
EU AI Act

The EU AI Act requires organisations to maintain traceability, transparency, and risk management for AI systems. When AI agents access your APIs — through MCP or direct integration — Apiway provides the governance layer.

The AI Act requires automatic recording of events for high-risk AI systems.

How Apiway addresses this:

  • Every MCP tool call is logged — When an AI agent calls an API operation via the MCP endpoint, it goes through the full gateway pipeline. Authentication, request details, response, and RU consumption are all recorded.
  • Audit trail — The datatracker service maintains change-set records. Every API modification, deployment, and subscription change is tracked.
  • Per-agent metering — AI agents authenticate with their own credentials. Their consumption is tracked separately from human users.

AI systems must be transparent about their capabilities and limitations.

How Apiway addresses this:

  • MCP tool definitions from OAS — Each API operation’s MCP tool description comes directly from the OpenAPI spec. The AI agent knows exactly what each tool does, what parameters it accepts, and what it returns.
  • OAS quality scoring — The recommendations service scores your spec for description completeness. Better descriptions mean more transparent AI interactions.
  • Scope-based access — AI agents can only access operations their subscription entitles them to. The scope list is explicit and auditable.

The AI Act requires risk assessment and mitigation for AI systems.

How Apiway addresses this:

  • Risk service — Operational security events (WAF violations, auth failures, anomalous patterns) are classified and tracked per API, per consumer — including AI agents.
  • Rate limiting — AI agents are subject to the same per-subscription rate limits as any consumer, which prevents runaway automated access.
  • Budget controls — Consumption cost guards apply to AI agent subscriptions. A misconfigured agent hits the budget ceiling rather than running up unlimited costs.
  • Governance — Granting an AI agent access to an API goes through the same governance approval as any other subscription.

AI agents are consumers — they authenticate, they’re entitled, they’re metered, they’re governed. Apiway treats them identically to human consumers, which means:

  • No special-case access — same authentication pipeline
  • No unmetered consumption — same RU tracking
  • No ungoverned access — same approval workflows
  • Full audit trail — same logging and traceability

This makes AI Act compliance a natural outcome of using Apiway’s existing features, not a separate compliance effort.
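To make the "agents are consumers" model concrete, here is an added illustration (not Apiway's code; the class names, the `invoices.*` operation names, the RU costs and the "constructed" API key are all assumptions) of a minimal gateway pipeline that applies the controls listed above to one AI-agent subscription in order: credential check, scope entitlement, a sliding-window rate limit, a budget ceiling, and an audit record for every call whether it was allowed or not. The demo drives it with an injected clock so the rate-limit window can be advanced deterministically.

```python
from collections import deque
from dataclasses import dataclass, field
import time


@dataclass
class Subscription:
    """One consumer's entitlement; an AI agent gets exactly the same shape as a human user."""
    consumer_id: str
    api_key: str
    scopes: frozenset            # operations this subscription is entitled to call
    rate_limit_per_window: int   # max calls per sliding window
    window_seconds: float
    budget_ru: int               # cost ceiling in request units (RU)
    consumed_ru: int = 0
    recent_calls: deque = field(default_factory=deque)  # timestamps inside the window


@dataclass
class Decision:
    allowed: bool
    reason: str
    ru_charged: int


class Gateway:
    """Hypothetical policy pipeline; every outcome is appended to an in-memory audit log."""

    def __init__(self, subscriptions, clock=time.monotonic):
        self._subs = {s.api_key: s for s in subscriptions}
        self._clock = clock
        self.audit_log = []

    def handle_tool_call(self, api_key, operation, ru_cost):
        now = self._clock()
        sub = self._subs.get(api_key)
        if sub is None:                                   # 1. authentication
            return self._record(None, operation, now, False, "auth_failed", 0)
        if operation not in sub.scopes:                   # 2. explicit, auditable scope list
            return self._record(sub, operation, now, False, "scope_denied", 0)
        # 3. sliding-window rate limit: drop timestamps that fell out of the window
        while sub.recent_calls and now - sub.recent_calls[0] >= sub.window_seconds:
            sub.recent_calls.popleft()
        if len(sub.recent_calls) >= sub.rate_limit_per_window:
            return self._record(sub, operation, now, False, "rate_limited", 0)
        if sub.consumed_ru + ru_cost > sub.budget_ru:     # 4. budget ceiling, checked before charging
            return self._record(sub, operation, now, False, "budget_exceeded", 0)
        sub.recent_calls.append(now)                      # 5. admit and meter the call
        sub.consumed_ru += ru_cost
        return self._record(sub, operation, now, True, "ok", ru_cost)

    def _record(self, sub, operation, ts, allowed, reason, ru):
        # Denied calls are logged too: the trail must show what an agent tried, not only what succeeded.
        self.audit_log.append({
            "ts": ts,
            "consumer": sub.consumer_id if sub else "unauthenticated",
            "operation": operation,
            "allowed": allowed,
            "reason": reason,
            "ru_charged": ru,
            "remaining_ru": (sub.budget_ru - sub.consumed_ru) if sub else None,
        })
        return Decision(allowed, reason, ru)


def run_demo():
    """Constructed scenario: one agent, two entitled operations, a 2-call/60s limit, a 25 RU budget."""
    t = [0.0]
    agent = Subscription(consumer_id="agent-invoice-assistant", api_key="agent-key-constructed",
                         scopes=frozenset({"invoices.list", "invoices.get"}),
                         rate_limit_per_window=2, window_seconds=60.0, budget_ru=25)
    gw = Gateway([agent], clock=lambda: t[0])
    reasons = []
    reasons.append(gw.handle_tool_call("agent-key-constructed", "invoices.list", 10).reason)   # ok, 10 RU used
    reasons.append(gw.handle_tool_call("agent-key-constructed", "invoices.delete", 5).reason)  # not in scope list
    reasons.append(gw.handle_tool_call("agent-key-constructed", "invoices.get", 10).reason)    # ok, 20 RU used
    reasons.append(gw.handle_tool_call("agent-key-constructed", "invoices.get", 1).reason)     # 3rd call in window
    t[0] = 61.0                                                                                # window has elapsed
    reasons.append(gw.handle_tool_call("agent-key-constructed", "invoices.get", 10).reason)    # 30 RU would exceed 25
    reasons.append(gw.handle_tool_call("wrong-key", "invoices.get", 1).reason)                 # unknown credential
    return reasons, gw.audit_log, agent


if __name__ == "__main__":
    reasons, log, _ = run_demo()
    for entry in log:
        print(entry)
```

The ordering matters for the audit trail: the scope check runs before the rate limiter so a denied operation neither consumes quota nor is charged, while the budget check runs before the call is admitted so an agent can never overshoot its ceiling by one request.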