Re: Draft EU Commission guidelines on the classification of high-risk AI system

Hi @Paola Di Maio<mailto:paoladimaio10@gmail.com>,

About your questions:

The EU AI Office has noted that updates to the Pillar II signatory list on their website may take some time. Once published, I will share the link.

Additionally, we have decided not to found a Community Group (CG) at the W3C. Instead, we prefer to contribute to existing groups. The information on our website will be updated soon with a new version.

The SDK (github.com/arsialabs/arsia-protocol-sdk) includes two end-to-end demos that show the protocol vocabulary in action:

1. Fintech Trade: 3 autonomous AI agents execute a MiFID-II regulated securities trade, with suitability assessment, human-in-the-loop oversight, order execution, and full audit trail. Structural data isolation ensures each agent sees only what it needs.

2. Healthcare Pipeline: 3 autonomous AI agents process health data through a regulated pipeline with strict PII isolation. The system generates clinical analyses from anonymized records, requires mandatory clinician approval, and produces a complete audit trail for GDPR Art. 9 and EU AI Act compliance.

The protocol repo (github.com/arsialabs/arsia-protocol) contains 30 JSON schemas and 7 compliance profiles that formalize the vocabulary.

What we do not have: a vocabulary artifact in W3C format. Our terms (agent_id, capability, intent, envelope, oversight, compliance_profile, audit_record, breach_notification, among others) are defined in the spec and formalized in JSON Schema, but we have not mapped them into a standalone vocabulary document or compared them term-by-term against other protocol vocabularies.

Regards,
Kirk

Sent from Outlook for Mac
From: Paola Di Maio <paoladimaio10@gmail.com>
Date: Friday, 3 July 2026 at 18:32
To: Isaac Mao <imao@neocarbone.ai>; Isaac M <isaac.mao@gmail.com>
Cc: Kirk Patrick <kirk@arsialabs.ai>; W3C AIKR CG <public-aikr@w3.org>; public-agentprotocol <public-agentprotocol@w3.org>
Subject: Re: Draft EU Commission guidelines on the classification of high-risk AI system

@kirk     Thanks for sharing about Arsia, good luck with the initiative.  I could not find Arsia among the Pillar II Signatories, nor as the founding members of the CG  It would help if you could support the claims with URLs  However
if you have examples of how the protocols are implemented and used it would be good to learn how its vocabulary compares to the other protocols in use. In the meantime, please feel free to
contribute to the vocabs here with input if you have any

@Isaac M<mailto:isaac.mao@gmail.com>     Thanks for sharing a perspective an about recursive emergence,  perhaps you would like to give a quick talk to give more background?  (personally I prefer pre recorded talks but if you like we can
host a call sometime)

Had i forgotten to attach the link to the draft vocab? if you ask edit access I'll promptly share
  https://docs.google.com/document/d/1g7qzRIFLY5jvAfPzT4aGsZ5QKY9F6EOnaeW7vAzVMFA/edit?usp=sharing


I am not sure if an MD doc can be edited on Github, or what is the mechanism to contribute the suggested edits there
https://github.com/w3c-cg/aikr/blob/main/high%20risk%20classification/AIKR_AI-Act-HighRisk-Classification_Glossary.md


Just let me know what works for you

You may also prepare your own draft and share it here so that we can merge them later
To sum up:
1.  contribute your input a group note toe the consultation here   https://digital-strategy.ec.europa.eu/en/library/draft-commission-guidelines-classification-high-risk-ai-systems


and   2. Elaborating a vocab based on that initiative to formalise and publish as group's report

Thank you!

Best

Paola

On Fri, Jul 3, 2026 at 1:51 AM Isaac Mao <imao@neocarbone.ai<mailto:imao@neocarbone.ai>> wrote:
Paola — thank you for distilling this and driving a group submission. One line in your notes is the hinge I'd build on: that high-risk is not a first-order property of the AI system but a derived property conditioned on sectoral law. For agentic systems that has sharp, concrete consequences and it's exactly where this group's in-flight work already speaks.

If "high-risk" is derived and relational rather than intrinsic, then for an agent it has to be represented, transported, and verified between independent parties: a classification that can't travel and be checked at the point of action isn't enforceable in practice. Two layers follow.

1. The classification as a signed, resolvable attribute bound to the agent's identity not asserted in prose with provider and deployer kept distinct, per the guidelines' own emphasis on intended purpose and role.
2. The obligations the derived class triggers (Article 12 record-keeping, Article 14 human oversight) as a portable, independently-verifiable evidentiary layer: what authority was evaluated, what was decided, and what was believed, with each element content-addressed and checkable without trusting the operator's logs. This is precisely the auditability + belief-state work already open in the AI Agent Protocol CG (https://github.com/w3c-cg/ai-agent-protocol/issues/34 issues #34/#36, PRs #40/#41). That layer is the machine-readable substance behind "a high-risk system must keep auditable records."

A principle worth stating explicitly in the submission: this evidentiary layer records admissibility—what was believed and decided, with provenance—not truth, and never a claim that the belief was correct. That is the honest and enforceable standard: a high-risk system demonstrates due process, not omniscience.

