EU Regulations Are Not Ready for Multi-Agent AI Incidents

Natàlia Fernández Ashman, Usman Anwar, Marta Bieńkiewicz / Jan 13, 2026

Elise Racine & The Bigger Picture / Better Images of AI / Web of Influence I / CC-BY 4.0

In August this year, the European Commission’s guidelines for Article 73 of the EU AI Act will come into force. The guidelines mandate deployers and providers to report serious incidents related to AI systems in high-risk environments such as critical infrastructure.

This is a timely release. Nick Moës, Executive Director of The Future Society, warned during the flagship Athens Roundtable in London last December:

“This may be one of the last years in which we can still prevent an AI disaster as defined by the OECD. The scale and growth of incidents we are witnessing is already concerning.”

Is the regulation we are developing fit for purpose? As we expressed in our recent submission to the Commission’s consultation on draft guidance and reporting template on serious AI incidents, the draft already contains a worrying loophole that must be addressed. The draft guidelines focus on single-agent and single-occurrence failures, and assume a simplistic one-to-one causality map for AI-related incidents. Yet some of the most serious risks are already emerging from interactions between AI systems, where multiple occurrences can lead to cascading, cumulative effects.

An incident reporting framework that ensures accountability for these new risks must be part of the EU AI Act’s implementation. With Article 73 guidelines set to become binding in August, the clock is ticking for the European Commission to embed these changes.

Not all incidents will be caused by a single agent

The current wording of Article 73 guidelines assumes that only one system will contribute to a high-risk incident. However, AI systems are becoming more agentic: capable of complex reasoning, goal decomposition, and proactive action without continuous human intervention. Once deployed, they are likely to interact with other AI agents and users, leading to complex dependencies. In such cases, assigning a single culprit in an incident becomes an outdated approach, particularly for diffuse or subtle incidents.

For example, when pricing algorithms in Germany’s fuel market began reacting to each other, prices rose without any explicit coordination. This outcome, known as algorithmic collusion, illustrates the broader accountability gap in current regulations. Similar phenomena have been reported among the largest online retailers in the Netherlands and Belgium.

The core challenge is that the resulting incidents are emergent, stemming not from a failure in one system (and attributable to one actor), but from system-level interaction. To capture this reality, the Article 73 guidelines should explicitly recognise that unexpected system behavior can arise not only from an AI system acting in isolation, but also from its interaction with other AI systems.

Not all incidents will stem from a single occurrence

When automated trading systems reacted to each other during the “Flash Crash” of 2010, market prices collapsed by nearly a trillion dollars within minutes. This example illustrates how AI-related incidents can arise from multiple, rapid interactions between systems rather than a single occurrence. The sheer speed at which automated systems interact can also amplify the effects of each other’s outputs. This can trigger cascading effects across networks, quickly escalating one localised failure into a major incident or multiple major incidents.

To illustrate, cascading outages in the energy industry could be caused by the introduction of purposely falsified data into networked AI systems controlling the power grid. In simulated resource-sharing scenarios (fishery, pasture, and clean water), LLMs have also been shown to accelerate resource depletion through interactions leading to a system-level collapse.

Other types of cumulative incidents must also be addressed by regulation. This November, Anthropic reported the largest cyberattack conducted using AI agents targeting critical industries. The state-linked threat actor broke down the attack into seemingly innocuous tasks that Claude would execute without being provided the full context of their malicious intent. The mounting effect of various tasks, rather than a single event, means this would not be a clearly reportable incident under today's Article 73 draft guidelines.

Article 73 guidelines should expand their parameters to explicitly include cumulative, systemic, and non-physical forms of harm caused by multiple occurrences, such as compounding effects across digital infrastructure networks and across multiple communities in society.

Multi-agent incidents threaten our collective interests

Current loopholes in the draft guidelines for Article 73 create legal ambiguity in accountability and expose harms that extend beyond individual users. Business insurers are already protecting themselves, with Great American, AIG and W. R. Berkley looking to exclude coverage for AI-related liabilities caused by systemic risks.

