EU AI Act · Article 12 · Annex III High-Risk

Article 12 logging support for autonomous AI agents.

Frontier AI models reach 7–63% legal compliance when deployed as agents (Aithos LARA, 12 models tested, leaderboard as of 03.06.2026). The Agent Authorization Envelope (AAE) makes authorization constraints structural — enforced before the tool call.

Built for compliance officers, AI platform leads, and conformity assessment bodies. This surface is for technical evaluation and integration planning — not self-service signup.


Scope & responsibility

MolTrust is a deterministic cryptographic protocol layer for agent authorization — comparable in role to transport-security and identity protocol layers such as TLS or PKI. It supports EU AI Act Article 12 logging requirements with cryptographic provenance, while full logging responsibility under Article 12(1) remains with the AI-system provider. Only zero-knowledge proofs and cryptographic hashes of non-personal operational data are anchored on the Base L2 ledger — no personal data, no agent payload.

Conformity assessment under Article 43 and overall compliance responsibility under Article 16 remain with the AI-system provider placing the system on the market. MolTrust provides logging and identity infrastructure used by those providers and will cooperate with competent authorities as required by applicable law.

Source: Aithos LARA Leaderboard.

Four audiences. One verifiable evidence layer.

MolTrust's compliance surface is built for the parties who need to evaluate, document, or report on agent behaviour against legal requirements — not just the developers integrating the SDK.

Policymakers & Regulators: Reproducible evidence of agent behaviour against EU AI Act, GDPR, eIDAS 2.0 and equivalent frameworks. Every credential publicly verifiable without vendor access.
Journalists & Civil Society: Independent verification of compliance claims made by AI deployments. On-chain anchoring means no party can rewrite the record after the fact.
Compliance Officers: Audit-ready evidence material for in-house conformity assessment. Maps to Article 12 logging requirements; complements the role of accredited assessment bodies.
AI Developers & Researchers: Structural enforcement of authorization scope before the tool call. W3C-standard DIDs and VCs — no proprietary primitive to learn.

arXiv: 2605.06738 (cs.AI) — peer-reviewed technical paper.
IETF: draft-kroehl-agentic-trust-aae-00 — Independent Submission, in active standardization.
W3C: DID Core + Verifiable Credentials v2 conformance. Universal Resolver integration submitted (DIF PR #540).
IMDA MGF v1.5: Singapore Model AI Governance Framework § 2.1.2 — signed authorization envelopes as agent-accountability basis.
ATF: Listed in the Agent Trust Framework ecosystem registry.
Circle Alliance: Member of the Circle Alliance Program — independent peer validation of trust-infrastructure design.

Article 12 requires automated logging and cryptographic agent identity. Generic API keys do not qualify.

Annex III high-risk AI systems become enforceable in December 2027. Article 50 transparency obligations apply from August 2026. Non-compliance carries fines of up to €15 million or 3% of annual global turnover.

Generic API key approach
No cryptographic agent identity — opaque to auditors
No explicit authorization scope — agent acts without bounded mandate
Logs can be edited or rotated — no tamper-evidence
No standards-based interop with downstream verifiers
MolTrust approach
W3C DID per agent — verifiable, standards-based identity
Agent Authorization Envelope (AAE) — signed MANDATE + CONSTRAINTS + VALIDITY
Base L2 anchored audit trail — tamper-evident by cryptographic proof
Verifier-independent — any auditor can validate without vendor lock-in

EU AI Act → MolTrust capability.

Each Article 12 obligation mapped to a concrete MolTrust feature, with current implementation status.

W3C DID (Art. 12 § identity): did:moltrust:* — registered, signed, resolvable. Live.
Tamper-evident log (Art. 12 § logging): SHA-256 evidence hash anchored on Base L2. Live.
MANDATE logging: AAE envelope — purpose of authorization recorded cryptographically. Live.
CONSTRAINTS: AAE envelope — explicit scope, rate, and value bounds per agent. Live.
VALIDITY: AAE envelope — time-bounded authorization with automatic expiry. Live.
Auditor export: GET /compliance/export — signed bundle for regulator review. Q3 2026.
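
An added example, not MolTrust's SDK or wire format: a signed envelope is checked for signature, validity window and constraint bounds before a tool call, and its SHA-256 evidence hash is recomputed to detect tampering, as in the capabilities listed above. The envelope fields, the canonical-JSON serialization, the Ed25519 key and all function names are assumptions made for illustration.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Hypothetical envelope shape for illustration; not the MolTrust wire format.
interface Envelope {
  did: string;
  mandate: string;
  constraints: { maxAmount: number };
  validity: { from: string; until: string }; // ISO 8601, UTC
}
interface SignedEnvelope { body: Envelope; sig: string }

// Deterministic serialization (sorted keys) so equal envelopes hash and sign equally.
function canonical(v: unknown): string {
  if (v === null || typeof v !== "object") return JSON.stringify(v);
  if (Array.isArray(v)) return "[" + v.map(canonical).join(",") + "]";
  const o = v as Record<string, unknown>;
  return "{" + Object.keys(o).sort().map(k => JSON.stringify(k) + ":" + canonical(o[k])).join(",") + "}";
}

// SHA-256 evidence hash: the value an append-only anchor would store.
function evidenceHash(e: Envelope): string {
  return createHash("sha256").update(canonical(e)).digest("hex");
}

function issue(body: Envelope, key: KeyObject): SignedEnvelope {
  return { body, sig: sign(null, Buffer.from(canonical(body)), key).toString("base64") };
}

// Gate evaluated before the tool call: signature first, then validity, then constraints.
function authorize(env: SignedEnvelope, pub: KeyObject, amount: number, now: Date): string {
  const ok = verify(null, Buffer.from(canonical(env.body)), pub, Buffer.from(env.sig, "base64"));
  if (!ok) return "deny:bad-signature";
  const { from, until } = env.body.validity;
  const t = now.getTime();
  if (t < Date.parse(from) || t > Date.parse(until)) return "deny:outside-validity";
  if (!Number.isFinite(amount) || amount < 0 || amount > env.body.constraints.maxAmount)
    return "deny:constraint-exceeded";
  return "allow";
}

// Constructed sample data: throwaway key pair and the page's placeholder DID.
const { publicKey, privateKey } = generateKeyPairSync("ed25519");
const env = issue({
  did: "did:moltrust:your-agent-id",
  mandate: "process invoice approvals up to CHF 5,000",
  constraints: { maxAmount: 5000 },
  validity: { from: "2026-01-01T00:00:00Z", until: "2026-01-31T00:00:00Z" },
}, privateKey);
const anchored = evidenceHash(env.body); // stands in for the anchored hash
```

Editing any field after issuance fails the signature check and changes the recomputed hash, which is the property a tamper-evident record relies on.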

Singapore's IMDA Model AI Governance Framework v1.5 § 2.1.2 independently endorses the AAE approach as a basis for agent accountability.

What MolTrust does — and what it does not do.

MolTrust is a deterministic cryptographic protocol layer, comparable in role to TLS or PKI. It carries agent authorization metadata; it does not process customer payload, personal data of end users, or business secrets in the intended configuration. The breakdown below distinguishes provided capability from explicit non-claims.

MolTrust provides
Cryptographically verifiable logging and identity infrastructure for autonomous AI agents
W3C-conformant agent identities (DID Core, Verifiable Credentials v2)
Tamper-evident Agent Authorization Envelopes (AAE) with on-chain anchoring
Evidence material that accredited bodies, auditors, and domain experts can audit independently
MolTrust does not
Issue compliance certificates — certification under EU AI Act, GDPR, eIDAS 2.0, NIS2, or other frameworks is performed by accredited conformity assessment bodies, independent auditors, and domain-certified experts
Replace conformity assessment under Article 43 — that remains with the AI-system provider
Constitute an AI system within the meaning of Article 3(1) — MolTrust's core logging and identity infrastructure (the AAE itself) is deterministic cryptographic infrastructure
Provide legal advice — MolTrust is technical infrastructure; legal interpretation belongs to qualified counsel

From SDK install to auditor-ready evidence in three steps.

Each step is a single command or call. Together they produce a signed, on-chain-anchored Article 12 logging envelope per agent action — the same envelope your conformity assessor will later inspect.

1. Install the SDK

One command from your project root. The SDK is available for TypeScript, Python, and Go.

```bash
npm install @moltrust/sdk
```

2. Issue an Agent Authorization Envelope

For each agent action, issue an AAE that records what the agent is authorized to do and under what constraints. The envelope is signed, anchored on Base L2, and immediately auditor-ready.

```typescript
import { moltrust } from '@moltrust/sdk';

const aae = await moltrust.issue({
  did: 'did:moltrust:your-agent-id',
  mandate: 'process invoice approvals up to CHF 5,000',
  constraints: { maxAmount: 5000, validUntil: '2026-12-31' },
  validity: { from: 'now', until: '+30d' }
});

// → AAE issued, signed, anchored on Base L2.
// → aae.hash gives you the anchor reference.
```

3. Hand the audit bundle to your auditor

At audit time, export a signed PDF audit bundle covering any period. Your auditor can verify it independently without contacting MolTrust.

```typescript
const bundle = await moltrust.exportAuditBundle({
  did: 'did:moltrust:your-agent-id',
  period: { from: '2026-01-01', to: '2026-03-31' }
});

// → Signed PDF (PAdES-B-LT), hash anchored on Base L2.
// → Verifier URL included in bundle for independent verification.
```

What you get for what you pay.

All tiers produce the same auditor-ready evidence. Tiers differ in volume, retention, and how often you receive a packaged audit bundle PDF.

Free
CHF 0
For proof-of-concept and internal dry-runs.
What you can produce: Signed AAEs anchored on Base L2 for up to 5 agents. No packaged audit bundle PDFs at this tier.
Up to 5 agents
30-day envelope validity
Basic AAE issuance + on-chain anchoring
Independent verification via Base L2
Scale
CHF 299 / month
For regulated industries with monthly compliance reporting and 7-year retention.
What you get every month: One signed PDF audit bundle per agent per month. Same format as Professional, monthly cadence, plus anomaly alerts on suspicious AAE patterns.
Up to 365-day envelope validity
Unlimited AAEs, renewals, anchoring
Monthly audit bundle PDF included
7-year evidence retention
Anomaly alerts
99% SLA

Need a one-off bundle without a subscription?

The Audit Evidence Bundle is a one-off package for CHF 1,990, covering up to 12 months of agent history. Designed for compliance officers preparing for an upcoming conformity assessment without committing to monthly subscriptions.

Verifier-independent. W3C-standard. Not vendor-locked.

The Agent Authorization Envelope (AAE) is the cryptographic primitive behind MolTrust's compliance surface. The full specification — including the formal model for delegation, expiry, and revocation — is published as a peer-reviewed technical paper.

Paper: "Agent Authorization Envelopes: Pre-transaction Trust for Autonomous AI Agents" — open access on arXiv. Covers the W3C VC v2 binding, Base L2 anchoring, and Article 12 mapping in detail.
IETF draft: AAE is in active standardization at the IETF as draft-kroehl-agentic-trust-aae. Aligns with W3C DID and VC working groups.
IMDA reference: Singapore's IMDA Model AI Governance Framework for Agentic AI v1.0 (22.01.2026, WEF Davos launch) explicitly endorses signed authorization envelopes as a basis for agent accountability — independent confirmation that the approach generalises beyond the EU.
No lock-in: Every credential is a standards-compliant W3C VC. Any auditor can validate signatures without any MolTrust software, libraries, or accounts.

Six questions, direct answers.

Ordered by audience arrival on the page. No marketing claims — just what holds under regulatory scrutiny.

Which regulatory regimes does MolTrust cover?
MolTrust is regime-agnostic. The same AAE mechanism supports logging requirements under EU AI Act Article 12, GDPR Article 5(1)(f) accountability, IMDA MGF governance provisions (Singapore), NIST AI RMF documentation requirements (US), and equivalent obligations in other jurisdictions. Mapping for each regime is configuration, not separate product.
What do I actually receive — and who certifies it?
You receive a signed PDF audit bundle per agent per period. The bundle contains: agent identity (W3C DID), authorization envelopes issued, behavioral evidence, on-chain anchor hash, Article 12 mapping table, and a verifier URL for independent confirmation. The PDF is signed using PAdES-B-LT (ISO 32000-2), recognized by Adobe Reader and standard EU-compliant verification tools.

You then hand this bundle to your conformity assessment body of choice. Examples: TÜV-family (TÜV Süd / TÜV Rheinland / TÜV Nord), Bureau Veritas, DEKRA, an ISO/IEC 42001-accredited auditor, or your internal conformity team. The bundle is regime-agnostic — the same evidence supports EU AI Act Article 12, ISO/IEC 42001, IMDA MGF, NIST AI RMF, or sectoral audits.

MolTrust provides the evidence layer. Your assessment body performs the conformity decision. The evidence does not, on its own, constitute a compliance certificate — but it is the substantive input most conformity assessments require.
How does my auditor verify the bundle without contacting MolTrust?
Concretely, in three steps:

1. Your auditor opens the PDF audit bundle in Adobe Reader (or any PAdES-compliant viewer). Adobe shows the embedded digital signature as valid, displaying the signing authority and timestamp.

2. The bundle contains a verify.moltrust.ch/bundle/<hash> URL. Your auditor visits that URL — a public page that shows the on-chain anchor transaction on Base L2 (any block explorer confirms it independently).

3. Optionally, your auditor runs moltrust verify bundle.pdf from the open-source CLI (or any W3C DID-conformant tool). It re-checks the signature against the on-chain anchor without contacting any MolTrust service.

No MolTrust API call, account, or contact is in the verification path. The bundle is fully portable.
Why not require this directly from the model provider (Anthropic, Google, OpenAI)?
Because empirically they cannot deliver it. The Aithos LARA evaluation (12 frontier models tested, leaderboard 7–63% compliance as of 03.06.2026) shows that even the most capable models fail legal compliance under realistic deployment conditions. Compliance cannot be a model property — it must be a structural property of the deployment. AAE provides that structural property. Source: lara.aithos.org
Where does MolTrust differ from other identity providers?
Identity providers establish that an agent is who it claims to be. MolTrust adds verifiable behavioural evidence — what the agent was authorized to do, what it actually did, and immutable evidence of both. Trust through proof, in addition to trust through authentication. The two layers are complementary, not competing.

Note on eIDAS 2.0: MolTrust credentials do not, on their own, satisfy eIDAS 2.0 Level of Assurance "high" requirements, which depend on Qualified Trust Service Provider (QTSP) status. MolTrust does not currently hold QTSP status. Where eIDAS "high" is required (e.g. specific financial-services workflows), MolTrust credentials are designed to complement QTSP-issued credentials rather than replace them.
What are the realistic costs?
Free tier covers up to 5 agents with basic AAE and 30-day validity — enough for proof-of-concept and internal dry-runs. Pay-per-Use is metered (CHF 0.20–0.50 per operation). Professional CHF 99/month includes audit-trail export and unlimited anchoring. Scale CHF 299/month adds monthly export and anomaly alerts. Full tier breakdown above.

Building identity-and-access infrastructure for AI agents? The compliance and IAM surfaces are intentionally separate (NIS2 / ISO 27001 role separation). For machine identity, agent authentication, and IAM-focused integration patterns, see the API documentation or contact us via /contact.