AI Agent Compliance: EU AI Act

The EU AI Act entered into force August 1, 2024. Most businesses deploying AI agents haven't assessed their obligations yet — PwC found that 58% of non-EU companies haven't even started. That's a significant compliance liability sitting unchecked.

Here's what makes this regulation different from GDPR: it classifies AI systems by risk level and imposes progressively stricter rules. An AI agent screening job applicants faces completely different requirements than one summarizing meeting notes. Getting the classification right is step one, and getting it wrong is expensive.

The enforcement timeline gives you a window — full compliance required by August 2027 for most provisions. But prohibited practices enforcement started February 2025, and general-purpose AI model obligations kicked in August 2025. The complexity of the requirements means preparation should've started yesterday. I've walked 4 clients through EU AI Act gap analyses, and in every case the biggest challenge wasn't the technical compliance — it was understanding which requirements actually applied to their specific agents.

Four tiers: unacceptable risk (banned outright), high risk (extensive requirements), limited risk (transparency obligations), and minimal risk (no specific requirements beyond general law).

Most business AI agents fall into limited or minimal risk. But watch out: if your agent is used in employment (screening, evaluation, task allocation), credit decisions, insurance, education, or law enforcement — it's high risk with mandatory compliance requirements. An AI agent that ranks job applicants is high-risk even if it's just a pre-screening tool.

Limited risk covers most customer-facing chatbots and content-generation agents. The main obligation: tell users they're talking to an AI. Not buried in terms of service — clearly, before or at the start of interaction. Minimal risk covers most internal process automation. No specific requirements, but voluntary adherence creates a governance foundation that simplifies compliance if the agent's scope later expands.

Transparency applies across all risk tiers. For agents interacting with people: clearly inform them they're communicating with AI. Before or at the start of the interaction. Clear and unambiguous. Burying disclosure in ToS doesn't count.

Human oversight for high-risk agents is demanding. Humans must understand the agent's capabilities and limitations, interpret its outputs, override its decisions, and intervene at any time. Simple kill switches aren't enough if the operator can't understand the agent's reasoning.

Practically, this means dashboards showing agent activities, decision rationale, confidence levels, and one-click pause/override/redirect capability. Operators must be trained — not just on the tools, but on understanding when to intervene. Document the training.

Phase one (do now): inventory every AI agent, classify by risk category. Include shadow AI deployments — not just officially sanctioned agents. This inventory is the foundation for everything else.

Phase two: gap analysis. For each high-risk agent, assess current practices against mandatory requirements. Common gaps: insufficient documentation, no formal risk management, inadequate data governance for knowledge bases, missing human oversight, incomplete logging. Prioritize by enforcement timeline: prohibited practices (Feb 2025), GPAI obligations (Aug 2025), everything else (Aug 2027).

Phase three: sustainable compliance operations. Ongoing monitoring, team training, compliance checks in CI/CD pipelines, and a regulatory watch process for updates. The Commission and national authorities will continue issuing guidance — your compliance program must incorporate it.