I’m Violeta Klein.
AI agents are already running in your enterprise. Selecting their own tools. Chaining their own actions. Making decisions that affect people in domains the EU AI Act classifies as high-risk. Most organizations don’t know how many agents they have, who deployed them, or what data they touch.
The EU AI Act requires a documented risk determination before any AI system is put into service. For agents that were never inventoried, that obligation is already breached. But the regulatory gap is only the first layer.
The deeper problem is structural. The regulation’s compliance architecture — classification, documentation, conformity assessment, post-market monitoring — assumes a system’s behavior can be described before it runs. Agentic AI breaks that assumption at runtime. The governance infrastructure has not caught up.
I find the convergence point where cybersecurity exposure meets regulatory liability. Where the same agent creates a privilege escalation your security team flags, a classification failure your compliance team missed, and a data protection breach your legal team hasn’t scoped. Three teams. One agent. No single function with the complete picture.
I also find the structural failures expensive compliance programs miss — where certification doesn’t align with what the regulation requires, where deployers inherit provider obligations they never anticipated, and where geography is not the shield organizations assume it is.
ISO/IEC 42001 & 27001 Lead Auditor. CISSP. CEFA. Former European Patent Office Examiner. I’ve been on both sides of the conformity assessment table — and the gap between what auditors check and what regulators ask is where compliance programs fail.
This newsletter is for leaders who need to make decisions about AI governance — not delegate them to consultants who won’t be in the room when the regulator arrives.
No legal advice. No consulting. Methodology you own.
Mondays. 8:00 AM EET.
