How the EU AI Act applies to teams deploying AI agents, and how Blekline maps to its requirements.
Note: Blekline is infrastructure, not legal advice. Use this alongside qualified legal counsel for your specific compliance situation.
What the Act requires of agent deployments
The EU AI Act's obligations for teams building with AI agents fall into four areas directly relevant to MCP-based deployments:
- Human oversight (Article 14): High-risk AI systems must allow humans to intervene, override, or halt system operation. For agent deployments this means tool calls must be blockable by policy, not just observable after the fact.
- Technical documentation and logging (Articles 12 and 17): Providers must maintain records of AI system operation sufficient to assess compliance. This includes what decisions the system made, what data it processed, and what actions it took.
- Data governance (Article 10): Operational data must be subject to governance practices. For agent deployments, this includes what data enters model context windows during inference.
- Transparency to users (Article 50): AI interactions must be disclosed and synthetic content labeled. Enforceable from August 2026.
Enforcement timeline
| Date | What becomes enforceable |
|---|---|
| August 2, 2025 | GPAI model obligations — transparency, copyright, safety |
| August 2, 2026 | High-risk system requirements; Article 50 transparency obligations |
| December 2, 2027 | Annex III systems — recruitment, credit scoring, law enforcement, education |
Fines for non-compliance reach €35 million or 7% of global annual turnover for the most serious violations. High-risk system breaches carry up to €15 million or 3%.
How Blekline maps to these requirements
| Act requirement | Blekline capability |
|---|---|
| Human oversight / intervention (Art. 14) | blekline_evaluate_tool_call — allow, flag, or block before execution; workspace MCP tool policy via /operations/policies |
| Audit trail / technical documentation (Arts. 12, 17) | Tamper-evident event stream per call; sensorMetadata captures tool name, action, entity counts, client surface, model provider, requestId |
| Data governance / PII handling (Art. 10) | blekline_mask_prompt — Azure-backed authoritative PII masking; tokenMap for entity audit |
| Transparency / disclosure (Art. 50) | Audit events identify AI surface and model provider per interaction |
What Blekline does not cover
Blekline handles the infrastructure layer. It does not:
- Perform conformity assessments or generate CE marking documentation
- Classify whether your system falls under Annex III (requires legal analysis)
- Replace a Data Protection Impact Assessment (DPIA)
- Serve as your sole compliance record — export audit events to your SIEM and retain them per your data retention policy
For EU data residency, contact enterprise sales with dataResidency=EU. See Enterprise deployment.