AI-agent workflows: compliance is architecture
Several AI agents working together is state-of-the-art — but legally demanding. You combine AI Act duties (Art. 26 human oversight, Art. 50 labelling) with GDPR Art. 22 (no fully automated individual decisions). Without an audit trail, no compliance proof.
What it's about
Multi-agent systems are programs in which several AI agents split tasks — for example a 'CEO agent' planning strategy, an 'engineer agent' writing code, a 'reviewer agent' checking it. Sounds elegant; legally tricky. Which agent saw which data? Who made the decision? Who is responsible? The AI Act requires human oversight at critical decision points (Art. 26), GDPR forbids fully automated individual decisions without opt-in (Art. 22). Both together: approval gates wherever money, people or customer-facing content is involved.
What is mandatory
- Per agent run: full log (input, model, output, timestamp, tool calls)
- Approval gates at critical decisions (hiring, budget, code deploy, customer contact)
- Memory system for the audit trail (continuous-learning pattern, insights, improvements)
- Rollback option for every agent action (no 'irreversible by design')
- EU-hosted models for sensitive workloads (Scaleway Paris, no US provider)
- Tool rules per agent: which APIs may it call, which data read, which actions take
- Human oversight dashboard for admin review of agent outputs before production
- Retention: delete AI prompts and logs after 30 days (unless legal retention applies)
What I take care of
- Architecture with clear agent roles (e.g. CEO/CTO/engineer pattern), tool rules per role
- Memory system (insights/improvements as separate collections with audit reference)
- Approval workflow before production actions (admin UI, email notification)
- Audit logging in Postgres with search UI: agent, run, input, model, output, time
- EU-hosted models by default (Scaleway Mistral, Pixtral) — US LLMs only on opt-in
- AiBadge integration on every AI output (DE+EN, visible to end users)
- Dashboard with agent run history and filters (by agent, date, status)
Legal basis
Regulation (EU) 2024/1689 (AI Act) · GDPR Art. 22 · GDPR Art. 30 (records of processing) · GDPR Art. 35 (DPIA for profiling)
Frequently asked
- Is a simple log file enough as an audit trail for AI agents?
- In theory yes, in practice no. A flat log file is not searchable, not auditable, not access-controlled. In the worst case the supervisory authority wants to know per run: which agent? what input? which model? what output? which tools? Structured logging in Postgres with a search UI is the minimum standard for compliance proof.
- When exactly do I need an approval gate?
- Before any action with external impact: customer-facing content (blog post, email, invoice), money movement, HR decision, code deploy to production. Rule of thumb: 'Would I let an inexperienced employee do this without review?' — if no, then not an AI agent either. Approval can be a one-click UI, but must be documented (who, when, what).
- Why EU-hosted models when OpenAI offers contracts too?
- Three reasons. (1) Third-country transfer costs compliance effort (TIA, SCCs, risk weighing — repeated on every change of business basis). (2) Schrems II risk: US authorities can compel US providers. (3) Data sovereignty: for sensitive workloads (HR files, health, strategy papers) 'stay in the EU' is gold standard. Scaleway Mistral costs about the same and avoids the entire third-country topic.
Need support?
Let's talk for 30 minutes. I'll look at your situation and tell you what makes sense as a next step.
Book a slot