§ EU AI ACT

Get ahead of the EU AI Act high-risk deadline

The EU AI Act is the first comprehensive law governing artificial intelligence. If your autonomous agents fall under Annex III, you need risk management, record-keeping, human oversight, and auditable evidence — in production, not on a slide. Execlave is the enforcement and evidence layer that gets you there.

The Act takes a risk-based approach: a small set of practices is prohibited, a broad “high-risk” category carries the heaviest obligations, and general-purpose AI models have their own transparency duties. Autonomous AI agents that make or support consequential decisions frequently land in the high-risk bucket.

Deadline in flux: the AI Act as adopted sets the high-risk (Annex III) date at 2 August 2026. A provisional “Omnibus” agreement reached in May 2026 would postpone it to 2 December 2027, but that change is not yet law — it binds only once formally adopted and published in the EU Official Journal. Building governance in now de-risks either outcome.

This page is an overview, not legal advice. For the full article-by-article control mapping, see the EU AI Act compliance docs. Always confirm current dates against the official EU sources.

§ TIMELINE

When the obligations land

The Act applies in phases. The high-risk deadline most agent teams care about is dated 2 August 2026 — with a proposed Omnibus postponement to December 2027 that is not yet binding.

  • 2 February 2025
    Prohibited AI practices + AI literacy
    Bans on unacceptable-risk systems (e.g. social scoring) and the AI-literacy duty take effect.
  • 2 August 2025
    General-purpose AI (GPAI) models
    Technical documentation, training-data summary, and downstream-operator cooperation.
  • 2 August 2026
    High-risk systems (Annex III) — as adopted
    The date in the AI Act as adopted for providers and deployers of stand-alone high-risk systems. See the Omnibus note below — a postponement is in progress.
  • 2 December 2027
    High-risk systems (Annex III) — proposed
    The postponed date under the provisional May 2026 Omnibus agreement. Binding only once formally adopted and published in the EU Official Journal.

§ COVERAGE

Execlave, article by article

How the platform maps to the high-risk obligations that apply to AI agents.

Article 9 — Risk management

  • 19 built-in policy types, including prompt injection, data access, cost, quality, tool integrity, groundedness, OPA Rego, and agent lineage.
  • Four enforcement modes — monitor, warn, require approval, block.
  • Incident tracking with severity, timeline, and resolution workflow.

Article 10 — Data governance

  • SDK PII scrubbing across 14 categories before data leaves your process.
  • Input-sanitisation middleware on every ingest endpoint.
  • EU data residency on enterprise tier.

Articles 12 & 19 — Record-keeping & logs

  • Every agent execution traced with input, output, model, tokens, cost, latency.
  • Append-only audit log; UPDATE/DELETE blocked at the database trigger level.
  • Hash-chained entries — tampering is detectable offline. Retention up to 10 years.

Articles 13 & 50 — Transparency

  • Every enforcement decision carries a human-readable reason and rule IDs.
  • SDK emits a provenance header on every response for downstream watermarking.
  • Agent identity surfaced for user-facing disclosure banners.

Article 14 — Human oversight

  • Kill switch from the dashboard or Slack.
  • require_approval mode halts execution until a human decides.
  • Real-time view of every pending decision; approval expiry prevents hung requests.

Articles 15, 17 & 26 — Robustness & oversight

  • Client- and server-side prompt-injection scanning with severity scoring.
  • Policy and prompt versioning with before/after audit entries.
  • Per-agent metering with EWMA anomaly detection and threshold alerts.

Regulator-ready evidence on demand

The compliance export produces a signed, time-bounded evidence package — policy inventory, enforcement statistics, approval records, agent registry, and the hash-chained audit trail — as an RSA-SHA256-signed PDF, HTML, or JSON document. The signature lets an auditor verify the report was not altered after generation.

Get audit-ready ahead of the deadline

Free tier available. No credit card required.