Primer
Governance
Helmwart is a tool for engineers and architects, not regulators. But the people who use it often need to defend their work to a CISO, a GRC team or legal counsel, and that audience asks: what regulatory frame does this fit into? This primer answers that question from a single source: the ACM Europe Technology Policy Committee's May 2025 policy brief "Systemic Risks Associated with Agentic AI" (Bellogín, Giudici, Larsson, Pang, Schimpf, Sengupta, Solmaz). The brief is short (8 pages) and Europe-anchored, but its framing of what makes agentic AI a different regulatory object travels well.
The core argument
The brief's thesis: the EU AI Act, while a strong foundation, only partially addresses agentic AI. The Act was designed to regulate AI systems as products that pass through a one-time conformity assessment. Agentic systems don't sit still: they generate and deploy code, change behaviour faster than regulatory cycles, interact with other agents to produce emergent harm, and remove humans (and computing professionals) from the oversight loop. The brief calls for a shift from static, product-focused regulation to a dynamic governance regime: oversight that operates during the system's life, not just at certification.
That framing is congenial to Helmwart: this tool exists because static checklists fail at the engineering level for the same reason. The catalog adapts to the architecture, and the architecture is what is actually in production, not what was certified once.
Three autonomy tiers
The brief proposes that the AI Act's generic "human oversight" requirement (Article 14) be replaced with risk-tiered autonomy:
- Autonomous. Full autonomy; only allowed in low-risk applications (entertainment, scheduling).
- Supervised. Real-time monitoring required; suitable for moderate risk in regulated industries (e.g. AI-driven customer service in finance or healthcare).
- Advisory (human-in-the-loop). Mandatory for high-risk systems (medical diagnostics, financial decisions of material consequence); the agent proposes and a human approves before action.
These three labels are the values of Helmwart's AutonomyLevel field on every agent node: autonomous, supervised, advisory. When you set an agent to autonomous, you are effectively claiming the brief's "full autonomy" tier; that claim should be defensible against the application's risk class.
The brief also pushes a stronger form of oversight it calls alignment oversight: verifying not just that a human is present, but that the agent's actual behaviour tracks its declared objectives. This is exactly what T10 Overwhelming Human-in-the-Loop breaks: when reviewers rubber-stamp because they are saturated, alignment drift goes undetected.
The EU AI Act gaps it identifies
The brief calls out specific articles where the AI Act needs amendment for agentic systems:
- Article 9 (risk management): should add multi-agent interaction risk assessment.
- Article 14 (human oversight): generic as written; needs the autonomy-tier model and "alignment oversight."
- Article 15 (robustness and cybersecurity): audits should be multi-agent-specific.
- Article 5 (prohibitions): extend to tacit collusion and covert channels between agents.
- Article 55(1) (GPAI providers): providers must address how their models could enable harmful agentic behaviour.
- A new category for "systemic macroeconomic risks" (job displacement, monopolisation, market distortion). The AI Act's documentation-focused GPAI obligations don't cover this; the brief acknowledges the EU Treaty may not give clear legal basis to regulate such risks within the existing framework.
- A new liability clause for collective accountability for emergent harm.
When this is useful in Helmwart
You're presenting a Helmwart canvas to internal compliance, security, or legal:
- Use the autonomy-tier mapping to defend (or challenge) the AutonomyLevel setting on each agent against the application's risk class.
- Use the alignment oversight distinction when justifying why simple "human approval" controls (mitigating T10) aren't sufficient. Engineering controls have to make the agent's behaviour legible to the human, not just gate-able.
- Use the multi-agent risk framing (the brief's proposed "Ecosystem Safety and Multi-Agent System Testing" article) when the canvas has more than one agent. Helmwart's MAS Threat Overview and Cross-Layer band map directly to what the brief argues regulation should require.
What this is not
- Not law. The brief is an advocacy document by ACM Europe's policy subcommittee; it identifies gaps and proposes amendments. Nothing here is binding.
- Not a security taxonomy. Helmwart's threats, mitigations, and detection rules come from OWASP / MAESTRO / MITRE ATLAS, not from this brief.
- Not US-focused. NIST's AI RMF and the UK AI Safety Institute's guidance occupy similar ground from different starting points; both belong on this page when we add them. For now this primer is one source.
Concrete example: why Article 14 gaps matter
An AI agent in a bank's loan-decision workflow, a use the brief would place no lower than the supervised tier, is set to autonomous in the Helmwart canvas. The trifecta badge fires: the agent reads customer financial records (private), accepts applicant-supplied documents (untrusted), and emails decisions (outbound). A deployer might claim that a periodic human review log meets its Article 14 oversight obligations; this primer does not make that legal determination. What it can say is that in this scenario no individual reviewer ever sees a full decision trace, only aggregated statistics, so the review cannot show whether the agent's behaviour tracks its declared objectives. The ACM brief's proposed alignment oversight would demand exactly that evidence. In Helmwart terms, that means pairing T10 Overwhelming HITL mitigations (structured review queues) with tamper-evident audit logs, so reviewers can reconstruct individual agent reasoning traces rather than summary counts.
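The same scenario as a machine check, added here as an illustration and not Helmwart's own code: the canvas JSON shape, the field names (risk_class, reads_private_data, accepts_untrusted_input, has_outbound_channel) and the function names are assumptions made for this example. It encodes the brief's three tiers as the highest risk class each AutonomyLevel is defensible at, computes the trifecta badge from the agent's data-flow flags, and reports every agent whose setting a compliance reviewer would challenge.

```python
"""Check a Helmwart-style canvas against the ACM brief's autonomy tiers.

Added example, not Helmwart's own code. The canvas layout and field names
below are assumptions for illustration; only the three AutonomyLevel values
(autonomous, supervised, advisory) come from the page.
"""
import json

# Risk classes in increasing order of consequence.
RISK_ORDER = {"low": 0, "moderate": 1, "high": 2}

# Highest risk class at which each AutonomyLevel is defensible under the
# brief's tiers: full autonomy only for low risk, real-time supervision up to
# moderate risk, human-in-the-loop (advisory) required for high risk.
MAX_RISK_FOR_LEVEL = {"autonomous": "low", "supervised": "moderate", "advisory": "high"}


def has_trifecta(agent):
    """True when one agent combines private data, untrusted input and an
    outbound channel: the combination the trifecta badge flags."""
    return bool(agent.get("reads_private_data")) and \
        bool(agent.get("accepts_untrusted_input")) and \
        bool(agent.get("has_outbound_channel"))


def check_canvas(canvas):
    """Return a list of (agent_id, code, message) findings for the canvas.

    codes: unknown-level, tier-mismatch, trifecta, autonomous-trifecta.
    """
    findings = []
    risk = canvas["risk_class"]
    if risk not in RISK_ORDER:
        raise ValueError(f"unknown risk_class {risk!r}")
    for agent in canvas["agents"]:
        aid = agent["id"]
        level = agent.get("AutonomyLevel")
        if level not in MAX_RISK_FOR_LEVEL:
            findings.append((aid, "unknown-level",
                             f"AutonomyLevel={level!r} is not one of "
                             f"{sorted(MAX_RISK_FOR_LEVEL)}"))
            continue
        ceiling = MAX_RISK_FOR_LEVEL[level]
        if RISK_ORDER[risk] > RISK_ORDER[ceiling]:
            findings.append((aid, "tier-mismatch",
                             f"AutonomyLevel={level} is defensible only up to "
                             f"{ceiling}-risk applications; canvas risk_class={risk}"))
        if has_trifecta(agent):
            findings.append((aid, "trifecta",
                             "reads private data, accepts untrusted input and "
                             "has an outbound channel"))
            if level == "autonomous":
                findings.append((aid, "autonomous-trifecta",
                                 "no human gate between untrusted input and "
                                 "outbound action on private data"))
    return findings


# Constructed sample canvas modelling the loan-decision scenario above.
SAMPLE_CANVAS = json.loads("""
{
  "name": "loan-decisioning",
  "risk_class": "high",
  "agents": [
    {"id": "loan-decider", "AutonomyLevel": "autonomous",
     "reads_private_data": true, "accepts_untrusted_input": true,
     "has_outbound_channel": true},
    {"id": "doc-classifier", "AutonomyLevel": "supervised",
     "reads_private_data": false, "accepts_untrusted_input": true,
     "has_outbound_channel": false},
    {"id": "review-queue", "AutonomyLevel": "advisory",
     "reads_private_data": true, "accepts_untrusted_input": false,
     "has_outbound_channel": true}
  ]
}
""")


def finding_codes(canvas):
    """Convenience wrapper: sorted (agent_id, code) pairs for a canvas."""
    return sorted((aid, code) for aid, code, _ in check_canvas(canvas))


if __name__ == "__main__":
    for aid, code, msg in check_canvas(SAMPLE_CANVAS):
        print(f"{aid}: {code}: {msg}")
```

Running it on the sample reports the loan-decider three times (tier mismatch, trifecta, and the autonomous-trifecta combination), the doc-classifier once (supervised is not defensible for a high-risk canvas), and the review-queue agent not at all. The check is deliberately conservative: it reads the risk class from the canvas, not from the agent, because the brief ties the tier to the application's risk, not to what the agent happens to do.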
Where to go next
- T10 Overwhelming Human-in-the-Loop: the specific threat the brief's alignment-oversight requirement is designed to prevent.
- Human-in-the-Loop programme: Helmwart's structured approach to meaningful human oversight.
- Tamper-evident accountability: audit-log design that supports alignment oversight.
- Security principles: how the three engineering principles (DiD, ZT, LP) compose with governance requirements.
- Threat-modelling methodologies primer: NIST AI RMF and NIST AI 600-1 as the governance scaffolds that sit above the technical catalogue.