EU AI Act — Enforcement 02 August 2026
As a deployer, you have three tasks: know what AI is running in your environment, fulfill your own obligations, and get the right documentation from your vendors.
The EU AI Act applies a risk-based framework to agentic AI use. Enterprises using autonomous AI agents must ensure transparency, human oversight, logging, risk management, and compliance controls — especially for high-risk use cases like HR, finance, healthcare, or critical infrastructure.
For Security Leaders
The EU AI Act splits obligations across providers and deployers. If you are deploying AI, not building it, here is what you own, what you demand from vendors, and what you need to file.
Task 01
Monitor your AI systems. Assign human oversight. Retain logs for at least six months. Intervene when something goes wrong. Article 26 makes you accountable for the AI you deploy regardless of who built it.
This means knowing which agent accessed which system, under what permissions, and when — and being able to produce that log to a regulator on request.
Task 02
The companies that built the AI you deploy hold Article 9 (risk management), Article 12 (logging capability), and Article 13 (transparency documentation) obligations. You need their compliance documentation before 02 August.
Ask each vendor in writing now. See the vendor questions section for exact language.
Task 03
If you are deploying high-risk AI systems as defined under Annex III, you may need to register in the EU database before deployment. Your legal counsel makes the high-risk determination.
What they will need from you: a complete inventory of every AI system in your environment — who owns it, what it accesses, and when it was deployed.
Plain Language
The six articles that matter most for deployers, in plain English. Each one has a different owner — provider, deployer, or both.
The AI system must have an ongoing risk management process across its full lifecycle, including after deployment. Provider's job to build and document; your job to verify they have it.
Owner: Provider
Training data must meet quality, relevance, and representativeness standards. Providers hold this for the models they supply. If you fine-tune a model yourself, you hold it. Requires data classification, sensitive data handling, and regional controls.
Owner: Provider (or Deployer if fine-tuning)
High-risk AI systems must technically allow automatic logging of events over the system's lifetime. If your AI vendor cannot produce these logs, it is non-compliant — but the problem lands on your deployment.
Owner: Provider
Your AI vendor must give you documentation on what the system can and cannot do, its accuracy and limitations, known risks, and how to interpret its outputs. Should come with the product.
Owner: Provider
High-risk AI systems must be designed so humans can effectively supervise them — detect anomalies, override outputs, and shut them down. You must assign people with authority and training to actually do this.
Owner: Deployer
This is your article. Use the system per the vendor's instructions. Monitor it. Retain logs. Assign qualified human oversight. Report serious incidents. If you deploy it, you own how it runs.
Owner: Deployer
Certain deployers — public bodies, and organizations deploying high-risk AI in areas like employment, credit, or biometrics — must conduct a fundamental rights impact assessment before going live. Documents potential harms to individuals.
Owner: Deployer (where applicable)
Before deploying a high-risk AI system, it must be registered in the EU database. Providers register their systems. Public authorities register their use cases. Counsel determines whether your deployment qualifies under Annex III.
Owner: Provider + Deployer
Key Dates
The EU AI Act rolled out in phases. Not everything is enforced on 02 August.
02 Feb 2025
Article 5 prohibited AI practices are now illegal in the EU. Fines up to €35M or 7% of global turnover. In effect now.
02 Aug 2025
General-Purpose AI model obligations apply. GPAI providers must produce technical documentation, comply with copyright rules, and publish training data summaries. In effect now.
07 May 2026
Political agreement reached to delay parts of the timeline by 16 months. Not yet enacted into law. The AI Act is not retroactive. Legal counsel across the industry is advising clients to plan for 02 August 2026 regardless.
02 Aug 2026 — Primary deadline
The majority of AI Act obligations become enforceable. High-risk system requirements under Annex III. Articles 9, 10, 12, 13, 14, 26, 27, and 49 all active. Article 50 transparency rules for AI interactions.
02 Aug 2027
High-risk AI rules extend to AI embedded in regulated products — medical devices, machinery, toys, vehicles. If you deploy AI in physical products, this date applies to you.
