The Most Ambitious AI Law in the World
The EU AI Act, which entered into force in August 2024 with phased implementation through 2027, is the most comprehensive attempt by any jurisdiction to regulate artificial intelligence [1]. It is also, depending on your perspective, either a thoughtful framework for managing AI risk or a regulatory straitjacket that will drive innovation to friendlier shores.
For autonomous businesses, the AI Act is neither. It is something more interesting: a regulatory framework that was not designed with autonomous businesses in mind but that has profound implications for them nonetheless. The Act regulates AI systems, not AI businesses. But when the business itself is an AI system, the distinction collapses.
The Risk Tier System
The AI Act classifies AI systems into four risk categories, each with escalating regulatory requirements [2]:
Unacceptable Risk. Banned outright. This includes social scoring systems, real-time biometric identification in public spaces (with exceptions), and AI systems that exploit vulnerabilities of specific groups. An autonomous business that engaged in any of these activities would be prohibited, full stop.
High Risk. Subject to extensive requirements including conformity assessments, quality management systems, human oversight, transparency, accuracy and robustness standards, and registration in an EU database. High-risk categories include AI used in critical infrastructure, education, employment, essential services, law enforcement, and migration management.
Limited Risk. Subject to transparency obligations. Users must be informed that they are interacting with an AI system. This covers chatbots, deepfake generators, and emotion recognition systems.
Minimal Risk. No specific requirements beyond existing law. This includes spam filters, AI-powered video games, and most consumer-facing AI applications.
Where Autonomous Businesses Land
Here is the problem: an autonomous business does not fit cleanly into any single risk tier because it is not a single AI system. It is a collection of AI systems performing multiple functions, some of which may be high-risk and others minimal-risk.
Consider an autonomous business that operates a staffing platform. Its matching algorithm might be high-risk (employment decisions). Its customer service chatbot is limited-risk (transparency obligations). Its internal accounting system is minimal-risk. The business as a whole is not classifiable under the Act’s framework – each component must be assessed independently.
This component-by-component approach creates a compliance challenge that scales with the complexity of the business. A traditional company deploying one AI system needs to classify and comply with one set of requirements. An autonomous business that is constituted by dozens of AI systems needs to classify and comply with all of them simultaneously, without a human compliance officer to manage the process.
The Human Oversight Requirement
Article 14 of the AI Act requires that high-risk AI systems be “designed and developed in such a way that they can be effectively overseen by natural persons” [3]. This is the provision most directly in tension with autonomous business models.
The requirement is not merely that a human could theoretically intervene. The Act specifies that the human oversight must be meaningful – the person must be able to “fully understand the capacities and limitations of the high-risk AI system,” “properly monitor its operation,” and “be able to decide, in any particular situation, not to use the high-risk AI system or to otherwise disregard, override or reverse the output.”
For an autonomous business performing high-risk functions, this means full autonomy is not an option under EU law. There must be a human in the loop – not as a rubber stamp, but as a genuine decision-maker with the authority and capability to override the system.
This does not necessarily prevent autonomous businesses from operating in the EU. It does mean they cannot be fully autonomous for high-risk functions. A hybrid model – autonomous for routine operations, human-supervised for high-risk decisions – remains permissible. Whether this counts as “autonomous” is partly a definitional question and partly a design challenge.
Provider vs. Deployer Obligations
The AI Act distinguishes between “providers” (those who develop or place AI systems on the market) and “deployers” (those who use AI systems in a professional capacity) [4]. Each has different obligations.
For autonomous businesses, this distinction is deeply confusing. An autonomous business that builds and deploys its own AI systems is simultaneously the provider and the deployer. It must comply with both sets of obligations. More fundamentally, both sets of obligations assume that the responsible party is a legal person capable of bearing obligations – a company with directors, a compliance team, and the capacity to respond to regulatory inquiries.
If the autonomous business operates through a legal wrapper (a DAO LLC, for instance), the legal entity can theoretically bear these obligations. But the practical question remains: who within the organization actually ensures compliance? If the answer is “no one, the system is designed to be compliant,” regulators are unlikely to be satisfied. The AI Act’s enforcement mechanisms assume that there is someone to fine, someone to audit, and someone to hold accountable.
The US Comparison
The contrast with the US regulatory approach is stark. As of early 2026, the United States has no comprehensive federal AI legislation comparable to the EU AI Act. Instead, the US approach has been:
- Executive orders that provide guidance but lack enforcement teeth. The Biden-era Executive Order 14110 on AI Safety established reporting requirements for large AI models but did not create a risk-classification system [5].
- Sector-specific regulation through existing agencies. The FTC has used its existing authority over unfair and deceptive practices to address AI harms. The SEC has scrutinized AI in financial services. The EEOC has issued guidance on AI in hiring. But there is no unified framework.
- State-level action. Colorado passed an AI Act in 2024 focused on high-risk decisions in insurance, while California’s proposed AI safety bills have generated fierce debate. The patchwork continues to grow.
For autonomous businesses, the US environment is simultaneously more permissive and more uncertain than the EU. There is no explicit prohibition on autonomous operation, but there is also no safe harbor – no way to demonstrate compliance with a comprehensive framework and be confident of regulatory standing.
The practical consequence is that autonomous businesses face a choice: operate in the EU with clear but restrictive rules, or operate in the US with unclear but potentially more permissive rules. Neither is ideal. The EU approach has the advantage of predictability – you know what is required. The US approach has the advantage of flexibility – you can move fast and hope the regulators do not catch up.
Does the EU AI Act Prevent Autonomous Businesses?
The short answer: no, but it constrains them significantly.
The AI Act does not prohibit autonomous businesses as a category. It does not mention them at all. What it does is impose requirements on AI systems that, when aggregated across an entire autonomous business, create a compliance burden that may be impractical without human involvement.
Specifically:
- High-risk functions require human oversight. An autonomous business cannot fully automate decisions in employment, credit, insurance, law enforcement, or other high-risk domains within the EU.
- Transparency obligations apply broadly. Any customer-facing AI interaction must disclose that the customer is dealing with AI, which may affect business models that depend on perceived human interaction.
- Conformity assessments require documentation. High-risk AI systems must be accompanied by technical documentation, risk assessments, and quality management systems. These are not one-time requirements – they must be maintained and updated throughout the system’s lifecycle.
- Fines are substantial. Violations can result in fines of up to 35 million euros or 7% of global annual turnover, whichever is higher [6].
The most likely outcome is that autonomous businesses operating in the EU will adopt a hybrid architecture: autonomous for low-risk functions, human-supervised for high-risk ones, with robust documentation and monitoring systems to satisfy conformity assessment requirements. This is not full autonomy, but it may be enough autonomy to capture most of the efficiency gains while remaining on the right side of the law.
The deeper question is whether the AI Act’s framework, designed for AI as a tool used by human organizations, can meaningfully govern AI as the organization itself. The Act’s enforcement mechanisms assume the existence of responsible humans. If the responsible entity is another AI system, the enforcement model breaks down. This is not a gap the AI Act was designed to fill, and it remains the most significant unresolved question in the regulation of autonomous businesses.
References
[1] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act).
[2] AI Act, Title III (High-Risk AI Systems), Articles 6-51.
[3] AI Act, Article 14 (Human Oversight).
[4] AI Act, Articles 16-29 (Obligations of Providers and Deployers).
[5] Executive Order 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” October 30, 2023.
[6] AI Act, Article 99 (Penalties).