Skip to main content
I_AM Fabio
EU AI Act Compliance: Addressing the Identity Layer
  1. Blog/

EU AI Act Compliance: Addressing the Identity Layer

·4544 words·22 mins·
Okta EU AI Act AI Artificial Intelligence AI Agents Compliance IAM Identity Governance Cybersecurity ISPM ITP Regulation NIS2 DORA NIST Non-Human Identity O4AA
Fabio Grasso
Author
Fabio Grasso
Solutions Engineer specializing in Identity & Access Management (IAM) and cybersecurity.
Table of Contents
O4AA - Okta for AI Agents - This article is part of a series.
Part 1: Securing AI: Okta's Blueprint for the Secure Agentic Enterprise
Part 2: Okta for AI Agents: Access Patterns
Part 3: Okta for AI Agents: Access Patterns Deep Dive
Part 4: This Article
Part 5: Times Square and AI in Cafés: What I Learned in New York

Introduction
#

A few weeks ago, my friend Matteo Bisi published an excellent post titled "August 2026 Countdown: K8s & AI Compliance" exploring how Kubernetes teams can prepare for EU AI Act enforcement through platform-level automation. Admission controllers, sidecar watermarking, AI-BOMs — the infrastructure angle is real and important.

Reading it, I found myself thinking: infrastructure is necessary, but not sufficient. Every AI agent that runs in a pod, calls an API, or makes a decision on behalf of a user is also an Identity. And identity governance — who the agent is, what it can access, who is accountable for it, and whether its behavior can be traced and overridden — is the compliance dimension that infrastructure tooling alone cannot cover.

That is the perspective I want to bring in this article, the fourth in the O4AA — Okta for AI Agents series:

  • In Part 1 we mapped the Agentic Enterprise Blueprint: why AI agents need to be treated as first-class identities, and what shadow AI costs organizations that do not.
  • In Part 2 we introduced the four access patterns that govern how agents authenticate to enterprise resources, going deep into each protocol details with Part 3.
  • Here, in Part 4, we map the EU AI Act — and its NIST and NIS2/DORA counterparts — article by article to Okta’s capabilities, showing how O4AA turns regulatory requirements into operational controls.

The European Union Artificial Intelligence Act1, which entered into force in August 2024 and reaches full applicability by August 2026, represents the world’s first broad, horizontal AI regulation. For organizations deploying AI agents, it creates specific compliance obligations that converge directly on identity and access management.

Disclaimer — Not Legal Advice

The regulatory mappings and compliance interpretations in this article reflect my personal reading of the relevant texts and publicly available guidance. I am not a lawyer. Nothing here constitutes legal advice. Always consult qualified legal counsel before making compliance decisions for your organization.

Additionally, some Okta capabilities referenced are in Early Access or on the product roadmap. Standards like ID-JAG/XAA are actively evolving, and Okta (like all vendors) is updating its AI-related features on a rapid cadence. Verify current availability with your Okta account team before planning production deployments.

The EU AI Act: A Risk-Based Framework
#

The EU AI Act takes a risk-based approach, categorizing AI systems into four tiers:

  1. 🚫 Unacceptable Risk: AI systems that threaten safety, livelihoods, or rights (e.g., social scoring, real-time biometric identification in public spaces) are prohibited
  2. ⚠️ High-Risk AI: Systems affecting critical infrastructure, employment, essential services, law enforcement, or democratic processes face strict requirements including:
    • 🔁 Risk management systems
    • 🗄️ Data governance and quality requirements
    • 📄 Technical documentation
    • 🔍 Record-keeping and traceability
    • 👁️ Transparency obligations
    • 🧑‍💼 Human oversight mechanisms
    • 🛡️ Accuracy, robustness, and cybersecurity requirements
  3. 💬 Limited Risk: AI systems with transparency obligations (e.g., chatbots must disclose they are AI)
  4. Minimal Risk: AI with no restrictions (e.g., spam filters)
Who is subject to the EU AI Act

The regulation applies to three main roles:

  • Provider (Art. 3(3)): anyone who develops or has developed an AI system and places it on the market or puts it into service under their own name or brand
  • Deployer (Art. 3(4)): anyone who uses an AI system under their authority in the course of a professional activity
  • Product Manufacturer (Art. 3(5)): anyone who manufactures a product that incorporates or is equipped with an AI system, and places it on the market under their own name or brand

For most enterprise organizations deploying AI agents, the relevant role is that of deployer. However, if an organization substantially modifies an existing AI system or redeploys it under its own brand, Art. 25 provides that it assumes the responsibilities of the provider, with all associated obligations.

