{"id":20888,"date":"2026-04-09T15:11:23","date_gmt":"2026-04-09T15:11:23","guid":{"rendered":"https:\/\/ideainthebox.com\/index.php\/2026\/04\/09\/agentic-ais-governance-challenges-under-the-eu-ai-act-in-2026\/"},"modified":"2026-04-09T15:11:23","modified_gmt":"2026-04-09T15:11:23","slug":"agentic-ais-governance-challenges-under-the-eu-ai-act-in-2026","status":"publish","type":"post","link":"https:\/\/ideainthebox.com\/index.php\/2026\/04\/09\/agentic-ais-governance-challenges-under-the-eu-ai-act-in-2026\/","title":{"rendered":"Agentic AI\u2019s governance challenges under the EU AI Act in 2026"},"content":{"rendered":"
\n

AI agents hold the promise of automatically moving data between systems and triggering decisions, but in some cases, they can act without a clear record of what, when, and why they undertook their tasks. <\/p>\n

That has the potential to create a governance problem, for which IT leaders are ultimately responsible. If an organisation can\u2019t trace an agent\u2019s actions and don\u2019t have proper control over its authority, leaders can\u2019t prove that a system is operating safely or even lawfully to regulators. <\/p>\n

That\u2019s an issue set to become more important from August this year, as enforcement of the EU AI Act kicks in. According to the text of the Act, there will be substantial penalties for failures of governance relating to AI, especially when used in high-risk areas such as when personally-identifiable information is processed, or financial operations take place. <\/p>\n

\n

What IT leaders need to consider in the EU<\/h3>\n
\n

Several steps can be taken to alleviate high levels of risk, and of these, the ones that stand out for consideration include agent identity, comprehensive logs, policy checks, human oversight, rapid revocation, the availability of documentation from vendors, and the formulation of evidence for presentation to regulators. <\/p>\n

There are several options decision makers can consider that will help create the record of activities undertaken by agentic systems. For example, a Python SDK (software development kit), Asqav, can sign each agent\u2019s action cryptographically and link all records to an immutable hash chain \u2013 the type of technique that\u2019s more associated with blockchain technology. If someone or something changes or removes a record, verification of the chain fails. <\/p>\n

For governance teams, using a verbose, centralised, possibly-encrypted system of record<\/b> for all agentic AIs is a measure that provides data well beyond the scattered text logs produced by individual software platforms. Regardless of the technical details of how records are made and kept, IT leaders need to see exactly where, when, and how agentic instances are acting throughout the enterprise. <\/p>\n

Many organisations fail at this first step in any recording of automated, AI-driven activity. It\u2019s necessary to keep a registry of every agent in operation, with each uniquely identified, plus records of its capabilities and granted permissions. This \u2018agentic asset list\u2019 ties neatly into the requirements of the EU AI Act\u2019s article 9, which states: <\/p>\n