Agentic AI and regulation: who answers when the agent acts alone
An AI agent does not answer questions: it executes. It opens an account, denies a loan, escalates a case or moves funds without a human approving every step. When that decision harms a customer or breaches a rule, the regulator does not ask which model made it. It asks who was accountable for it. Agentic AI does not open a legal vacuum: it lands squarely on frameworks already in force.
Agentic AI does not open a legal vacuum
A financial institution deploying autonomous agents operates under three regimes at once. The Reglamento UE 2024/1689: marco europeo para sistemas de IA basado en riesgo. Prohíbe usos inaceptables, regula los de alto riesgo y establece transparencia para modelos generativos. Entrada en vigor escalonada 2025-2027.AI Act (Regulation (EU) 2024/1689) governs the AI system itself. Digital Operational Resilience Act: reglamento UE 2022/2554 sobre resiliencia operativa digital. Exige a entidades financieras de la UE resistir, responder y recuperarse de incidentes TIC. En vigor desde 17 enero 2025. Leer más → DORA (Regulation (EU) 2022/2554) treats the model provider as an ICT third party, with everything that entails. And sector rules (Spain's Law 10/2010 on money-laundering prevention, consumer-credit regulation) still demand the same controls even when the actor is a machine.
The founding mistake is to treat an agent as an internal tool and therefore opaque to the supervisor. It is not. If the agent decides about people, its decisions are auditable, attributable and, in many cases, high-risk.
The AI Act classifies by risk: finance lands in high-risk
The AI Act ranks systems by risk level and reserves the regulatory weight for the high-risk tier. Two of the Annex III cases land directly in banking and insurance:
| Case (Annex III) | Systems affected |
|---|---|
| Point 5(b) | Creditworthiness evaluation and credit scoring of natural persons, except financial-fraud detection. |
| Point 5(c) | Risk assessment and pricing in life and health insurance. |
If an agent scores an applicant's creditworthiness or prices a health policy, it is a high-risk system. That triggers a block of obligations that are not optional: risk management (Art. 9), training-data governance (Art. 10), technical documentation (Art. 11), automatic event logging (Art. 12), transparency to the deployer (Art. 13), human oversight (Art. 14) and accuracy, robustness and cybersecurity (Art. 15). Certain deployers must also run a fundamental-rights impact assessment (Art. 27) before first use.
The Digital Omnibus moves the dates, not the obligations
The AI Act applies in phases. Worth keeping in view, because it changed in May 2026.
| Milestone | Date |
|---|---|
| Entry into force | 1 August 2024 |
| Prohibited practices and AI literacy | 2 February 2025 |
| General-purpose models (GPAI) | 2 August 2025 |
| Annex III high-risk (standalone systems) | 2 December 2027 (deferred) |
On 7 May 2026, the Council and Parliament reached a provisional political agreement on the Digital Omnibus, which defers the application of Annex III high-risk obligations from 2 August 2026 to 2 December 2027; high-risk systems embedded in Annex I products are pushed to August 2028. It is a delay, not a repeal, and it still has to be formally adopted.
The correct reading is not "there is more time, this can wait." It is that the model's compliance deadline decouples from the real deployment calendar: agents are already in production making decisions today, and the traceability that Art. 12 will require in 2027 is not built in hindsight. If the log did not exist when the agent acted, it cannot be reconstructed afterwards.
Where the autonomous agent breaks classic control
The concrete operational problem sits in two articles. Art. 14 requires effective human oversight: a person able to understand, monitor and, if needed, reverse the system's decision. Art. 12 requires automatic event logging across the lifecycle.
An autonomous agent strains both. It chains tool calls and decisions at machine speed, so human-in-the-loop oversight at every step stops being viable. And an agent moving between systems on shared credentials leaves no attributable trail: the log says which service account acted, not which agent, on whose behalf, under what authorisation.
The answer is not to throttle the agent into uselessness. It is to decide which decisions are irreversible and require human control only there, while everything else is logged by design.
The architecture that sustains oversight
Meeting these articles is, in practice, a matter of architecture, not policy. Three pieces hold it up:
- Cryptographic identity per agent. Each agent acts under its own verifiable identity, not a shared service credential. It is the same thesis we hold for connectivity: identity precedes access. Without it, the Art. 12 log is not attributable and Art. 14 has no one to oversee.
- Human control at the irreversible points. The four-eyes principle, already established in Anti-Money Laundering: prevención de blanqueo de capitales. Consume 5-10% del presupuesto operativo de una entidad media; los sistemas tradicionales generan >95% falsos positivos. Leer más → AML compliance, moves Art. 14 oversight to where it matters: a decision that cannot be undone is approved by a person; the routine one, by the agent.
- Audit trail by design. Every agent action is logged with integrity and is recoverable, not as an application log that rotates after thirty days, but as regulatory evidence held to the same standard as the document retention Law 10/2010 already imposes.
On that base, standards provide the management frame: ISO/IEC 42001 defines a certifiable AI management system, and the NIST AI RMF supplies the risk vocabulary. But neither replaces the architecture: a certificate does not rebuild a log that never existed.
Conclusion: traceability is the new compliance
Agentic AI regulation does not reward the best model, but the institution that can prove who decided what, when and under what authorisation. The Digital Omnibus delay buys room to build it well, not an excuse not to build it. The institution that deploys agents on a base of verifiable identity, human control over the irreversible and intact traceability reaches 2027 with compliance already solved. The one improvising logs after the fact does not.
At BlueUP we build that base: identity before connectivity, four eyes over what cannot be undone, and an audit trail with evidentiary value. To see how it applies to DORA and AML compliance, read our practical DORA guide for financial institutions and how we automate SEPBLAC reporting without losing traceability, or let's talk about your case.