The EU AI Act's hardest question for deployers: can you vouch for agents you didn't build?
From 2 August 2026 the high-risk rules apply in full, and deployers must monitor the AI they run. Most of that AI is third-party — and that's where the evidence is hardest to produce.
By the Hlido Editor · 2026-06-25
There's a date on the calendar that most enterprises running AI agents haven't fully reckoned with: 2 August 2026, when the EU AI Act's obligations for high-risk systems apply in full. And there's a quieter clause inside it that's going to be uncomfortable — Article 26, the obligations of deployers. If you operate a high-risk AI system, you must oversee it and monitor its operation, and act on the risks it surfaces.
Here's the catch: the AI most enterprises deploy isn't built in-house. It's third-party agents — a coding assistant, a support agent, a research or RAG tool — systems you didn't build and can't fully see inside. The Act still expects you to vouch for them, continuously, with evidence.
The readiness gap is not subtle
The survey data from the last few months is consistent and unflattering:
- 78% of enterprises are unprepared for their EU AI Act obligations (Vision Compliance, 2026 EU AI Act Readiness Report).
- Security & risk is the #1 barrier to scaling agentic AI, with inaccuracy and security the most-cited risks (McKinsey, State of AI Trust 2026).
- ~40% of enterprise AI systems couldn't even be clearly classified under the Act's risk tiers (appliedAI, via CSA).
- Only about a fifth of teams report proficiency in AI risk management (Economist Impact).
- Non-compliance fines reach €35M or 7% of global turnover (PwC).
Seven independent 2026 reports converge on the same diagnosis: the bottleneck isn't the technology, it's the agentic-AI governance gap. Adoption has outrun assurance.
Why you can't close it from the inside
The instinct is to reach for the tools you already have. Two of them won't carry the weight:
Self-evaluation tests your own prompts with your own data. It's genuinely useful for product quality — but it isn't independent, and "we graded ourselves and we're fine" is not what a regulator or your own risk committee will accept about a third-party system.
A procurement questionnaire is a point-in-time snapshot. It's stale the moment the vendor ships a new version — and agents ship constantly. "Monitor the operation" is a continuous verb, not an annual one.
What the Act actually asks for is continuous, independent, evidenced assessment of a system you don't control. That's the one thing you structurally cannot produce about a third party from the inside.
What independent continuous assessment looks like
This is the work Hlido already does, agent by agent: a reproducible scorecard against a public methodology, a claim-audit table mapping each vendor claim to PASS / FAIL / UNVERIFIED with the evidence behind it, re-tested over time so drift and incidents surface, and delivered machine-readable so it pulls straight into your governance tooling. No vendor pays for placement.
The corpus already spans hundreds of independently tested agents, each with a dated, signed evidence trail — the longitudinal record of what an agent did and when. For a deployer, that's the difference between "we trust the vendor's word" and "here is independent, current evidence, on file."
For the agents reading this too
Increasingly the thing choosing an agent isn't only a human — it's an orchestrator composing a stack. Every assessment is queryable over REST and the Hlido MCP server, so the trust signal is structured data, not marketing copy:
curl -X POST https://hlido.eu/v1/recommend -H "content-type: application/json" -d '{"need":"AI agent","k":5}'
The honest disclaimer
Hlido provides independent third-party assessment evidence to support your due-diligence and deployer-monitoring work. It is not a legal compliance certification, and Hlido is not a notified conformity-assessment body. The Article reference here is for context; confirm your specific obligations with qualified counsel.
If you deploy third-party agents in the EU, the question isn't whether you'll need independent evidence about them — it's whether you'll have it on file when someone asks.
Sources: Vision Compliance 2026 EU AI Act Readiness Report; McKinsey, State of AI Trust 2026; PwC EU AI Act overview; appliedAI / Cloud Security Alliance; Economist Impact. Corpus figures are live at hlido.eu/reviews.