How does this help with EU AI Act compliance?
MCX gives deployers a structured, versioned source of compliance evidence for the AI providers they consume — mapped to Article 13, Annex IV, and related obligations. We provide the evidence layer; deployers still interpret it against their own compliance posture.
Do providers have to publish their secrets?
No. The schema covers regulatory disclosure fields — intended purpose, risk classification, training data lineage, conformity assessment, evaluation outcomes. It is not a model-architecture or trade-secret dump. Providers control visibility per record: public, gated to verified deployers, or fully private.
Are you a compliance certifier?
No. MCX is a registry, not a certifier. We validate that disclosures conform to the schema structure. We do not validate that disclosure content is accurate, and we are not a Notified Body. Providers attest. Deployers verify. We propagate.
Is the schema open and extensible?
Yes. The schema is published openly under a permissive licence. Domain-specific extensions (healthcare, finance) are layered on top of a regulator-aligned core. Any GRC platform, auditor, or deployer tool can read and validate against it without integrating with us.
What if a provider doesn't use MCX?
Then deployers fall back to whatever process they have today — typically a spreadsheet. The schema is open, so any tool can produce conformant records even without using our registry. The registry adds versioning, identity, propagation, and audit evidence on top.
When does the registry launch?
The design partner phase is live now. Public registry launches with the first cohort of verified providers and deployers. Both provider and deployer onboarding is gated to verified-domain accounts in this phase.
How is this different from Credo AI or OneTrust?
Those are deployer-side governance platforms. Providers interact with them by responding to each deployer's individual portal. MCX is neutral infrastructure — providers publish once into a registry both sides reference. Think SBOM and SPDX for software supply chain, not procurement workflow tooling.
How is this different from Hugging Face model cards?
Model cards are documentation. MCX records are machine-readable disclosure artefacts aligned to specific regulatory articles, with versioning, identity, attestation, and webhook propagation. Different scope, different audience. Providers can publish to both.
Who is responsible for disclosure accuracy?
The publishing provider. Every record carries a formal attestation naming a human accountable for the content. Deployers verify accuracy against their own risk processes. MCX is responsible for the integrity of the registry — that what was published is what is propagated — not for the truthfulness of what providers say.