Is the EU AI Act ready for AI agents?

The EU AI Act vs Agentic AI Risks

February 12, 2025 · 6 min read

The EU AI Act, set to be the world's first comprehensive regulatory framework for AI, aims to address the risks associated with AI systems, including AI agents. However, there are several gaps in the Act when compared to the emerging risks posed by AI agents:

  1. Autonomous Decision-Making: The EU AI Act does not fully address the risks associated with the autonomous nature of AI agents. While it focuses on high-risk AI systems, it doesn't specifically account for the complex decision-making processes of autonomous agents[1][6].

  2. Data Exposure and Exfiltration: AI agents can potentially access and process vast amounts of data, increasing the risk of data breaches. The AI Act doesn't adequately address the specific risks of data exposure and exfiltration that AI agents may introduce[2].

  3. Resource Consumption: AI agents can consume significant system resources, potentially leading to denial of service issues. The Act doesn't explicitly cover this risk[2].

  4. Agent Hijacking: The potential for unauthorized actors to take control of AI agents is a significant risk not fully addressed in the AI Act[2].

  5. Supply Chain Risks: The use of third-party libraries or code in AI agents introduces supply chain risks that are not comprehensively covered in the Act[2].

  6. Public vs. Private Sector Divergence: The AI Act applies different rules to public and private sector actors, which may not be justified given that the power asymmetry created by AI use can be similar regardless of the actor[4].

  7. Intentionality Requirement: The Act requires intent for certain prohibitions to apply, which may leave gaps in protection against unintended harmful consequences of AI agents[4].

  8. Limited Scope of Vulnerability: The Act's focus on vulnerabilities due to age and physical or mental disability may not sufficiently protect against manipulation based on other characteristics protected under EU equality law[4].

  9. Inconsistent Risk Classification: The Act's risk-based approach sometimes places similar types of systems in different risk categories without clear justification[4].

  10. Lack of Coherence with Existing EU Law: There are inconsistencies between the AI Act and other EU regulations such as the GDPR and ePrivacy regulation, which may create regulatory confusion[4][5].

  11. Limited Regulation of Fully Autonomous Agents: There is a lack of specific regulation for fully autonomous agents with legal personhood[8].

  12. Ethical Decision-Making: The Act doesn't provide comprehensive guidelines for ensuring AI agents make decisions aligned with human and societal values[6].

To address these gaps, policymakers may need to consider updating the AI Act to more specifically address the unique challenges posed by AI agents, including their autonomous nature, potential for misuse, and broader societal impacts[6].

Citations:
[1] https://www.ibm.com/think/topics/eu-ai-act
[2] https://www.computerweekly.com/opinion/Gartner-Mitigating-security-threats-in-AI-agents
[3] https://www.ceps.eu/ceps-publications/the-ai-act-and-emerging-eu-digital-acquis/
[4] https://www.europarl.europa.eu/RegData/etudes/STUD/2022/729507/EPRS_STU(2022)729507_EN.pdf
[5] https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
[6] https://www.weforum.org/stories/2024/12/ai-agents-risks-artificial-intelligence/
[7] https://www.edf-feph.org/publications/eus-ai-act-fails-to-set-gold-standard-for-human-rights/
[8] https://www.linkedin.com/pulse/regulatory-gap-materializes-eus-proposed-ai-act-fully-igor-barshteyn
[9] https://artificialintelligenceact.eu/high-level-summary/
[10] https://www.lumenova.ai/blog/ai-agents-potential-risks/