The EU AI Act is not coming. It's here. The world's first comprehensive AI regulation entered into force in August 2024 and its requirements are now active and enforceable for many AI system categories. If your AI agents process EU residents' data, operate in EU markets, or are deployed by EU-based organisations, this regulation applies to you — regardless of where your company is headquartered.
This article cuts through the legal complexity to explain what the Act actually requires for AI agents, who it applies to, and what you need to have in place right now.
The timeline — what's active now
Does your AI agent qualify as high-risk?
The EU AI Act takes a tiered approach to risk. Most AI systems fall into the limited or minimal risk categories and face only light-touch transparency obligations. High-risk systems face the full weight of compliance requirements.
An AI agent is likely to be classified as high-risk if it is used in one of the following contexts:
- Critical infrastructure (energy, water, transport, financial systems)
- Education and vocational training (decisions about learning outcomes)
- Employment and HR (recruitment, performance evaluation, work allocation)
- Access to essential private services (credit scoring, insurance pricing)
- Law enforcement or border control
- Administration of justice
- Democratic processes
If you are not in one of these categories, your obligations are lighter — but you still need to comply with transparency requirements and, if you use GPAI models like GPT-4 or Claude, with the obligations that flow from those models' frontier status.
What high-risk AI agents must do
For high-risk AI systems, the Act specifies five categories of requirement that map directly to how you govern your AI agents:
| Requirement | What the Act says | TrustLoop coverage |
|---|---|---|
| Audit Trail | Automatic logging of events, with tamper-evident records stored for at least 6 months | Blockchain-anchored audit log, full call history |
| Human Oversight | Mechanisms allowing humans to monitor, intervene, and override AI decisions | Approval workflows, kill-switch, real-time alerts |
| Transparency | Documentation of how the system works, what data it uses, what decisions it makes | Plain-English rule engine, decision logging with context |
| Risk Management | Ongoing identification, analysis, and mitigation of risks throughout the AI lifecycle | Policy enforcement, PII masking, blocked tool tracking |
| Data Governance | Controls over training and operational data, including personal data protection | Automatic PII/secret masking before logs are stored |
The five-minute compliance checklist
If you need to get a handle on your current compliance position, run through these five checks:
- Can you produce a complete audit log for any AI action in the last 6 months? Not just that the action happened — who authorised it, what data it touched, what the outcome was.
- Can you stop a specific AI tool from running without a code deployment? The Act requires human intervention to be immediate. A kill-switch that requires a PR, review, and deployment is not compliant.
- Do you have a documented process for high-stakes AI decisions? Not informal ("we Slack the team lead") — a structured workflow where the human decision and the reasoning are recorded.
- Is personal data masked before it enters your AI logs? Storing raw names, emails, or financial data in your audit logs creates GDPR exposure on top of AI Act risk.
- Can you demonstrate that your AI policies are being enforced, not just documented? A written policy that isn't technically enforced is not evidence of compliance — it's evidence that you knew the rules and didn't follow them.
Penalties — and why they matter even outside the EU
The EU AI Act carries fines of up to €35 million or 7% of global annual turnover for the most serious violations — exceeding even GDPR. Prohibited AI practices carry the highest penalty tier; high-risk system failures sit at €15 million or 3% of turnover.
More importantly for US-based companies: the Act applies extraterritorially. If your AI system produces outputs that are used in the EU, or if you provide AI systems to EU-based operators, you are in scope. This is the same market reach principle that made GDPR a global standard despite being EU regulation. Expect the EU AI Act to do the same.
The bottom line
The EU AI Act is not a future regulatory risk. For many AI agent deployments, it is a present requirement. The organisations that are ahead of it are the ones that built governance infrastructure as a foundation rather than a retrofit — because when a regulator asks to see your audit trail, you want to be producing evidence, not building a system to generate it.
Compliance is not the end goal. It is the floor. The real advantage of governing your AI agents well is that you understand what they're doing, you can stop them when something goes wrong, and you can demonstrate that control to anyone who asks — customer, partner, regulator, or board.
EU AI Act compliant in under 5 minutes.
TrustLoop covers audit trail, human oversight, transparency, risk management, and data governance — all five high-risk requirements — with a single integration and zero code changes to your existing agents.