EU AI Act Article 9 and what it means for agent builders
The EU AI Act entered into force in August 2024. The risk management obligations under Article 9 become enforceable in August 2026. If you are building or deploying AI agents in the EU or for EU users, this affects you directly.
Article 9 requires a risk management system that operates throughout the lifecycle of a high-risk AI system. The system must identify and analyze known and foreseeable risks. It must estimate and evaluate the risks that may emerge when the system is used in accordance with its intended purpose and under conditions of reasonably foreseeable misuse. It must adopt suitable risk management measures. And it must be documented.
For agent builders, the challenge is practical. How do you identify the risks of an agent configuration? How do you document them in a way that satisfies a regulatory audit? Most teams know their agents have risks but do not have a systematic way to enumerate and categorize them.
This is why we built the attack surface mapper with Article 9 compliance as an explicit design goal. The mapper takes an agent configuration and produces a risk assessment that aligns with Article 9 structure.
The mapping works as follows. The mapper identifies dangerous capability combinations in the agent's tool set. Each combination maps to one or more risk categories from the AI Act's Annex III classification. The mapper estimates severity based on the potential impact of each risk. And it recommends mitigations with references to the specific Article 9 requirements they address.
The output is not legal advice. It is a technical risk assessment that gives your legal team concrete material to work with. Instead of a vague statement like "the agent may misuse tools," the mapper produces specific findings like "the combination of filesystem write access and external network access enables data exfiltration with severity HIGH, addressable by restricting network access to an allowlist per Article 9(2)(b)."
We have seen teams approach Article 9 compliance in three ways. Some hire consultants who produce documents that satisfy the letter of the law but contain little technical substance. Some ignore it and hope enforcement will be slow. And some build compliance into their engineering process so that risk assessment happens automatically as part of development.
The third approach is what we are trying to enable. The mapper runs in CI/CD pipelines. Every configuration change triggers a new risk assessment. The assessment diff shows what risks were introduced or mitigated by the change. Over time, this produces a documented history of risk management decisions that directly addresses the Article 9 requirement for lifecycle management.
One detail that catches people off guard: Article 9 applies to "providers" and "deployers" differently. If you build agent frameworks that others use, you are a provider. If you use agent frameworks to build applications, you are a deployer. Both have obligations, but the scope differs. Providers must ensure the risk management system exists. Deployers must use it and verify it covers their specific deployment context.
The attack surface mapper is available now. The Article 9 compliance templates are part of the standard output format. We update the regulatory mappings as enforcement guidance evolves.