Sentinel · EU AI Act
Real audit · unmodified output · AUD-2026-00013

Hugging Face Transformers audited under EU AI Act

We ran Sentinel on transformers v5.10.0.dev0 — the most widely used open-source AI framework. Every number below is taken directly from the engine output. Nothing has been adjusted.

Engine: SENTINEL_V2_STATIC · Sector profile: hr_recruitment_ai · Scoring: ARTICLE_WEIGHTED_V3 · 2026-06-08

Final score: 18 / 100
Verdict: GAP
Dossier readiness: 79 / 100
Art. 5 clean: 7 / 7 ✓
Dossier files: 27
Total placeholders: 393

Compliance is not inherited

Transformers scores 18/100. If you deploy a high-risk application on top of it, your Art. 9, 10, 14, and 27 obligations are entirely your own. Sentinel audits your codebase, not your upstream libraries.

Art. 49 registration warning

EU AI Act database registration was not declared for a system classified as high-risk. Registration is mandatory before market placement. Sentinel applied an automatic score cap at 75.

Art. 5 — fully compliant

All 7 prohibited practice checks passed: no subliminal manipulation, no social scoring, no biometric categorisation by sensitive attributes, no emotion recognition in workplace settings, no predictive policing patterns.

393 provider actions generated

Sentinel auto-generated 27 dossier documents. 16 contain placeholder fields that must be completed by the provider — including risk register (51 gaps), PMM plan (70 gaps), and FRIA (31 gaps).

Full audit output

AUD-2026-00013

transformers v5.10.0.dev0 · audit_id: fffea2a0d0014374 · 2026-06-08T10:46:13Z

github.com/huggingface/transformers
Per-article compliance

Method: ARTICLE_WEIGHTED_V3 · Bonus: +2

Article and area · sector multiplier (where applied) · weight · checks passed

Art. 5 Prohibited Practices · 7 pts · 7/7
Art. 12 Record Keeping · 3 pts · 1/2
Art. 19 Auto-Generated Logs · 3 pts · 1/2
Art. 13 Transparency · 1.3× · 10 pts · 1/4
Art. 20 Logging · 8 pts · 1/4
Art. 9 Risk Management · 1.2× · 13 pts · 0/6
Art. 10 Data Governance · 1.4× · 11 pts · 0/5
Art. 14 Human Oversight · 1.2× · 13 pts · 0/5
Art. 15 Robustness · 5 pts · 0/4
Art. 17 Quality Management · 3 pts · 0/2
Art. 27 Fundamental Rights · 1.4× · 4 pts · 0/2
Art. 47 EU Declaration · 4 pts · 0/3
Art. 49 EU Registration · 2 pts · 0/2
Art. 50 AI Output Transparency · 4 pts · 0/4
Art. 72 Post-Market Monitoring · 4 pts · 1/3

Total weight: 101 pts
Score before bonus: 16 pts
Final score: 18 / 100

Critical gaps — all requirements missing

Art. 9 Risk Management · 13 pts · 1.2× sector
Risk management plan document (Art. 9(2))
Risk identification and analysis signals (Art. 9(2)(b))
Risk evaluation and residual risk assessment (Art. 9(2)(c))
Risk control measures implemented in code or docs (Art. 9(2)(d))
Data governance plan for training/validation/test data (Art. 9(5))
Testing procedures for risk identification (Art. 9(7))

Art. 14 Human Oversight · 13 pts · 1.2× sector
Human override mechanism implemented in code (Art. 14(2))
System interrupt / stop capability in code (Art. 14(2))
Circuit breaker or fallback mechanism (Art. 14(2))
Human review trigger for individual decisions (Art. 14(4)(a))
Escalation to human operator mechanism (Art. 14(4)(b))

Art. 10 Data Governance · 11 pts · 1.4× sector
Data governance practices documented (Art. 10(2)(a))
Data collection and processing procedures (Art. 10(2)(b))
Data quality measures documented (Art. 10(2)(f))
Bias examination documentation or detection signals (Art. 10(2)(g))
Personal data handling measures (Art. 10(5))

Art. 50 AI Output Transparency · 4 pts
AI interaction disclosure signal in code (Art. 50(1))
Synthetic or AI-generated content labelling/watermarking (Art. 50(2))
GPAI SDK dependency declared — AI generation origin traceable (Art. 50(3))
Deepfake or face-swap detection/disclosure present (Art. 50(4))

Art. 5 — Prohibited Practices — 7/7 ✓
No subliminal or manipulative behaviour techniques
No vulnerability exploitation patterns
No social scoring patterns
No predictive policing or criminal risk profiling
No real-time biometric identification
No biometric categorisation by sensitive attributes
No emotion recognition in workplace or educational settings

Art. 49 — Registration Warning · score capped at 75
EU AI Act database registration not declared for a high-risk system. Mandatory before market placement under Art. 49(1).

Who uses Sentinel

The audit above is representative of what Sentinel produces for any codebase. Your system, your obligations.

GPAI / Foundation Model Providers
Art. 51 · Art. 53 · Art. 55

Training deps (Accelerate, Datasets, DeepSpeed) trigger GPAI classification. Sentinel evaluates systemic risk thresholds (≥10²⁵ FLOPs), model card completeness, and copyright policy presence.

HR & Recruitment AI
Art. 9 · Art. 10 · Art. 14 · Art. 27

CV screening and candidate ranking are Annex III high-risk. Sector multipliers of 1.2–1.4× amplify missing controls. Sentinel checks bias detection signals, human override mechanisms, and FRIA documentation.

Law Enforcement & Biometric AI
Art. 5 · Art. 9 · Art. 14

Seven Art. 5 prohibited practice checks: emotion recognition, social scoring, real-time biometric, predictive policing. Pattern-matched at AST level across all 15 supported languages.

Vector DBs & AI Infrastructure
Art. 13 · Art. 50

GPAI API integration triggers Art. 50 transparency obligations. Sentinel detects 89 tracked AI packages, checks for AI output disclosure signals, and evaluates logging infrastructure completeness.

Compliance Consultancies
Art. 47 · Art. 49 · Art. 72

Portfolio view across all client organisations. Each client receives a permanent sharable audit link, Notified Body export package, and full dossier with epistemic map, SBOM, and score trace.

DevOps / CI-CD Integration
Art. 9 · Art. 15 · Art. 20

API key auth for CI pipelines. SARIF output integrates directly with GitHub Advanced Security, flagging compliance regressions per commit. Delta scoring tracks drift between releases.
