Atlas Apex

Perspective

The EU AI Act Is an Identity Problem

EUR-Lex · Jun 2026

Key Finding

Article 14 requires that a natural person can effectively oversee a high-risk AI system. You cannot evidence oversight without identity-bound decision points and identity-rich audit logs.

Regulation (EU) 2024/1689, the EU AI Act, entered into force on 1 August 2024 and phases in through 2027, with most of the high-risk obligations applying from 2 August 2026. It is the first comprehensive AI law, and it classifies systems by risk: prohibited, high-risk, limited, and minimal. Most of the commentary has focused on what AI builders must do. Less has been said about where the obligations land inside an organisation, and a surprising share of them lands on identity.

Start with high-risk systems. Annex III lists the categories that trigger the heavy obligations, among them critical infrastructure, employment decisions, access to essential services, law enforcement, migration, and justice. High-risk systems must carry risk management (Article 9), data governance (Article 10), technical documentation (Article 11), human oversight (Article 14), and, under the cybersecurity duty in Article 15, controls on who and what can reach the system itself. That last item is an identity control. The evidence that only the right people and the right services can reach a high-risk system is produced by your identity programme, not by the model. Several of these categories, critical infrastructure most of all, also fall under NIS2, so the same identity evidence does double duty.

Human oversight, Article 14, is the clearest example. High-risk systems must be designed so that a natural person can effectively oversee them, intervene, and stop them. For an agentic workflow that means identity-aware decision points where a human can step in, and audit logs rich enough to prove the oversight happened. Article 12 already requires the system to record events automatically over its lifetime; the question is whether those records carry identity. You cannot evidence who was able to intervene, or who actually did, without it.

Then there are AI agents. The Act assumes a human or an organisation is accountable for what a system does. Agentic AI breaks that assumption unless the agent's identity is bound to the human principal it acts for, with a defined scope and a time limit. An agent with standing, unscoped access and no link back to a person is an oversight obligation you cannot meet and an audit trail you cannot reconstruct.

Biometrics sit in both the prohibited and the high-risk tiers, Article 5 and Annex III. The Act does carve out one-to-one biometric verification, confirming that a specific person is who they claim to be, from the high-risk biometric category in Annex III, and that is where most CIAM and workforce authentication lands. The work for programmes that use Face ID, fingerprint, or any other biometric factor is to confirm in advance, and write down, that the implementation stays verification: it does not identify people from a pool, infer sensitive attributes through the biometric categorisation that Article 5 prohibits, or perform emotion recognition in the workplace, which Article 5 also prohibits. Biometric data is special-category data under GDPR Article 9 as well, so the data-protection-by-design rationale belongs in the same file. This is where the AI Act meets GDPR, and the two have to be argued together.

Finally, the documentation. Article 11 and Annex IV define the technical documentation a high-risk system must carry. Much of the access-control, logging, and identity-context evidence in that file is owned by the identity team. Most organisations map these controls against ISO/IEC 42001, the AI management-system standard, alongside the forthcoming harmonised European standards.

The practical point for identity leaders is that the AI Act is not a separate programme. It is a new set of evidence requirements that your identity architecture either already produces or quietly fails to. Name the principal behind every agent. Scope delegated authority and put a time limit on it. Capture identity context, not just actions, in your logs. Document it against a recognised standard. Do that, and AI Act compliance becomes something you can show, not something you scramble to assemble.

We break the Act down article by article, with the identity requirements, in our EU AI Act framework guide. The sources below are the regulation and the official guidance themselves.
