EU AI Act: Pre-Market Rules Don't Fit Runtime AI Agents (www.europeanlawblog.eu)

Legal scholar introduces "Agentic Tool Sovereignty" (ATS) to describe a growing gap between the EU AI Act’s static, pre‑market compliance model and modern AI agents that autonomously invoke third‑party tools at runtime. The piece argues that the Act—built on assumptions of fixed configurations, foreseen data flows and contractual relationships—cannot account for agents that dynamically select APIs, search services or other AI systems hosted across jurisdictions. That mismatch creates ambiguous jurisdictional exposure, breaks post‑market monitoring and logging obligations (Article 72(2)), complicates the “substantial modification” test (Art. 3(23) / Art. 25(1)), and undermines required written agreements with suppliers (Art. 25(4)). Regulators are already signaling consequences: recent GDPR fines (OpenAI €15m, Replika €5m) and forecasts (Gartner: 40% of AI breaches via cross‑border misuse by 2027) show the stakes. Technically and operationally, ATS centers on three tensions: agents pick tools from constantly updating registries so tool jurisdiction is unknown until runtime; responsibility fragments across model providers, system integrators, deployers and tool vendors; and providers lack mechanisms to compel disclosure, routing controls or audit access from ephemeral tool suppliers (Recital 88 offers only encouragement). The result is an “accountability vacuum”: neither conformity assessments nor post‑market duties can reliably track or constrain cross‑border data transfers under GDPR Chapter V or the AI Act, leaving legal responsibility and enforceability unresolved for agentic behaviors.