august 2 is 66 days away — here's what "documented risk management" actually means for agent deployments
Kennedy's Law put it in plain terms last week: from August 2, 2026, the EU Commission's enforcement powers activate for GPAI model providers. fines up to EUR 35 million or 7% of global annual turnover. transparency obligations under Article 50 become applicable the same day.
what most teams building on top of GPAI models haven't internalized yet is that "compliance" here isn't a checkbox — it's a documentation requirement that has to survive a regulatory audit. the Act specifies four concrete things GPAI deployers must demonstrate: documented risk management, data governance, logging, and human oversight. each of those four has a different infrastructure requirement, and most agent stacks today satisfy none of them in a form that would hold up to scrutiny.
documented risk management means you have a record, timestamped and attributable, of the risk assessment done before the agent was deployed, the controls put in place, and any incidents since. it can't live in a Notion doc that a team member can edit at any point. it needs a chain of custody.
logging for GPAI compliance isn't the same as application logging. Article 12 of the Act specifies that GPAI providers must maintain logs "to the extent possible" and make them available to competent authorities on request. "to the extent possible" sounds lenient until you realize that if a competitor or regulator asks and you produce a flat list of service account API calls, you're not demonstrating compliance — you're demonstrating you weren't thinking about it.
human oversight under the Act means a human was in a position to intervene at material decision points, and that you can prove it. not that a human was theoretically available. not that there's a kill switch. that there's a record showing the oversight mechanism was active, functioning, and logged.
the fourth requirement — data governance — is the one that intersects with GDPR and tends to create the most overlap work. if your agent is processing personal data as part of its task execution, GDPR's accountability principle under Article 5(2) requires individual attribution for every decision involving that data. a shared service account log doesn't provide that. you need an identity model that binds actions to individuals or authenticated agent identities, not roles.
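to make the four requirements above concrete, here is an added example (mine, not code from the original post or from any product it mentions) of the minimal shape such a record needs: every entry is attributed to an authenticated individual or agent identity rather than a shared role, timestamped, hash-chained to the previous entry so an edit or deletion is detectable, and authenticated with an HMAC under a key the logging service holds. it also shows how "human oversight was active" becomes a checkable property: a material agent decision with no human review record pointing at it is a gap. event names, field names, sample principals and timestamps are all constructed for illustration.

```python
# added example, not part of the original post: a tamper-evident,
# attributable audit trail for agent deployments. event names, field
# names and the sample principals below are constructed for illustration.
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stands in for "no previous record"
BODY_FIELDS = ("seq", "ts", "principal", "principal_type", "event", "detail")


def _digest(prev_hash: str, body: dict) -> str:
    # canonical JSON so the same record always hashes identically
    h = hashlib.sha256(prev_hash.encode())
    h.update(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    return h.hexdigest()


class AuditTrail:
    def __init__(self, signing_key: bytes):
        self._key = signing_key          # held by the logging service only
        self.records: list[dict] = []

    def append(self, principal: str, principal_type: str, event: str,
               detail: dict, ts: str) -> dict:
        # attribution must resolve to an individual or an agent identity;
        # shared roles and service accounts are refused outright
        if principal_type not in ("human", "agent"):
            raise ValueError("principal_type must be 'human' or 'agent'")
        if principal.startswith(("role:", "svc:")):
            raise ValueError("actions must be attributed to an identity, not a role")
        body = {"seq": len(self.records), "ts": ts, "principal": principal,
                "principal_type": principal_type, "event": event, "detail": detail}
        prev = self.records[-1]["hash"] if self.records else GENESIS
        digest = _digest(prev, body)
        mac = hmac.new(self._key, digest.encode(), "sha256").hexdigest()
        record = {**body, "prev_hash": prev, "hash": digest, "mac": mac}
        self.records.append(record)
        return record

    def verify(self) -> tuple[bool, int]:
        """return (True, -1) if the chain is intact, else (False, seq of first bad record)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: rec[k] for k in BODY_FIELDS}
            if rec["seq"] != i or rec["prev_hash"] != prev or rec["hash"] != _digest(prev, body):
                return False, i
            expected = hmac.new(self._key, rec["hash"].encode(), "sha256").hexdigest()
            if not hmac.compare_digest(expected, rec["mac"]):
                return False, i
            prev = rec["hash"]
        return True, -1

    def unreviewed_material_decisions(self) -> list[int]:
        """seq numbers of material agent decisions with no human_review record pointing at them."""
        reviewed = {r["detail"].get("reviews_seq") for r in self.records
                    if r["event"] == "human_review" and r["principal_type"] == "human"}
        return [r["seq"] for r in self.records
                if r["event"] == "agent_decision" and r["detail"].get("material")
                and r["seq"] not in reviewed]


def build_sample_trail(key: bytes) -> AuditTrail:
    # constructed sample: one pre-deployment risk assessment, three agent
    # decisions and one human review; fixed timestamps keep the demo deterministic
    t = AuditTrail(key)
    t.append("alice@example.test", "human", "risk_assessment",
             {"scope": "invoice-triage-agent",
              "controls": ["human review of payment holds", "PII redaction"]},
             "2026-06-01T09:00:00Z")
    t.append("agent:invoice-triage-01", "agent", "agent_decision",
             {"material": False, "action": "classified invoice", "personal_data": True},
             "2026-06-01T09:05:00Z")
    t.append("agent:invoice-triage-01", "agent", "agent_decision",
             {"material": True, "action": "placed payment hold on vendor"},
             "2026-06-01T09:06:00Z")
    t.append("bob@example.test", "human", "human_review",
             {"reviews_seq": 2, "outcome": "confirmed"}, "2026-06-01T09:20:00Z")
    t.append("agent:invoice-triage-01", "agent", "agent_decision",
             {"material": True, "action": "auto-approved refund"}, "2026-06-01T09:30:00Z")
    return t


def demo() -> dict:
    trail = build_sample_trail(b"constructed-demo-key")
    intact, _ = trail.verify()
    gaps = trail.unreviewed_material_decisions()
    # simulate someone quietly rewriting an earlier outcome in the store
    trail.records[2]["detail"]["action"] = "released payment"
    still_intact, first_bad = trail.verify()
    return {"intact_before": intact, "oversight_gaps": gaps,
            "intact_after_edit": still_intact, "first_bad_seq": first_bad}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

two caveats a reviewer will raise: the HMAC only helps if the signing key is held somewhere the people who can edit the record store cannot reach, and a hash chain on its own proves nothing if the whole chain can be recomputed, so the head hash should be periodically anchored outside the system (a separate store, a timestamping service, or a signed export handed to the compliance owner).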
66 days is enough time to get this right if you start now. it's not enough time to design it from scratch under pressure. the teams that will be in the best position on August 2 are the ones that spend the next two weeks auditing what they actually have — not the logging they think they have, but the logging that would survive a regulator's request — and then filling the gaps deliberately.
i built BizSuite AI Audit to solve exactly this gap. ProofChain gives every agent deployment a cryptographic attribution record, tamper-evident logging, and a compliance report structured for EU AI Act documentation requirements. 48-hour delivery. $997. the goal is that when August 2 arrives, you hand over a binder instead of a prayer.
if you're building GPAI-backed agents deployed anywhere in the EU — or building for clients who are — https://getbizsuite.com/ai-audit is the fastest path to that binder.