Key Deadlines
#

The regulation’s applicability is phased. Organizations should not treat august 2026 as a distant horizon — several obligations are already in force:

Date What applies
August 1, 2024 Regulation enters into force
February 2, 2025 Chapter II – Prohibited AI practices apply
August 2, 2025 Chapters V & VI – GPAI model obligations, governance structures, notified bodies
August 2, 2026 Full application: high-risk AI systems, all deployer and provider obligations
August 2, 2027 Annex I/II high-risk AI (embedded in regulated products such as medical devices or vehicles) already on market before Aug 2026; Annex III systems (HR, credit, education) apply only upon any significant modification — no fixed 2027 cut-off for these

For most enterprise AI agents — those used in HR, customer service, credit scoring, fraud detection, or security monitoring — the critical deadline is August 2, 2027 for systems already deployed, and August 2, 2026 for new deployments. Neither horizon is distant.

Note

The EU AI Act is not alone. Multiple jurisdictions are moving in parallel: GDPR, SOX, CCPA, NIS2, and DORA are already enforceable. The Colorado AI Act takes effect on June 30, 2026, becoming the first US state-level law imposing developer and deployer obligations for high-risk AI systems. Organizations operating globally face a wave of overlapping deadlines, not a single one.

Warning

Potential timeline shift: On November 19, 2025, the European Commission proposed, as part of the Digital Omnibus package, to link the applicability of high-risk AI system requirements to the availability of harmonised standards and implementation guidelines. If adopted by the co-legislators, the August 2026 deadline for high-risk AI could shift. Monitor the EU AI Act FAQ for updates — but do not let this uncertainty delay governance work. The underlying compliance obligations remain, and identity architecture built now will serve the final regulation regardless of timing.

Penalty Tiers
#

Non-compliance carries tiered financial penalties based on the severity of the violation:

Violation type Maximum fine
Prohibited practices (unacceptable risk) €35 million or 7% of global annual turnover
High-risk AI systems / GPAI systemic risk €15 million or 3% of global annual turnover
Providing incorrect or misleading information €7.5 million or 1.5% of global annual turnover

For SMEs and startups, the percentage cap typically applies.

The regulation imposes fines up to €35 million or 7% of global annual turnover for the most severe violations. The board-level implication is clear: AI identity governance is a financial risk, not just a technical concern1.

Why AI Agents Trigger Compliance Obligations
#

Enterprise AI agents often fall into high-risk or limited risk categories, triggering substantial compliance obligations. Key requirements directly intersect with identity management:

  • Traceability: Organizations must maintain complete audit logs of AI system decisions and actions. Identity governance is a critical enabler — but not the only layer required: application-level logging, SIEM pipelines, and system tracing all contribute alongside it. This is precisely why protocols like XAA/ID-JAG embed a transaction ID in every token alongside agent and user identity, enabling cross-system log correlation.
  • Human Oversight: High-risk systems require “human-in-the-loop” or “human-on-the-loop” oversight, demanding mechanisms to pause, override, or revoke agent actions
  • Accountability: Organizations must demonstrate who authorized each agent, what data it accessed, and what actions it performed
  • Transparency: Users must know when they interact with AI systems, requiring clear agent identification

Examples of enterprise AI agents that trigger obligations:

