The EU's AI Act is poorly equipped to govern autonomous AI agents: rules built for conventional systems leave enforcement, monitoring, and resourcing gaps that risk unchecked failures, misuse, and unequal access unless policymakers rapidly revise institutional design.
AI agents -- systems that can independently take actions to pursue complex goals with only limited human oversight -- have entered the mainstream. These systems are now being widely used to produce software, conduct business activities, and automate everyday personal tasks. While AI agents implicate many areas of law, ranging from agency law and contracts to tort liability and labor law, they present particularly pressing questions for the most globally consequential AI regulation: the European Union's AI Act. Promulgated prior to the development and widespread use of AI agents, the EU AI Act faces significant obstacles in confronting the governance challenges arising from this transformative technology, such as performance failures in autonomous task execution, the risk of misuse of agents by malicious actors, and unequal access to the economic opportunities afforded by AI agents. We systematically analyze the EU AI Act's response to these challenges, focusing on both the substantive provisions of the regulation and, crucially, the institutional frameworks that aim to support its implementation. Our analysis of the Act's allocation of monitoring and enforcement responsibilities, reliance on industry self-regulation, and level of government resourcing illustrates how a regulatory framework designed for conventional AI systems can be ill-suited to AI agents. Taken together, our findings suggest that policymakers in the EU and beyond will need to change course, and soon, if they are to effectively govern the next generation of AI technology.
Summary
Main Finding
The EU AI Act, designed for conventional and generative AI artifacts, is poorly matched to the governance challenges posed by autonomous AI agents. While most agents fall within the Act’s formal scope, key substantive rules, institutional arrangements, and governance instruments (including reliance on standards and self-regulation) fail to address agents’ autonomy, adaptability, cross-context behavior, and the fragmented value chain. Policymakers must revise regulatory design and substantially strengthen monitoring, enforcement, and resourcing to govern agentic systems effectively.
Key Points
- Definition and scope
  - AI agents generally meet the Act’s definition of an “AI system,” but are not automatically classified as high-risk. High-risk status depends on intended use and Annex III categories, leaving ambiguity for adaptable, general-purpose agents.
  - The Act’s extraterritorial reach makes it consequential for global firms (the “Brussels effect”), but also raises jurisdictional and enforcement complexity.
- Performance and robustness
  - Agents exhibit heterogeneous, sequence-dependent failures (not just single erroneous outputs). Proxies in the Act—accuracy, consistency, robustness—do not fully capture agent risks. Robustness is the closest fit but is difficult to specify and operationalize for long-running, adaptive agents.
  - Real-world examples (Anthropic’s “Project Vend” experiments with Claude) show agents can perform some tasks well while unpredictably failing at others, and even attempt actions beyond their capabilities.
- Misuse and cybersecurity
  - The Act gives limited direct attention to malicious misuse of agents. The GPAI Code of Practice contains stronger misuse-prevention and cybersecurity expectations, but much depends on voluntary compliance and standards.
  - Agents amplify misuse risks because they can autonomously seek external tools/resources and operate at scale.
- Privacy and contextual integrity
  - Agents operating across contexts (personal, professional, public) create complex leaks of contextual information. The Act does not adequately grapple with shifting norms of contextual integrity when agents collect, aggregate, and act on personal data across settings.
- Equity and distributional concerns
  - The Act does little to ensure equitable access to economic benefits from agents or to address biased impacts in agent decision-making. Agents may concentrate rents, reinforce incumbents, and exacerbate inequalities absent explicit distributional or access policies.
- Oversight and institutional capacity
  - Obligations in the Act are premised on human oversight of systems; they are less effective when agents are designed to operate with limited human intervention.
  - The Act relies heavily on standards, codes of practice, and provider disclosures, exacerbating information asymmetries across model providers, system integrators, and deployers (the “many-hands” problem).
  - Enforcement responsibilities split across national market surveillance authorities and an EU AI Office create jurisdictional complexity. Current institutional resourcing and expertise are likely inadequate for effective continuous monitoring of agents.
- Lessons and recommended shifts
  - Artifact-centric regulation (focusing on discrete models/systems at deployment time) is insufficient; governance must account for agents’ operational environment and lifecycle.
  - Policymakers should reduce over-reliance on voluntary standards, clarify allocation of responsibilities along the value chain, require stronger continuous monitoring and incident reporting, and materially increase regulatory resourcing and technical capacity.
Data & Methods
- Legal and policy analysis of the EU AI Act text, its definitions, Annex III risk categories, and the separate GPAI Code of Practice.
- Case illustration and qualitative evidence drawn from public experiments and reporting (e.g., Anthropic’s “Project Vend” and related journalism) to show agent behavior in practice.
- Literature synthesis: integrates prior scholarly work on AI agents, governance, liability, robustness, and systemic risk (legal scholarship, technical papers, policy reports).
- Institutional analysis: examination of governance architecture (allocation of obligations among model providers, system providers, deployers), standard-setting, enforcement mechanisms, and resourcing.
- Conceptual mapping of five governance challenges—performance, misuse, privacy, equity, oversight—and assessment of how the Act’s substantive provisions and institutional apparatus address each.
Note: the paper is doctrinal/policy research; it does not present primary quantitative empirical estimation or novel experimental data beyond public case vignettes and literature-based analysis.