Responsibility Split
For each article: who holds the obligation and what evidence your risk officer needs to have on file.
| Article | What It Requires | Owner | Evidence You Need |
|---|---|---|---|
| Art. 9 | Continuous risk management across the full AI lifecycle | Provider | Vendor's risk management documentation — request in writing |
| Art. 10 | Data quality, governance, and regional handling controls for training data | Provider / Deployer if fine-tuning | Vendor's data governance documentation; your own data handling records if you fine-tune |
| Art. 12 | System must technically allow automatic logging over its lifetime | Provider | Vendor confirmation that logging is technically enabled |
| Art. 13 | Provider must supply transparency documentation on capabilities and limits | Provider | Vendor's transparency disclosure — should come with the product |
| Art. 14 | Human oversight mechanisms must be in place | Deployer | Your internal records: assigned oversight roles and training completed |
| Art. 26 | Monitor the system, retain logs 6 months, report incidents | Deployer | Activity logs, incident reports, oversight assignment records |
| Art. 27 | Fundamental rights impact assessment before deploying certain high-risk AI systems | Deployer (where applicable) | Completed FRIA documentation — required for public bodies and certain high-risk use cases |
| Art. 49 | Register in EU database before deployment | Provider + Deployer | EU database registration confirmation and your system inventory |
Vendor Due Diligence
Send these in writing to every AI vendor whose systems you deploy. Their responses — or lack of them — become part of your compliance record.
"Does your system technically allow automatic recording of events over its lifetime as required by Article 12 of the EU AI Act? Can you provide documentation confirming this?"
"Can you provide your Article 9 risk management system documentation? We need to confirm you have a continuous risk management process in place across the full lifecycle of your system."
"Where is your Article 13 transparency disclosure? We need documentation covering the system's capabilities, limitations, accuracy metrics, known risks, and instructions for use."
"Has this system been registered in the EU AI database per Article 49? If so, can you provide the registration reference? If not, what is your timeline?"
If You Are Behind
Full compliance by 02 August is the goal. If you are not there, here is what matters most to regulators — and what demonstrates good faith.
You cannot govern what you cannot see. Having an active discovery process running — even if incomplete — demonstrates intent. Regulators look for evidence you are trying, not evidence you are done.
Have you identified which of your AI systems are potentially high-risk under Annex III? A written assessment — even a preliminary one — shows you have engaged with the framework.
If you have sent your vendors the Article 9, 12, and 13 questions and are waiting for answers, document that. The burden of those obligations sits with the provider. Your job is to have asked.
Regulators respond better to "here is our plan and our timeline" than to silence. A written gap assessment with owner assignments and target dates is worth more than a completed program you cannot evidence.
The AI Act compliance determination is a legal question. Having documented that your counsel is engaged and advising you is itself a form of due diligence.
How Cequence Helps
For each deployer obligation, here is what Cequence AI Gateway provides operationally — the evidence layer, the controls, and the visibility your compliance program needs.
| Article | Your Obligation | What Cequence Provides |
|---|---|---|
| Art. 9 | Continuous risk management across the AI lifecycle | Runtime monitoring, anomaly detection, guardrails, policy enforcement, and kill-switch controls across all agent and API activity |
| Art. 12 | System must allow automatic logging over its lifetime | Audit trails and exportable logs capturing agent identity, tool calls, data accessed, user context, and full request/response flows |
| Art. 13 | Transparency into what the AI system is doing | Real-time visibility into agent behaviour — who called what, what data was accessed, where it went, and under what permissions |
| Art. 14 | Human oversight — assign, train, and enable intervention | Agent Personas with least-privilege access, approval and override patterns, and kill-switch style intervention controls at the gateway layer |
| Art. 26 | Monitor operation, retain logs, report incidents | Six-month log retention, SIEM-exportable activity records, incident detection with alerting, and deployer accountability evidence for regulators |
| Art. 49 | Register high-risk AI systems in the EU database | AI and agent inventory — every agent, MCP server, and agentic workflow is discovered and documented so your counsel has what they need for the filing determination |
"It ticks the boxes." CISO, global investment management firm — 1,300 employees, regulated in EU, UK, and South Africa. May 2026.
Start With Visibility
You cannot fulfill Article 26, register under Article 49, or demand the right vendor documentation until you know what AI is deployed. If you have Palo Alto, Fortinet, or any NGFW with logs in Splunk, Sentinel, or Elastic — we can show you how to leverage this data. No deployment. No procurement.
Cequence AI Gateway supports compliance evidence for the obligations described above. Compliance determinations are made by your legal counsel and risk officers, not by Cequence. Article citations per EU AI Act (Regulation (EU) 2024/1689). Fine tiers per Article 99. Dates current as of 20 May 2026.