EU AI Act Compliance for AI Agents: A Practical Checklist
Scope: when the EU AI Act touches your agents
If an agent influences employment, credit, insurance, biometric ID, or safety-critical systems, assume high-risk obligations apply until legal review says otherwise. Document your rationale either way.
Governance and accountability
- Named owner for each in-scope agent (not “the AI team” generically)
- Risk management process documented and reviewed at least annually
- Post-market monitoring plan for incidents, drift, and misuse reports
Data and documentation
- Training/validation data summary where applicable (provenance, known limitations)
- Technical documentation sufficient for authorities to interpret behavior
- Instructions for use for downstream deployers and operators
Logging and human oversight
- Traceability of inputs, tool calls, and outputs for high-risk workflows
- Human oversight mechanisms where automation cannot be overridden safely
- Override and escalation paths tested—not only designed on paper
Conformity and third parties
- Conformity strategy clear (self-assessment vs notified body where required)
- Vendor and API dependencies mapped; subprocessors documented
- EU representative identified if you are not established in the EU
Putting it into agent workflows
Before deploy
Block promotion if documentation, evaluations, and permission scopes are incomplete for the assigned tier.
During operation
Monitor for policy breaches and behavioral drift; tie alerts to owners with SLA expectations.
After incidents
Preserve logs, notify per playbook, and record corrective actions in the audit trail.
What “done” looks like
You can answer, on short notice: who owns this agent, what it is allowed to do, how we monitor it, and how we prove it—with artifacts that match production reality.