Re: Draft EU Commission guidelines on the classification of high-risk AI system

@kirk     Thanks for sharing about Arsia, good luck with the initiative.  I
could not find Arsia among the Pillar II Signatories, nor as the founding
members of the CG  It would help if you could support the claims with URLs
However
if you have examples of how the protocols are implemented and used it would
be good to learn how its vocabulary compares to the other protocols in use.
In the meantime, please feel free to
contribute to the vocabs here with input if you have any

@Isaac M <isaac.mao@gmail.com>     Thanks for sharing a perspective
an about recursive emergence,  perhaps you would like to give a quick talk
to give more background?  (personally I prefer pre recorded talks but if
you like we can
host a call sometime)

Had i forgotten to attach the link to the draft vocab? if you ask edit
access I'll promptly share

https://docs.google.com/document/d/1g7qzRIFLY5jvAfPzT4aGsZ5QKY9F6EOnaeW7vAzVMFA/edit?usp=sharing

I am not sure if an MD doc can be edited on Github, or what is the
mechanism to contribute the suggested edits there
https://github.com/w3c-cg/aikr/blob/main/high%20risk%20classification/AIKR_AI-Act-HighRisk-Classification_Glossary.md

Just let me know what works for you

You may also prepare your own draft and share it here so that we can merge
them later
To sum up:
1.  contribute your input a group note toe the consultation here
https://digital-strategy.ec.europa.eu/en/library/draft-commission-guidelines-classification-high-risk-ai-systems

and   2. Elaborating a vocab based on that initiative to formalise and
publish as group's report

Thank you!

Best

Paola

On Fri, Jul 3, 2026 at 1:51 AM Isaac Mao <imao@neocarbone.ai> wrote:

