Agentic AI: how do autonomous AI agents fall under the rules?

Short answer: Agentic AI — systems that turn goals into steps, call tools and APIs, and take actions on their own — has no separate category in the AI Act. Yet it is not unregulated: the underlying model often falls under the GPAI regime, risk classification follows the concrete use, and the duties on transparency (Art. 50) and human oversight (Art. 14) apply in full. The sharpest open question is who is liable for what an agent does autonomously.

What sets agentic AI apart

Generative AI produces output on request: text, images, code. Agentic AI goes a step further. Such a system turns a goal into a plan, calls tools or APIs on its own, takes actions, and can thereby bind a user to consequences — sometimes with only limited human oversight. Think of an agent that schedules appointments, places orders, runs code or enters into obligations on a user's behalf.

The difference is not academic: it shifts the risk from "wrong output" to "wrong action".

The AI Act has no separate "agent" category

The AI Act is structured around the risks of AI systems, not around agents as a distinct species. Even so, agentic AI is covered along four lines:

• The underlying model. If the agent is built on a general-purpose AI model, the GPAI obligations (Art. 53 and 55) apply to that model. See the GPAI regime.
• Risk classification follows the use. If the agent is deployed in an Annex III context (for example recruitment, lending or critical infrastructure), the system is high-risk, with all the attendant duties. See the high-risk obligations.
• Transparency (Art. 50). A user interacting with an AI system must be aware of it. See Article 50.
• Human oversight (Art. 14). For high-risk systems a human must be able to intervene effectively — precisely the point that rubs against the autonomy that makes an agent useful.

The open question: who answers for what the agent does?

The AI Act was written before the breakthrough of agents. As systems carry out irreversible actions — a transaction, a message sent, a change in production code — the liability question becomes pressing: does responsibility lie with the provider of the agent, with the organisation deploying it (the deployer), or with the provider of the underlying model? Beyond the AI Act this touches product liability and contract law — a knot that legislators and courts have yet to cut.

International movement

Soft law runs ahead of legislation here. On 22 January 2026, at the World Economic Forum, Singapore presented its Model AI Governance Framework for Agentic AI — the world's first framework built specifically for agentic AI. It is voluntary, but stresses human accountability and "bounding by design": limit what an agent can do by constraining its tool access, permissions and scope of action. In the US, NIST is building dedicated single-agent and multi-agent control overlays on SP 800-53 through COSAiS (Control Overlays for Securing AI Systems), and in February 2026 launched an AI Agent Standards Initiative. The common thread: existing rules are not replaced, but supplemented with expectations on how to govern a system that acts on its own.

What to do

• Treat an agent as high-risk until a classification shows otherwise — the impact of a wrong action is greater than that of wrong output.
• Build human checkpoints before irreversible actions (payments, external communication, production changes).
• Log and monitor every action so there is an audit trail of what the agent did and why.
• Set contractual terms with the agent and model provider on responsibility, limits and indemnification.

Agentic AI is where the governance question of 2026 becomes sharpest: the technology runs ahead of the categories the law works with, and the first organisation that can demonstrably govern its agents has the edge.