EU AI Act compliance as API calls Moltrust shipped eight endpoints on api.moltrust.ch (v2.5), including three that implement EU AI Act obligations directly. The compliance-as-an-API approach uses deterministic code branching on the pinned EUR-Lex text, as Aithos LARA study found frontier models broke EU law in up to 46% of runs. Endpoints include risk assessment, declaration of conformity as Verifiable Credentials, and incident reporting with regulatory deadlines. We shipped eight endpoints on api.moltrust.ch v2.5 this week. Three implement EU AI Act obligations directly. This is the short version for people who want to call them; the full reasoning is on our blog https://moltrust.ch/blog/compliance-as-an-api.html https://moltrust.ch/blog/compliance-as-an-api.html . Why no model in the loop: the Aithos LARA study May 2026 placed twelve frontier models in simulated workplaces where the task required breaking EU law. Best model: 54% lawful runs. In the Art. 5 1 f scenario emotion inference from workplace communications, prohibited , all twelve committed the violation. So the classifier is deterministic code branching on the pinned EUR-Lex text, and every response carries article references you can check yourself. POST /compliance/assess — use case + intended purpose + declared signals in, risk tier + obligations + article pins out. Evaluation order: Art. 5 prohibitions, Annex I route Art. 6 1 , Annex III route Art. 6 2 / 3 , Art. 50 transparency, minimal. The trap worth knowing: Art. 6 3 offers four derogation grounds, and its final subparagraph voids all of them for systems that profile natural persons. In the code that subparagraph is a branch; it cannot be skipped. curl -X POST https://api.moltrust.ch/compliance/assess \ -H "Content-Type: application/json" \ -d '{ "use case": "Customer-support agent that reads inbound email and drafts replies", "intended purpose": "Automated first-line support for consumer inquiries", "performs profiling": false, "interacts with humans": true, "emotion recognition": false }' POST /compliance/declaration — EU declaration of conformity as a W3C Verifiable Credential with the eight Annex V items, Ed25519-signed. Verify offline against https://api.moltrust.ch/.well-known/jwks.json https://api.moltrust.ch/.well-known/jwks.json ; no call back to us. anchor: true adds a sha256 commitment for batch anchoring on Base L2. POST /compliance/incident — records Art. 73 serious incidents and computes the deadline from the regulation: 15 days standard, 10 days for a death, 2 days for widespread infringement or serious disruption of critical infrastructure. GET /compliance/report/{did} — classification, obligations, gaps, declarations, audit summary per agent as HTML. Scope stays narrow: the Art. 43 conformity assessment and the legal responsibility remain with provider and deployer. What you get is a machine-readable answer a third party can re-check against the same text. Dates: Art. 5 in force since 2 Feb 2025, general application 2 Aug 2026, Art. 6 1 high-risk classification from 2 Aug 2027. OpenAPI: https://api.moltrust.ch/openapi.json https://api.moltrust.ch/openapi.json