Open-Source CLI Scans Codebases for EU AI Act Compliance Risks

A new open-source command-line tool called Comply aims to answer a question most development teams are quietly ignoring: does your code trigger obligations under the EU AI Act?

Running npx @systima/comply scan analyzes a repository to detect which AI frameworks you're using, traces how AI-generated outputs flow through your application, and flags patterns that could put you on the hook for regulatory compliance. It works across 37+ AI frameworks, uses AST-based import detection (parsing your code's structure rather than just searching for keywords) via the TypeScript Compiler API and web-tree-sitter, and runs directly in CI/CD pipelines. It posts findings on pull requests with no API keys required.
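To make the AST-versus-keyword distinction concrete, here is an added example (not Comply's own code, which targets many languages and frameworks) that applies the same idea to a Python file using the standard-library `ast` module. The framework watchlist and the sample source are constructed for illustration.

```python
from __future__ import annotations

import ast
import re

# Constructed watchlist (not Comply's real list): top-level module -> framework label.
AI_FRAMEWORKS = {
    "openai": "OpenAI SDK",
    "anthropic": "Anthropic SDK",
    "transformers": "Hugging Face Transformers",
    "face_recognition": "face_recognition (biometric identification)",
}

# Constructed sample file: one plain import, one aliased import, one dynamic
# import, plus the same names appearing only in a docstring and a string literal.
SAMPLE_SOURCE = '''\
"""Helper module.  TODO: evaluate import face_recognition for login."""
import importlib
import anthropic as ai
from openai import OpenAI

MODEL_FAMILY = "transformers"  # just a label, not an import
clf = importlib.import_module("face_recognition")
'''


def keyword_scan(source: str) -> set[str]:
    """Naive approach: grep for framework names anywhere in the text (hits comments/strings too)."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, AI_FRAMEWORKS)) + r")\b")
    return set(pattern.findall(source))


def ast_scan(source: str) -> dict[str, int]:
    """AST approach: report only real imports (static or importlib.import_module) with the first line seen."""
    found: dict[str, int] = {}

    def record(module: str | None, lineno: int) -> None:
        root = (module or "").split(".")[0]  # "openai.types" -> "openai"
        if root in AI_FRAMEWORKS:
            found.setdefault(root, lineno)

    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:          # handles "import anthropic as ai"
                record(alias.name, node.lineno)
        elif isinstance(node, ast.ImportFrom):
            record(node.module, node.lineno)
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "import_module" and node.args
              and isinstance(node.args[0], ast.Constant) and isinstance(node.args[0].value, str)):
            record(node.args[0].value, node.lineno)  # dynamic import with a literal name
    return found
```

On the sample, the keyword scan reports all four framework names, while the AST scan reports only the three that are actually imported, each with the line a reviewer should look at.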

The EU AI Act, which started phasing in enforcement in 2025, classifies AI systems by risk level and imposes requirements ranging from transparency disclosures to full conformity assessments. Most teams building with AI SDKs haven't mapped their usage against these categories. A tool that surfaces potential obligations automatically during code review fills a practical gap, even if the output still needs a human (ideally someone with legal context) to interpret.

The tool is still early. Automated compliance scanning can catch obvious patterns like importing a face-recognition library, but the EU AI Act's risk classifications often depend on how you deploy a system, not just which libraries you import. A sentiment analysis model used for content moderation hits different rules than the same model used for market research. Static analysis alone can't resolve that distinction.

Still, for teams shipping AI-powered features into EU markets, having a baseline scan that runs on every PR is better than the current default, which for most companies is nothing.