Category Example Classification Reference
Employment & HR management Systems that screen CVs, evaluate candidates, or determine employment terms ⚠️ High risk Annex III §4
Access to essential services Credit scoring, mortgage granting, insurance assessment systems ⚠️ High risk Annex III §5
Safety of critical infrastructure AI agents managing critical components of energy, water, or transport networks ⚠️ High risk Annex III §2
Law enforcement Systems assessing recidivism risk or profiling for public security purposes ⚠️ High risk Annex III §6
Chatbots and conversational agents AI assistants interacting with users 💬 Limited risk Art. 52
Chatbots impersonating humans (Art. 5(1)(a)) Agents designed to make the user believe they are interacting with a real person 🚫 Prohibited Art. 5(1)(a)
Emotion inference on employees (Art. 5(1)(f)) Systems that detect or infer emotions in workplace or educational environments 🚫 Prohibited Art. 5(1)(f)
Note

Even if Financial fraud detection is excluded from the EU AI Act high-risk obligations, a robust identity governance architecture is still recommended for these systems. The compliance requirements of other regulations (GDPR, PCI-DSS, SOX) and the need for traceability, accountability, and human oversight remain critical for any AI system that interacts with sensitive data or makes impactful decisions.

The Attribution Gap
#

Before diving into the regulatory details, it helps to name the underlying problem precisely. Okta’s own research team calls it the Attribution Gap2: the inability to trace an AI agent’s actions back to an authorized human decision-maker.

The Agent Accountability Gap: what agents execute vs. what you must demonstrate to regulators — a compliance matrix across EU AI Act, GDPR, SOX, SEC, CCPA, NIS2, DORA, and Colorado AI Act

When an AI agent approves a loan, generates legal advice, or modifies access permissions, the organization deploying it must be able to answer five questions:

  1. Which agent performed the action?
  2. What permissions did it have at that moment?
  3. Who authorized those permissions, and when?
  4. What data did it access?
  5. Where is the immutable record of all of the above?

If any of these questions cannot be answered, the organization has an attribution gap — and regulators are not the only ones asking. Courts are already establishing liability regardless of whether a formal compliance framework was violated, as seen in the Air Canada chatbot case3, Italy’s Replika fine4, Garcia v. Character Technologies5, and Nippon Life v. OpenAI6.

The pattern across all four cases is the same: when something goes wrong, regulators and courts ask who was responsible, and organizations without a clear chain of authorization cannot answer. That is the compliance gap Identity Governance must close.

Article-by-Article Compliance Mapping
#

The following sections map each identity-relevant EU AI Act obligation to the O4AA blueprint and the specific Okta capabilities that address it.

Disclaimer on regulatory mappings

The mappings below are interpretative and not officially validated by regulatory authorities. Identity addresses critical compliance dimensions, but does not cover all EU AI Act requirements on its own. Obligations related to AI model logging, training dataset governance, decision logic documentation, and conformity assessments require additional tooling beyond IAM — such as model registries and comprehensive SIEM pipelines.

Traceability (Article 12)
#

Requirement: Organizations must maintain logs enabling reconstruction of AI system behavior and decisions.

Blueprint reference:

  • Audit logs and telemetry — every agent action must produce a tamper-proof record forwarded to a central SIEM.
  • Agent lifecycle management — every agent must be a distinct identity with an associated human owner, so logs can attribute actions to authorized humans.
  • Agent Integration (MCP Server, SaaS Services, Agent-to-Agent Connections, Service Accounts, Valuted Credentials) — all access patterns must be logged with agent-specific identifiers, never generic service accounts.

Okta Solution:

  • Cross-App Access (XAA), thanks to the ID-JAG token, embeds both the authorizing user and the agent identity within the token context — making every action attributable to a specific human-agent pair. It also allows custom risk signals to be injected into the log stream, enriching the traceability data with context like risk scores or external threat intelligence indicators
  • Universal Directory ensures that every agent is a distinct identity with mandatory owner attributes, so logs can always attribute actions to a named human sponsor. O4AA agent identity model ensures every log entry is attributed to a named, non-human principal — never a shared account
  • Change history tracks every modification to agent policies or credentials
  • System Log provides a complete audit trail of agent registration, authentication, access, and deactivation events. Logs capture which resource each agent reached, what action was performed, and the exact timestamp, with a transaction reference that will help correlate with downstream application logs.
  • Native integration with SIEM platforms (like Splunk, or Datadog) for long-term retention and cross-system correlation
Technical note — Art. 12: logging capability vs. retention period

Art. 12(1) requires that high-risk AI systems have the technical capability to automatically generate logs throughout the system’s lifetime. This concerns the logging architecture, not the minimum retention period.

