AI governance is quickly becoming a business requirement. As AI agents gain the ability to access company systems, handle sensitive data, use APIs, automate tasks, and make decisions for users, organizations face new challenges in visibility, security, accountability, and oversight. According to Deloitte, 74% of organizations expect to use AI agents at least moderately by 2027, and almost a quarter plan to use them widely across their operations.
As AI systems become a bigger part of business applications and workflows, organizations need to know where AI is used, who can access it, what it can do, and how its decisions are managed and tracked. Regulators are starting to set clear rules. The EU AI Act sets out requirements for transparency, accountability, security, human oversight, and risk management for any organization that builds or uses AI systems.
The regulation does not just apply to AI providers, who develop AI systems. It also covers deployers, who use third-party AI models, copilots, or agents in their applications and workflows. Organizations that use outside AI platforms or API providers still have to meet governance and compliance rules. Like GDPR, the EU AI Act is expected to shape global standards for AI governance and security, not just in Europe.
As organizations get ready for these changes, identity is becoming a key part of responsible AI governance. Tools like authentication, authorization, delegated access controls, policy enforcement, and audit logging are now essential for keeping AI systems and agents secure.
What is the EU AI Act?
The EU AI Act is the world’s first comprehensive regulatory framework focused specifically on artificial intelligence systems. Rather than applying the same rules to every AI use case, the Act uses a risk-based model that places stricter requirements on systems capable of creating greater harm or operational risk.
The regulation applies to both AI providers building or supplying AI systems and deployers using AI systems internally or embedding them into customer-facing products and workflows. This distinction is important because many organizations assume they are exempt if they are only consuming third-party AI APIs or copilots. In reality, companies integrating AI into their own products, workflows, or operational processes may still carry responsibilities around transparency, oversight, security, logging, and governance.
At a high level, the EU AI Act focuses on:
Transparency and accountability
Human oversight
Security and risk management
Documentation and traceability
Protection of fundamental rights
Safe deployment and monitoring of AI systems
The EU AI Act takes a different approach for each type of AI system. It sets varying levels of oversight and compliance depending on the risk an AI system presents. The framework below lays out the four main risk categories in the EU AI Act as AI systems become more influential, independent, or sensitive.

EU AI Act timeline
The EU AI Act is already beginning to take effect, but the most significant compliance deadlines arrive in August 2026, when major requirements for high-risk AI systems become enforceable. Additional obligations for certain embedded and sector-specific systems continue into 2027.
For many organizations, building the governance, security, oversight, and operational controls necessary for compliance will take significant time and coordination across security, legal, engineering, compliance, IT, product, and identity teams.
How to determine whether the EU AI Act applies to your organization
Many organizations assume the EU AI Act only affects large AI labs or companies building foundation models. In reality, the regulation may apply to a broad range of organizations using AI internally or embedding AI functionality into products and workflows.
The following questions can help organizations assess whether they may be affected.
Question to ask | What to look for | Why it matters |
|---|---|---|
Are you doing business in the EU? | EU customers, EU users, EU-based operations, or EU resident data processing | The EU AI Act applies beyond organizations physically located in Europe. |
Are you deploying AI inside your organization? | AI copilots, internal assistants, AI search, workflow automation, or autonomous AI agents | Internal AI usage may still create governance, oversight, and compliance obligations. |
Are you embedding AI into products or customer experiences? | AI-generated content, recommendations, personalization, or agentic AI functionality | Organizations deploying AI systems may be considered “deployers” under the Act, even if they do not build the underlying models. |
Are AI systems accessing enterprise systems or sensitive data? | API access, internal system integrations, customer data access, or automated actions | Organizations increasingly need visibility into which AI system acted, which user approved it, and what data or systems were accessed. |
Are you relying on third-party AI providers or APIs? | OpenAI APIs, Anthropic, embedded AI SaaS tools, or foundation model integrations | Using external AI providers does not eliminate responsibility for governance, risk management, or oversight. |
Are you operating in a regulated industry? | Financial services, healthcare, insurance, HR, identity verification, or critical infrastructure | Certain AI use cases may qualify as high-risk systems with stricter compliance obligations. |
Are AI systems making decisions that impact users or customers? | Fraud detection, underwriting, lending, hiring, identity verification, or automated recommendations | Automated decision-making may require transparency, human oversight, logging, and auditability controls. |
Can you identify who approved or initiated AI actions? | User attribution, delegated approvals, consent records, or workflow accountability | Identity context and delegated authorization are becoming foundational to responsible AI governance. |
Can you monitor and audit AI activity? | Audit logging, policy enforcement, monitoring, or AI workflow visibility | Organizations increasingly need evidence of accountability, oversight, and security controls. |
Are you standardizing governance globally? | Unified compliance frameworks across regions and business units | Many multinational organizations are expected to align globally around EU AI governance standards, similar to GDPR. |
The biggest challenges organizations will face
The EU AI Act sets different rules for organizations based on how they use AI. If a company builds or supplies AI systems, it is considered a provider. If it uses AI systems internally or adds them to products and workflows, it is a deployer. Each role comes with its own set of requirements.
Providers usually have more responsibilities related to designing, documenting, monitoring, and managing AI systems. Deployers must still ensure safeguards like human oversight, transparency, security, and keeping logs for some high-risk AI systems. As more companies use third-party AI models and agents, they remain accountable under the regulation, even if they do not build the AI themselves.
Limited visibility into AI usage
To comply with the EU AI Act, organizations must know exactly where AI is being used. This includes approved tools, unofficial AI use, built-in SaaS features, or third-party AI providers.
This is important because deployers of high-risk AI systems may need to monitor how these systems work, keep logs, and act if there are risks. Providers also need clear visibility to meet their documentation, monitoring, and compliance duties.
Fragmented AI governance
The regulation gives responsibilities to many teams, including security, legal, compliance, engineering, IT, and product teams.
Providers might need to set up risk management systems, keep technical documentation, have processes for fixing issues, and monitor systems after launch. Deployers may need controls for operations, ongoing monitoring, human oversight, and ways to notify workers.
If it is not clear who is in charge, organizations may have trouble deciding who should approve, document, monitor, and handle AI-related risks.
Transparency and auditability requirements
The EU AI Act strongly focuses on traceability, documentation, and accountability.
For some high-risk AI systems, deployers may have to keep automatically generated logs for at least six months if they control those logs. Providers may also have extra duties for documentation, automatic logging, and working with authorities.
As a result, organizations increasingly need:
Audit trails
Approval records
Human oversight evidence
System documentation
Monitoring and reporting capabilities
Securing AI systems and agents
The Act makes security and oversight key parts of governance, especially for high-risk AI systems. As AI agents get access to APIs, company systems, and sensitive data, organizations need more controls that:
Limit overprivileged access
Support delegated authorization
Enforce machine-to-machine authentication
Preserve human oversight
Monitor AI-driven actions
For deployers, these controls match their duties for technical safeguards and monitoring. For providers, these relate to alignment, security, risk management, logging, and issue resolution.
General-purpose AI governance
General-purpose AI brings a new type of operational and compliance risk.
The EU AI Act sets rules for providers of general-purpose AI models about transparency and copyright. It also expects extra steps for risk assessment and reducing risks for models that could have a big impact.
For organizations using third-party foundation models, the main challenge is understanding:
Where those models are embedded
What outputs they generate
How they are being used internally
Whether downstream workflows create deployer obligations
Checklist to prepare for the EU AI Act
Best practice | What organizations should do | Why it matters |
|---|---|---|
Inventory AI systems and usage | Identify internal AI tools, third-party AI vendors, embedded AI functionality, AI copilots, and autonomous AI workflows across the organization. | Organizations cannot govern or secure AI systems they do not know exist. Visibility is foundational for compliance and risk management. |
Perform AI risk classification | Determine whether AI systems fall into high-risk, regulated, customer-facing, or automated decision-making categories. | The EU AI Act applies different obligations depending on the level of AI risk and operational impact. |
Build AI governance policies | Establish ownership, accountability, approval processes, human oversight procedures, documentation standards, and reporting workflows. | AI governance requires coordinated operational controls across legal, security, engineering, compliance, IT, and product teams. |
Strengthen identity and access controls | Implement strong authentication, fine-grained authorization, least-privilege access, delegated permissions for AI agents, and scoped API access. | As AI systems access enterprise systems and sensitive data, identity becomes a foundational governance and security layer. |
Implement logging and monitoring | Capture AI actions, outputs, user approvals, access events, policy decisions, and security incidents. | Compliance increasingly depends on visibility, traceability, auditability, and operational accountability. |
Add human oversight for sensitive actions | Introduce approval workflows, step-up authentication, escalation paths, and risk-based intervention controls. | High-risk AI workflows may require meaningful human oversight and operational safeguards. |
Review third-party AI vendors | Evaluate vendor security posture, governance capabilities, transparency mechanisms, compliance readiness, and monitoring capabilities. | Organizations using third-party AI providers may still carry deployer obligations under the EU AI Act. |
Prepare for ongoing compliance | Continuously monitor evolving guidance, conformity assessments, industry standards, and regulatory updates. | AI governance is an ongoing operational discipline, not a one-time compliance project. |
Why identity is becoming central to AI compliance
While the EU AI Act does not explicitly require every identity and access management control, many of its core themes, including accountability, human oversight, traceability, and security, naturally push organizations toward stronger identity foundations. As AI agents and autonomous workflows gain access to enterprise systems, APIs, and sensitive data, organizations increasingly need visibility into which AI system performed an action, which user initiated or approved it, what permissions were granted, and what systems or data were accessed.
At the same time, agentic AI introduces new risks around tool and API invocation, delegated authority, autonomous workflows, and automated decision-making. As a result, authentication, authorization, delegated access controls, policy enforcement, and audit logging are becoming foundational controls for securing AI systems and supporting long-term AI governance.
How Descope helps organizations prepare for the EU AI Act
The EU AI Act emphasizes accountability, transparency, human oversight, security, auditability, and governance for AI systems. The Descope Agentic Identity Hub helps organizations operationalize many of these requirements through identity, access management, and workflow orchestration capabilities designed for modern AI applications and autonomous systems.
Agent directory
Through its Agentic Identity Hub, Descope provides a directory of agents hitting an organization’s APIs or MCP servers, as well as internal agents being used by the organization’s employees.
Each agent, whether autonomous or user-delegated, gets a dedicated OAuth Client ID, authorization records that bind the agent to specific principals (e.g. two users using the same agent for different tasks), a list of scopes and tools it has access to, and a complete annotated audit trail of actions the agent has performed.
This maps directly to the “Inventory AI systems and usage” best practice in the readiness checklist.
Auth and access control for AI agents
Descope enables organizations to define their MCP servers and APIs as OAuth-protected resource servers, define scopes these resources will expose, and securely grant scoped access to AI agents requesting access to these resources.
In practice, whether an organization is building MCP servers (external or internal-facing) or directly exposing their API endpoints to AI agents, they get:
Complete OAuth 2.1 and PKCE support
User auth and consent
Agent review flows to check IP reputation, geo, and other risk factors
Scope-based delegated access control
Short-lived credentials issued the moment the agent needs them
Policy-based governance
This directly maps to the “Strengthen identity and access controls” best practice in the readiness checklist through a dedicated identity provider for AI agents.
Human-in-the-loop
Descope supports the CIBA flow, enabling agents running sensitive workflows to ask human users for out-of-band approvals (e.g. email, phone notification). This ensures agents can start projects with minimum viable scopes and initiate step-up auth flows when they require elevated permissions.
This directly maps to the “Add human oversight for sensitive actions” best practice in the readiness checklist.
Policy-based governance
Using Descope, security teams can create granular authorization policies for AI agents accessing MCP servers, downstream services, or backend APIs. These policies run at the token boundary (i.e. whenever a token is created or exchanged) by taking context from the user, tenant, AI agent, MCP server, and downstream service to ensure least privilege, tightly scoped access.
This directly maps to the “Build AI governance policies” best practice in the readiness checklist.
Auditing and observability
Descope provides detailed audit logs that capture every agent registration, token issuance, policy decision, delegation chain, and credential access. These audit logs can be streamed to external SIEM solutions and provide a clear, step-wise paper trail for every action an agent takes, any sub-agents or delegation chaining involved, the principal on whose behalf the agent is operating (a user or the agent itself), and the policies under which it is governed.
This directly maps to the “Implement logging and monitoring” best practice in the readiness checklist.
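The token-boundary policy check and the audit record described in the two sections above, sketched as an added example that is not Descope's code or API. Every name, scope, and record field below is a hypothetical placeholder, and the grant table is constructed sample data.

```python
import json
import time

# Constructed sample data; all names are hypothetical, not a vendor API.
GRANTS = {  # (agent client ID, user) -> scopes that user delegated to the agent
    ("agent-123", "alice"): {"tickets:read", "tickets:write", "payments:refund"},
}
SENSITIVE = {"payments:refund"}  # scopes that need out-of-band human approval
TOKEN_TTL = 300                  # seconds; keeps issued credentials short-lived


def decide(req, approvals=None, now=None):
    """Evaluate one token request and return (outcome, audit_record).

    approvals maps a sensitive scope to the human who approved it out of band.
    """
    approvals = approvals or {}
    now = int(time.time()) if now is None else now
    requested = set(req["scopes"])
    granted = GRANTS.get((req["agent"], req["user"]), set())
    pending = sorted((requested & SENSITIVE) - set(approvals))

    if req["user_tenant"] != req["resource_tenant"]:
        outcome, reason = "deny", "tenant_mismatch"
    elif not requested <= granted:
        outcome, reason = "deny", "scope_not_granted"   # least privilege
    elif pending:
        outcome, reason = "step_up", "human_approval_required"
    else:
        outcome, reason = "allow", "policy_ok"
    issued = sorted(requested) if outcome == "allow" else []

    # One record per decision: which agent, for which principal, against
    # which resource, what was asked, what was issued, and who approved it.
    audit = {
        "ts": now, "agent": req["agent"], "principal": req["user"],
        "resource": req["resource"], "requested": sorted(requested),
        "issued": issued, "outcome": outcome, "reason": reason,
        "pending_approval": pending if outcome == "step_up" else [],
        "approved_by": {s: approvals[s] for s in issued if s in approvals},
        "expires_at": now + TOKEN_TTL if issued else None,
    }
    return outcome, audit


if __name__ == "__main__":
    base = {"agent": "agent-123", "user": "alice", "user_tenant": "t1",
            "resource": "mcp://tickets", "resource_tenant": "t1",
            "scopes": ["tickets:read"]}
    refund = dict(base, scopes=["tickets:read", "payments:refund"])
    for request, ok in [(base, None), (refund, None),
                        (refund, {"payments:refund": "alice"}),
                        (dict(base, resource_tenant="t2"), None)]:
        print(json.dumps(decide(request, ok)[1]))  # one JSON line per decision
```

Denied and step-up decisions are logged with the same fields as allowed ones, so the trail shows what an agent attempted as well as what it was given.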
Additional CIAM capabilities for long-term AI and identity maturity
Beyond direct EU AI Act requirements, many organizations are modernizing CIAM infrastructure to support future AI adoption, enterprise scalability, and evolving governance needs.
With Descope, teams can support long-term AI and identity maturity through:
Frictionless authentication experiences, including passkeys, OTP, magic links, social login, and passwordless authentication
Multi-tenancy and self-service enterprise SSO onboarding for B2B SaaS applications
Delegated admin management through embeddable UI widgets and a hosted admin portal
Adaptive MFA and risk-based authentication with integrations across fraud and security ecosystems
As AI governance requirements continue evolving, organizations increasingly need identity infrastructure designed for autonomous systems, AI-driven workflows, and centralized visibility across users, agents, APIs, and enterprise applications.
AI governance is becoming a business requirement
The EU AI Act marks a major shift toward accountable and regulated AI systems. While parts of the regulation are already taking effect, most major requirements for high-risk AI systems become enforceable in August 2026, with additional obligations continuing into 2027. Similar to GDPR, its influence is expected to extend far beyond Europe.
The regulation applies not only to AI providers, but also to organizations deploying third-party AI models, copilots, and AI agents inside their products and operations. Enforcement is expected to increase gradually through conformity assessments, self-auditing expectations, and growing scrutiny around governance, transparency, and oversight. Penalties can reach up to €35 million or 7% of global annual turnover for certain violations.
As AI becomes more embedded into enterprise workflows, organizations increasingly need visibility into where AI is being used, who has access to it, what actions it can perform, and how decisions are monitored and governed.
Identity is becoming foundational to responsible AI governance. Authentication, authorization, delegated access controls, policy enforcement, and audit logging are becoming essential for securing AI systems and autonomous agents at scale. As organizations prepare for evolving compliance requirements, now is the time to assess AI governance readiness and strengthen identity and access controls for AI systems.


