The EU AI Act — Is Your University Ready?
A client recently reminded me that 2026 is going to be the year of agentic AI — autonomous systems capable of planning, adapting and acting on their own. 2026 (September) is also when the EU’s AI Act becomes fully relevant for organisations operating in Europe’s education sector. Education has already been designated a high-risk domain under the AI Act, which means that simply complying with GDPR will no longer be sufficient for universities that use advanced AI systems.
Let’s have a look at what this means.
What is the AI Act?
The EU AI Act is a comprehensive regulatory framework designed to govern AI systems deployed within the European Union. It categorises AI systems into four risk levels — unacceptable, high-risk, limited-risk, and minimal/no risk — and attaches specific legal requirements to each tier.
High-risk AI systems — the focus for education — are permitted but subject to strict obligations, including documentation, risk management, transparency, human oversight, and quality assurance.
The AI Act entered into force in 2024, and key provisions applicable to high-risk systems are expected to be enforceable by September 2026, making preparatory action urgent for universities. Both the system developer and the customer are liable for non-compliant AI uses.
Agentic AI and Why It Matters Now
Agentic AI refers to autonomous systems that perceive environments, formulate goals, and act with limited human direction. These differ from traditional AI tools such as simple classifiers or recommendation engines.
In higher education, institutions are increasingly integrating semi-autonomous agents — from workflow automation tools like Zapier and n8n to emerging institutional platforms like ChatGPT.edu, Gemini, and SuperhumanAI that manage workflows across applications. These developments signal how quickly agents are becoming integral to administrative and pedagogical processes.
The AI Act does not explicitly have a separate regulatory category labelled “agentic AI”. Instead, agentic systems are regulated through the broader AI risk framework, meaning that their classification (low-, limited-, or high-risk) is based on their intended use and impact. The key difference now is that instead of isolated use cases and clearly defined tools, agentic AI workflows are becoming more granular and cross-functional, making it harder to maintain oversight.
Why Education is High-Risk
The AI Act’s Annex III lists specific use cases that qualify an AI system as high-risk. Education and vocational training are among these sectors because of the potential effects on individuals’ rights, academic trajectories, and future opportunities.
In practical terms, an AI system used by a university will be classified as high-risk if it is involved in one or more of the following scenarios:
- Determining access or admission to academic programmes — e.g., algorithmic filtering of applicants that substantially affects decisions.
- Evaluating learning outcomes or academic performance — e.g., automated grading or competence assessment tools that influence academic progression.
- Pre-admission access assessments — such as AI-driven aptitude or readiness testing used for entry-level evaluations.
- Monitoring behaviour in tests or learning environments — such as proctoring systems that influence academic integrity decisions or interview assessments looking for personality or attitude scoring.
If an AI system falls into any of these categories, it is subject to the high-risk compliance regime of the AI Act.
What High-Risk Means in Practice
For an AI system classified as high-risk under the AI Act, universities — as deployers (and in some cases providers) — must satisfy multiple regulatory requirements ahead of deployment:
1. Risk Management System:
Institutions must implement structured risk management processes linked to the lifecycle of each high-risk AI system, including identification, assessment, mitigation, and monitoring.
2. Quality Management:
Providers and deployers must have documented quality management procedures ensuring consistency, accuracy, and robustness; specifically, these must protect against bias and hallucinations.
3. Documentation and Technical Records:
Systems must have detailed documentation, including logs, design specs, and rationale for key decisions, enabling auditing and traceability.
4. Human Oversight:
High-risk systems must be designed and deployed with clear human oversight mechanisms to prevent undue harm through automated decision-making without review.
5. Transparency and Communication:
Use of high-risk AI must be transparent, with clear disclosures to affected individuals about how decisions are made and what rights they have.
6. AI Literacy:
Article 4 of the EU AI Act requires that organisations using AI systems ensure a sufficient level of AI literacy among staff and others dealing with them — a compliance obligation that goes beyond technical controls.
Six Key Readiness Questions for your Institution:
- Have you inventoried all AI systems currently in use — including embedded modules and agent-style workflows?
- Do you have a centrally designated AI ‘Tsar’ who can maintain oversight?
- Which systems influence academic decisions, assessment, admissions, or behavioural monitoring?
- Do you have documented risk management and quality procedures for these systems?
- Can you evidence human oversight and transparency mechanisms for decision-influencing AI?
- Is your staff equipped with the training and literacy required to understand the regulatory obligations around AI?
In Summary
While there is some urgency to ensure compliance, the good news is that there won’t immediately be a wave of investigations and fines levied against universities across Europe. While the industry has been designated high-risk, regulators will have many potential targets in different industries. Even once universities are found in breach, there will be a series of steps and opportunities to correct the failings before larger fines are handed out.
In terms of efficiency and effectiveness though, now is exactly the time to install best practice. Most institutions have only fledgling AI deployments and tools are at an early stage of development. Agentic workflows are likely unrealised or isolated. It’s far easier to create a compliant environment at the start than to correct the mess years later.