cd /news/ai-policy/eu-ai-act-compliance-as-api-calls · home topics ai-policy article
[ARTICLE · art-55985] src=dev.to ↗ pub= topic=ai-policy verified=true sentiment=· neutral

EU AI Act compliance as API calls

Moltrust shipped eight endpoints on api.moltrust.ch (v2.5), including three that implement EU AI Act obligations directly. The compliance-as-an-API approach uses deterministic code branching on the pinned EUR-Lex text, as Aithos LARA study found frontier models broke EU law in up to 46% of runs. Endpoints include risk assessment, declaration of conformity as Verifiable Credentials, and incident reporting with regulatory deadlines.

read2 min views2 publishedJul 12, 2026

We shipped eight endpoints on api.moltrust.ch (v2.5) this week. Three implement EU AI Act obligations directly. This is the short version for people who want to call them; the full reasoning is on our blog (https://moltrust.ch/blog/compliance-as-an-api.html).

Why no model in the loop: the Aithos LARA study (May 2026) placed twelve frontier models in simulated workplaces where the task required breaking EU law. Best model: 54% lawful runs. In the Art. 5(1)(f) scenario (emotion inference from workplace communications, prohibited), all twelve committed the violation. So the classifier is deterministic code branching on the pinned EUR-Lex text, and every response carries article references you can check yourself.

POST /compliance/assess — use case + intended purpose + declared signals in, risk tier + obligations + article pins out. Evaluation order: Art. 5 prohibitions, Annex I route (Art. 6(1)), Annex III route (Art. 6(2)/(3)), Art. 50 transparency, minimal. The trap worth knowing: Art. 6(3) offers four derogation grounds, and its final subparagraph voids all of them for systems that profile natural persons. In the code that subparagraph is a branch; it cannot be skipped.

curl -X POST https://api.moltrust.ch/compliance/assess \
  -H "Content-Type: application/json" \
  -d '{
    "use_case": "Customer-support agent that reads inbound email and drafts replies",
    "intended_purpose": "Automated first-line support for consumer inquiries",
    "performs_profiling": false,
    "interacts_with_humans": true,
    "emotion_recognition": false
  }'

POST /compliance/declaration — EU declaration of conformity as a W3C Verifiable Credential with the eight Annex V items, Ed25519-signed. Verify offline against https://api.moltrust.ch/.well-known/jwks.json; no call back to us. anchor: true

adds a sha256 commitment for batch anchoring on Base L2.

POST /compliance/incident — records Art. 73 serious incidents and computes the deadline from the regulation: 15 days standard, 10 days for a death, 2 days for widespread infringement or serious disruption of critical infrastructure.

GET /compliance/report/{did} — classification, obligations, gaps, declarations, audit summary per agent as HTML.

Scope stays narrow: the Art. 43 conformity assessment and the legal responsibility remain with provider and deployer. What you get is a machine-readable answer a third party can re-check against the same text.

Dates: Art. 5 in force since 2 Feb 2025, general application 2 Aug 2026, Art. 6(1) high-risk classification from 2 Aug 2027.

OpenAPI: https://api.moltrust.ch/openapi.json

── more in #ai-policy 4 stories · sorted by recency
── more on @moltrust 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/eu-ai-act-compliance…] indexed:0 read:2min 2026-07-12 ·