Implications for AI Economics
- Productivity and adoption
  - Agents promise automation gains but unpredictable performance and liability/credibility uncertainty may slow firm adoption. Economic benefits will depend on regulators’ ability to reduce tail risks and create reliable compliance regimes.
  - Firm-level investment decisions will internalize regulatory compliance costs and expected enforcement risk; high upfront compliance and monitoring costs favor larger incumbents, likely increasing market concentration.
- Innovation incentives and market structure
  - Heavy reliance on standards and voluntary codes can create coordination problems and regulatory uncertainty, shaping firms’ strategic choices (e.g., vertically integrating model development and deployment to internalize many-hands risks).
  - Extraterritorial rules and uncertain classification (high-risk vs non-high-risk) create regulatory arbitrage incentives and may distort location of R&D and deployment.
- Externalities, systemic risk, and insurance markets
  - Agent-caused harms are often diffuse, time-extended, and cross-jurisdictional, creating negative externalities that markets may underprice. This raises demand for new liability frameworks and insurance products, but insurers will struggle to price risk without better data and regulatory clarity.
  - Systemic risk concerns (when GPAI-backed agents are widely deployed) could create correlated shocks across sectors—requiring public-sector mitigation and potential macroprudential-style oversight.
- Labor and distributional effects
  - Autonomous agents change task complementarities, potentially displacing some middle-skill work while creating new tasks around monitoring, integration, and oversight. Uneven access to agent capabilities may exacerbate wage and employment inequality.
  - Without interventions to widen access or redistribute gains, economic rents may accrue to firms that control agent platforms and to jurisdictions with stronger AI ecosystems.
- Information frictions and transaction costs
  - The many-hands problem increases transaction costs between model providers, integrators, deployers, and clients (e.g., warranties, audits, contractual indemnities). These frictions can reduce the efficiency of market transactions and slow diffusion.
  - Greater demand for transparency (audit logs, incident reporting) will create new data goods and services (third-party auditors, compliance platforms), altering market opportunities.
- Policy and public investment implications
  - Effective governance requires public investment in regulator technical capacity and continuous monitoring infrastructure—these are public goods with potentially large social returns relative to private provision.
  - Policymakers should consider targeted instruments: certification regimes for agent deployment in sensitive sectors, mandatory reporting/incident databases to support insurance and market discipline, subsidies or standards to lower compliance costs for smaller firms, and R&D support for robust agent design.
- Research and measurement priorities
  - Economists should measure: agent-driven productivity gains at firm and industry levels; distributional impacts across occupations and regions; compliance costs and their scaling with firm size; market concentration effects from regulatory fixed costs; and macroeconomic implications of systemic agent deployment.
  - Empirical work is needed on how regulatory uncertainty affects investment and innovation trajectories, and on the effectiveness of different oversight architectures (continuous monitoring vs periodic audits).
Overall, the paper suggests that AI economics must account for regulatory design and institutional capacity as core determinants of the realized economic impact of agentic AI—regulation will shape incentives, market structure, and distribution of benefits as much as the underlying technology.
Assessment
Claims (10)
| Claim | Direction | Confidence | Outcome | Details |
|---|---|---|---|---|
| AI agents have entered the mainstream. [Adoption Rate] | positive | high | AI agent adoption / prevalence | 0.06 |
| These systems are now being widely used to produce software, conduct business activities, and automate everyday personal tasks. [Adoption Rate] | positive | high | use of AI agents across software production, business processes, and personal tasks | 0.06 |
| AI agents implicate many areas of law, ranging from agency law and contracts to tort liability and labor law. [Governance and Regulation] | mixed | high | scope of legal domains implicated by AI agents | 0.06 |
| AI agents present particularly pressing questions for the European Union's AI Act. [Governance and Regulation] | negative | high | regulatory adequacy of the EU AI Act for AI agents | 0.06 |
| The EU AI Act was promulgated prior to the development and widespread use of AI agents. [Governance and Regulation] | negative | high | temporal alignment between regulation and technology development | 0.1 |
| The EU AI Act faces significant obstacles in confronting governance challenges arising from AI agents, such as performance failures in autonomous task execution. [Error Rate] | negative | high | ability of regulation to address performance failures (error rates / autonomous task failures) | 0.06 |
| The EU AI Act faces significant obstacles in confronting governance challenges arising from AI agents, such as the risk of misuse of agents by malicious actors. [AI Safety and Ethics] | negative | high | risk of malicious misuse and regulatory capacity to mitigate it | 0.06 |
| The EU AI Act faces significant obstacles in confronting governance challenges arising from AI agents, such as unequal access to the economic opportunities afforded by AI agents. [Inequality] | negative | high | distribution of economic opportunities from AI agents | 0.06 |
| The Act's allocation of monitoring and enforcement responsibilities, reliance on industry self-regulation, and level of government resourcing illustrate how a regulatory framework designed for conventional AI systems can be ill-suited to AI agents. [Governance and Regulation] | negative | high | fit between regulatory institutional design and requirements for governing AI agents | 0.06 |
| Policymakers in the EU and beyond will need to change course, and soon, if they are to effectively govern the next generation of AI technology. [Governance and Regulation] | negative | high | need for regulatory/policy change to effectively govern AI agents | 0.01 |