Minimum retention requirements are defined separately:

  • Art. 19 (providers): at least 6 months from the system’s entry into service
  • Art. 26(6) (deployers): at least 6 months from the logged action

Sector-specific regulations (DORA, NIS2, GDPR, PCI-DSS) or contractual requirements may impose longer periods. Okta’s System Log and SIEM integrations satisfy the technical requirement of Art. 12; the retention policy in the SIEM must be configured based on your organization’s applicable obligations.

Human Oversight (Article 14)
#

Requirement: High-risk AI systems must enable human intervention, oversight, or deactivation.

Blueprint reference:

  • Human-in-the-loop — approval gates that pause agent operations pending human decision
  • Kill switch — immediate, global revocation of agent access
  • Agent lifecycle management — human sponsorship and periodic review of every agent ensures ongoing oversight

Okta Solution:

  • Universal Logout: single-action revocation terminates all active sessions and tokens for a given agent instantly, satisfying the “ability to deactivate” requirement
  • Lifecycle Management (LCM): can deactivate or suspend agents based on lifecycle events, risk signals, or manual triggers from a human sponsor
  • Identity Governance (OIG) — Access Requests: human approval workflows gate agent creation and any expansion of permissions; no agent gains access without a named human sponsor signing off
  • Identity Governance (OIG) — Certification Campaigns: scheduled or event-triggered reviews require human attestation that each agent’s access remains appropriate; non-attested agents are automatically deprovisioned
  • MFA step-up (CIBA) for sensitive agent operations adds a human verification checkpoint at runtime

Accountability & Governance (Article 17)
#

Requirement: Assign responsibility for AI system compliance and operation.

Blueprint reference:

  • Agent lifecycle management — governed onboarding, review, and retirement of every agent
  • AI agent risk detection — continuous assessment of agent privilege and behaviour risk
  • Browser based detection - visibility for shadow AI agents that bypass identity controls, with workflows to bring them into compliance

Okta Solution:

  • Universal Directory (UD): agents are provisioned as distinct identity types with mandatory owner attributes, ensuring accountability is built into the identity model. Every agent registered in Okta must have a named human owner — accountability is structural, not optional
  • Lifecycle Management (LCM): automated workflows — from creation to modification (change history tracked) to deactivation (automatic on lifecycle events or manual by owner)
  • Identity Governance (OIG) — Access Requests: documented approval chain for agent provisioning creates an auditable record of who authorized what, and when
  • Identity Governance (OIG) — Certification Campaigns: periodic human review enforces lifecycle discipline; agents that are no longer needed are deprovisioned on a regular cadence
  • Privileged Access (OPA): Service Accounts credentials are vaulted and rotated, eliminating the risk of orphaned or misused secrets that could lead to unaccountable agent actions
  • Identity Security Posture Management (ISPM): continuous scanning of the identity layer detects over-privileged agents, dormant credentials, and policy violations that could indicate a drift from the intended governance model - ISPM risk scoring surfaces agents accumulating excessive permissions for immediate remediation

Cybersecurity Requirements (Annex IV)
#

Requirement: AI systems must be resilient to attacks, adversarial manipulation, and unauthorized access.

