GPAI obligations
General-Purpose AI models have provider-side obligations under Articles 53 and 55. Meridian Blue maintains a per-provider compliance posture so deployers can see — and route around — providers that haven't published the required documentation.
Article 53 — all GPAI
Every GPAI provider must publish a detailed training-data summary and a copyright-compliance policy. GET /api/v1/gpai/providers returns the per-provider posture: whether the summary is published, link to the document, last-checked date.
Article 55 — systemic risk
Models the EU AI Office classifies as systemic-risk (FLOPs above the threshold, broad deployment) carry extra obligations: red-team testing, incident reporting, cybersecurity controls. Posture for those models is tracked the same way and surfaced in the registry.
Provider compliance registry
The registry is queryable via GET /api/v1/gpai/providers and is used by the Coverage Gate (S23.5): when a tenant policy enables strict_eu_compliance, models from non-Article-53-compliant providers (or providers under EU AI Office investigation) are filtered out of routing decisions.
Filtering at routing time
The compliance check runs as part of checkGeoCompliance during chain validation. If every entry in your models chain comes from a non-compliant provider, the request is rejected with 403 gpai_non_compliant. Switch to a compliant provider or relax the policy.