What the EU AI Act and the NIST AI Risk Management Framework mean for enterprises running autonomous agents, and how the right runtime supports your compliance and data-residency posture.
TL;DR
Two frameworks shape how enterprises run AI agents: the EU AI Act (binding law, risk-tiered, rolling out through 2026 and 2027) and the NIST AI Risk Management Framework (voluntary, US-origin, widely adopted). Neither is satisfied by a vendor checkbox. Molted is infrastructure: a managed runtime for long-running agents that helps you meet data-residency and security requirements through on-premise and Swiss-cluster deployment, encryption at rest, and per-client isolation. It does not make you compliant, and it is not a legal or certification product.
The EU AI Act is the first comprehensive, binding AI law. It sorts systems into tiers by risk. Unacceptable-risk practices (for example, social scoring) have been prohibited since 2 February 2025. High-risk systems (used in areas such as hiring, credit, or biometrics) carry the heaviest duties. Limited-risk systems mainly owe transparency: users must be told when they are interacting with AI or seeing AI-generated content. Most everyday software is minimal-risk and largely untouched. Penalties for the most serious breaches can reach into the tens of millions of euros or a percentage of global turnover, so classification matters before deployment.
The Act splits obligations by role. Providers (those who build or place a system on the market) handle conformity assessments, quality management, technical documentation, registration, and post-market monitoring for high-risk systems. Deployers (organizations using a high-risk system) carry their own duties: human oversight, keeping automated logs for a defined retention period, and, in some cases, a fundamental-rights impact assessment. Separately, providers of general-purpose AI (GPAI) models have had obligations applying since 2 August 2025, including transparency and documentation, with stricter rules for models posing systemic risk. If you build agents on top of a foundation model, you are typically a deployer of the model and may be a provider of your own system. This role split is the core of the EU AI Act obligations timeline for general-purpose AI, deployers, and high-risk AI systems, and getting your role right is step one.
The Act entered into force in 2024 and applies in phases. Prohibited-practice rules applied from February 2025; GPAI provider obligations from August 2025. High-risk obligations were originally set for August 2026 (use-case based, Annex III) and August 2027 (product-regulated, Annex I). Important and current as of mid-2026: EU institutions reached a provisional agreement in May 2026 (the Digital Omnibus) to postpone the high-risk deadlines, with Annex III obligations proposed to move to December 2027. These changes take legal effect only once formally adopted and published in the Official Journal, so dates can still shift. Treat any specific date as subject to confirmation, and track the official sources rather than a vendor blog. None of this changes the prohibited practices already in force.
The NIST AI Risk Management Framework (AI RMF 1.0), published in January 2023, is voluntary, technology-agnostic guidance for organizations that build, buy, or operate AI. It is not a law and confers no certification, but it has become a common shared language for AI governance, including in enterprise procurement. Its core is four functions applied iteratively across the lifecycle: Govern (culture, policy, accountability), Map (context and impacts), Measure (assess and monitor risk), and Manage (respond and track). In July 2024 NIST added the Generative AI Profile (AI 600-1), which names risk categories specific to or amplified by generative and increasingly agentic systems and maps suggested actions back to the four functions. For enterprise teams running autonomous agents, the NIST AI Risk Management Framework and its Generative AI Profile are a practical scaffold for documenting how you control a system that acts on its own.
Both frameworks push toward knowing where your data lives and who can touch it. Long-running autonomous agents make this acute: they hold credentials, read internal systems, and act continuously, so every external round-trip is a new place data can leak or fall under another jurisdiction. The cleanest answer is often to keep the agent and its data in-house or in a chosen region. That is the heart of running enterprise AI agents self-hosted and on-premises for data privacy and compliance: when the runtime sits inside your own infrastructure, there are no third-party cloud round-trips for the orchestration layer, and your data-residency story becomes a statement of fact rather than a vendor promise. This is a posture decision, not a substitute for legal review.
Be clear on what Molted is: a managed runtime for long-running autonomous agents (OpenClaw today, Hermes on request), not a legal or compliance-certification product. It helps you meet data-residency and security requirements; it does not make you compliant and it issues no attestations. Where it helps: deploy on-premise so data and agents stay inside your own infrastructure, or use the Swiss cluster option to keep data in-region. Credentials are encrypted at rest with AES-256-GCM and are never exposed to the workloads themselves. Each client runs in per-instance isolation. A four-tier self-healing system recovers crashed agents and writes post-mortems, giving you the kind of operational audit trail governance reviewers ask for. On-premise means no third-party cloud round-trips for the runtime. Note on scale: the same team runs molted.cloud for 300+ clients; molted.net is currently the canary channel, so judge maturity by molted.cloud and the team, not by molted.net alone.
None of this is legal advice, and a checklist is no replacement for counsel. But before putting autonomous agents into production, most enterprises work through the same questions. Use this to start the conversation with your legal, security, and data-protection teams.
Q.01
No. Molted is infrastructure, not a legal or certification product, and it makes no compliance attestations. It helps you meet data-residency and security requirements through on-premise and Swiss-cluster deployment, encryption at rest, and per-instance isolation. Compliance itself depends on how you classify, govern, document, and operate your systems, with your own legal and data-protection teams.
Q.02
On the EU AI Act obligations timeline for general-purpose AI, deployers, and high-risk AI systems: prohibited practices have applied since February 2025 and general-purpose AI provider obligations since August 2025. High-risk obligations were set for 2026/2027, but a delay was provisionally agreed in May 2026 (Annex III proposed to move to December 2027), effective only once published in the Official Journal. Deployers of high-risk systems owe human oversight, log retention, and impact assessments where required. Always confirm current dates against official EU sources.
Q.03
The NIST AI Risk Management Framework, together with its Generative AI Profile, gives enterprises running agents a voluntary, structured way to manage AI risk through four functions: Govern, Map, Measure, Manage. The Generative AI Profile (AI 600-1, July 2024) extends it to generative and agentic systems and maps suggested actions to those functions. It is not a certification, but it is a practical scaffold for documenting how you control agents that act autonomously.
Q.04
Yes. This is the core of running enterprise AI agents self-hosted and on-premises for data privacy and compliance. You can deploy Molted on-premise so agents and data stay inside your own infrastructure, or use the Swiss cluster option to keep data in-region. When you run on-premise, there are no third-party cloud round-trips for the runtime itself, which makes your data-residency story a statement of fact.
Q.05
The EU AI Act is binding law for AI placed on the market or used in the EU, with phased obligations and real penalties. The NIST AI Risk Management Framework is voluntary US-origin guidance with no legal force or certification, though it is widely adopted as a governance baseline and shows up in procurement. Many enterprises use NIST as the operational discipline that helps them work toward obligations like the EU AI Act's.