AI Agents Under EU Law: First Systematic Regulatory Mapping Reveals Critical Compliance Gaps for Autonomous Systems

A landmark working paper provides the first systematic regulatory mapping for AI agent providers under the complex web of EU legislation, revealing that high-risk agentic systems with untraceable behavioral drift currently cannot satisfy the AI Act's essential requirements.

The Regulatory Landscape

AI agents don't face just one law — they trigger obligations under multiple simultaneous regulations:

Nine Agent Deployment Categories

The paper provides a taxonomy mapping concrete agent actions to regulatory triggers across nine deployment categories.

Key Findings

1. Behavioral drift problem — High-risk agentic systems with untraceable behavioral drift cannot currently satisfy AI Act requirements
2. Multi-party action chains — Transparency across complex agent workflows is a major compliance challenge
3. Human oversight — The degree of autonomy in agents conflicts with EU requirements for meaningful human control
4. Runtime behavior — Current laws assume static systems; agents that evolve at runtime create regulatory blind spots

The 12-Step Compliance Architecture

The paper proposes a comprehensive compliance framework with twelve steps for AI agent providers.

The Foundational Task

"The provider's foundational compliance task is an exhaustive inventory of the agent's external actions, data flows, connected systems, and affected persons."

Why It Matters

• Timing — EU AI Act enforcement is ramping up; agents deployed today need compliance now
• Practical guidance — First paper integrating draft harmonization standards (M/613, M/606)
• Agent-specific — Unlike general AI compliance, addresses unique challenges of autonomous multi-step action chains
• Global impact — EU regulations often set de facto global standards