Hugging Face Transformers audited under EU AI Act
We ran Sentinel on transformers v5.10.0.dev0 — the most widely used open-source AI framework. Every number below is taken directly from the engine output. Nothing has been adjusted.
Engine: SENTINEL_V2_STATIC · Sector profile: hr_recruitment_ai · Scoring: ARTICLE_WEIGHTED_V3 · 2026-06-08
Transformers scores 18/100. If you deploy a high-risk application on top of it, your Art. 9, 10, 14, and 27 obligations are entirely your own. Sentinel audits your codebase, not your upstream libraries.
EU AI Act database registration was not declared for a system classified as high-risk. Registration is mandatory before market placement. Sentinel applied an automatic score cap at 75.
All 7 prohibited practice checks passed: no subliminal manipulation, no social scoring, no biometric categorisation by sensitive attributes, no emotion recognition in workplace settings, no predictive policing patterns.
Sentinel auto-generated 27 dossier documents. 16 contain placeholder fields that must be completed by the provider — including risk register (51 gaps), PMM plan (70 gaps), and FRIA (31 gaps).
Full audit output
AUD-2026-00013 · transformers v5.10.0.dev0 · audit_id: fffea2a0d0014374 · 2026-06-08T10:46:13Z
Who uses Sentinel
The audit above is representative of what Sentinel produces for any codebase. Your system, your obligations.
Training deps (Accelerate, Datasets, DeepSpeed) trigger GPAI classification. Sentinel evaluates systemic risk thresholds (≥10²⁵ FLOPs), model card completeness, and copyright policy presence.
CV screening and candidate ranking are Annex III high-risk. Sector multipliers of 1.2–1.4× amplify missing controls. Sentinel checks bias detection signals, human override mechanisms, and FRIA documentation.
Seven Art. 5 prohibited practice checks: emotion recognition, social scoring, real-time biometric, predictive policing. Pattern-matched at AST level across all 15 supported languages.
GPAI API integration triggers Art. 50 transparency obligations. Sentinel detects 89 tracked AI packages, checks for AI output disclosure signals, and evaluates logging infrastructure completeness.
Portfolio view across all client organisations. Each client receives a permanent sharable audit link, Notified Body export package, and full dossier with epistemic map, SBOM, and score trace.
API key auth for CI pipelines. SARIF output integrates directly with GitHub Advanced Security, flagging compliance regressions per commit. Delta scoring tracks drift between releases.