I've been building AI agents for the past year. Last month I realized I have no idea what half of them actually do in production.
Like, I think my support agent looks up the right docs and gives good answers. But when someone asks "why did the bot say X?" — I'm grepping through logs hoping to find something useful. Usually I don't.
This wasn't a huge problem until I started reading about the EU AI Act.
The law nobody's talking about
August 2026. That's when the EU AI Act fully kicks in. Fines up to €35 million or 7% of global turnover.
And here's the thing that surprised me: AI agents are in scope.
The law doesn't use the word "agent" anywhere — it was written before the current agentic AI wave. But it covers "AI systems," and agents are AI systems. A report from The Future Society confirmed this: the Act wasn't designed with agents in mind, but it absolutely applies to them.
The tricky part? Agents are harder to comply with than regular AI. A chatbot takes input, gives output, done. An agent takes input, calls three APIs, makes a decision, updates a database, sends an email — and you need to be able to explain every step.
What you actually need to build
I spent a few weeks digging into the actual requirements. Here's the short version:
1. Log everything (Article 12)
Every LLM call, every tool use, every decision. With timestamps. For 10 years if you're high-risk.
This is where I started. Wrapped my OpenAI client, started capturing traces:
import { AgentGov } from "@agentgov/sdk";
import OpenAI from "openai";
const ag = new AgentGov({
apiKey: process.env.AGENTGOV_API_KEY,
projectId: process.env.AGENTGOV_PROJECT_ID,
});
const openai = ag.wrapOpenAI(new OpenAI());
// now every call is traced — inputs, outputs, tokens, cost
If you're using the OpenAI Agents SDK, there's an exporter that plugs right in:
import { BatchTraceProcessor, setTraceProcessors } from "@openai/agents";
import { AgentGovExporter } from "@agentgov/sdk/openai-agents";
setTraceProcessors([
new BatchTraceProcessor(new AgentGovExporter({
apiKey: process.env.AGENTGOV_API_KEY!,
projectId: process.env.AGENTGOV_PROJECT_ID!,
}))
]);
2. Tell users it's AI (Article 50)
If your agent emails customers, chats with users, generates content — they need to know it's AI. Sounds obvious but I've seen a lot of agents that don't disclose this.
3. Figure out your risk level (Annex III)
Not all agents need the same compliance. An agent that filters spam? Minimal risk, basically no requirements. An agent that screens job applicants or scores credit? High-risk, full compliance stack.
This is the part that takes actual thinking. You need to look at Annex III categories and figure out where your agent lands.
4. Human oversight (Article 14)
For high-risk agents: a human needs to be able to stop the agent, override its decisions, and understand what it's doing. This is genuinely hard for autonomous agents. I ended up building approval gates for anything with real-world consequences.
The uncomfortable truth
Most of us are building agents without any of this. I was too. And honestly, if you're just shipping a side project, maybe it doesn't matter.
But if you're building agents for a company that operates in Europe (or has European customers), this is coming. August 2026 is 6 months away. Retrofitting audit trails into an existing system is way harder than building them in from the start.
I started working on this problem because I needed it myself. That turned into AgentGov — open source, combines tracing with EU AI Act compliance stuff (risk classification, documentation generation, incident tracking).
This is my first open source project, so I'm figuring things out as I go. If you have feedback on the approach, the code, or anything really — I'd genuinely appreciate it.
GitHub: github.com/agentgov-co/agentgov
Website: agentgov.co
Anyway, that's where I'm at. Still figuring this out. If you're building agents and thinking about compliance (or deliberately not thinking about it), I'd love to hear how you're approaching it.
Top comments (0)