AI Agents, Vibe Coding and the EU AI Act
Dr. Oliver Gausmann · June 8, 2026 · 4 min read
Speed is no longer the hard part of building software. Standing behind it when an auditor asks is. That gap was the starting point for the BVMW impulse on 8 June 2026 on AI agents, vibe coding and the EU AI Act: a checklist for responsible AI use in mid-sized companies, six decisions, each with its legal context.
You can download the slides and the full checklist, including the Lovable configuration guide, here:
Why rules: the checklist is what makes speed safe
For a pilot, a flight becomes safe through checklists, instruments and clear procedures; skill alone is not enough. The same holds for AI. The potential is large, the risk is real. The rules are the checklist that makes the potential usable.
Vibe coding: software described in plain language
With vibe coding [11] you describe in plain language what the software should do, and the AI writes the code. The downside is documented: around 45 percent of AI-generated code carries known vulnerabilities [1], and a Carnegie Mellon University benchmark rates only 10.5 percent of functioning code as secure [2].
Functioning and secure are two different things. Speed without review is dangerous.
AI agents and the agentic organisation
Autonomy rises from the assistant through the agent to autonomous multi-agent systems. The higher the level, the more oversight, logging and an emergency stop are needed; responsibility stays in-house. For leadership this means: from command and control to coordination and oversight, building your own AI competence [10], a human override and clear accountability [12].
Centaur, Cyborg, Self-Automator
A study by MIT Sloan and HBS distinguishes three modes of working: Centaur (deliberate division of labour, 14 percent), Cyborg (close interweaving, 60 percent) and Self-Automator (full handover, 27 percent) [3]. Choose the mode per task: important work as a Centaur, routine as a Self-Automator. The higher the risk, the more human involvement.
EU AI Act: risk classes and deadlines
The EU AI Act regulates by risk: prohibited, high, limited (transparency) and minimal, plus a separate, stricter track for general-purpose models (GPAI). The AI-literacy duty (Art. 4) and the prohibitions (Art. 5) have applied since February 2025 [4]. Following the provisional Digital Omnibus agreement, the marking duty for AI content (Art. 50(2)) moves to December 2026 and the obligations for standalone high-risk systems to December 2027 [5]. These dates become binding only on formal adoption. Fines reach up to 35 million euros or 7 percent of global turnover (Art. 99).
| Risk class | Meaning | Example / duty |
|---|---|---|
| Prohibited | Unacceptable risk, banned | Social scoring; manipulative systems |
| High | Strict obligations before and during use | AI in hiring or credit scoring |
| Limited | Transparency duty | Label chatbots and AI content |
| Minimal | No specific duties | Spam filters, AI in games |
| GPAI (general-purpose models) | Separate, stricter track | Large language models; documentation, copyright |
The wider rulebook
Beyond the AI Act, the GDPR applies (legal basis, data processing agreement, data minimisation, accountability) [6], NIS2 (in force in Germany since December 2025; management is personally liable) [7], the new product liability rules (from December 2026 software counts as a product, liability without proof of fault) [8] and copyright law (Regional Court of Munich I, 11 November 2025) [9].
| Rule | What it covers |
|---|---|
| EU AI Act, Art. 4 (AI literacy) | Training duty for providers and deployers. Applies since 2 February 2025. |
| EU AI Act, Art. 5 (prohibitions) | Prohibited AI practices. Applies since 2 February 2025. |
| EU AI Act, Art. 50(2) (marking) | Marking of AI content. Provisionally moved to December 2026. |
| EU AI Act (high-risk) | Obligations for standalone high-risk systems. Provisionally moved to December 2027. |
| GDPR | Legal basis, data processing agreement, data minimisation, accountability. Applies on an ongoing basis. |
| NIS2 implementation act (Sec. 38 BSIG) | Cyber duties, personal liability of management. Applies since 6 December 2025. |
| Product Liability Directive (EU) 2024/2853 | Software counts as a product; liability without proof of fault. Applies to products from 9 December 2026. |
The six decisions of the checklist
A real decision is made at six points. The checklist walks through each:
| Decision | Key question | Legal reference |
|---|---|---|
| 1. Business case | Do you even want to build it yourself? | Cost-effectiveness (preliminary) |
| 2. Authority and capability | Are you allowed and able to build it? | EU AI Act Art. 4; ISO/IEC 42001 |
| 3. Tool and plan | Which tool, which plan? | GDPR Art. 28 and 6 |
| 4. Data and input/output | Which data, and does the app store anything? | GDPR Art. 5, 6, 28, 32 |
| 5. Hosting | Where does it run, where is the data? | GDPR Art. 32; AI Act Art. 12, 26 |
| 6. Operation and lifecycle | Who owns, maintains and ends the app? | Product Liability (EU) 2024/2853; NIS2 |
Duty of evidence
An auditor checks not only whether a policy exists, but whether the chain of proof from requirement to evidence is complete. A requirement becomes a policy, the policy becomes a control, and the control produces evidence. If the evidence is missing, the risk is there regardless of how good the policy looks.
GDPR Art. 5(2): the controller must be able to demonstrate compliance (accountability) [6].
Our Take
In practice the obstacle is rarely the tool and rarely the law. It is the missing ownership of the evidence layer. As long as no one in the company is responsible for turning requirement, policy and control into solid evidence, that evidence appears only once an incident forces it. Name that person before the first audit arrives, and half the checklist is already done.
Materials and contact
The slides and the full checklist are available for download above. For questions or support on responsible AI use, feel free to connect.
Sources
[1] Veracode, GenAI Code Security Report 2025
[2] Zhao et al., SUSVIBES, Carnegie Mellon University, 2026
[3] Kellogg, Lifshitz, Dell'Acqua, Mollick et al., MIT Sloan / Harvard Business School, 2024
[4] EU AI Act, Regulation (EU) 2024/1689 (Art. 4, 5, 12, 26, 50, 99)
[5] Digital Omnibus on AI, provisional political agreement of 7 May 2026
[6] GDPR, Regulation (EU) 2016/679 (Art. 5, 6, 28, 32)
[7] NIS2 Directive (EU) 2022/2555; NIS2 Implementation Act, Sec. 38 BSIG
[8] Product liability, Directive (EU) 2024/2853
[9] Regional Court of Munich I, judgment of 11 November 2025, 42 O 14139/24 (GEMA v OpenAI)
[10] ISO/IEC 42001:2023, AI management system