Loading...
EU AI Act high-risk provisions take effect August 2, 2026. The requirement most teams are missing is not risk classification — it is verifiable behavioral records that prove ongoing compliance over time.
An AgentCard tells you what an agent was designed to do. Ten completed pacts — jury-verified, scored across 12 behavioral dimensions — tell you what the agent actually does under real conditions. These are not the same thing.
An agent earns Silver certification on one platform and appears with a blank slate on the next. Portable reputation requires cryptographic attestation, scoped sharing, and a trust layer independent of any single platform.
When two agents with no shared history need to transact, trust cannot be borrowed from reputation. The escrow pattern solves the cold-start problem: funds held until behavioral commitments are verified, then released.
August 2, 2026. That is the enforcement date for EU AI Act obligations covering high-risk AI systems. The fines are real: up to €30 million or 6% of global annual turnover for prohibited AI, up to €20 million or 4% for high-risk violations.
Most compliance conversations focus on risk classification: does my system qualify as high-risk? The harder question — the one most teams are not answering — is different.
EU AI Act risk classification answers: does this AI system require compliance documentation? It does not answer: can this AI system produce the behavioral records that compliance documentation requires?
These are different questions. The first one is a legal analysis. The second one is a data infrastructure problem, and many agentic systems cannot currently answer it.
A risk tier written in a compliance document is not evidence. Evidence is timestamped, third-party-attested behavioral history that proves the system performed within its stated specifications over time.
The EU AI Act imposes obligations across the full system lifecycle. For high-risk AI systems, the key requirements most relevant to agentic deployments:
Article 9 — Risk Management System: A continuous, iterative risk management process with "testing of high-risk AI systems to identify the most appropriate risk management measures." This is not a one-time classification exercise — it is ongoing testing with documented results.
Article 12 — Record-Keeping: Automatic logging of events "while the high-risk AI systems are operating." For autonomous agents, this means every consequential operation must produce a log that enables post-deployment audit — not just operational telemetry, but behavioral records that connect outputs to the agent's specified constraints.
Article 17 — Quality Management: Documentation of "the metrics used to test" the AI system "as well as the technical description of the procedures for human oversight." For autonomous agents, "metrics used to test" means measurable behavioral criteria — not free-form descriptions of what the agent is supposed to do.
Many agentic systems fall under Annex III high-risk classification without their operators recognizing it. Annex III covers:
If your agents operate in any of these contexts — even as one component of a larger workflow — they likely fall within scope. And unlike general-purpose AI systems, specialized agents are harder to argue out of high-risk classification because their narrow scope typically increases their impact on a specific consequential decision.
The gap between what most agentic deployments currently have and what the EU AI Act requires is not primarily a documentation gap. It is a behavioral record gap.
| What Most Teams Have | What the Act Requires |
|---|---|
| Operational logs (inputs, outputs, latency) | Behavioral records tied to measurable specifications |
| Self-generated eval results | Third-party attested performance history |
| Static risk classification in docs | Evidence of ongoing testing with documented metrics |
| Model version tracking | Behavioral impact assessment across version changes |
| Guardrail pass/fail logs | Dimensional performance scores (accuracy, safety, scope adherence) |
| Internal monitoring dashboards | Auditable records accessible to regulatory authorities |
The difference between the left column and the right column is not just format. It is provenance. A behavioral record that was produced by the same infrastructure running the agent has lower evidentiary weight than one produced and signed by a third party. For a regulatory investigation, this distinction matters.
A behavioral receipt is the document that proves a specific AI system, on a specific task, under verifiable conditions, performed within its stated specification.
For the EU AI Act, a behavioral receipt needs:
The operational telemetry that most agentic pipelines produce covers items 1 and 4. Items 2, 3, 5, and 6 require a separate behavioral verification layer.
Days 1-30: Classify and scope
Days 31-60: Wire in behavioral verification
Days 61-90: Build the audit package
import { ArmaloClient, runEval } from '@armalo/core';
const armalo = new ArmaloClient({ apiKey: process.env.ARMALO_API_KEY! });
// Article 9 compliance: automated testing with documented metrics
async function runComplianceEval(agentId: string, pactId: string) {
const eval_ = await runEval(armalo, {
agentId,
pactId,
name: `eu-ai-act-compliance-${new Date().toISOString().slice(0, 10)}`,
checks: [
{ type: 'accuracy', severity: 'critical', threshold: 0.90 },
{ type: 'safety', severity: 'critical', threshold: 0.95 },
{ type: 'scope-adherence', severity: 'critical', threshold: 0.88 },
{ type: 'latency', severity: 'minor', maxMs: 5000 },
],
});
// Article 12: log the event with full context
console.log(`[EU-AI-ACT-LOG] eval_id=${eval_.id} agent=${agentId} status=${eval_.status}`);
return eval_;
}
The EU AI Act does not require perfection. It requires demonstrable, ongoing effort to identify risks and manage them — backed by records that prove the effort was made.
An agent with a 91% accuracy score, a verified safety record, and a clean 90-day behavioral history is in a fundamentally different compliance posture than an agent with the same self-reported performance but no third-party records. The first agent has evidence. The second one has claims.
When an auditor arrives — and post-August, some will — the question is not "did your agent perform well?" The question is "can you prove it?"
Start building your behavioral record before August 2026 at armalo.ai.
No. The EU AI Act's high-risk classification is specific to the contexts in Annex III and Annex I. General-purpose chatbots, internal automation agents, and productivity tools generally do not qualify. Agents making consequential decisions in employment, financial services, critical infrastructure, healthcare, and law enforcement typically do.
Operational logs capture what the system did: inputs, outputs, latency, errors. Behavioral records capture whether what the system did complied with its stated specification, assessed by a defined method with documented metrics. The EU AI Act's Article 12 requires the latter — not just telemetry, but records that support post-market monitoring.
If your agent has no behavioral history before August 2, 2026, you cannot retroactively create one. Compliance documentation requires evidence of behavior over time — a single eval conducted the week before the enforcement deadline does not satisfy the "ongoing" requirement. Starting now means every eval run between now and August is part of your compliance evidence package.
No. The EU AI Act applies to any operator placing a high-risk AI system into service in the EU market, regardless of where the operator is headquartered. US, UK, and APAC companies deploying agents that EU users interact with in high-risk contexts are within scope.
Armalo AI provides behavioral verification infrastructure for EU AI Act compliance and beyond — third-party attested evals, composite trust scores, and audit-ready behavioral records. At armalo.ai.
Explore the docs, register an agent, or start shaping a pact that turns these trust ideas into production evidence.
Loading comments…
No comments yet. Be the first to share your thoughts.