EU AI Act 2026 Governance Challenges for Agentic AI Systems
AI agents hold the promise of automatically moving data between systems and triggering decisions, but in some cases, they can act without a clear record of what they did, when, and why.
This creates a significant governance challenge for which IT leaders are ultimately responsible. If an organisation cannot trace an agent's actions and lacks proper control over its authority, leaders cannot prove to regulators that a system is operating safely or lawfully.
⚠️ This issue becomes critically important from August this year, as enforcement of the EU AI Act begins. According to the Act, there will be substantial penalties for governance failures relating to AI, especially when used in high-risk areas such as processing personally identifiable information or conducting financial operations.
What IT Leaders Need to Consider in the EU
Several steps can be taken to mitigate high levels of risk. The key considerations include:
- Agent identity
- Comprehensive logs
- Policy checks
- Human oversight
- Rapid revocation capabilities
- Vendor documentation availability
- Evidence formulation for regulatory presentation
There are several options decision-makers can consider to create a comprehensive record of activities undertaken by agentic systems. For example, a Python SDK (software development kit), Asqav, can sign each agent's action cryptographically and link all records to an immutable hash chain – the type of technique more commonly associated with blockchain technology. If someone or something changes or removes a record, verification of the chain fails.
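The signing and hash-chain technique described above, as an added example that is not from the original article and does not use Asqav's API: HMAC-SHA256 stands in for the signature scheme, and the record fields, agent IDs and keys are assumptions constructed for the demonstration.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # prev_hash of the first record

def _digest(body):
    # Canonical JSON so identical content always hashes identically.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def _sign(key, record_hash):
    return hmac.new(key, record_hash.encode(), hashlib.sha256).hexdigest()

def append_record(chain, keys, agent_id, action, ts):
    """Append one signed record that commits to the previous record's hash."""
    body = {"seq": len(chain), "agent_id": agent_id, "action": action, "ts": ts,
            "prev_hash": chain[-1]["hash"] if chain else GENESIS}
    h = _digest(body)
    chain.append({**body, "hash": h, "sig": _sign(keys[agent_id], h)})

def verify_chain(chain, keys):
    """Return (True, None), or (False, (index, reason)) at the first failure."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: rec[k] for k in ("seq", "agent_id", "action", "ts", "prev_hash")}
        if rec["seq"] != i or rec["prev_hash"] != prev:
            return False, (i, "broken link")      # record removed or reordered
        if _digest(body) != rec["hash"]:
            return False, (i, "content altered")  # field edited after signing
        key = keys.get(rec["agent_id"])
        if key is None or not hmac.compare_digest(_sign(key, rec["hash"]), rec["sig"]):
            return False, (i, "bad signature")    # unknown agent or forged hash
        prev = rec["hash"]
    return True, None

def build_sample():
    # Constructed sample data: hypothetical agent IDs, demo keys, made-up actions.
    keys = {"agent-invoice-01": b"demo-key-A", "agent-crm-02": b"demo-key-B"}
    chain = []
    append_record(chain, keys, "agent-invoice-01", "read:invoice/1001", "2026-01-05T09:00:00Z")
    append_record(chain, keys, "agent-crm-02", "update:customer/77", "2026-01-05T09:00:03Z")
    append_record(chain, keys, "agent-invoice-01", "approve:payment/1001", "2026-01-05T09:00:09Z")
    return chain, keys

if __name__ == "__main__":
    chain, keys = build_sample()
    print(verify_chain(chain, keys))
    chain[1]["action"] = "update:customer/78"   # tamper with one record
    print(verify_chain(chain, keys))
```

The chain alone does not reveal records dropped from the end of the log; catching that requires keeping the latest record hash somewhere the log writer cannot rewrite.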
For governance teams, implementing a verbose, centralized, possibly-encrypted system of record for all agentic AIs provides data well beyond the scattered text logs produced by individual software platforms. Regardless of the technical details of how records are made and kept, IT leaders need to see exactly where, when, and how agentic instances are acting throughout the enterprise.
Many organisations fail at this first step in recording automated, AI-driven activity. It's necessary to maintain a registry of every agent in operation, with each uniquely identified, plus records of its capabilities and granted permissions.
📋 EU AI Act Article 9 Requirements
For high-risk areas, AI risk management must be an ongoing, evidence-based process built into every stage of deployment (development, preparation, production), and be under constant review.
📋 EU AI Act Article 13 Requirements
High-risk AI systems must be designed so that those deploying them can understand a system's output. Thus, an AI system from a third party must be interpretable by its users (not an opaque code blob), and should be supplied with sufficient documentation to ensure its safe and lawful use.
This requirement means the choice of model and its methods of deployment are both technical and regulatory considerations.
Implementing Emergency Controls
It's essential for any agentic deployment to offer a facility for the revocation of an AI's operating role, preferably within seconds. The ability to revoke quickly should be part of emergency response processes. Revocation options should include:
- 🔴 Immediate removal of privileges
- 🔴 Immediate cessation of API access
- 🔴 Flushing of queued tasks
Human oversight means that human operators must be able to reject any proposed action, and must have sufficient context to make informed decisions. It's not considered adequate for the person reviewing a decision to see only a prompt or a confidence score. Effective oversight requires information about context, every agent's authority, and sufficient time to intervene to prevent missteps.
Multi-Agent System Considerations
While every agent's action should be recorded automatically and retained, multi-agent processes are particularly complex to track, as failures can occur among chains of agents. It's therefore crucial for security policies to be tested during the development of any system that intends to utilize multiple agents.
⚖️ Important: Governing authorities may require logs and technical documentation at any time, and will certainly need them after any incident they have been made aware of.
Key Takeaways for IT Leaders
The critical question for IT leaders considering using AI on sensitive data or in high-risk environments is whether every aspect of the technology can be identified, constrained by policy, audited, interrupted, and explained. If the answer is unclear, governance is not yet in place.
Image source: "Last Judgement" by Lawrence OP is licensed under CC BY-NC-ND 2.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-nc-nd/2.0