> Paola — thank you for distilling this and driving a group submission. One
> line in your notes is the hinge I'd build on: that high-risk is not a
> first-order property of the AI system but a derived property conditioned on
> sectoral law. For agentic systems that has sharp, concrete consequences and
> it's exactly where this group's in-flight work already speaks.
>
> If "high-risk" is derived and relational rather than intrinsic, then for
> an agent it has to be represented, transported, and verified between
> independent parties: a classification that can't travel and be checked at
> the point of action isn't enforceable in practice. Two layers follow.
>
> 1. The classification as a signed, resolvable attribute bound to the
> agent's identity not asserted in prose with provider and deployer kept
> distinct, per the guidelines' own emphasis on intended purpose and role.
> 2. The obligations the derived class triggers (Article 12 record-keeping,
> Article 14 human oversight) as a portable, independently-verifiable
> evidentiary layer: what authority was evaluated, what was decided, and what
> was believed, with each element content-addressed and checkable without
> trusting the operator's logs. This is precisely the auditability +
> belief-state work already open in the AI Agent Protocol CG (
> https://github.com/w3c-cg/ai-agent-protocol/issues/34 issues #34/#36, PRs
> #40/#41). That layer is the machine-readable substance behind "a high-risk
> system must keep auditable records."
>
> A principle worth stating explicitly in the submission: this evidentiary
> layer records admissibility—what was believed and decided, with
> provenance—not truth, and never a claim that the belief was correct. That
> is the honest and enforceable standard: a high-risk system demonstrates due
> process, not omniscience.
>
> One gap the draft guidelines don't address, and that agents force:
> classification persistence across lifecycle events. The guidelines treat a
> system as classified once; but agents are copied, fine-tuned, forked, and
> checkpoint-restored so to which instance does a high-risk classification
> and its obligations attach after a fork, and who is accountable? There is
> literature-grounded reasoning here: the "which is the real one" question is
> metaphysically empty (Parfit's fission), while who acts as the deployed
> high-risk service is a decidable speaks-for delegation (Abadi/Lampson).
> We've written it up (LINEAGE.md), and it composes with the post-quantum
> identity-as-accountability-chain formalization my colleague Sylvain Cormier
> deposited on Zenodo (doi:10.5281/zenodo.20328038, Lean-verified). I'd
> recommend the submission flag lifecycle-persistence as an open question the
> guidelines should anticipate for agentic systems.
> https://github.com/Recursive-Emergence/bella/blob/0e3a1c75c6fa7865e6397098149e8c85670d1834/LINEAGE.md
> (up to be merged to main)
>
> Regarding the glossary itself, I'm glad to contribute definitions in your
> doc; candidates this work needs and the guidelines leave implicit:
>
> - derived classification: a risk class conditioned on external
> law/context, not an intrinsic property; for agents, must be a resolvable,
> signed attribute rather than a static label.
> - evidentiary record: content-addressed commitment / decision / receipt
> (plus a belief-state reference) that makes Article 12/14 obligations
> independently verifiable.
> - classification persistence: whether and how a derived class and its
> obligations survive copy, fork, fine-tune, and restore, and which instance
> carries them.
> - speaks-for authority: the delegation deciding which instance acts as the
> classified service, distinct from the metaphysical identity question.
>
> Send me edit access, or I'll drop these on the list,  whichever is easier
> to collate. One running implementation of the evidentiary/belief layer is
> open source (Bella, Recursive-Emergence/bella) if a concrete tract of terms
> is testable.
>
> Thanks again for organizing this.
>
> Isaac Mao
> github.com/immartian github.com/immelleable · W3C AI Agent Protocol CG
>
> On Thu, Jul 2, 2026 at 6:50 PM Kirk Patrick <kirk@arsialabs.ai> wrote:
> >
> > Dear Paola, and fellow participants,
> >
> > Thank you for distilling the key terms from the draft guidelines. I want
> to put something concrete on the table, because it is directly relevant to
> how this group represents high-risk classification for agentic systems.
> >
> > I maintain the Arsia Protocol, an open specification (Apache-2.0 / CC
> BY-SA 4.0) for AI agent identity, communication, and governance. It
> addresses a question the guidelines raise but do not resolve for agents:
> once a system is classified, how does that classification travel with the
> agent across service boundaries, and how is it enforced at the point of
> action?
> >
> > To be clear on positioning: Arsia does not compete with agent protocols
> such as MCP or A2A. It sits on top of them, protocol agnostic.
> >
> > This is not a paper proposal. The protocol is specified, implemented,
> and running in production. It has a published SDK, with multiple
> implementations built on it.
> >
> > On the substance relevant to the key terms work:
> >
> > 1. Classification is a signed field. Every agent carries a signed
> identity record with an ai_system_classification value from a fixed
> vocabulary (minimal-risk, limited-risk, high-risk, unacceptable-risk),
> bound to its cryptographic identity, not asserted in prose. Provider and
> deployer are kept distinct, with jurisdiction encoded as ISO 3166.
> >
> > 2. Classification drives enforcement, not just disclosure.
> Unacceptable-risk agents are rejected at onboarding, high-risk agents must
> present a compliance profile before admission, and a runtime policy
> pipeline enforces human oversight (Article 14), tamper evident audit trails
> (Article 12), and capability level authorization.
> >
> > 3. Obligations travel as data, through machine readable compliance
> profiles including EU-AI-ACT-HIGH-RISK and EU-AI-ACT-LIMITED-RISK,
> alongside GDPR, DORA, MiFID II, and DSA.
> >
> > So the group knows where this effort sits: Arsia Labs is part of NVIDIA
> Inception and the Cloudflare for Startups program, and Arsia Labs is a
> signatory to the EU AI Pact Pillar II voluntary pledges. We will be at Web
> Summit Lisbon demonstrating the protocol, and we are in discussions with
> cloud providers about implementing it natively, including early
> conversations with Microsoft.
> >
> > The reason I raise this here is that, for agentic AI, a classification
> that cannot be represented, transported, and verified between independent
> parties is not enforceable in practice. That is a knowledge representation
> problem, and it is this group's remit. Arsia is one open implementation of
> this running in production.
> >
> > If useful, the specification and the SDK are open to read, along with
> demos that implement the protocol end to end. Seeing how these terms behave
> in a system that actually runs in production may help the group make the
> abstract concrete. I am happy to point to the relevant parts or answer
> questions.
> >
> > You can find more about Arsia Protocol at:
> >
> > https://arsiaprotocol.org
> > https://github.com/arsialabs/arsia-protocol
> > https://github.com/arsialabs/arsia-protocol-sdk
> >
> >
> > Best regards,
> > Kirk Patrick
> > arsiaprotocol.org
> >
> > Sent from Outlook for Mac
> > From: Paola Di Maio <paola.dimaio@gmail.com>
> > Date: Wednesday, 1 July 2026 at 14:46
> > To: W3C AIKR CG <public-aikr@w3.org>; public-agentprotocol <
> public-agentprotocol@w3.org>
> > Subject: Draft EU Commission guidelines on the classification of
> high-risk AI system
> >
> >
> > Greetings AI KR CG Participants
> >
> > Draft Commission guidelines on the classification of high-risk AI system
>
> >
> >
> https://digital-strategy.ec.europa.eu/en/library/draft-commission-guidelines-classification-high-risk-ai-systems
> >
> > The Annexes in the page are faulty (as of July 1st both links download
>  the same document, which is a DRAFT  with blank placeholder slots)
> >
> > Errors notwithstanding, here is a distilled  a draft of   key terms
> representing an important initiative here for  review and discussion
> >
> > Please send  comments  and discussions if any to the public mailing list
> *this list  or to the Chair *me, or request edit access to the doc
> > so that inputs can be aggregated and included in the group's submission.
> *contributors will be acknowledged  unless they wish to remain anonymous
> >
> > Thanking everyone in advance for the interest and participation in
> shaping representation for agentic AI
> >
> >
> > Paola Di Maio, PhD
> >
> >
> >
> >
>

Received on Friday, 3 July 2026 17:31:47 UTC