High-risk classification and the scope question
The AI Act does not regulate AI agents as a separate category, but many agentic systems may fall within existing high-risk categories depending on how they are used. Those categories cover employment decisions, recruitment and performance assessment, access to essential services, creditworthiness, credit scoring, certain insurance use cases and the management of critical infrastructure. For organisations deploying AI agents in those areas, specific deployer obligations under the AI Act apply.
Deployers still need to know whether their use case is high risk, and that question requires active assessment. Vendor documentation may support that assessment, but it rarely resolves the deployer's own use case, operating context and governance responsibilities.
What the oversight obligation requires
In practice, the deployer oversight obligation requires at least four organisational decisions.
- Designation: Named individuals with the technical literacy to understand the system's capabilities and limitations, assigned to specific systems and documented accordingly.
- Authority: Oversight personnel must have the authority to challenge, override or halt the system when needed. Formal assignment must be matched with the competence and support to act on it.
- Documentation: The organisation must maintain its own governance record. Vendor logs record system activity; the governance record should capture oversight assignments, escalations, interventions and decisions.
- Accountability: Senior management should be able to demonstrate that the oversight structure is functional, through a reporting mechanism that brings oversight activity to board level.
What the management body needs
The management body needs a governance record covering three things: which AI systems within the organisation are high risk under the AI Act, who holds assigned human oversight for each, and how that oversight is reviewed and reported at board level.
AI governance gaps at the board level typically arise from an assumption that oversight was embedded in the AI product or the team operating it. An assurance letter from the vendor confirms the system's design. The organisation still needs its own governance record.
The practical starting point is an inventory of AI systems in operational use, assessed against the high-risk categories, with oversight roles formally assigned for those that qualify.