
EU AI Act

The AI Act is where AI-agent identity, biometric controls, and high-risk-system access become EU-supervised obligations — not just internal policy.

Full name: Regulation (EU) 2024/1689 — Artificial Intelligence Act
Region: European Union (extraterritorial)
Applies to: Providers, deployers, importers, and distributors of AI systems used in the EU, regardless of where they are established. Identity intersects most strongly with biometric categorisation, remote identification, agentic AI workflows, and high-risk-system access controls.

The EU AI Act entered into force on 1 August 2024, with phased obligations applying through 2025-2027. It is the world's first comprehensive AI regulation and uses risk-based tiers (prohibited / high-risk / limited / minimal). For identity programmes the Act creates new obligations in three areas: biometric identification and categorisation systems, the access-control regime around high-risk AI systems, and the governance of AI agents that act on behalf of users.

What it asks for

The Identity Lens

The clauses that bite when identity architecture is weak, rewritten in plain English. Authoritative text is linked below.

Article 5 — Prohibited AI practices (incl. biometric categorisation)

Real-time remote biometric identification in publicly accessible spaces is prohibited for law-enforcement except in narrow cases. Biometric categorisation on sensitive attributes (race, beliefs, sexual orientation) is prohibited. CIAM and workforce-identity programmes using biometrics need to confirm they sit outside the prohibition tier.

Articles 6-15 — High-risk AI systems

Annex III categories (incl. critical infrastructure, employment, essential services, law enforcement, migration, justice) trigger high-risk obligations: risk management, data governance, technical documentation, human oversight, accuracy, robustness, and access controls on the system itself. Identity is the access-control surface that proves compliance.

Article 14 — Human oversight

High-risk AI systems must be designed so that natural persons can effectively oversee them. For agentic workflows this means identity-aware decision points where a human can intervene, override, or terminate — and identity-rich audit logs that make the oversight defensible.

Articles 49-50 — AI-system register and transparency

Public registration and disclosure obligations for high-risk systems and certain limited-risk categories. The identity team is typically the holder of the deployment audit trail that proves what the system did, when, on whose behalf.

Where teams miss it

Common Misses

Patterns we see again and again — usually because the identity programme runs in parallel to the compliance programme rather than inside it.

Biometric authentication (Face ID, fingerprint) used for CIAM without confirming the biometric-categorisation prohibition does not apply to the implementation.

AI agents acting on behalf of users with no identity binding back to the human principal — making the human-oversight obligation impossible to evidence.

Audit logs for AI-system actions that capture the action but not the identity context (which user, which delegation, which scope) needed under Article 14.

High-risk-system access governed through a parallel access path that does not flow through the corporate identity programme, breaking the evidence chain.

What works

Where Design Pays Off

Patterns we have seen survive supervisory review, audit, and the next change.

Identity architecture for AI agents that names the human principal, the delegation scope, and the time-bound nature of the agent's authority — readable by Article 14 reviewers.

Biometric programmes documented against the AI Act prohibition tier in advance, with the rationale and the data-protection-by-design measures spelled out.

Audit trails for high-risk-system access that combine identity context with action records, retained for the periods the Act requires.
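The first and third patterns above, an agent bound to a named human principal with a scoped, time-bound delegation, and an audit record that carries that identity context next to the action, as an added illustration (not the page's or any product's code). The record format, identifiers and scope names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json

@dataclass(frozen=True)
class Delegation:
    """Binds an agent to its human principal (hypothetical record format)."""
    principal: str        # human the agent acts on behalf of
    agent: str            # the agent's own identity
    scopes: frozenset     # actions the agent may perform
    not_after: datetime   # time-bound authority ends here

def authorize_agent_action(d, action, now):
    """Return (allowed, reason); every refusal is explainable to a reviewer."""
    if not d.principal:
        return False, "no human principal bound to agent"
    if now >= d.not_after:
        return False, "delegation expired"
    if action not in d.scopes:
        return False, f"action '{action}' outside delegated scope"
    return True, "ok"

def audit_record(d, action, allowed, reason, now):
    """Action record carrying the identity context Article 14 oversight needs."""
    return {"ts": now.isoformat(), "actor": d.agent, "on_behalf_of": d.principal,
            "delegation_scope": sorted(d.scopes),
            "delegation_not_after": d.not_after.isoformat(),
            "action": action, "allowed": allowed, "reason": reason}

def decide_and_log(d, action, now, log):
    """Decision and audit entry are produced together, never separately."""
    allowed, reason = authorize_agent_action(d, action, now)
    log.append(json.dumps(audit_record(d, action, allowed, reason, now)))
    return allowed, reason

def demo():
    """Constructed scenario: one permitted call, one out of scope, one expired."""
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    d = Delegation("alice@example.com", "agent-7", frozenset({"read:ticket"}),
                   t0 + timedelta(hours=1))
    log = []
    calls = [("read:ticket", t0), ("close:ticket", t0),
             ("read:ticket", t0 + timedelta(hours=2))]
    results = [decide_and_log(d, a, t, log) for a, t in calls]
    return results, log

if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Each log line names the human principal, the delegation scope and its expiry alongside the action and the decision, so a reviewer can reconstruct on whose behalf the agent acted and why it was allowed or refused.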

Need an EU AI Act-ready identity baseline?

We start with an assessment that maps your identity controls to EU AI Act requirements, then design and operate the gaps.

Book a Conversation