Guardia AI — User Guide

Introduction

Guardia AI is an AI infrastructure governance platform for Azure. It continuously scans your Azure cloud resources — ML workspaces, Cognitive Services accounts, Container registries, AKS clusters, RBAC assignments, diagnostic settings, and Azure Policy — against seven global regulatory frameworks.

Guardia AI is not a data governance tool. It does not scan datasets, models, documents, or pipelines. It scans your Azure resource configuration — the infrastructure controls that regulators check during an audit.

Plans & Tier Features

Every feature in this guide is labelled with the minimum plan required to use it:

Quick-Start Checklist

Follow these steps in order. Most customers are up and running within 10 minutes of purchase.

1. 1

   Create an Azure Service Principal with read-only roles

   Guardia needs a service principal assigned four read-only roles on each subscription you want to scan. Detailed instructions →

2. 2

   Activate your account on the landing page

   After purchasing on Azure Marketplace, complete the activation form at app.trustguardia.com/landing to receive your API key. Details →

3. 3

   Sign in to the portal

   Go to app.trustguardia.com/portal and paste your gai-… API key. Details →

4. 4

   Verify your Azure subscriptions & credentials

   Go to the Azure Setup tab and confirm your subscription IDs and service principal credentials are saved correctly. Details →

5. 5

   Select your regulatory frameworks

   Go to the Frameworks tab and enable the frameworks relevant to your organisation. Details →

6. 6

   Run your first scan

   Go to the Scan tab, confirm selections, and click Run Scan. Results appear in 30–90 seconds. Details →

7. 7

   Review your compliance dashboard

   Click Open ↗ on any report in Scan History to see scores, findings, and remediation steps. Details →

8. 8

   Professional Enterprise — Set up Continuous Governance

   Go to the Governance tab to configure automated recurring scans, notification email, and drift alerts. Details →

9. 9

   Professional Enterprise — Configure CMK Encryption

   Optionally configure Customer-Managed Key encryption from the CMK Encryption section of the portal. Details →

Azure Service Principal Setup

Guardia AI needs a read-only service principal to scan your Azure subscriptions. It cannot modify, delete, or deploy any resources. The service principal needs four roles:

Option A — Azure Portal (no CLI required)

1. 1

   Create the app registration

   Go to Microsoft Entra ID → App registrations → New registration. Name it guardia-ai-reader. Click Register. Copy the Application (client) ID and Directory (tenant) ID shown on the overview page.

2. 2

   Create a client secret

   Go to Certificates & secrets → Client secrets → New client secret. Set an expiry (24 months recommended). Copy the Value immediately — it won't be shown again.

3. 3

   Assign roles to each subscription

   For each subscription you want to scan: go to the subscription → Access control (IAM) → Add role assignment. Add all four roles above, assigning them to your guardia-ai-reader app registration.

Option B — Azure Cloud Shell (faster)

Open Cloud Shell in the Azure Portal (the >_ icon) and run, replacing <SUB_ID> with your subscription ID:

Copyaz ad sp create-for-rbac \
  --name "guardia-ai-reader" \
  --role "Reader" \
  --scopes /subscriptions/<SUB_ID> \
  --sdk-auth

# Then add remaining roles
SP_ID=$(az ad sp list --display-name guardia-ai-reader --query "[0].id" -o tsv)
az role assignment create --assignee $SP_ID --role "Security Reader"       --scope /subscriptions/<SUB_ID>
az role assignment create --assignee $SP_ID --role "Monitoring Reader"     --scope /subscriptions/<SUB_ID>
az role assignment create --assignee $SP_ID --role "Resource Policy Reader"--scope /subscriptions/<SUB_ID>

Save the JSON output — you'll need clientId, clientSecret, tenantId, and subscriptionId in the next step.

Activating Your Account

After purchasing on Azure Marketplace, you are redirected to app.trustguardia.com/landing. Fill in the activation form with the values from your service principal setup:

On successful activation you receive your Guardia AI API key, which looks like gai-xxxxxxxxxxxxxxxxxxxx. This key authenticates all API calls and portal sessions. Store it securely.

Signing in to the Portal

Go to app.trustguardia.com/portal. When prompted, paste your gai-… API key and click Sign In.

• Your key is stored in the browser's localStorage — you won't need to re-enter it on the same device.
• To sign out, click the account icon in the top-right session bar and choose Sign Out. This clears the key from the browser.
• Never share your API key. It grants full access to run scans and view all compliance reports for your account.

Once logged in, the portal shows five tabs: Overview · Azure Setup · Frameworks · Scan · Governance.

Managing Azure Subscriptions

In the portal, go to the Azure Setup tab → Azure Subscriptions section.

Adding a subscription

1. Click + Add Subscription.
2. Enter your Azure Subscription ID (format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
3. Click Save Subscriptions.

Subscription limits by plan

Updating Azure Credentials

In the portal, go to the Azure Setup tab → Azure Credentials section. Enter the values from your service principal:

Click Save Credentials. Credentials are encrypted at rest and never returned in API responses.

