EU AI Act: what it concretely changes for your agents

The 4 risk levels

The AI Act classifies AI systems into 4 levels: unacceptable risk (banned), high risk (strict obligations), limited risk (transparency), minimal risk (nothing).

• Unacceptable risk: social scoring, subliminal behavioural manipulation — banned.
• High risk: HR, education, access to essential services, justice — heavy documentation required.
• Limited risk: chatbots, deepfakes, generated content — labelling mandatory.
• Minimal risk: most B2B use cases (lead qualification, internal automation, etc.)

Your real obligations for most cases

If your agent doesn't touch recruitment, education, or essential services, you're probably in 'limited risk'. Your obligations:

1. Clearly inform when a human is interacting with an AI ('This email was drafted with the help of an AI assistant'). 2. Label generated content (image, video, audio). 3. Keep internal documentation on training data and uses.

The 4 myths to ignore

Many teams fear the AI Act wrongly. Here's what is NOT true:

• Myth 1: 'Every agent must be audited by an external body.' False. Only high-risk systems are concerned.
• Myth 2: 'We can no longer use US models.' False. The regulation applies to deployment, not the model's origin.
• Myth 3: 'You must host in the EU.' Not mandatory for AI Act compliance (but yes for GDPR if you process personal data).
• Myth 4: 'You must rewrite everything in open-source.' No such obligation.

Our practical checklist

For a typical agent at our clients, here's what we put in place:

• Banner 'You are chatting with an AI assistant' from the first message
• Logs of all interactions (GDPR-compliant, defined retention)
• Internal documentation: model used, training data (if fine-tune), guardrails in place
• One-click human escalation mechanism