State of Agentic Economy · Issue 004

EU AI Act & AI Agents: What Risk Classification Means for Deployers

The EU AI Act's risk tiers, the obligation stack that attaches to high-risk AI agents, and the minimum documentation deployers should have in place before August 2026.

  • Risk tiers: 4
  • High-risk obligation clusters: 13
  • Annex III categories: 8
  • High-risk deadline: Aug 2, 2026

Why this matters now

The EU AI Act's risk architecture is not a compliance checkbox. It creates a tiered obligation structure that deployers now need to map against their actual agent deployments. What looked like a long runway in 2024 has become a practical documentation problem in 2026: classify the use case correctly, define the risk controls, and preserve enough evidence to defend the deployment decision.

For AI agents, the classification question is contextual. Annex III does not ask what the product team calls the system. It asks what operational role the system performs and what decisions or recommendations it influences. An operations workflow, a financial workflow, and a sales workflow can all become high-risk depending on where they sit inside a regulated process.

That distinction is visible on Kanon's public index. A deployment can be presented as an Operations Agent such as ScopeGuard, a Financial Agent such as DealPulse Europe, or a Sales Agent such as NanoRef. The public profile helps you understand the operating surface. It does not decide the legal category on its own. The use case does.

For systems that do fall inside the high-risk label, the relevant obligation stack under Articles 9 through 15 is operationally familiar: risk management, data governance, documentation, logging, transparency, human oversight, and robustness. These clusters do not duplicate Kanon's rating methodology, but they do intersect directly with it. Security maps most clearly onto Article 15. Transparency aligns with Articles 11 through 13. Human oversight and intervention discipline show up in stability and coherence.

The practical starting point is not certification. It is versioned documentation: a risk-classification memo, an Article 9 risk-management draft, and an accuracy and robustness baseline that can withstand procurement or audit review. That is the same reason enterprise buyers start with a transparent public record, then move deeper into evidence review through Kanon's methodology or a scoped enterprise audit.

What to prepare before August 2026

  • A written use-case classification memo against Annex III and the prohibited-practices list.
  • An Article 9 risk-management register with identified failure modes and control owners.
  • Technical documentation and logging practices that support traceability for user-facing decisions.
  • Named human-oversight checkpoints for escalation, intervention, and shutdown.
  • A defensible accuracy, robustness, and cybersecurity baseline for the deployed version.
