TL;DR: The EU AI Act is pushing organizations to treat AI agents as governed actors, with requirements for transparency, human oversight, logging, risk management, and delegated access across providers and deployers, according to Descope. Identity controls now sit at the center of AI compliance because visibility, authorization, and auditability determine whether agent actions can be explained and controlled.
NHIMG editorial — based on content published by Descope: The EU AI Act: Map Agentic Identity Controls For AI-Readiness
By the numbers:
- 74% of organizations expect to use AI agents at least moderately by 2027, and almost a quarter plan to use them widely across their operations.
- The EU AI Act can impose penalties of up to €35 million or 7% of global annual turnover for certain violations.
Questions worth separating out
Q: How should security teams govern AI agents that access enterprise systems?
A: Security teams should treat AI agents as governed identities, not just applications.
Q: Why do third-party AI models still create compliance obligations?
A: Third-party AI does not remove deployer responsibility.
Q: What breaks when AI actions cannot be traced to a user or policy decision?
A: When AI actions cannot be traced, the organisation loses auditability, incident reconstruction, and accountability.
Practitioner guidance
- Inventory every AI entry point: Map internal copilots, embedded SaaS features, API-connected agents, and shadow AI workflows so you know where AI can act, what it can reach, and which business owner is accountable for each deployment.
- Bind agent actions to explicit principals: Require user attribution, delegated authorization, and scoped token issuance for each agent session so auditors can reconstruct who approved the action and under what authority it occurred.
- Enforce step-up controls for sensitive operations: Route data access, external API calls, and customer-impacting decisions through a human approval path or escalation gate before the action completes.
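As an added illustration of the three guidance points above (not code from Descope or the NHIMG editorial), here is a minimal policy gate in Python: a hypothetical scoped agent token bound to the delegating user, a step-up requirement for sensitive actions, and an audit log an auditor can query per agent. Action names, principals and timestamps are constructed.

```python
"""Minimal policy gate for AI-agent actions: every action is bound to a
delegating human principal and a scoped, expiring token, always leaves an
audit record, and sensitive actions additionally need a human approver."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed set of actions that must pass a human step-up gate.
SENSITIVE = {"external_api_call", "customer_decision", "bulk_data_export"}


@dataclass(frozen=True)
class AgentToken:
    agent_id: str        # non-human identity performing the action
    delegated_by: str    # human principal whose authority is exercised
    scopes: frozenset    # actions this token is allowed to perform
    expires_at: int      # constructed epoch-second expiry


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, token, action, decision, approved_by, now):
        self.entries.append({
            "ts": now, "agent": token.agent_id, "user": token.delegated_by,
            "action": action, "decision": decision, "approved_by": approved_by,
        })


def issue_token(user: str, agent_id: str, scopes, now: int, ttl: int = 900):
    """Scoped, short-lived token tied to the user who delegated it."""
    return AgentToken(agent_id, user, frozenset(scopes), now + ttl)


def authorize(token, action, log, now, approved_by: Optional[str] = None):
    """Return (allowed, reason); every decision, allow or deny, is logged."""
    if now >= token.expires_at:
        decision = "deny:expired"
    elif action not in token.scopes:
        decision = "deny:out_of_scope"
    elif action in SENSITIVE and approved_by is None:
        decision = "deny:step_up_required"   # human approval path not taken
    else:
        decision = "allow"
    log.record(token, action, decision, approved_by, now)
    return decision == "allow", decision


def reconstruct(log, agent_id):
    """Auditor view: for each action an agent took, who stood behind it."""
    return [(e["action"], e["user"], e["approved_by"], e["decision"])
            for e in log.entries if e["agent"] == agent_id]
```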
What's in the full article
Descope's full article covers the operational detail this post intentionally leaves for the source:
- The article’s practical checklist for determining whether the EU AI Act applies to your organisation across deployer and provider scenarios.
- The capability mapping between identity controls, delegated authorization, human oversight, and auditability for AI workflows.
- The implementation-oriented discussion of logging, traceability, and policy enforcement for agent access to enterprise systems.
- The product examples for AI registration, step-up approval, and policy-based governance at the token boundary.
👉 Read Descope's analysis of EU AI Act controls for AI agents →
EU AI Act and AI agents: what IAM teams need to prepare for?
Explore further
Identity is becoming the compliance boundary for AI governance. The EU AI Act does not only ask what the model can do. It asks who can use it, what it can access, and whether those actions can be traced and justified. That makes authentication, delegated authorization, and audit logging the operational evidence layer for AI governance. Practitioners should treat identity controls as compliance controls, not as adjacent infrastructure.
A few things that frame the scale:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: How can organisations prepare for EU AI Act oversight requirements?
A: Organisations should inventory AI usage, classify risk, define ownership, and build controls for delegated access, human oversight, and logging before enforcement pressure rises. The most useful evidence will be the operational record of who acted, what the agent touched, and how exceptions were handled.
👉 Read our full editorial: EU AI Act compliance depends on identity controls for AI agents