2 Aug 2026 — first EU AI Act transparency obligations apply. Counting down.

Provider publishes. Deployer subscribes. Webhook fires.

One record flows end to end — published once, versioned automatically, retrieved by API, and exported as audit evidence. Here is what happens, in order.

Step 1

Provider publishes a record

An AI provider publishes one schema-validated disclosure — intended purpose, risk class, training data lineage, conformity assessment — instead of answering the same questionnaire for every deployer.

A published disclosure record — CreditRisk Evaluator: intended purpose, risk class, Annex III category, training data lineage, and cryptographic signature
A published disclosure record
Step 2

Platform versions every change

Each edit is indexed, timestamped, and tamper-evident. Auditors get a full change history — what was disclosed, when, and by whom — without chasing PDF revisions.

Version history for a disclosure — immutable, hash-chained, signed entries showing fields changed, fairness and recall deltas, and per-version event types
Immutable, hash-chained version history
Step 3

Deployer subscribes via API

Deployer organisations pull the records they depend on into existing GRC or procurement tooling — one API call per record, machine-readable, no spreadsheets.

A deployer's subscriptions in MCX — vendors followed and models pinned, each with event filters, delivery channels, and last-event activity
Subscribe to the vendors and models you depend on
Step 4

Webhook fires on material change

When a risk class, conformity status, or training-data field changes, a signed webhook propagates the update instantly. No stale PDFs sitting in an inbox.

Webhook delivery log in MCX — each row a fired event (disclosure.updated, training_data.changed, incident.updated) with delivered status, 200 response, attempts, and delivery timestamp
Signed webhooks propagate every change
Step 5

Deployer exports audit evidence

At audit time, export structured, versioned evidence for every subscribed provider. "The provider said it was compliant" becomes a record with identity, attestation, and a timestamp.

Audit evidence export in MCX — a tamper-evident ZIP of disclosure records, event and delivery log, and a SHA-256 checksum manifest so any reviewer can verify nothing was altered post-export
Tamper-evident, SHA-256-manifested audit bundle
Registry · canonical record source Schema · standardised structure Versioning · full change history APIs · machine-readable retrieval Webhooks · real-time propagation

The API is the product surface.

Every disclosure record is reachable in one call; every material change emits a signed webhook.