AI agents, i.e. AI systems that autonomously plan, invoke external tools, and execute multi-step action chains with reduced human involvement, are being deployed at scale across enterprise functions ranging from customer service and recruitment to clinical decision support and critical infrastructure management. The EU AI Act (Regulation 2024/1689) regulates these systems through a risk-based framework, but it does not operate in isolation: providers face simultaneous obligations under the GDPR, the Cyber Resilience Act, the Digital Services Act, the Data Act, the Data Governance Act, sector-specific legislation, the NIS2 Directive, and the revised Product Liability Directive. This paper provides the first systematic regulatory mapping for AI agent providers integrating (a) draft harmonised standards under Standardisation Request M/613 to CEN/CENELEC JTC 21 as of January 2026, (b) the GPAI Code of Practice published in July 2025, (c) the CRA harmonised standards programme under Mandate M/606 accepted in April 2025, and (d) the Digital Omnibus proposals of November 2025. We present a practical taxonomy of nine agent deployment categories mapping concrete actions to regulatory triggers, and identify agent-specific compliance challenges in cybersecurity, human oversight, transparency across multi-party action chains, and runtime behavioral drift. We propose a twelve-step compliance architecture and a regulatory trigger mapping connecting agent actions to applicable legislation. We conclude that high-risk agentic systems with untraceable behavioral drift cannot currently satisfy the AI Act's essential requirements, and that the provider's foundational compliance task is an exhaustive inventory of the agent's external actions, data flows, connected systems, and affected persons.