# EU AI Act compliance as API calls

> Source: <https://dev.to/moltycel/eu-ai-act-compliance-as-api-calls-43d7>
> Published: 2026-07-12 06:25:53+00:00

We shipped eight endpoints on api.moltrust.ch (v2.5) this week. Three implement EU AI Act obligations directly. This is the short version for people who want to call them; the full reasoning is on our blog ([https://moltrust.ch/blog/compliance-as-an-api.html](https://moltrust.ch/blog/compliance-as-an-api.html)).

**Why no model in the loop:** the Aithos LARA study (May 2026) placed twelve frontier models in simulated workplaces where the task required breaking EU law. Best model: 54% lawful runs. In the Art. 5(1)(f) scenario (emotion inference from workplace communications, prohibited), all twelve committed the violation. So the classifier is deterministic code branching on the pinned EUR-Lex text, and every response carries article references you can check yourself.

**POST /compliance/assess** — use case + intended purpose + declared signals in, risk tier + obligations + article pins out. Evaluation order: Art. 5 prohibitions, Annex I route (Art. 6(1)), Annex III route (Art. 6(2)/(3)), Art. 50 transparency, minimal. The trap worth knowing: Art. 6(3) offers four derogation grounds, and its final subparagraph voids all of them for systems that profile natural persons. In the code that subparagraph is a branch; it cannot be skipped.

```
curl -X POST https://api.moltrust.ch/compliance/assess \
  -H "Content-Type: application/json" \
  -d '{
    "use_case": "Customer-support agent that reads inbound email and drafts replies",
    "intended_purpose": "Automated first-line support for consumer inquiries",
    "performs_profiling": false,
    "interacts_with_humans": true,
    "emotion_recognition": false
  }'
```

**POST /compliance/declaration** — EU declaration of conformity as a W3C Verifiable Credential with the eight Annex V items, Ed25519-signed. Verify offline against [https://api.moltrust.ch/.well-known/jwks.json](https://api.moltrust.ch/.well-known/jwks.json); no call back to us. `anchor: true`

adds a sha256 commitment for batch anchoring on Base L2.

**POST /compliance/incident** — records Art. 73 serious incidents and computes the deadline from the regulation: 15 days standard, 10 days for a death, 2 days for widespread infringement or serious disruption of critical infrastructure.

**GET /compliance/report/{did}** — classification, obligations, gaps, declarations, audit summary per agent as HTML.

Scope stays narrow: the Art. 43 conformity assessment and the legal responsibility remain with provider and deployer. What you get is a machine-readable answer a third party can re-check against the same text.

Dates: Art. 5 in force since 2 Feb 2025, general application 2 Aug 2026, Art. 6(1) high-risk classification from 2 Aug 2027.

OpenAPI: [https://api.moltrust.ch/openapi.json](https://api.moltrust.ch/openapi.json)
