Agent-based AI: The Risk of Neglected Compliance
- Jun 8
A financial firm decides to transform its back office using agent-based artificial intelligence. The use cases pile up on the slides: automatic data extraction from documents, automated process execution, intelligent business controls, anomaly detection in data flows, algorithmic prioritization...
The stated goal is ambitious, and it would be tempting to view compliance as a millstone we can drag along tomorrow (but not right now, please).
This is a strategic mistake, as performance goals can be permanently hindered if automation isn’t accompanied by an ethical and regulatory framework.
What’s the point of gaining a 60% productivity boost on processes if it means paying millions in recurring penalties tomorrow?
The regulatory framework isn’t waiting
The European AI Act came into force in August 2024. Since February 2025, AI systems posing an unacceptable risk have been banned.
Since August 2025, obligations regarding general-purpose AI models have been in effect. And in August 2026, all requirements for high-risk systems will become fully enforceable with penalties of up to €35 million or 7% of global revenue. Good faith is not enough.
In a banking or insurance context, for example, an agent may make or influence decisions that directly affect individuals based on sensitive personal data. In the AI Act’s risk taxonomy, this falls squarely into “high-risk” territory. Most organizations we encounter understand this intellectually. The challenge remains to translate this into concrete governance actions.
The AI Act sets the framework. ISO 42001 provides the method.
It is this integration that most transformation programs lack. The two frameworks are complementary, not interchangeable.
The AI Act is a binding legal regulation. It defines four risk levels, prescribes specific obligations (transparency, human oversight, technical documentation, retention of logs for at least six months), and establishes enforcement mechanisms. It tells organizations what is required and what is prohibited.
ISO/IEC 42001, published in December 2023, is the first international standard dedicated to artificial intelligence management systems. It provides a structured and auditable framework for governing AI responsibly: management commitment, formalized AI policy, lifecycle risk management, performance evaluation, and continuous improvement. It tells organizations how to build the governance framework.
There is substantial overlap between the two: approximately 80% of the AI Act’s requirements for high-risk systems are reflected in the clauses of ISO 42001. Risk management (clause 8.2), data governance, documentation, transparency, and human oversight are addressed by both frameworks. The remaining 15 to 20% pertain to administrative obligations specific to the European Union: CE marking, EU declaration of conformity, registration in the European database, and cooperation with national authorities.
But be careful: ISO 42001 certification does not automatically guarantee compliance with the AI Act. It provides the organizational foundation. Regulatory specifics must be built on top of it. Conversely, attempting to comply with the AI Act without a structured management system turns each obligation into a one-off bureaucratic exercise, disconnected from operational reality and impossible to sustain over the long term.
The ethical dimension: what neither the law nor standards fully cover
Beyond legal and regulatory considerations, a third dimension emerges: operational ethics.
The question is not merely “Is this compliant?” It is: Does this system introduce biases in the processing of cases?
When an AI agent prioritizes, is it fair? When it flags an anomaly and this impacts an individual (for example, the suspension of insurance coverage), can we explain why? When the agent pre-fills a response, does the human operator retain genuine decision-making autonomy, or does the operator become merely a validator of algorithmic suggestions?
These are not philosophical questions. They are design choices that must be decided before the first agent goes live.
Our approach is based on a principle we call “Suggest, Facilitate, Support”. The AI suggests actions by cross-referencing relevant data (risk profile, history, life events) but never makes decisions in place of the business.
It facilitates work by pre-filling forms and preparing personalized arguments, freeing up time for human judgment. It supports by providing advanced analytical insights and ensuring regulatory traceability, while keeping humans in the loop at every stage where a decision impacts a real person.
This philosophy is not an ethical luxury. It is a risk management framework. A system designed according to these principles is inherently more explainable, more auditable, and more aligned with the requirements of the AI Act as well as the expectations of ISO 42001.
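What “Suggest, Facilitate, Support” looks like when it is enforced in code rather than stated in a policy, as an added illustration that is not the article’s code or any firm’s actual system: the agent can only produce a suggestion that carries a rationale and its evidence, a named human operator has to record a decision before any action can be applied, and both steps land in a hash-chained audit log stamped with a retention date of at least six months. The case fields, the scoring rule, the operator id and the timestamps are all constructed for the example.

```python
"""Human-in-the-loop decision gate (added example; all data is constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import json

MIN_RETENTION = timedelta(days=183)  # "at least six months" of logs, as the article cites


@dataclass(frozen=True)
class Suggestion:
    case_id: str
    action: str        # what the agent proposes, e.g. "review_coverage"
    rationale: str     # plain-language explanation an operator can read
    evidence: tuple    # the data points the suggestion rests on
    confidence: float


def agent_suggest(case: dict) -> Suggestion:
    """Hypothetical agent: cross-references risk profile, history and life events
    (the article's three inputs) and proposes an action. It never applies one."""
    flags = []
    if case["risk_profile"] == "high":
        flags.append("risk_profile=high")
    if case["missed_payments"] >= 2:
        flags.append(f"missed_payments={case['missed_payments']}")
    if "address_change" in case["life_events"]:
        flags.append("life_event=address_change")
    if len(flags) >= 2:
        return Suggestion(case["id"], "review_coverage", "Two or more anomaly signals present",
                          tuple(flags), round(len(flags) / 3, 2))
    return Suggestion(case["id"], "no_action", "Fewer than two anomaly signals",
                      tuple(flags), round(len(flags) / 3, 2))


class AuditLog:
    """Append-only, hash-chained log: each entry's hash covers the previous hash,
    so editing or deleting an earlier entry is detectable at audit time."""
    def __init__(self):
        self.entries = []

    def record(self, kind: str, payload: dict, now: datetime) -> None:
        prev = self.entries[-1]["hash"] if self.entries else ""
        body = {"ts": now.isoformat(), "retain_until": (now + MIN_RETENTION).isoformat(),
                "kind": kind, **payload}
        body["hash"] = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
        self.entries.append(body)

    def verify(self) -> bool:
        prev = ""
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


class DecisionGate:
    """Holds suggestions until a human decides; applying an action without a
    recorded human decision is an error, not a configurable option."""
    def __init__(self, log: AuditLog):
        self.log = log
        self.pending = {}
        self.decided = {}

    def submit(self, s: Suggestion, now: datetime) -> None:
        # Explainability check: an unexplained suggestion is refused outright.
        if not s.rationale or not s.evidence:
            raise ValueError(f"suggestion for {s.case_id} lacks rationale or evidence")
        self.log.record("suggestion", {"case_id": s.case_id, "action": s.action,
                        "rationale": s.rationale, "evidence": list(s.evidence),
                        "confidence": s.confidence}, now)
        self.pending[s.case_id] = s

    def decide(self, case_id: str, operator: str, final_action: str, reason: str, now: datetime) -> str:
        """A named operator accepts, rejects or overrides the suggestion."""
        s = self.pending.pop(case_id)  # KeyError if nothing is pending: no double decisions
        if not operator or not reason:
            raise ValueError("a human decision needs an operator id and a stated reason")
        verdict = ("accepted" if final_action == s.action
                   else "rejected" if final_action == "no_action" else "overridden")
        self.log.record("human_decision", {"case_id": case_id, "operator": operator,
                        "verdict": verdict, "final_action": final_action, "reason": reason}, now)
        self.decided[case_id] = final_action
        return verdict

    def apply(self, case_id: str) -> str:
        if case_id not in self.decided:
            raise PermissionError(f"no human decision recorded for {case_id}")
        return self.decided[case_id]


def run_demo():
    now = datetime(2026, 8, 3, tzinfo=timezone.utc)  # constructed timestamp
    case = {"id": "C-1", "risk_profile": "high", "missed_payments": 2,
            "life_events": ["address_change"]}  # constructed case
    log, gate = AuditLog(), None
    gate = DecisionGate(log)
    s = agent_suggest(case)
    gate.submit(s, now)
    try:
        gate.apply("C-1")  # must fail: no human has decided yet
    except PermissionError:
        pass
    verdict = gate.decide("C-1", "op-42", "no_action", "Payments reconciled after address change", now)
    return s, verdict, gate.apply("C-1"), log


if __name__ == "__main__":
    suggestion, verdict, final, log = run_demo()
    print(suggestion.action, "->", verdict, "->", final, "| chain ok:", log.verify())
```

The two properties worth noting are that `apply` has no path that bypasses `decide`, and that the operator’s reason is mandatory, so the log answers “why” for both the machine’s suggestion and the human’s decision; the chained hash is what lets an auditor trust that the retained entries are the ones written at the time.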
The Cost of Inaction
Organizations that wait to structure their compliance will face three converging risks:
Regulatory risk, with significant fines and national authorities ramping up their capabilities.
Operational risk: retrofitting compliance into an already deployed system costs exponentially more than integrating it from the design phase. Untraceable records, undocumented decisions, and ungoverned data pipelines become technical debt that accumulates every day.
Reputational risk: increased automation raises the bar to unwavering trust and flawless customer relationships. An algorithmic bias scandal or a health data breach can destroy years of brand equity in an instant.
Final Thoughts
Agent-based AI is not merely a technological matter. It is a governance issue. Innovation is nothing without a framework of trust. One must be competent in both areas.
The organizations that will succeed are not those that deploy the most agents the fastest, but those that do so within a framework where every automated decision is explainable, every data flow is governed, and every human operator retains real decision-making authority.
The AI Act provides the legal safeguards. ISO 42001 provides the management system.
Ethical design principles provide the operational philosophy. All three are necessary. None alone is sufficient.
If you are planning a transformation using agent-based AI, the time to build this governance architecture is now, not after the first agent goes live.