Blueprint reference:

  • Runtime enforcement — scope and policy enforcement at the moment of execution
  • AI agent risk detection — real-time anomaly and threat signals
  • Agent Integration (MCP Server, SaaS Services, Agent-to-Agent Connections) — secure authentication and least-privilege access patterns
  • Service Accounts and Valuted Credentials — secrets managed outside the agent, never embedded
  • Kill Switch — immediate revocation of agent access

Okta Solution:

  • Privileged Access (OPA): credential vaulting eliminates static secrets embedded in agent code; automated rotation minimises the exposure window for any credential
  • API Access Management: OAuth 2.0 scopes enforce least-privilege at the API gateway — an agent can only call what its token explicitly permits
  • Identity Security Posture Management (ISPM): continuous scanning of the identity layer detects misconfigurations, over-privileged agents, dormant credentials, and drift from policy baselines
  • Identity Threat Protection (ITP): real-time behavioural analytics detect anomalous agent activity (unusual data volumes, off-hours access, lateral movement) and can trigger automated remediation or Universal Logout
  • MFA on agent credential issuance adds an additional authentication layer for privileged operations

Risk Management (Article 9)
#

Requirement: Establish and maintain a risk management system throughout the AI system lifecycle.

Blueprint reference:

  • AI agent risk detection — inventory and risk-score every agent
  • Runtime enforcement — apply risk-based controls dynamically

Okta Solution:

  • ISPM posture analysis produces a continuous risk inventory: which agents exist, what they can access, and where policy violations exist
  • ITP risk signals feed dynamic risk scoring — privilege level, access frequency, data sensitivity, and behavioural anomalies all contribute to a per-agent risk score
  • O4AA risk signals pipeline aggregates inputs from ISPM, ITP, and external threat intelligence into a unified view of agent risk
  • Governance workflows in OIG translate risk scores into automated actions: flag for review, trigger certification, or initiate deprovisioning
  • Continuous monitoring and alerting close the loop between detection and response across the agent lifecycle

Data Governance (Article 10)
#

Requirement: Implement data governance practices covering which data AI systems can access and how it is processed.

Blueprint reference:

  • Vaulted credentials — agents never hold persistent data access credentials
  • Runtime enforcement — data permissions enforced at call time, not embedded in the agent

Okta Solution:

  • API Access Management: scope-based OAuth 2.0 tokens restrict each agent to the exact data endpoints it is authorised to call — no implicit or inherited access
  • Fine-grained authorization (FGA): relationship-based access control enforces data access at the object level, ensuring agents can only read or write records they are explicitly permitted to touch
  • Privileged Access (OPA): data store credentials (database passwords, API keys) are vaulted and injected at runtime — agents never have standing access to sensitive data
  • System Log produces a complete record of every data access event by every agent, meeting the documentation requirements of Article 10 for training, validation, and production datasets

NIST AI RMF Alignment
#

For organizations that operate globally — or that already follow NIST frameworks for cybersecurity or software development — the NIST AI Risk Management Framework (AI RMF 1.0)7, published in January 2023, provides a voluntary but widely adopted companion to the EU AI Act’s mandatory requirements.

The AI RMF is organized around four core functions:

NIST AI RMF Function Purpose Okta O4AA Capability
GOVERN Establish accountability, culture, and policies for responsible AI OIG ownership attribution, approval workflows, lifecycle governance
MAP Identify and categorize AI risks in context Shadow AI Discovery, ISPM posture analysis, agent inventory
MEASURE Quantify, analyze, and track AI risks Risk scoring, ITP behavioral analytics, audit log metrics
MANAGE Respond to, mitigate, and monitor AI risks Universal Logout, certification campaigns, credential rotation

Although the NIST AI RMF is a US framework and voluntary in nature, it is increasingly referenced by EU regulators and auditors as a recognized best practice methodology. It also aligns structurally with EU AI Act Article 9 (risk management systems), providing a useful bridge for multinational organizations that must satisfy both frameworks.

Complementary references:

  • NIST SP 800-218A — Secure Software Development Practices for Generative AI and Dual-Use Foundation Models8
  • NIST AI RMF Playbook — Practical implementation guidance mapped to each core function

Regulatory Convergence: NIS2 and DORA
#

The EU AI Act does not operate in isolation. Organizations in regulated sectors face stacked obligations: EU AI Act compliance intersects with NIS2 and DORA in ways that share a common denominator — identity governance.

