
DeepInspect vs Protect AI Guardian: per-decision audit versus model-scanning

Protect AI Guardian (now under Palo Alto Networks after the August 2025 acquisition) focuses on model artifact scanning and ML supply chain risks. DeepInspect operates as a stateless policy gateway in the HTTP path between authenticated users or agents and any LLM. The two product categories often get evaluated together, but the enforcement boundary, the audit artifact, and the regulatory fit are different. This piece walks through where each sits.

By Parminder Singh · Founder & CEO, DeepInspect Inc.

Protect AI was acquired by Palo Alto Networks in August 2025. Guardian remains the front-end name for the model-scanning product. The category Protect AI built is model supply chain security: scan model artifacts, surface ML-specific vulnerabilities, integrate the result into the ML platform. DeepInspect operates in a different layer of the stack. The gateway sits in the HTTP path between authenticated users or agents and any LLM, enforces identity-bound policy at the request layer, and writes a per-decision audit log.

I want to walk through the architectural difference, then where each product is the right answer.

Enforcement boundary

DeepInspect operates at the inference request layer. Every call to a model from a user, an agent, a service account, or a vendor-embedded path is intercepted by the gateway. Identity gets resolved. Policy gets evaluated. The decision (allow, mask, block, escalate) writes to the audit log before the response returns to the caller. The boundary is the live AI request.

Protect AI Guardian's primary mode is pre-deployment scanning of model artifacts. A team downloads a model from Hugging Face, an internal registry, or a fine-tuning pipeline. Guardian scans the artifact for malicious code, unsafe deserialization patterns, and known vulnerable dependencies. The scan happens before the model gets promoted into production.

The two boundaries answer different questions. Guardian answers "is this model artifact safe to deploy." DeepInspect answers "is this specific request from this specific principal to this specific model allowed by policy, and what does the audit trail say about the decision."

What each product produces as an artifact

Guardian's artifact is a scan report. The report enumerates the vulnerabilities found in the model file, the dependency graph, and the recommendations. The report is the input to a deployment gate. After the gate passes, the model is in production and Guardian's role in that artifact's lifecycle is complete.

DeepInspect's artifact is a per-decision log. Each AI request that crosses the gateway produces a record with the principal, model, endpoint, redacted prompt, response treatment, policy version, decision outcome, and timestamp. The log accumulates across the lifetime of the deployment. The retention floor is six months under EU AI Act Article 19; it is longer under financial-services and healthcare obligations.

The regulatory artifact under Article 12 is the second kind. The text mandates automatic recording of events across the lifetime of the system. A scan report from before deployment does not satisfy that requirement.

Coverage of vendor and embedded AI

A large share of AI usage in enterprises flows through vendor SaaS tools that embed LLM calls. The customer-service platform summarizes tickets. The fraud tool ranks transactions. The HR tool screens resumes. None of those vendor environments expose the underlying model artifact to the customer's security team.

Guardian's coverage extends to models the customer can scan. If the model lives in the customer's registry, the customer can run Guardian against it. If the model lives in the vendor's environment, Guardian cannot scan it.

DeepInspect's coverage extends to AI requests that cross the customer's HTTP path. When a vendor SaaS calls a model on the customer's behalf using the customer's keys or routes through a customer-controlled egress, the request is in DeepInspect's path and the gateway captures it. Vendor-embedded usage is the dominant share of enterprise AI right now and is also the share that produces the most regulatory exposure.

Identity at the request layer

Article 19 requires identification of natural persons involved in result verification. Identity must travel with the request.

Guardian's scan does not engage with request-time identity. The scan is asset-centric, not request-centric. There is no per-request principal to attach.

DeepInspect resolves identity at the gateway through OAuth, SSO, or signed agent identities. The resolved principal attaches to every audit record. The record will hold up under a regulator's question of "who initiated the request that produced this decision."

Runtime exploitation versus pre-deployment vulnerability

The two products defend against different attack patterns. Guardian defends against malicious or vulnerable model artifacts that should never have been deployed. DeepInspect defends against unauthorized, policy-violating, or risk-creating use of legitimately deployed models. Both attack patterns exist. The defenses are not substitutes.

A real coverage map for an enterprise AI program needs both. Guardian gates the model into production. DeepInspect governs how the deployed model gets used. Skipping Guardian leaves a malicious model in the path. Skipping DeepInspect leaves the model exposed to identity-less, unaudited, untreated requests for the rest of its production life.

Regulatory fit

For a deployer chasing the EU AI Act August 2 deadline, the artifact the regulation expects is the per-decision log under Article 12 and Article 19. Guardian's scan reports support the technical documentation obligation under Article 11, which covers the design-time evidence of safety. The two regulatory obligations are complementary.

For NIST AI RMF compliance, Guardian supports the MEASURE function (evaluate the system before deployment). DeepInspect supports MEASURE and MANAGE both, because the per-decision log feeds continuous monitoring of risk in production.

For HIPAA, OCR's complaint review asks who accessed PHI in what context with what authorization. DeepInspect's per-decision record carries that. Guardian's scan report does not address request-time access.

DeepInspect

DeepInspect is a stateless policy gateway for any LLM. Identity travels with the request. Policy evaluates at the gateway. Decisions write to an append-only, signed, per-decision audit log. End-to-end overhead is under 50ms in production tests. The gateway covers programmatic, agent-driven, browser-mediated, scheduled, and vendor-embedded AI traffic with a single policy plane and a single audit trail.
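As an added illustration (not DeepInspect's code), the per-decision record listed under "What each product produces as an artifact" and the append-only, signed log described above can be sketched in Python. The signing scheme is an assumption, since the post does not specify one: an HMAC-SHA256 chain in which each record covers the previous record's signature. The function names, key and sample values are hypothetical.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # constructed; a real key belongs in a KMS/HSM
GENESIS = "0" * 64
OUTCOMES = {"allow", "mask", "block", "escalate"}  # outcomes named in the text
FIELDS = {"principal", "model", "endpoint", "redacted_prompt",
          "response_treatment", "policy_version", "outcome", "timestamp"}

def _sign(key, body):
    # Canonical JSON so the MAC does not depend on key order or whitespace.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def append_decision(log, key, **fields):
    """Append one record, chained to the previous record's signature."""
    if set(fields) != FIELDS or fields["outcome"] not in OUTCOMES:
        raise ValueError("record needs exactly FIELDS and a known outcome")
    entry = {"seq": len(log), "prev_sig": log[-1]["sig"] if log else GENESIS,
             **fields}
    entry["sig"] = _sign(key, entry)
    log.append(entry)
    return entry

def verify_log(log, key):
    """Return the index of the first record that fails verification, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "sig"}
        if not (entry.get("seq") == i and entry.get("prev_sig") == prev
                and hmac.compare_digest(_sign(key, body), str(entry.get("sig")))):
            return i
        prev = entry["sig"]
    return None

def sample_log(key=DEMO_KEY):
    """Two constructed records; every value is made up for the demo."""
    base = dict(model="model-a", endpoint="/v1/chat", policy_version="p-7")
    log = []
    append_decision(log, key, principal="alice@example.com", outcome="mask",
                    redacted_prompt="Summarize ticket for [REDACTED]",
                    response_treatment="pii-masked",
                    timestamp="2025-01-01T09:00:00Z", **base)
    append_decision(log, key, principal="agent:billing-bot", outcome="block",
                    redacted_prompt="Export all [REDACTED] records",
                    response_treatment="withheld",
                    timestamp="2025-01-01T09:00:05Z", **base)
    return log
```

The chain detects edits, reordering and removal of earlier records, but not truncation of the newest ones, so the latest signature has to be anchored somewhere the log writer cannot rewrite. A symmetric key also lets any holder forge records; an asymmetric signature removes that property from verifiers.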

For a deployer that has model-scanning covered (whether by Guardian, an MLflow scanner, or an internal pipeline) and still needs to produce the per-decision artifact a regulator expects, the gateway is the missing layer.

If your AI program has the design-time scanning piece and you need the runtime policy and audit piece, let's talk today.

Frequently asked questions

Is Protect AI Guardian a competitor or a complement?

Complement. Guardian focuses on model artifact safety before deployment. DeepInspect focuses on policy enforcement and audit on requests against deployed models. A mature AI program runs both.

Does DeepInspect scan model artifacts?

No. DeepInspect does not perform pre-deployment model scanning. The product is the policy gateway in the request path. For artifact-level scanning, Guardian, Trail of Bits, and MLflow integrations are the tools designed for it.

What changed when Palo Alto Networks acquired Protect AI?

The brand and product roadmap are now part of Palo Alto's AI security portfolio. From a buyer's perspective, the contract relationship moves to Palo Alto. The product still solves model artifact safety. The acquisition does not extend the product into request-time policy enforcement.

Which product answers an EU AI Act audit?

Article 11 (technical documentation) is partially supported by Guardian's scan reports. Article 12 and Article 19 (lifetime logging, traceability of risk situations) require a per-decision audit trail that DeepInspect produces. For a high-risk system, the regulator expects both kinds of evidence.