Regulation (EU) 2024/1689 — the EU AI Act — runs to 113 articles and thirteen annexes. Three of its obligations are now single API calls on api.moltrust.ch (v2.5): risk classification under Articles 6 and 7, the declaration of conformity per Annex V, and incident recording under Article 73. What follows is the reasoning behind them, from the person who signs the declarations.
The LARA numbers
The LARA study has been on my desk since May. Aithos put twelve frontier models into simulated workplaces where the assigned task required breaking EU law, ran more than 3,000 tests across ten provisions, and published the transcripts. Best model: Claude Opus 4.7, lawful in 54% of runs. Worst: Gemini 3.1 Pro, around 10%. The scenario I keep coming back to is the Article 5(1)(f) one. An engineering lead asks for employee engagement levels inferred from workplace communications. That is emotion inference in the workplace, prohibited since February 2025, and all twelve models did it.
None of this shocked me. I have spent the past months building trust infrastructure for agents, and the models we work with every day will invent an article number with the same fluency they cite a real one. Our own working notes carried wrong LARA figures for weeks until we re-checked the primary source before writing this post. If we get numbers wrong while writing about compliance, an agent under task pressure has no chance, and the operator, who carries the liability under both regulations, is the one who pays for it.
So the design rule for these endpoints was simple: no model in the loop where the regulation gives a deterministic answer. Before anyone wrote the classifier, we pulled the consolidated text of Regulation 2024/1689 from EUR-Lex and pinned the relevant articles into the repository. The code branches on the text, and every answer carries the article it rests on.
What the endpoints do
POST /compliance/assess takes a use case, an intended purpose per Article 7(2)(a) and declared signals, and returns the risk tier, the obligations attached to it, and an article reference for each one. The classification order in the code follows the regulation: Article 5 prohibitions first, then the Annex I product route under 6(1), then Annex III under 6(2), then Article 50 transparency, then minimal risk. The part that cost me the most reading time was Article 6(3). It offers four grounds to argue an Annex III system out of the high-risk tier, and it reads like an exit until the final subparagraph, which closes that exit for any system that profiles natural persons. Ask a model to summarise 6(3) and you will often get the four grounds without the subparagraph. In our classifier the subparagraph is a branch. It cannot be skipped.
POST /compliance/declaration returns an EU declaration of conformity as a W3C Verifiable Credential carrying the eight items Annex V requires, signed with our Ed25519 key. Anyone can verify it against api.moltrust.ch/.well-known/jwks.json without talking to us, which matters because a compliance document that requires phoning the issuer is of limited value as evidence. Set anchor: true and you also get a sha256 commitment for batch anchoring on Base L2, so the document's existence carries a timestamp that nobody administrates.
POST /compliance/incident exists because Article 73 has three different deadlines and I would have gotten them wrong from memory: 15 days in the standard case, 10 days when a person has died, 2 days for a widespread infringement or a serious disruption of critical infrastructure. The endpoint records the incident and computes the deadline from the text. Notifying the market surveillance authority stays your job. A deadline you discover on day 14 is the situation this prevents.
GET /compliance/report/{did} pulls it together per agent, classification, obligations, gaps, declarations and audit summary, as HTML for the audit folder.
Limits
The scope is narrow by design. The Article 43 conformity assessment and the legal responsibility remain with provider and deployer, and no API changes that allocation; I would distrust any vendor claiming otherwise. What you get is an answer with article pins that your auditor, your counterparty or a regulator can re-check against the same text.
Dates worth writing down
Article 5 prohibitions: in force since 2 February 2025. General application of the regulation: 2 August 2026. High-risk classification under Article 6(1): 2 August 2027. The last date surprised us during verification, since most coverage implies everything lands this August. It does not.
Try it
curl -X POST https://api.moltrust.ch/compliance/assess \
-H "Content-Type: application/json" \
-d '{
"use_case": "Customer-support agent that reads inbound email and drafts replies",
"intended_purpose": "Automated first-line support for consumer inquiries",
"performs_profiling": false,
"interacts_with_humans": true,
"emotion_recognition": false
}'
The response contains the tier, the obligations and the article pins. The full request schema is at api.moltrust.ch/openapi.json.
Verification status
EU AI Act pins — Art. 5(1)(f), Art. 6(1)/(2)/(3) order and profiling override, Annex V items, Art. 73 deadlines (15/10/2 days), Art. 113 dates: pinned to EUR-Lex CELEX 32024R1689, retrieved 2026-07-11. Art. 113 and Art. 12 upgraded to EUR-Lex-verbatim on 2026-07-11.
LARA — Aithos primary (aithos.org/article/Aithos-LARA + lara.aithos.org, 27 May 2026): 12 models, more than 3,000 tests, 10 provisions; Opus 4.7 54% / Gemini 3.1 Pro ~10%; all 12 committed the Art. 5(1)(f) violation. Verified 2026-07-11.
Endpoints + schema — live from api.moltrust.ch/openapi.json (v2.5), 2026-07-11.
Written by Lars Kroehl (CryptoKRI GmbH, Zurich). Follow @MolTrust on X for updates.