49 days to EU AI Act enforcement — what "compliant" actually means for agents
August 2, 2026 is the date GPAI enforcement kicks in. Penalties go up to 6% of annual global revenue. Most teams working on AI compliance have spent the last 18 months on model documentation — training data lineage, conformity assessments, model cards.
None of that covers what your agents actually do at runtime.
The gap regulators are going to find
The EU AI Act was written for artifacts: models that can be examined, tested, documented before deployment. What it's catching up to, slowly, is the reality that an AI agent is not a document — it's a process. It makes tool calls. It decides whether to proceed. It allocates resources. It can spend money.
Article 55 of the GPAI section requires providers to implement adversarial testing for systemic risks. Article 53 requires incident reporting. Both assume you can observe what your system did and prove it. For a model sitting in an inference server, that's hard but doable — you log inputs and outputs, you have evals.
For an agent fleet of 10 agents each making 400+ tool calls per session, "log inputs and outputs" produces a haystack with no audit trail structure. Regulators don't want a haystack. They want a signed, timestamped record that says: this agent, at this time, operating under this policy, made this decision, and here's the evidence that the policy was enforced.
That's execution evidence. It's different from logs.
What execution evidence actually requires
Three things, in order:
1. Policy-at-decision-time capture. Not just what the agent did — what policy was active when it did it. Agents can update their system prompts mid-session, receive new tool permissions via MCP, or operate under different delegation chains depending on which user triggered them. The audit trail has to capture the policy state at the moment of each consequential decision, not just the final output.
2. Tamper-evident chaining. Regulators checking for retroactive log manipulation (and they will) need cryptographic linking between events. Each execution record needs to hash into the next so a missing or altered entry is detectable.
3. Separation from the agent's own observation plane. If the agent writes its own audit log, it can edit it. The audit trail has to be written by a layer the agent can't reach — infrastructure level, not agent level.
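The three requirements above in one sketch, as an added example that is not from the original post or from any product it mentions: each record carries a hash of the policy active at decision time, links to the previous record's hash, and is authenticated with a key held by the writing layer rather than the agent. HMAC stands in for a signature here; the function names, record fields, key and sample session are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
DEMO_KEY = b"constructed-demo-key"  # assumption: real key lives only in the infra layer

def digest(obj):
    """SHA-256 over canonical JSON, so equal content always hashes the same."""
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_record(chain, key, agent_id, ts, policy, decision):
    """Writer side: called by the layer that holds `key`, never by the agent."""
    body = {
        "seq": len(chain), "agent_id": agent_id, "ts": ts,
        "policy_sha256": digest(policy),  # policy active at decision time
        "decision": decision,
        "prev": chain[-1]["hash"] if chain else GENESIS,
    }
    rec = dict(body, hash=digest(body))
    rec["mac"] = hmac.new(key, rec["hash"].encode(), hashlib.sha256).hexdigest()
    chain.append(rec)

def verify_chain(chain, key, expected_head=None):
    """Return (ok, index of first bad record). expected_head is the last hash
    as anchored outside the store; without it, tail truncation goes unseen."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k not in ("hash", "mac")}
        mac = hmac.new(key, rec["hash"].encode(), hashlib.sha256).hexdigest()
        if (rec["seq"] != i or rec["prev"] != prev
                or digest(body) != rec["hash"]
                or not hmac.compare_digest(mac, rec["mac"])):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None

def build_sample(key=DEMO_KEY):
    """Constructed session: the agent gains a payments tool mid-session."""
    p1 = {"tools": ["search"], "spend_limit_usd": 0}
    p2 = {"tools": ["search", "payments"], "spend_limit_usd": 50}
    chain = []
    append_record(chain, key, "agent-7", "2026-06-14T10:00:00Z", p1, {"tool": "search", "allowed": True})
    append_record(chain, key, "agent-7", "2026-06-14T10:00:05Z", p1, {"tool": "payments", "allowed": False})
    append_record(chain, key, "agent-7", "2026-06-14T10:02:00Z", p2, {"tool": "payments", "allowed": True})
    return chain
```

Pass the most recent hash, kept somewhere the log store's operators cannot rewrite, as `expected_head`; otherwise dropping the newest records leaves a shorter chain that still verifies.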
The window is 49 days
GDPR took 2 years from announcement to enforcement. The compliance tooling market accelerated in the 6 weeks before the first major fine. EU AI Act enforcement for GPAI is August 2. The companies shipping agent-facing products now are the ones that will get pulled into compliance reviews first.
BizSuite's ai-audit delivers a 48-hour technical assessment of your agent stack against these specific requirements: runtime observability coverage, policy-at-decision-time capture, and tamper-evident audit trails. $997 for the assessment. Prioritized action plan in 48 hours.
The enforcement deadline is fixed. The audit window is now. https://getbizsuite.com/ai-audit.html