NIS2 (Directive 2022/2555)
#

The NIS2 Directive applies to essential and important entities across critical sectors: energy, finance, health, transport, digital infrastructure, and public administration. AI agents operating in these sectors trigger NIS2 obligations that are inseparable from identity:

  • Article 21 — Mandatory risk management measures including access control, authentication, and asset management for all ICT systems
  • Supply chain security — Organizations must govern third-party AI components and the identities they carry
  • Incident reporting — Significant incidents must be reported within 24 hours (early warning) and 72 hours (full report); an AI agent malfunction can qualify if it causes a security breach or significant disruption to services — though NIS2 does not reference AI explicitly, and not every agent malfunction meets the reporting threshold

Identity intersection: An AI agent that bypasses MFA, acts outside its authorized scope, or cannot be traced in an audit log is a NIS2 compliance failure, not just a security incident.

DORA (Regulation 2022/2554)
#

The Digital Operational Resilience Act applies to financial entities — banks, insurers, payment institutions, crypto-asset service providers, and their critical ICT third-party providers. AI agents in FinTech and FinServ must meet:

  • Article 9 — Information security requirements including identity and access management, strong authentication, and privileged access controls
  • Article 28 — Third-party ICT risk management: documented access governance, audit rights, and contractual oversight for any AI provider with access to financial systems
  • Resilience testing — DORA requires regular testing of ICT systems, including AI agent behaviors under stress or adversarial conditions

Identity intersection: DORA’s requirements for documented access control, immutable audit trails, and contractual accountability for third-party access map directly to what O4AA provides through OIG, System Log, and API Access Management.

A coordinated investment in O4AA-based AI identity governance addresses the shared identity-layer requirements across EU AI Act, NIS2, and DORA — reducing duplication and avoiding siloed compliance initiatives. Identity governance is a necessary component across all three frameworks; it does not replace the organisational governance, process documentation, and additional technical controls that each regulation also requires.

GDPR and Data Processed by Agents
#

AI agents that process personal data trigger GDPR obligations independently of their AI Act classification — making it the one framework every agent, at any risk level, must verify compliance with:

  • Lawfulness of processing: every agent action on personal data must have a legal basis
  • Data minimization: agents must access only the data strictly necessary for the task — O4AA’s least-privilege principle is directly aligned with this obligation
  • Data subject rights: the organization must be able to respond to access, rectification, and erasure requests even for data processed by AI systems — which requires the traceability that O4AA provides

Implementation Roadmap for EU AI Act Compliance
#

You don’t have to wait until August 2026 to start closing the attribution gap. The compliance requirements outlined above are not just future obligations — they are current best practices for responsible AI deployment. Organizations that delay risk falling into the “shadow AI” trap, where agents proliferate without governance, creating a ticking time bomb of non-compliance.

  1. Discovery & AssessmentEstablish baseline visibility and identify compliance gaps

    • Enable Shadow AI Discovery to catalog all AI agents
    • Assess each agent against EU AI Act risk categories
    • Identify high-risk agents requiring immediate governance
    • Document current audit and logging capabilities
    Okta Tools

    Shadow AI Agent Discovery, ISPM, Universal Directory

  2. Governance & AccountabilityEstablish ownership and oversight mechanisms

    • Assign human sponsors to all AI agents
    • Implement OIG Access Request workflows for agent creation and any permission expansion
    • Launch OIG Certification Campaigns for existing agents to attest or deprovision
    • Establish Universal Logout procedures
    Okta Tools

    OIG, Workflows, Universal Directory, Universal Logout

  3. Runtime Controls & MonitoringEnforce least-privilege and enable real-time oversight

    • Implement scope-based API Access Management with XAA / ID-JAG
    • Deploy ITP for behavioral analytics and anomaly detection
    • Configure SIEM integration for audit log retention
    • Establish alerting for policy violations
    Okta Tools

    XAA, API Access Management, ITP, ISPM, System Log

  4. Continuous ComplianceMaintain posture and adapt to regulatory updates

    • Schedule regular OIG Certification Campaigns to catch drift
    • Monitor ISPM dashboards for over-privileged agents and dormant credentials
    • Conduct periodic compliance audits
    • Update policies based on regulatory guidance
    Okta Tools

