questions across Models, Data, Vendors, Infrastructure, Controls, and Monitoring. Each question shows why it matters and which regulation it maps to.
Produces: A complete, structured evidence record across all six governance domains.
Gap Analysis
Auto-generated from your answers. Every gap includes its regulatory citation, the risk if left unaddressed, and exactly what evidence closes it.
Produces: Regulatory-cited gap register by severity — Critical, Major, Minor.
Assess & Assign
Assign an owner, remediation approach, and target date to each gap. This information flows into every report automatically.
Produces: Working action plan with owners and dates embedded in every report.
Evidence Package
Generate five downloadable HTML reports, each written for its audience — from board narrative to technical audit detail — with no additional effort.
Produces: Board report · Technical audit record · Legal/DPO package · CISO assessment · Procurement review.
32 Questions Across Six Governance Domains
Every question is anchored to at least one regulatory framework. You can see exactly why you’re being asked — and what answering it gives you.
Models
Foundation model, fine-tuning approach, model card availability, and version control. Maps to EU AI Act transparency requirements.
Data
Training data provenance, data quality controls, personal data handling, and retention. Maps to GDPR Articles 5, 13, and 25.
Vendors
Third-party AI service providers, sub-processors, contractual obligations, and exit planning. Maps to NIST AI RMF Govern 1.6.
Infrastructure
Compute environment, deployment architecture, access controls, and network isolation. Maps to NIST AI RMF Manage 2.2.
Controls
Human oversight mechanisms, fallback procedures, output validation, and incident response. Maps to EU AI Act Articles 14 and 17.
Monitoring
Ongoing performance tracking, drift detection, logging, and post-market surveillance obligations. Maps to EU AI Act Article 72.
Automatic Gap Analysis with Regulatory Citations
Generated from your answers — no manual interpretation. Every gap tells you what regulation requires it, what the risk is, and exactly what evidence closes it.
Severity classification
Each gap is rated Critical, Major, or Minor based on regulatory weight and organizational risk.
Regulatory citation
Every gap cites the specific article, section, or control it maps to — EU AI Act, GDPR, NIST AI RMF, or SBOM-for-AI.
Risk if unaddressed
Plain-language explanation of what the gap means for regulatory exposure, operational risk, or audit readiness.
Evidence required
Specific description of what document, record, or control would close the gap — so you know exactly what to produce.
Five Stakeholder-Specific Reports
One session. One record. Five downloadable HTML reports — each written and organized for its intended audience.
Executive / Board Report
Risk posture summary, gap count by severity, and accountability ownership — written for board-level review. No technical background required to understand it.
Technical / Auditor Record
Full inventory of all questions, answers, and gaps with regulatory citations. Structured for technical review and third-party audit use.
Legal / DPO Package
GDPR data handling gaps, EU AI Act obligations, and evidence of controls — organized for Data Protection Officers and legal counsel review.
CISO / Risk Assessment
Security controls, infrastructure gaps, monitoring coverage, and incident response readiness — organized for security leadership and risk committee review.
Procurement Review
Vendor obligations, third-party AI service gaps, and contractual accountability — structured for procurement teams and supplier due diligence.
All five, one session
No extra work to produce different views. The tool generates all five from the same record — downloaded as self-contained HTML files.
Regulatory Frameworks
Every question and gap is anchored to a specific regulation or standard. These are tool-generated indicators — not regulatory certifications or legal opinions.
EU AI Act
Unacceptable, High, Limited, and Minimal risk tiers. Articles 6, 9, 13, 14, 17, and 72 cited throughout the inventory and gap register.
GDPR
Articles 5, 13, 22, and 25 covering lawfulness of processing, transparency, automated decision-making, and privacy by design.
NIST AI RMF
All four core functions referenced. Specific subcategory citations (e.g. Govern 1.1, Manage 2.2) embedded in each relevant gap.
SBOM-for-AI
Emerging SBOM-for-AI minimum element requirements covering model provenance, training data lineage, and component transparency.
The entire review runs in your browser
Questions, answers, gap generation, and report production all run locally. Nothing you enter about your AI system leaves your device. No account required. See our Trust page for the full picture.