Why your agentic stack is one high-risk system

This is part of the Agentic AI element of the GovCompass-7.

The architecture instinct that fails

When a team designs an agentic system, the natural move is decomposition. One agent retrieves data, another reasons over it, a third drafts an action, an orchestratororchestratorThe agent that coordinates other agents and tools toward a combined goal. It is the integration point where stack-level accountability and classification sit.Open full entry → coordinates them, and a final agent executes. Each component looks narrow. Each, taken alone, seems to do something procedural and low-stakes. The tempting conclusion is that no single component is high-risk, so the system as a whole escapes the high-risk regime.

The Commission's draft guidelines close that door. They state that where multiple AI systems form part of a more complex system whose combined purpose or joint outputs materially influence a decision, the combined configuration is treated as a single AI systemAI systemA machine-based system that, for explicit or implicit objectives, infers from input how to generate outputs — predictions, content, recommendations or decisions — that can influence physical or virtual environments. The OECD-style definition followed by the EU AI Act.Open full entry → for classification purposes. Split architectures are assessed as a whole, precisely to prevent classification being circumvented by design. The guidelines extend this explicitly to interconnected and agentic systems coordinating linked actions where those actions serve a high-risk purpose.

What this means in practice

The practical implication is direct. If your agentic stackagentic stackThe orchestrator, sub-agents, and tools that together perform an autonomous workflow. Under the EU AI Act it is classified and governed as one system, not as separate parts.Open full entry →, taken end to end, materially influences a decision that falls within one of the Annex IIIAnnex IIIThe EU AI Act's list of high-risk use-case areas — biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice.Open full entry → high-risk areas, employment, credit, essential services, education, biometrics, critical infrastructure, migration, or law enforcement, then the entire stack is high-risk. The narrow scope of any individual agent does not save it. Even a component performing only a preparatory or procedural task may be classified as high-risk where, as part of an agentic system, it contributes to outputs that materially influence an Annex III use case.

This means the obligations attach to the stack as a whole: a risk management system under Article 9, data governance under Article 10, technical documentation under Article 11, record-keeping under Article 12, transparencytransparencyOpenness about the fact that AI is used and how it operates in general: disclosures, documentation, notices. Pairs with explainability, which addresses individual outcomes.Open full entry → under Article 13, human oversighthuman oversightDesigned-in human ability to monitor, intervene in, override or shut down an AI system — meaningful only when the human has authority, information and time to act.Open full entry → under Article 14, accuracy and robustnessrobustnessA system's ability to perform reliably under realistic conditions including noise, edge cases and adversarial pressure — the engineering core of the safety-and-reliability principle.Open full entry → under Article 15, and a conformity assessmentconformity assessmentThe pre-market process demonstrating a high-risk AI system meets the EU AI Act's requirements, leading to CE marking and registration.Open full entry → before the system is placed on the market or put into service.

The classification has to be done at the stack level

For an AI Officer, the consequence is a change in how classification is performed. You cannot classify agent by agent and sum the results. You have to identify the stack, define its combined intended purpose, and classify the whole against Annex III. If the combined output materially influences a high-risk decision, the stack is in scope, and every agent within it inherits the obligations that follow.

This also means your AI inventoryAI inventoryA register of all AI systems an organization builds, buys or embeds, with owners and risk tiers — the prerequisite for governing any of them.Open full entry → needs to record agentic stacks as units, not just individual models. An inventory that lists five "low-risk" agents and misses that together they form one high-risk hiring system is an inventory that has misclassified its single most significant exposure.

Timing

The draft guidelines remain in consultation until 23 July 2026 and are non-binding, with authoritative interpretation ultimately resting with the Court of Justice of the European Union. The high-risk obligation dates have shifted under the AI Omnibus, with rules for designated high-risk areas now expected to apply from December 2027 and product-embedded systems from August 2028. That extension is not a reason to wait. Classifying an agentic stack, building its technical documentation, and preparing a conformity assessment is eighteen months of work for a complex deployment, and the interpretive position the guidelines set out is the baseline regulators will use. Capture the classification now, document it against the draft guidelines, and refine at final adoption.

The practical step

Take each agentic deployment in your inventory. Draw the stack boundary: every agent, orchestrator, and tool that contributes to a single combined purpose. Define that combined purpose in the language of Annex III. Classify the whole. Where the stack is high-risk, the obligations are the standard Chapter III obligations, and they are owned at the stack level, with a single accountable party for the whole, not distributed across the agents in a way that leaves the integration ungoverned.