 Raheem Larry Babatunde

EU AI Act Compliance Checklist for AI Agents (87 Days Until Enforcement)

The EU AI Act becomes fully enforceable on August 1, 2026 — 87 days away.
Most companies know they need to comply. Almost none know what "ready" means at the technical level.
This checklist covers everything your AI agent needs before the deadline.

Step 1 — Determine Your Risk Classification
The EU AI Act classifies AI systems into four tiers. Your obligations depend entirely on which tier your agent falls into.
Unacceptable Risk — Prohibited. Cannot deploy in EU.
Examples: social scoring, real-time biometric surveillance of public spaces.
High Risk — Strictest obligations. Must comply before August 1.
Examples: medical diagnosis, credit scoring, hiring decisions, education assessment, law enforcement, critical infrastructure, border control.
Limited Risk — Transparency requirements only.
Examples: chatbots, customer support agents, content generation.
Minimal Risk — Voluntary code of conduct only.
Examples: spam filters, recommendation engines, AI in games.

Not sure which tier your agent falls into? Use the free scanner at verisigilai.com/scanner.html — it classifies your agent in 3 seconds.

Step 2 — High-Risk Compliance Checklist
If your agent is high-risk, every item below is legally required.
Identity and Transparency

Cryptographic agent identity — Your agent must have a verifiable, tamper-proof identity. A W3C DID or equivalent cryptographic identifier that proves the agent is who it claims to be. Generic API keys do not qualify.
Clear identification to users — Article 50 requires AI systems to clearly identify themselves as AI when interacting with humans. Must be technically enforced, not just documented.
Issuer attribution — The organisation that built and deployed the agent must be clearly documented and verifiable.
Human-readable verified name — Regulators and auditors must be able to identify the agent in plain language, not just by cryptographic ID.

Audit Trail and Logging

Immutable audit trail — Every decision and action taken by the agent must be logged with a tamper-proof signature. Logs cannot be retroactively altered.
Decision traceability — You must be able to reconstruct any agent decision from the audit log — what data it used, what it decided, and when.
Log retention policy — High-risk AI logs must be retained for a minimum period. Define and document your retention policy now.
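
A tamper-evident decision log for the items above, as an added example that is not the author's or VeriSigil's code: each record is hash-chained to its predecessor and authenticated, and the latest head hash is kept outside the log so a dropped tail is also caught. HMAC-SHA256 stands in for an asymmetric signature such as Ed25519 so the code runs on the Python standard library; the field names, key and sample records are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash value for the first entry

def entry_digest(body):
    # Canonical JSON so an unchanged entry always hashes to the same bytes.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).digest()

def append_entry(log, key, agent_id, ts, inputs, decision):
    """Append one decision record, chained to its predecessor and MACed."""
    body = {"seq": len(log), "ts": ts, "agent_id": agent_id, "inputs": inputs,
            "decision": decision, "prev_hash": log[-1]["hash"] if log else GENESIS}
    d = entry_digest(body)
    mac = hmac.new(key, d, hashlib.sha256).hexdigest()
    log.append({**body, "hash": d.hex(), "mac": mac})
    return d.hex()  # new head; keep a copy outside the log store

def verify_log(log, key, expected_head=None):
    """Return (True, None) if intact, else (False, index of first problem)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("hash", "mac")}
        d = entry_digest(body)
        good_mac = hmac.new(key, d, hashlib.sha256).hexdigest()
        if (body.get("seq") != i or body.get("prev_hash") != prev
                or entry.get("hash") != d.hex()
                or not hmac.compare_digest(str(entry.get("mac")), good_mac)):
            return False, i
        prev = entry["hash"]
    # The chain alone cannot reveal dropped tail entries; the stored head can.
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None

def demo():
    key = b"constructed-demo-key"  # assumption: real key is held in a KMS/HSM
    log = []
    rows = [("2026-05-06T09:00:00Z", {"applicant": "A-1001", "score": 712}, "approve"),
            ("2026-05-06T09:00:05Z", {"applicant": "A-1002", "score": 540}, "refer"),
            ("2026-05-06T09:00:09Z", {"applicant": "A-1003", "score": 431}, "decline")]
    for ts, inputs, decision in rows:
        head = append_entry(log, key, "demo-agent-1", ts, inputs, decision)
    intact = verify_log(log, key, head)
    truncated = verify_log(log[:2], key, head)   # last entry silently dropped
    log[1]["decision"] = "approve"               # retroactive edit
    edited = verify_log(log, key, head)
    return intact, truncated, edited
```

With a shared-secret MAC, anyone who can verify the log can also forge entries, so an auditor-facing deployment would sign each digest with the agent's private key instead.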

Human Oversight

Human override capability — A designated human must be able to intervene, override, or shut down the agent at any time. Must be technically implemented — not just stated in a policy document.
Escalation workflow — Define which decisions require human approval before the agent acts. Document and technically enforce these boundaries.
Monitoring and alerting — Real-time monitoring that alerts a human when the agent behaves outside expected parameters.
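
One way to enforce the override and escalation items in code rather than in a policy document, as an added example that is not the author's or VeriSigil's code: every tool call passes through a gate that checks a kill switch first and refuses escalated actions until a human has approved those exact parameters. The class, the approval threshold and the payment tool are hypothetical.

```python
import threading

class AgentHalted(Exception): pass
class ApprovalRequired(Exception): pass

class OversightGate:
    """Single choke point: the agent reaches its tools only through run()."""
    def __init__(self, needs_approval):
        self._needs_approval = needs_approval  # predicate(action, params) -> bool
        self._halted = threading.Event()       # kill switch, visible to all threads
        self._approved = {}                    # request_id -> reviewed (action, params)
        self.events = []                       # forward to audit log and alerting

    def halt(self, operator):
        self._halted.set()
        self.events.append(("halt", operator))

    def approve(self, request_id, action, params, operator):
        # Approval is bound to the reviewed action and parameters; single-use.
        self._approved[request_id] = (action, dict(params))
        self.events.append(("approve", request_id, operator))

    def run(self, request_id, action, params, fn):
        if self._halted.is_set():              # checked first: halt beats approval
            self.events.append(("blocked", request_id))
            raise AgentHalted(request_id)
        if self._needs_approval(action, params):
            if self._approved.pop(request_id, None) != (action, dict(params)):
                self.events.append(("escalated", request_id))
                raise ApprovalRequired(request_id)
        self.events.append(("executed", request_id))
        return fn(**params)

def demo():
    def pay(payee, amount):                    # constructed stand-in for a real tool
        return f"paid {payee} {amount}"
    gate = OversightGate(lambda a, p: a == "payment" and p["amount"] > 1000)
    big = {"payee": "ACME", "amount": 5000}
    def attempt(rid, params):
        try:
            return gate.run(rid, "payment", params, pay)
        except (ApprovalRequired, AgentHalted) as exc:
            return type(exc).__name__
    out = [attempt("r1", {"payee": "ACME", "amount": 200}), attempt("r2", big)]
    gate.approve("r2", "payment", big, "alice")
    out += [attempt("r2", big), attempt("r2", big)]  # reuse of approval refused
    gate.halt("bob")
    out.append(attempt("r3", {"payee": "ACME", "amount": 5}))
    return out
```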

Security

Clone and impersonation detection — A malicious actor impersonating your registered agent could create regulatory liability. Implement detection for cloned or impersonating agents.
Prompt injection protection — High-risk agents interacting with external inputs must have documented protections against prompt injection attacks.
Access controls — Document who can access, modify, or deploy the agent and how that access is controlled and audited.

Documentation

Technical documentation — A detailed technical file describing the agent's purpose, design, training data if applicable, known limitations, and risk mitigation measures.
Conformity assessment — For highest-risk applications (biometrics, critical infrastructure, law enforcement), third-party assessment is required before deployment. Self-certification is not permitted.
EU AI Act risk classification declaration — Formally document which risk tier your agent falls into and why, with supporting evidence.

Step 3 — Limited Risk Compliance
If your agent is limited risk, your primary obligation is transparency — users must know they are interacting with an AI.

AI identification disclosure — Clearly state the system is AI at the start of every interaction.
Content labelling — AI-generated content must be labelled as such.

Step 4 — Register in the EU AI Database
High-risk AI systems must be registered in the EU's public AI database before deployment. Required fields:

System name, type, purpose, and risk classification
Provider legal entity name, address, and contact details
Declaration of conformity

Step 5 — The Fastest Way to Start
Most identity, audit, and transparency requirements can be satisfied with a single API call.
When you issue a VeriSigil AI passport for your agent, you immediately get:
```json
{
  "agent_id": "vsa_52aaf4c1141d",
  "display_name": "FinanceGuard-7",
  "issuer_org": "FinTech Corp",
  "eu_risk_class": "LIMITED_RISK",
  "compliant": true,
  "trust_score": 0.97,
  "verification_tier": 0,
  "tier_label": "Self-Declared",
  "eu_ai_act": true,
  "stored": true
}
```
This satisfies:

Cryptographic identity (Ed25519 signed, W3C DID)
EU AI Act risk classification embedded at issuance
Immutable audit trail from date of issuance
Human-readable verified name with issuer attribution
Shadow Detection for clone and impersonation scanning

Try it free — no signup, no credit card, 60 seconds:
```bash
curl -X POST \
  https://verisigil-api-production.up.railway.app/v1/passport/issue \
  -H "Content-Type: application/json" \
  -H "x-api-key: verisigil-secret-2026" \
  -d '{
    "agent_name": "my-agent",
    "display_name": "MyAgent",
    "issuer_org": "MyCompany",
    "owner": "you@yourcompany.com"
  }'
```

Key Dates
| Date | What Happens |
| --- | --- |
| ✅ Feb 2, 2025 | Prohibited AI systems banned |
| ✅ Aug 2, 2025 | GPAI model rules apply |
| ⚠️ Aug 1, 2026 | High-risk AI and transparency rules enforced. Fines up to €30M. |
| Aug 2, 2027 | Additional rules for AI in regulated products |

Free Tools

Free scanner — paste your agent config, get instant risk report: verisigilai.com/scanner.html
Developer quickstart — issue your first passport in 60 seconds: verisigilai.com/quickstart.html
Public agent report — shareable compliance URL for any passport: verisigilai.com/agent.html

Full Checklist Article
Read the complete version with all details at:
verisigilai.com/blog/eu-ai-act-compliance-checklist.html

Built by Raheem Larry Babatunde — Founder & CEO, VeriSigil AI
raheem@verisigilai.com · verisigilai.com
