Agentic AI regulation in the EU and UK: what should teams do now?

TL;DR: Organisations deploying agentic AI are finding that ISO 42001, NIST AI RMF, and the EU AI Act do not yet map cleanly to agent behaviour, while UK and EU supervisory bodies are starting to focus on accountability, logging, autonomy limits, and provider-deployer responsibility, according to Zenity. The practical problem is that current governance assumes stable, reviewable actions, but agents can act within bounded autonomy in ways that outpace human oversight cycles.

NHIMG editorial — based on content published by Zenity: Build for Tomorrow, Today: Deploying Agentic AI Under EU and UK Regulations

By the numbers:

• 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
• When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.

Questions worth separating out

Q: How should organisations govern agentic AI under EU and UK regulations?

A: Treat each agent as a governed digital actor with an owner, defined purpose, approved toolset, and explicit approval boundaries.

Q: Why do existing AI governance frameworks struggle with agentic systems?

A: They mostly describe models, risk categories, or high-level oversight, while agentic systems also need identity, permissions, tool access, and execution controls.

Q: How do security teams know whether an agent is operating inside its intended boundary?

A: They need evidence for both intent and execution.

Practitioner guidance

• Define first-class agent identities Assign each agent an owner, purpose, approved toolset, and bounded data-access scope before it enters production.
• Separate approved actions from autonomous reach Document which actions an agent may take without human approval and which actions require a gate before execution.
• Build execution and intent observability Capture what the agent was allowed to do, what it actually did, and whether its runtime behaviour matched the intended workflow.

What's in the full article

Zenity's full blog post covers the operational detail this post intentionally leaves for the source:

• A 12-point practitioner checklist for deploying agentic systems under overlapping EU and UK obligations.
• Detailed guidance on logging, observability, and human approval boundaries for irreversible actions.
• Practical questions to ask providers when parts of the agent runtime are vendor-managed.
• Examples of how to frame executive ownership, procurement evidence, and incident response for agent deployments.

👉 Read Zenity's analysis of agentic AI governance under EU and UK regulations →

Agentic AI regulation in the EU and UK: what should teams do now?

Explore further

View Full Forum →  |  NHI Foundation Course →