
EU AI Act August 2026 Deadline: What Needs to Be Ready

15 Research Lab
eu-ai-act compliance

August 2, 2026 is when the EU AI Act's high-risk AI system obligations become enforceable under Annex III. Organizations deploying AI agents in high-risk domains have less than six months to comply. Here is what needs to be in place.

What Becomes Enforceable

The full Title III obligations for high-risk AI systems, including:

  • Risk management system (Article 9): Continuous identification, evaluation, and mitigation of risks
  • Data governance (Article 10): Requirements for training, validation, and testing data
  • Technical documentation (Article 11): Full system documentation
  • Record-keeping (Article 12): Automatic logging of system events
  • Transparency (Article 13): User-facing information about the system
  • Human oversight (Article 14): Mechanisms for human monitoring and intervention
  • Accuracy, robustness, cybersecurity (Article 15): Performance and security requirements

Priority Checklist for Agent Deployments

Classification (do this first): Determine whether your AI agent falls under Annex III high-risk categories. If it does not, the Title III obligations do not apply, but document your classification reasoning anyway.

Risk management system: Create a risk register. Identify risks specific to your agent (prompt injection, tool misuse, data exfiltration). Document mitigations. Test them. This is the foundation for everything else.

Audit logging: Deploy hash-chained receipt generation for all agent actions. Every tool call, policy decision, and approval outcome needs a tamper-evident record. You cannot retroactively add logging after the deadline.

Human oversight mechanisms: Build and test approval workflows for high-risk actions. Deploy a kill switch and verify it works. Create a monitoring dashboard. Train the people who will use it.

Technical documentation: Document your system architecture, training data, evaluation results, known limitations, and intended use. This is not optional and it is the artifact most likely to be requested by regulators.

Conformity assessment: For most agent deployments, self-assessment is sufficient (unless your agent falls under Annex III point 1, which requires third-party assessment). Conduct the assessment against the checklist in Annex VII.
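The audit logging item in the checklist above calls for hash-chained receipts. The sketch below is an added example, not code from Authensor or from the original post: it shows one way to chain receipts with SHA-256 and to verify the chain, including the case a chain alone cannot detect (dropped tail entries). The field names, the all-zero genesis value, and the sample events are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first receipt (convention assumed here)

def receipt_digest(body):
    # Canonical JSON so the same receipt always serializes to the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_receipt(chain, kind, detail, ts):
    """Append a receipt whose hash covers its fields and the previous hash."""
    body = {"seq": len(chain), "ts": ts, "kind": kind, "detail": detail,
            "prev_hash": chain[-1]["hash"] if chain else GENESIS}
    chain.append(dict(body, hash=receipt_digest(body)))
    return chain[-1]["hash"]  # new head; store it outside the log host

def verify_chain(chain, anchored_head=None):
    """Return (ok, index of first bad receipt, reason)."""
    prev = GENESIS
    for i, r in enumerate(chain):
        body = {k: v for k, v in r.items() if k != "hash"}
        if r.get("seq") != i:
            return False, i, "sequence gap or reorder"
        if r.get("prev_hash") != prev:
            return False, i, "broken link to previous receipt"
        if receipt_digest(body) != r.get("hash"):
            return False, i, "content does not match hash"
        prev = r["hash"]
    # The chain alone cannot reveal dropped tail entries; an anchored head can.
    if anchored_head is not None and prev != anchored_head:
        return False, len(chain), "head differs from anchored value"
    return True, None, "ok"

def build_sample_chain():
    # Constructed sample events: a tool call, its policy decision, the approval.
    chain = []
    append_receipt(chain, "tool_call", {"tool": "send_payment", "amount_eur": 900},
                   "2026-01-10T09:00:00Z")
    append_receipt(chain, "policy_decision",
                   {"rule": "payments_over_500", "decision": "require_approval"},
                   "2026-01-10T09:00:01Z")
    append_receipt(chain, "approval", {"approver": "ops-oncall", "outcome": "denied"},
                   "2026-01-10T09:00:05Z")
    return chain

if __name__ == "__main__":
    log = build_sample_chain()
    print(verify_chain(log, anchored_head=log[-1]["hash"]))
    log[1]["detail"]["decision"] = "allow"  # simulated after-the-fact edit
    print(verify_chain(log))
```

An unkeyed chain like this only proves internal consistency: anyone who can rewrite the whole log can also recompute every hash, so the head value needs to be anchored somewhere the agent host cannot modify (or the receipts signed) for the record to be tamper-evident in practice.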

What Happens If You Are Not Compliant

Penalties for non-compliance with high-risk obligations: up to 15 million EUR or 3% of global annual turnover, whichever is higher. For prohibited AI practices, the cap is 35 million EUR or 7% of turnover.

Enforcement is by national market surveillance authorities in each EU member state. Expect enforcement to be uneven initially, with focus on high-profile cases and clear violations.

Practical Advice

Start with the technical controls that take the longest to build: audit logging, policy enforcement, and human oversight mechanisms. These require engineering work that cannot be compressed into a final sprint.

Documentation can be written in parallel. Risk assessments should already be underway.

If you are building on a framework that already provides these controls (Authensor provides policy enforcement, audit receipts, and approval workflows), your timeline compresses significantly. If you are building from scratch, start now.