As governments increasingly deploy AI systems to forecast economic trends, draft regulations, allocate public resources, or support administrative decision-making, errors can affect entire populations rather than discrete individuals. It is these shared, population-level stakes that Article 73 seeks to protect under the notion of “collective interests,” including environmental protection, public health, and the functioning of democratic institutions. Yet, its current framing does not capture how multi-agent interactions can erode these interests in new ways.

When the Russian network Pravda injected pro-Kremlin narratives into multiple AI models, the systems began repeating propaganda as legitimate information. This incident highlights the fragility of our epistemic security—the integrity of the information environment that forms the bedrock of our democratic processes—and shows how multi-agent interactions can erode collective interests without a single 'harm' occurring. Indeed, multi-agent systems have been shown to propagate, store and retrieve erroneous information, polluting what we refer to as our “epistemic commons.”

As AI systems mediate our information ecosystem, they might erode our decision-making by presenting selective and biased information. Our overreliance on these systems (known as automation bias) can cause us to act on an incorrect AI response, even if it contradicts our own knowledge. Paired with AI systems’ potential to manipulate, this erosion of our decisional autonomy can harm our freedom of thought, enshrined in the Universal Declaration of Human Rights by the United Nations.

If Article 73 guidelines strive to protect democracy and our collective interests, they must also explicitly recognise how multi-agent dynamics threaten to manipulate, coerce or otherwise undermine our ability to make informed decisions.

We are missing third-party reporting

Because of the high-risk and diffuse nature of these multi-agent incidents, and the difficulty of holding a single provider accountable, confidential reporting mechanisms (“whistleblowing”) are non-negotiable. The draft guidelines for Article 73 provide no structured pathways for third-party reporting (users, civil society, academia) or for whistleblowers. There is also no clear link, for example, between the European Commission’s efforts to build a confidential whistleblower tool and regulation.

It’s time to close the gap

The draft guidelines for Article 73 expose an alarming lack of preparedness in regulating agentic AI systems. These guidelines will be legally binding from August 2026 and, as currently drafted, give us no tools to assign accountability for multi-agent incidents or to prevent cumulative harm to our collective interests.

The European Commission should broaden how it understands and responds to AI-related incidents, starting with a more realistic definition of harm. Reportable incidents should not be limited to isolated system failures, but expanded to include breakdowns that emerge when AI systems interact with one another—often in unpredictable and compounding ways. These multi-agent interactions can produce cumulative and systemic harms that do not always manifest as immediate physical damage, but instead ripple across digital networks, critical infrastructure, and entire communities.

That broader lens is especially important when it comes to collective interests such as the integrity of democratic institutions. Multi-agent AI systems can misinform, manipulate, or subtly distort users’ ability to make informed decisions at scale, causing damage that is diffuse but deeply consequential. Recognizing these forms of harm requires moving beyond a narrow, individualised model of risk and explicitly accounting for how coordinated or cascading AI behavior can undermine public trust and social resilience.

To make such harms visible in practice, the Commission should also enable stronger reporting mechanisms. This includes allowing confidential and third-party reporting channels so whistleblowers, civil society organizations, and academic researchers can surface multi-agent failures without fear of retaliation. Without these pathways, many of the most serious and systemic AI incidents are likely to remain hidden, unexamined, and unaccountable.

Article 73 is a stepping stone. A stronger normative backbone is needed to account for transparent, cooperative and accountable AI-to-AI interactions. EU legal experts also argue that monitoring needs explicit, system-level technical intervention mechanisms (i.e., kill switches or circuit breakers). Campaigning for the amendment of Article 73 is a positive step toward addressing high-risk incidents in Europe’s AI landscape.

Authors

Natàlia Fernández Ashman
Natàlia Fernández is the Communications Officer at Cooperative AI Foundation. Natàlia brings experience from roles at the intersection of technology and communication, having worked as a Product Marketer and as an Editorial Lead for a technology-focused events agency. She holds an MA in Digital Medi...
Usman Anwar
Usman Anwar is a PhD student at the University of Cambridge, broadly interested in AI Safety.
Marta Bieńkiewicz
Marta Bieńkiewicz is the Policy and Partnerships Manager at the Cooperative AI Foundation. She is a certified Tech Steward and an affiliate of the Center for AI and Digital Policy and the Z-Inspection Trustworthy AI Initiative.
