EU AI Act compliance as API calls
DEV Community

EU AI Act compliance as API calls

We shipped eight endpoints on api.moltrust.ch (v2.5) this week. Three implement EU AI Act obligations directly. This is the short version for people who want to call them; the full reasoning is on our blog (https://moltrust.ch/blog/compliance-as-an-api.html).

Why no model in the loop

The Aithos LARA study (May 2026) placed twelve frontier models in simulated workplaces where the task required breaking EU law. Best model: 54% lawful runs. In the Art. 5(1)(f) scenario (emotion inference from workplace communications, prohibited), all twelve committed the violation. So the classifier is deterministic code branching on the pinned EUR-Lex text, and every response carries article references you can check yourself.

Endpoints

POST /compliance/assess

Use case + intended purpose + declared signals in, risk tier + obligations + article pins out. Evaluation order:

  1. Art. 5 prohibitions
  2. Annex I route (Art. 6(1))
  3. Annex III route (Art. 6(2)/(3))
  4. Art. 50 transparency
  5. Minimal

The trap worth knowing: Art. 6(3) offers four derogation grounds, and its final subparagraph voids all of them for systems that profile natural persons. In the code that subparagraph is a branch; it cannot be skipped.

curl -X POST https://api.moltrust.ch/compliance/assess \
  -H "Content-Type: application/json" \
  -d '{
    "use_case": "Customer-support agent that reads inbound email and drafts replies",
    "intended_purpose": "Automated first-line support for consumer inquiries",
    "performs_profiling": false,
    "interacts_with_humans": true,
    "emotion_recognition": false
  }'

POST /compliance/declaration

EU declaration of conformity as a W3C Verifiable Credential with the eight Annex V items, Ed25519-signed. Verify offline against https://api.moltrust.ch/.well-known/jwks.json; no call back to us. anchor: true adds a sha256 commitment for batch anchoring on Base L2.

POST /compliance/incident

Records Art. 73 serious incidents and computes the deadline from the regulation:

  • 15 days standard
  • 10 days for a death
  • 2 days for widespread infringement or serious disruption of critical infrastructure

GET /compliance/report/{did}

Classification, obligations, gaps, declarations, audit summary per agent as HTML.

Scope

Stays narrow: the Art. 43 conformity assessment and the legal responsibility remain with provider and deployer. What you get is a machine-readable answer a third party can re-check against the same text.

Dates

  • Art. 5 in force since 2 Feb 2025
  • General application 2 Aug 2026
  • Art. 6(1) high-risk classification from 2 Aug 2027

OpenAPI: https://api.moltrust.ch/openapi.json

Comments

No comments yet. Start the discussion.