We shipped eight endpoints on api.moltrust.ch (v2.5) this week. Three implement EU AI Act obligations directly. This is the short version for people who want to call them; the full reasoning is on our blog (https://moltrust.ch/blog/compliance-as-an-api.html).
Why no model in the loop: the Aithos LARA study (May 2026) placed twelve frontier models in simulated workplaces where the task required breaking EU law. Best model: 54% lawful runs. In the Art. 5(1)(f) scenario (emotion inference from workplace communications, prohibited), all twelve committed the violation. So the classifier is deterministic code branching on the pinned EUR-Lex text, and every response carries article references you can check yourself.
POST /compliance/assess — use case + intended purpose + declared signals in, risk tier + obligations + article pins out. Evaluation order: Art. 5 prohibitions, Annex I route (Art. 6(1)), Annex III route (Art. 6(2)/(3)), Art. 50 transparency, minimal. The trap worth knowing: Art. 6(3) offers four derogation grounds, and its final subparagraph voids all of them for systems that profile natural persons. In the code that subparagraph is a branch; it cannot be skipped.
curl -X POST https://api.moltrust.ch/compliance/assess \
-H "Content-Type: application/json" \
-d '{
"use_case": "Customer-support agent that reads inbound email and drafts replies",
"intended_purpose": "Automated first-line support for consumer inquiries",
"performs_profiling": false,
"interacts_with_humans": true,
"emotion_recognition": false
}'
POST /compliance/declaration — EU declaration of conformity as a W3C Verifiable Credential with the eight Annex V items, Ed25519-signed. Verify offline against https://api.moltrust.ch/.well-known/jwks.json; no call back to us. anchor: true adds a sha256 commitment for batch anchoring on Base L2.
POST /compliance/incident — records Art. 73 serious incidents and computes the deadline from the regulation: 15 days standard, 10 days for a death, 2 days for widespread infringement or serious disruption of critical infrastructure.
GET /compliance/report/{did} — classification, obligations, gaps, declarations, audit summary per agent as HTML.
Scope stays narrow: the Art. 43 conformity assessment and the legal responsibility remain with provider and deployer. What you get is a machine-readable answer a third party can re-check against the same text.
Dates: Art. 5 in force since 2 Feb 2025, general application 2 Aug 2026, Art. 6(1) high-risk classification from 2 Aug 2027.
OpenAPI: https://api.moltrust.ch/openapi.json
Top comments (0)