Feature Request: EU AI Act compliance checks for multi-agent workflows

[shotwellj]

Summary

With the EU AI Act enforcement deadline on August 2, 2026, multi-agent frameworks like MetaGPT face unique compliance requirements. When multiple AI agents collaborate (product managers, architects, engineers), the compliance surface area multiplies: every agent action, every inter-agent message, and every output needs to be auditable.

What this could look like

• Art. 9 (Risk Management): Risk classification per agent role, error handling across the agent pipeline
• Art. 12 (Record-Keeping): Tamper-evident audit trails of inter-agent communication and decision chains
• Art. 14 (Human Oversight): Approval gates between agent phases (e.g., human review before code generation begins), budget controls per agent
• Art. 15 (Security): Prompt injection defense at agent boundaries, output validation between agents

Context

I ran MetaGPT through AIR Blackbox, an open-source EU AI Act compliance scanner (Apache 2.0). You can run it yourselves:

pip install air-blackbox
air-blackbox comply --scan . --no-llm --format table --verbose

Everything runs locally, no data leaves your machine.

Why this matters

Multi-agent systems are a rapidly growing category, and MetaGPT is one of the most prominent. The EU AI Act specifically targets autonomous AI systems, and multi-agent workflows where agents delegate to other agents are exactly the kind of system regulators are focused on. Getting compliance patterns in early positions MetaGPT well for enterprise adoption in regulated markets.

The EU AI Act carries penalties of up to €35M or 7% of global turnover.

[arian-gogani]

the Art. 12 requirement (tamper-evident audit trails for inter-agent communication) is the hardest part of this to get right. most logging approaches break down in multi-agent workflows because each agent writes its own logs — there's no unified chain of evidence that a third party can verify independently.

we built nobulex to solve this specific problem. the approach:

• covenant: each agent commits to a set of behavioral rules before execution (what it's allowed to do)
• enforcement: every action is evaluated against those rules pre-execution, not post-hoc
• receipt: every action produces a bilateral receipt — hash-chained with Ed25519 signatures — binding the authorization decision to the execution result
• cross-agent verification: when agent A delegates to agent B, B's receipt chain references A's authorization. any auditor can walk the full delegation path without trusting any single agent's self-reported logs

for Art. 14 (human oversight), the covenant DSL supports require human_approval for statements that block execution until a human signs off. the approval becomes part of the receipt chain.

the CLI already generates compliance reports for EU AI Act, SOC2, ISO 42001, and Colorado AI Act from the receipt data.

this could integrate with MetaGPT as a callback layer — each role (ProductManager, Architect, Engineer) gets its own covenant, and the inter-role message passing produces the audit trail Art. 12 requires. happy to help scope what an integration PR would look like.