One gap the draft guidelines don't address, and that agents force: classification persistence across lifecycle events. The guidelines treat a system as classified once; but agents are copied, fine-tuned, forked, and checkpoint-restored so to which instance does a high-risk classification and its obligations attach after a fork, and who is accountable? There is literature-grounded reasoning here: the "which is the real one" question is metaphysically empty (Parfit's fission), while who acts as the deployed high-risk service is a decidable speaks-for delegation (Abadi/Lampson). We've written it up (LINEAGE.md), and it composes with the post-quantum identity-as-accountability-chain formalization my colleague Sylvain Cormier deposited on Zenodo (doi:10.5281/zenodo.20328038, Lean-verified). I'd recommend the submission flag lifecycle-persistence as an open question the guidelines should anticipate for agentic systems.  https://github.com/Recursive-Emergence/bella/blob/0e3a1c75c6fa7865e6397098149e8c85670d1834/LINEAGE.md  (up to be merged to main)

Regarding the glossary itself, I'm glad to contribute definitions in your doc; candidates this work needs and the guidelines leave implicit:

- derived classification: a risk class conditioned on external law/context, not an intrinsic property; for agents, must be a resolvable, signed attribute rather than a static label.
- evidentiary record: content-addressed commitment / decision / receipt (plus a belief-state reference) that makes Article 12/14 obligations independently verifiable.
- classification persistence: whether and how a derived class and its obligations survive copy, fork, fine-tune, and restore, and which instance carries them.
- speaks-for authority: the delegation deciding which instance acts as the classified service, distinct from the metaphysical identity question.

Send me edit access, or I'll drop these on the list,  whichever is easier to collate. One running implementation of the evidentiary/belief layer is open source (Bella, Recursive-Emergence/bella) if a concrete tract of terms is testable.

Thanks again for organizing this.

Isaac Mao
github.com/immartian<http://github.com/immartian> github.com/immelleable<http://github.com/immelleable> · W3C AI Agent Protocol CG

On Thu, Jul 2, 2026 at 6:50 PM Kirk Patrick <kirk@arsialabs.ai<mailto:kirk@arsialabs.ai>> wrote:
>
> Dear Paola, and fellow participants,
>
> Thank you for distilling the key terms from the draft guidelines. I want to put something concrete on the table, because it is directly relevant to how this group represents high-risk classification for agentic systems.
>
> I maintain the Arsia Protocol, an open specification (Apache-2.0 / CC BY-SA 4.0) for AI agent identity, communication, and governance. It addresses a question the guidelines raise but do not resolve for agents: once a system is classified, how does that classification travel with the agent across service boundaries, and how is it enforced at the point of action?
>
> To be clear on positioning: Arsia does not compete with agent protocols such as MCP or A2A. It sits on top of them, protocol agnostic.
>
> This is not a paper proposal. The protocol is specified, implemented, and running in production. It has a published SDK, with multiple implementations built on it.
>
> On the substance relevant to the key terms work:
>
> 1. Classification is a signed field. Every agent carries a signed identity record with an ai_system_classification value from a fixed vocabulary (minimal-risk, limited-risk, high-risk, unacceptable-risk), bound to its cryptographic identity, not asserted in prose. Provider and deployer are kept distinct, with jurisdiction encoded as ISO 3166.
>
> 2. Classification drives enforcement, not just disclosure. Unacceptable-risk agents are rejected at onboarding, high-risk agents must present a compliance profile before admission, and a runtime policy pipeline enforces human oversight (Article 14), tamper evident audit trails (Article 12), and capability level authorization.
>
> 3. Obligations travel as data, through machine readable compliance profiles including EU-AI-ACT-HIGH-RISK and EU-AI-ACT-LIMITED-RISK, alongside GDPR, DORA, MiFID II, and DSA.
>
> So the group knows where this effort sits: Arsia Labs is part of NVIDIA Inception and the Cloudflare for Startups program, and Arsia Labs is a signatory to the EU AI Pact Pillar II voluntary pledges. We will be at Web Summit Lisbon demonstrating the protocol, and we are in discussions with cloud providers about implementing it natively, including early conversations with Microsoft.
>
> The reason I raise this here is that, for agentic AI, a classification that cannot be represented, transported, and verified between independent parties is not enforceable in practice. That is a knowledge representation problem, and it is this group's remit. Arsia is one open implementation of this running in production.
>
> If useful, the specification and the SDK are open to read, along with demos that implement the protocol end to end. Seeing how these terms behave in a system that actually runs in production may help the group make the abstract concrete. I am happy to point to the relevant parts or answer questions.
>
> You can find more about Arsia Protocol at:
>
> https://arsiaprotocol.org

> https://github.com/arsialabs/arsia-protocol

> https://github.com/arsialabs/arsia-protocol-sdk

>
>
> Best regards,
> Kirk Patrick
> arsiaprotocol.org<http://arsiaprotocol.org>
>
> Sent from Outlook for Mac
> From: Paola Di Maio <paola.dimaio@gmail.com<mailto:paola.dimaio@gmail.com>>
> Date: Wednesday, 1 July 2026 at 14:46
> To: W3C AIKR CG <public-aikr@w3.org<mailto:public-aikr@w3.org>>; public-agentprotocol <public-agentprotocol@w3.org<mailto:public-agentprotocol@w3.org>>
> Subject: Draft EU Commission guidelines on the classification of high-risk AI system
>
>
> Greetings AI KR CG Participants
>
> Draft Commission guidelines on the classification of high-risk AI system
>
> https://digital-strategy.ec.europa.eu/en/library/draft-commission-guidelines-classification-high-risk-ai-systems

>
> The Annexes in the page are faulty (as of July 1st both links download  the same document, which is a DRAFT  with blank placeholder slots)
>
> Errors notwithstanding, here is a distilled  a draft of   key terms representing an important initiative here for  review and discussion
>
> Please send  comments  and discussions if any to the public mailing list *this list  or to the Chair *me, or request edit access to the doc
> so that inputs can be aggregated and included in the group's submission. *contributors will be acknowledged  unless they wish to remain anonymous
>
> Thanking everyone in advance for the interest and participation in shaping representation for agentic AI
>
>
> Paola Di Maio, PhD
>
>
>
>

Received on Sunday, 5 July 2026 19:02:25 UTC