The EU AI Act is the first comprehensive attempt to regulate artificial intelligence, and it is coming into force in phases now. For teams deploying AI agents it can feel daunting, but the core idea is pragmatic: the more risk an AI use carries, the more you have to do about it. Most of the preparation is good governance you would want regardless. This is practical guidance, not legal advice; involve your legal and compliance teams on anything specific.

What the Act does, in plain terms

The Act regulates AI by use and risk rather than by technology. It bans a small set of unacceptable practices outright, imposes substantial obligations on a defined set of high-risk uses, requires transparency for certain limited-risk uses, and leaves the large minimal-risk category mostly alone. Obligations apply on a phased timeline, so different requirements take effect at different points.

The risk tiers

  • Unacceptable risk — prohibited uses (for example, certain manipulative or social-scoring systems).
  • High risk — uses in sensitive areas carry strict obligations: risk management, data governance, documentation, human oversight, accuracy and more.
  • Limited risk — transparency obligations, such as telling people they are interacting with AI or that content is AI-generated.
  • Minimal risk — the majority of uses, largely unregulated.

Where AI agents usually land

An agent workflow is assessed like any other AI use — by what it does. Many internal, bounded workflows (triaging an inbox, preparing a draft, chasing a document) sit in limited or minimal risk. But agents used in areas such as recruitment, creditworthiness, or access to essential services can fall into the high-risk tier, with real obligations. The first job is therefore to classify each use honestly, which is exactly what our AI assurance work does.

Transparency and human oversight

Two themes recur throughout the Act and are worth designing for now regardless of tier: transparency (people should know when they are dealing with AI) and human oversight (a person should be able to understand, intervene in and override high-stakes AI decisions). Both map directly onto how we already build agents — disclosure where appropriate, and the human-in-the-loop design that keeps people in control.

Practical steps to prepare

You do not prepare for the Act with a legal memo alone; you prepare by running AI well. Inventory your AI uses, classify each by risk, add transparency where required, design proportionate human oversight, and keep documentation and evidence so you can demonstrate diligence. That is the same evidence-led governance covered in our AI governance checklist — and where you need a roadmap for the board, our strategy and advisory practice can help sequence it.