    OIG, ISPM, Workflows

---
config:
  theme: 'base'
---
timeline
    title EU AI Act Compliance Roadmap — Identity Layer
    Phase 1 · Discovery : Shadow AI Discovery : ISPM posture scan : Agent inventory
    Phase 2 · Governance : OIG Access Requests : Certification Campaigns : Universal Logout
    Phase 3 · Runtime : XAA / ID-JAG : API Access Management : ITP + SIEM
    Phase 4 · Continuous : Scheduled certifications : ISPM drift monitoring : Policy updates

Conclusions
#

What Matteo’s article and this one share — despite their different angles — is the same underlying message: compliance doesn’t happen by accident. It requires deliberate architecture, and for AI agents that architecture starts with Identity.

The EU AI Act creates clear obligations, but organizations in regulated sectors face more than one framework. A bank deploying an AI agent for credit risk is simultaneously subject to EU AI Act (if high-risk), NIS2 (as a financial entity managing ICT risk), and DORA (for ICT resilience and third-party oversight). The identity requirements embedded in each regulation overlap significantly. Solving them once — at the identity layer — is more efficient and more durable than addressing each regulation in isolation.

Okta’s O4AA — Agentic Enterprise Blueprint provides that unified foundation:

  • Comprehensive traceability via audit logs and SIEM integration (EU AI Act Art. 12, NIS2 Art. 21, DORA Art. 9)
  • Human oversight through approval workflows and Universal Logout (EU AI Act Art. 14, NIST MANAGE)
  • Clear accountability with mandatory ownership attribution (EU AI Act Art. 17, DORA Art. 28, NIST GOVERN)
  • Cybersecurity resilience through ISPM, ITP, and credential management (EU AI Act Annex IV, NIS2/DORA Art. 9)

The August 2026 deadline is not far. For organizations still in the shadow AI phase — where agents are deployed without governance — the gap between current state and compliance readiness is significant. The frameworks covered here (EU AI Act, NIST AI RMF, NIS2, DORA) are not bureaucratic overhead. They are a blueprint for the kind of AI deployment that organizations, regulators, and end users can actually trust.

What’s your organization’s compliance posture today? Are you ahead of the curve — or still mapping which agents you even have? 👇

✋ Next Steps
#

Learn More
#

💬 Join the Conversation
#

How is your organization preparing for EU AI Act compliance? What challenges are you facing with AI agent governance?

Share your experience in the comments below or connect with me on LinkedIn to continue the discussion.

  1. Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act), Official Journal of the European Union, August 2024 ↩︎ ↩︎

  2. The Attribution Gap: AI Regulation, Okta Blog — defining the compliance exposure created when AI agent actions cannot be traced to authorized human decision-makers ↩︎

  3. Air Canada Ordered to Pay After Chatbot Gave Wrong Information About Bereavement Fares, CBC News, February 2024 ↩︎

  4. AI: Italian Supervisory Authority Fines Company Behind Chatbot Replika, European Data Protection Board, 2025 ↩︎

  5. Character AI Lawsuit: Garcia v. Character Technologies, Darrow AI Legal Resources ↩︎

  6. Lawsuit Alleges AI Chatbot Engages in Unauthorized Practice of Law, National Law Review ↩︎

  7. NIST AI Risk Management Framework (AI RMF 1.0), National Institute of Standards and Technology, January 2023 ↩︎

  8. NIST SP 800-218A: Secure Software Development Practices for Generative AI and Dual-Use Foundation Models, National Institute of Standards and Technology, 2024 ↩︎

O4AA - Okta for AI Agents - This article is part of a series.
Part 1: Securing AI: Okta's Blueprint for the Secure Agentic Enterprise
Part 2: Okta for AI Agents: Access Patterns
Part 3: Okta for AI Agents: Access Patterns Deep Dive
Part 4: This Article
Part 5: Times Square and AI in Cafés: What I Learned in New York

Powered by Hugo Streamline Icon: https://streamlinehq.com Hugo Hugo & Blowfish