
Key facts.
- The EU AI Act imposes layered obligations on high-risk AI, logging, human oversight, risk management and conformity, that generic agent frameworks do not provide out of the box. source
- The Cloud Security Alliance's agentic AI guidance, including identity and threat-modeling frameworks, exists because sector deployment needs controls beyond a general-purpose framework. source
- On tau2-bench (arXiv:2506.07982), a dual-control benchmark, evaluated agents reached only around the mid-30s percent overall success across domains, evidence that regulated work needs the extra accountability layers. source
- Generic frameworks build for capability; regulators require record-keeping and human accountability, a gap resurfacing across finance and healthcare that a more capable model does not close. (arXiv:2506.07982)
Why don't generic frameworks cover regulated deployment?
Because they were built to give you general agent capability, orchestration, tool use, memory, not to satisfy a specific regulator. A framework will help you build an agent that can act; it will not, on its own, give you the lifetime audit logs the EU AI Act requires for high-risk systems, the human-accountability path that finance and healthcare regulation demand, the supervisory reporting that DORA imposes on financial entities or the conformity evidence a regulated deployment needs. Those are layers you add, sector by sector, on top of the framework and they are exactly the layers a generic tool leaves to you. The Cloud Security Alliance publishes agentic-specific guidance precisely because deploying into a regulated sector needs controls the general framework does not carry.
A more capable model does not supply the missing layers, because they are legal and procedural rather than technical. A regulator does not relax its record-keeping or human-accountability requirements because your model is stronger; if anything a more autonomous, more capable agent draws more scrutiny and a confident wrong decision is harder to catch and still attributable to you. tau2-bench, testing agents where both the agent and a user act on shared state, found overall success only around the mid-30s percent across domains, so a regulated agent acting without the extra accountability layers will be wrong often enough that the regulators' insistence on those layers is sound. The agents that ship in regulated industries are the ones built on a framework and then governed up to the sector's bar, not the ones that mistook the framework for the finish line.

What layers do regulated industries add?
Sector record-keeping and audit trails beyond default logging. Human-accountability gates where the regulation restricts autonomous decisions. Supervisory and incident reporting in the regulator's required form. Conformity and risk-management evidence the deployment can be assessed against. And data-handling controls specific to the sector's regime. None of these come from the agent framework; all of them are required to operate in the sector. They are the difference between an agent that can act and an agent that is allowed to.
| Generic framework provides | Regulated sector additionally requires |
|---|---|
| Default logging | Lifetime, auditable records |
| Optional human review | Mandated human accountability |
| App-level monitoring | Supervisory / incident reporting |
| General controls | Conformity and risk-management evidence |
The Pattern Intelligence Layer is where the regulated layers get added and enforced. Sector record-keeping, human-accountability gates and reporting requirements are tracked at the pattern level on top of whatever framework built the agent, so a regulated deployment meets the sector's bar by construction. Reliability at the pattern level is what carries an agent from generic capability to a deployment a regulator will allow.
Frequently asked questions
Doesn't a good agent framework handle compliance?
It handles capability, not sector compliance. Lifetime audit logs, mandated human accountability and supervisory reporting are layers you add on top for a regulated deployment.
Why doesn't a stronger model satisfy the regulator?
Because the requirements are legal and procedural. A regulator does not relax record-keeping or accountability for a better model and a confident wrong decision is worse under scrutiny.
What's the first regulated layer to add?
Auditable, lifetime record-keeping and a human-accountability gate where the regime restricts autonomous decisions. Those two are required almost everywhere a regulator is involved.