Selecting Regulatory Frameworks

In the portal, go to the Frameworks tab. Toggle each framework on or off. Click Save Frameworks. Only enabled frameworks are included in scans.

Running a Compliance Scan

Via the Portal

1. Go to the Scan tab in the portal.
2. Review the selected frameworks (edit in the Frameworks tab if needed).
3. Review the linked Azure subscription IDs.
4. Click Run Scan.
5. A progress indicator appears. Scans typically complete in 30–90 seconds.
6. When complete, the report appears at the top of Scan History automatically.

Via the API

Copycurl -X POST https://app.trustguardia.com/scan \
  -H "X-API-Key: gai-YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "frameworks": ["iso42001", "sr11_7", "eu_ai_act"],
    "subscription_ids": ["YOUR_AZURE_SUBSCRIPTION_ID"]
  }'

Framework identifiers: iso42001 · sr11_7 · eu_ai_act · nist_ai_rmf · mas_trm · sox · dora

Scan limits

Scans count against your monthly quota. The portal shows your remaining scan count in the Overview tab. Quotas reset on the 1st of each calendar month.

Scan History

The Scan History tab in the portal lists every manual scan you've run, newest first. For each report you can:

• Open ↗ — view the full interactive compliance dashboard for that scan
• 🗑 Delete — permanently remove a single report

The Clear History button removes all manual scan reports for your account (governance scans are unaffected). This action cannot be undone.

Scan history retention by plan:

Reading the Compliance Dashboard

Click Open ↗ on any scan report to open the full compliance dashboard. The dashboard is divided into:

Aggregate Score

A 0–100 score reflecting your overall AI infrastructure governance posture across all evaluated frameworks. Score bands:

Per-Framework Scores

Each selected framework shows its own score and pass/fail control summary. Clicking a framework expands the list of individual controls evaluated.

Findings Table

Each finding shows:

• Control ID — the specific clause or control number within the framework
• Resource — the exact Azure resource path that triggered the finding
• Severity — Critical / High / Medium / Low
• Status — Pass / Fail / Warning
• AI Narration — plain-language explanation of the risk and recommended fix ✦ All Plans

IaC Remediation Buttons

Enterprise — For each failing control that has an infrastructure fix, Guardia generates a ready-to-apply remediation script. Click ARM, Bicep, or Terraform to download the script pre-filled with your resource identifiers. More details →

AI Narration

Every finding includes an AI-generated plain-language explanation powered by Azure OpenAI. Narration covers:

• What the finding means — translates control IDs into business language
• Business impact — what risk this finding creates for your organisation
• Recommended fix — the specific Azure action needed to resolve the finding

Narration is generated at scan time and stored with the report — no additional API calls when viewing historical reports.

Comparing Two Reports

The report comparison feature shows you exactly what changed between two scans — which findings were resolved, which are new, and how your score changed. This is your primary tool for demonstrating remediation progress to auditors.

Via the Portal

From Scan History, tick the checkboxes on two reports and click Compare. The diff view shows:

• ✅ Resolved — findings that passed since the earlier scan
• 🔴 New — findings that appeared since the earlier scan
• ⚪ Unchanged — findings present in both reports
• Score delta between the two scans

Via the API

Copycurl -X POST https://app.trustguardia.com/scan/compare \
  -H "X-API-Key: gai-YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "report_id_a": "COMP-20260501-120000",
    "report_id_b": "COMP-20260515-120000"
  }'

Continuous Governance

Continuous Governance automates recurring scans on a schedule — you don't need to remember to run scans manually. Every automated scan produces a full compliance report, checks for drift, and emails you a summary.

Setting Up Continuous Governance

1. 1

   Open the Governance tab

   In the portal, click the Governance tab.

2. 2

   Select subscriptions

   Choose which Azure subscriptions to include in automated governance scans. You can scan a subset of your linked subscriptions.

3. 3

   Set notification email

   Enter the email address where governance scan summaries and drift alerts should be sent. This can be a distribution list.

4. 4

   Save Governance Settings

   Click Save Settings. The platform schedules the first automated scan based on your plan cadence. The next scheduled scan time is displayed in the Governance tab.

5. 5

   Optional: trigger an immediate scan

   Click Run Now in the Governance tab to trigger an on-demand governance scan outside the scheduled cadence. This does not consume your monthly manual scan quota.

Governance History

All automated governance scans are listed in the Governance History section at the bottom of the Governance tab, separate from your manual Scan History. You can:

• Click any row to open the full compliance dashboard for that governance scan
• Click 🗑 on any row to delete a single governance record
• Click Clear History to remove all governance scan records (cannot be undone)

AI Infrastructure Drift Alerts

A Drift Alert fires when Guardia AI detects a meaningful change in your AI infrastructure governance posture between consecutive scans. Alerts are sent to the governance notification email immediately — they do not wait for the next scheduled scan summary.

An alert triggers when either of these conditions are met:

• Your aggregate posture score drops by 5 or more points compared to the previous scan
• One or more new Critical-severity findings appear that were not present in the previous scan

The alert email includes the score delta, a list of new findings, the specific Azure resources affected, and a direct link to compare the two reports.

