EU AI Act compliance as API calls
We shipped eight endpoints on api.moltrust.ch (v2.5) this week. Three implement EU AI Act obligations directly. This is the short version for people who want to call them; the full reasoning is on our blog (https://moltrust.ch/blog/compliance-as-an-api.html).
Why no model in the loop
The Aithos LARA study (May 2026) placed twelve frontier models in simulated workplaces where the task required breaking EU law. Best model: 54% lawful runs. In the Art. 5(1)(f) scenario (emotion inference from workplace communications, prohibited), all twelve committed the violation. So the classifier is deterministic code branching on the pinned EUR-Lex text, and every response carries article references you can check yourself.
Endpoints
POST /compliance/assess
Use case + intended purpose + declared signals in, risk tier + obligations + article pins out. Evaluation order:
- Art. 5 prohibitions
- Annex I route (Art. 6(1))
- Annex III route (Art. 6(2)/(3))
- Art. 50 transparency
- Minimal
The trap worth knowing: Art. 6(3) offers four derogation grounds, and its final subparagraph voids all of them for systems that profile natural persons. In the code that subparagraph is a branch; it cannot be skipped.
curl -X POST https://api.moltrust.ch/compliance/assess \
-H "Content-Type: application/json" \
-d '{
"use_case": "Customer-support agent that reads inbound email and drafts replies",
"intended_purpose": "Automated first-line support for consumer inquiries",
"performs_profiling": false,
"interacts_with_humans": true,
"emotion_recognition": false
}'
POST /compliance/declaration
EU declaration of conformity as a W3C Verifiable Credential with the eight Annex V items, Ed25519-signed. Verify offline against https://api.moltrust.ch/.well-known/jwks.json; no call back to us. anchor: true adds a sha256 commitment for batch anchoring on Base L2.
POST /compliance/incident
Records Art. 73 serious incidents and computes the deadline from the regulation:
- 15 days standard
- 10 days for a death
- 2 days for widespread infringement or serious disruption of critical infrastructure
GET /compliance/report/{did}
Classification, obligations, gaps, declarations, audit summary per agent as HTML.
Scope
Stays narrow: the Art. 43 conformity assessment and the legal responsibility remain with provider and deployer. What you get is a machine-readable answer a third party can re-check against the same text.
Dates
- Art. 5 in force since 2 Feb 2025
- General application 2 Aug 2026
- Art. 6(1) high-risk classification from 2 Aug 2027
OpenAPI: https://api.moltrust.ch/openapi.json
Comments
No comments yet. Start the discussion.