The EU AI Act is Not Ready for Agents
Kathrin Gardhouse, Amin Oueslati / May 5, 2026

AI agents, systems that independently pursue complex goals with limited human oversight, have entered the mainstream. They are now widely used to produce software, conduct business activities, and automate everyday personal tasks. But they also introduce unique risks. The EU AI Act, the most comprehensive AI regulation to date, was not written with agents in mind. In a new paper, we analyze five governance challenges they pose, covering performance, misuse, privacy, equity, and oversight, and identify critical gaps for the EU to address.
Incidents involving AI agents are mounting. In December 2025, Amazon's coding agent Kiro deleted a live production environment, triggering a 13-hour AWS regional outage. In February 2026, an autonomous AI agent using OpenClaw went rogue after a rejected software contribution, independently writing and publishing a hit piece attacking the volunteer who turned it down.
Not only do agents malfunction, they are also exploited for malicious purposes. In one incident, an attacker planted hidden instructions inside a webpage. When an AI agent browsed the page on a user's behalf, it unknowingly followed those instructions, stealing the user's login credentials and sending them to an external server.
Five ways the EU AI Act falls short on AI Agent risks
In our new paper, we systematically analyze how the EU AI Act holds up against these risks, which legislators could not have considered, because highly capable, autonomous agents postdate the Act's drafting. Our research suggests that the EU AI Act applies to agents in principle but falls short in practice, as we demonstrate across the following five governance challenges.
Agent performance varies sharply and unpredictably across domains: while some EU AI Act metrics, such as robustness, remain relevant, others, such as accuracy, do not map well onto agentic behavior. The Act's accuracy metric presupposes a determinate standard against which outputs can be assessed as correct or incorrect—a poor fit for agentic tasks like allocating housing assistance while balancing speed, equity, and fraud prevention, where no single "correct" output exists. Robustness is more promising, but the Act operationalizes it narrowly, focusing on technical redundancies rather than subtler agentic failures like gradually shifting objectives or breakdowns that only emerge after extended real-world interaction.
Misuse risks proliferate as agents can execute sophisticated cyberattacks at unprecedented scale, while requiring limited to no technical expertise from malicious actors. Yet, only model providers must address such risks, while agent providers are merely subject to general cybersecurity requirements. Additionally, the Act's enumerated attack types against which system providers have to guard—data poisoning, adversarial examples—reflect discrete, familiar threats rather than agent-specific scenarios, such as prompt injection attacks where hidden instructions embedded in content an agent encounters manipulate it into harmful actions, as occurred in a real-world incident involving Google's Antigravity platform.
On privacy, agents continuously collect and transfer data across contexts users would ordinarily keep separate, undermining the EU AI Act's privacy-by-design approach, which assumes data are gathered at discrete moments for defined purposes. The Act's data governance obligations presuppose a finite, pre-deployment dataset to which privacy protections can be applied before a system goes live. For agents that continuously incorporate new information during interaction, there is no single "original purpose" to anchor later processing and no clearly defined moment at which those protections can be meaningfully applied.
Equity risks compound as agents disproportionately benefit well-resourced users due to access barriers, yet the EU AI Act addresses this primarily through non-binding provisions. Nor does the Act effectively address the risk that agents themselves may make inequitable decisions—reproducing and amplifying biases across autonomous, extended tasks. The Act's primary instrument for equitable decision-making, the Fundamental Rights Impact Assessment, excludes many high-risk uses with significant equity implications—such as private employment systems—and is conceived as a periodic exercise rather than the continuous monitoring that agents, whose decision logic evolves through use, actually require.
Finally, the EU AI Act's oversight framework assumes agent behavior can be rendered legible and actions halted or reversed. However, for agents that take direct real-world actions at superhuman speed, these assumptions may prove technically infeasible. Agents interacting with external systems—placing orders, executing transactions—may take actions that are impossible to undo, with no clearly defined "safe state" to return to. Yet Article 14's "stop button" requirement treats halting as straightforward, and frames oversight primarily as a matter of human attention rather than the technical infrastructure—anomaly detection, automated logging—that meaningful control of agents actually demands.
Closing the gaps
These gaps should be closed to enable providers to confidently meet their EU AI Act obligations. For high-risk AI system providers, harmonized standards that take agentic capabilities into account are needed, ideally before the relevant obligations come into force. For providers of general-purpose AI models with systemic risks, guidance from the AI Office is the most appropriate mechanism, as these obligations already apply, but currently remain vague.
Harmonized technical standards
The harmonized technical standards for high-risk AI systems, now delayed to late 2026, have yet to be finalized. The European Commission should ensure the standardization committee addresses agents explicitly. We suggest addressing the following three questions with priority: First, how can the EU AI Act's human oversight obligations be met when autonomous agents are concerned? Second, what does appropriate data management look like for agents that collect and use personal data continuously across shifting contexts? Third, how should the Act's requirements for accuracy, consistency, and robustness apply to agents performing open-ended tasks—where there is often no clear baseline against which performance can be judged right or wrong?
Guidance from the AI Office
The second lever is guidance from the AI Office, which could address the most pressing open questions for providers of GPAI models with systemic risk whose obligations are already in force. Three issues are particularly acute. First, what exactly is required of the model providers’ risk assessment when considering ‘foreseeable’ integration of their models into agentic systems? Second, what does a compliant mitigation framework for loss-of-control risk actually look like for agents? Third, how should providers address risks that only emerge from interactions between agents where no single model output is harmful in isolation? The Code acknowledges this class of risk but provides no guidance on what mitigation at the interaction layer requires, or indeed whether model providers bear any responsibility for it at all.