IaC Remediation Export

For every failing control that can be fixed via infrastructure changes, Guardia AI generates a ready-to-apply remediation script in three formats:

Each script is pre-filled with:

• Your specific Azure subscription and resource group identifiers
• The exact resource names and property paths flagged in the finding
• The correct remediation values required to pass the control

Downloading IaC scripts

1. Open a report from Scan History or Governance History.
2. In the compliance dashboard, click the IaC button (ARM / Bicep / Terraform) next to any failing finding that supports remediation.
3. Alternatively, use the report-level download buttons in the dashboard header to download all remediations for a given format in one file.

Via the API

Copy# Check IaC availability for a report
curl https://app.trustguardia.com/report/COMP-20260515-120000/iac/status \
  -H "X-API-Key: gai-YOUR_KEY"

# Download Terraform remediation script
curl https://app.trustguardia.com/report/COMP-20260515-120000/iac/terraform \
  -H "X-API-Key: gai-YOUR_KEY" -o remediation.tf

# Download Bicep remediation script
curl https://app.trustguardia.com/report/COMP-20260515-120000/iac/bicep \
  -H "X-API-Key: gai-YOUR_KEY" -o remediation.bicep

Customer-Managed Key (CMK) Encryption

By default, scan reports are encrypted using Azure-managed keys. With CMK enabled, all scan reports are encrypted using AES-256-GCM with a Data Encryption Key (DEK) that is wrapped by a key you hold in your own Azure Key Vault. Guardia AI never holds your key.

When you revoke your Key Vault key, Guardia AI immediately loses the ability to decrypt any existing reports. This gives you complete data sovereignty.

Prerequisites

• An Azure Key Vault in your subscription
• A secret stored in that Key Vault (a random 32-byte value is sufficient)
• The guardia-ai-reader service principal must have the Key Vault Secrets User role on the vault (or at minimum Get and List secret permissions)

Setting up CMK

1. 1

   Create a Key Vault secret

   In the Azure Portal, go to your Key Vault → Secrets → Generate/Import. Create a secret named guardia-cmk (or any name you choose). Generate a random value or use your own. Copy the Secret Name.

2. 2

   Grant Guardia's service principal access

   In the Key Vault → Access control (IAM), assign the Key Vault Secrets User role to the guardia-ai-reader service principal.

3. 3

   Configure CMK in the portal

   In the portal, scroll to the CMK Encryption section. Enter your Key Vault URL (format: https://your-vault.vault.azure.net) and your Secret Name. Click Save CMK Settings.

4. 4

   Test the connection

   Click Test CMK Connection. Guardia attempts to read the secret from your Key Vault using the configured credentials. A green success message confirms the connection is working.

Once configured, all new scan reports are CMK-encrypted. Existing reports remain encrypted with their original key (Azure-managed or CMK from a previous configuration).

Removing CMK

Click Remove CMK in the CMK Encryption section. Guardia reverts to Azure-managed encryption for new reports. Existing CMK-encrypted reports can still be read as long as the Key Vault secret remains accessible.

Your API Key

Your API key (gai-…) is displayed in the Overview tab of the portal. Click the key to copy it. The key is partially masked for security — click Show if you need to verify the full value.

Using your API key

Include it in every API request as an HTTP header:

CopyX-API-Key: gai-YOUR_KEY_HERE

Key security

• Never commit your API key to source control.
• Store it as a secret in your CI/CD system (GitHub Secrets, Azure Key Vault, etc.).
• If you believe your key has been compromised, contact support@trustguardia.com immediately for a rotation.

Managing Scan & Governance History

You have full control over your scan and governance history from the portal.

Scan History

• Delete a single report: Click 🗑 on any row in Scan History. You are prompted to confirm before deletion.
• Clear all manual scan history: Click Clear History above the scan list. This deletes all manual scans but leaves governance scans untouched.

Governance History

• Delete a single governance record: Click 🗑 on any row in Governance History.
• Clear all governance history: Click Clear History in the Governance tab. This deletes only governance records and does not affect manual scan history.

Upgrading Your Plan

All plan changes are managed through Azure Marketplace. To upgrade:

1. Go to the Azure Marketplace SaaS subscriptions page in the Azure Portal.
2. Find your Guardia AI subscription and click Change plan.
3. Select your new plan and confirm. The upgrade takes effect immediately.

Your API key, scan history, and all configuration (subscriptions, credentials, CMK settings, governance settings) are preserved when you change plans.

Framework Reference

Frequently Asked Questions

Executive Scorecard, Remediation Roadmap & Auditor Package

Three AI-generated deliverables produced in minutes from your existing scan data — designed for CROs, compliance officers, and external auditors.

💡 Tip: Generate all three from the same report in one click using the "Generate All" button in the portal. Scorecard for the board, Roadmap for the engineering team, Evidence Package for audit file.

Getting Support

When contacting support, please include:

• Your registered email address (not your API key)
• The Report ID (format: COMP-YYYYMMDD-HHMMSS) if the issue is scan-related
• The error message shown in the portal or API response
• Your Azure subscription ID (never send client secrets by email)