Speaking at the recent annual intergovernmental political and economic forum, G7, in the French Alps, the heads of leading AI companies urged Western governments to introduce new international regulations to control AI agents. OpenAI's Sam Altman, DeepMind's Demis Hassabis, and Anthropic's Dario Amodei urged fast action on AI governance. Claiming that, within five years, AI will surpass human capabilities, they said that the rapid and widespread adoption of increasingly autonomous AI agents raises concerns about cybersecurity, international espionage and war.

Stating that governments need to work together with technology companies, Altman told the assembled world leaders: "In another year or two, I expect we will have built systems with astonishing power… Do not cede your responsibilities to AI labs like mine."

The current cyber-regulatory framework was originally built with humans in mind rather than independent AI agents. This is already creating regulatory pitfalls that potentially land companies with huge fines and other sanctions. According to cybersecurity company Exabeam's chief security strategist, Stephen Moore, AI agents can cause incidents that have not only serious security implications but also regulatory breaches with potentially severe legal consequences.

"Agentic AI introduces a different risk surface"

"Agentic AI introduces a different risk surface: behavioral drift, entitlement creep, prompt manipulation, unsafe autonomy, and unintended cross-system actions. These risks often emerge before visible operational failure," says Moore.

Even when guardrails are initially established to ensure that AI agents comply with the existing regulatory framework, there is no guarantee that they will continue to do so. AI agents may, for example, start to interpret regulations by their own logic, creating potential regulatory pitfalls for the companies owning them. It is important to ensure that audit trails comply with fiscal regulations when AI agents operate 24/7 and can execute hundreds of transactions in a matter of seconds.

SOX compliance in the age of AI

The Sarbanes–Oxley Act (SOX) is a United States federal law that mandates certain practices in financial record keeping and reporting for corporations. It also applies to companies with US clients and AI agents with cross-border transactions. It was introduced in 2002 in the wake of a number of major corporate and accounting scandals such as Enron and WorldCom.

The penalties for companies or their AI agents failing to comply with SOX regulations are potentially severe – up to $25 million per violation, with a rogue AI agent potentially committing a large number of violations in a short space of time. Individual executives can face criminal fines up to $5 million and up to 20 years in prison for the most serious offenses. According to Exabeam, IT departments are crucial in implementing automated systems for monitoring, reporting, and protecting sensitive financial information, as SOX compliance requires rigorous documentation of financial data processes and controls, even in the case of the new generation of AI agents.

The EU AI Act and emerging frameworks

Some governing bodies are, however, already beginning to introduce regulatory frameworks specifically designed for AI, such as the EU Artificial Intelligence Act, which regulates artificial intelligence across the European Union. Although the act will not start to apply to all systems without exception until August 2027, this year will see the bulk of its regulatory obligations become law. The act will impact companies that intend to place on the market or put into service AI systems that are perceived as being high-risk within the EU, regardless of whether they are based in the EU or a third country.

GDPR and data protection

AI agents must also navigate and comply with other regulations such as the EU's General Data Protection Regulation (GDPR) and Britain's equivalent, UK GDPR. These regulations are designed to protect users' personal information. But these rulings were not designed with AI agents in mind and the regulations lay down stringent guidelines for compliance. Use of citizens' personal data must be transparent and used only for specified, explicit purposes, kept for no longer than is necessary. It must also be handled in a way that ensures protection against unauthorized processing or access. Penalties for breaching GDPR laws are a maximum fine of €20 million or four per cent of the organization's worldwide annual turnover, whichever is the higher.

DORA and financial sector resilience

Other regulatory frameworks include the Digital Operational Resilience Act (DORA), a European Union regulation aimed at strengthening the IT security of financial institutions. DORA was adopted in November 2022 and became fully applicable in January 2025. It establishes uniform cybersecurity requirements for banks, insurance companies, investment firms, and other financial entities operating in the EU and also applies to third-party service providers, including management services.

This growing raft of regulations represents a potential minefield for AI agents. Without extremely explicit guidelines, they may opt to share data with third parties or slice and dice the data illegally. There is also a very real danger that threat actors may covertly hack an agent in order to gain access to the data, causing a major security breach.

Steps companies must take now

According to Moore, in order to ensure that they comply with the growing labyrinth of regulations that AI agents must now navigate, companies must take immediate steps to ensure compliance. This includes creating AI governance teams that not only include engineers but also legal experts and ethicists to ensure compliance not only with existing regulations, but also with those that are likely to be introduced in the near future.

Moore recommends that companies should: "Regularly assess AI systems against emerging global regulations, even if they're not yet enforceable in your jurisdiction. Staying ahead helps prevent costly adjustments when compliance becomes mandatory."