EU Regulations Are Not Ready for Multi-Agent AI Incidents
In August this year, the European Commission’s guidelines for Article 73 of the EU AI Act will come into force. The guidelines mandate deployers and providers to report serious incidents related to AI systems in high-risk environments such as critical infrastructure.
This is a timely release. Nick Moës, Executive Director of The Future Society, warned during the flagship Athens Roundtable in London last December:
“This may be one of the last years in which we can still prevent an AI disaster as defined by the OECD. The scale and growth of incidents we are witnessing is already concerning.”
Regulation Fit for Purpose?
Is the regulation we are developing fit for purpose? As expressed in a recent submission to the Commission’s consultation on draft guidance and reporting templates on serious AI incidents, the draft already contains a worrying loophole that must be addressed. It focuses on single-agent and single-occurrence failures and assumes a simplistic one-on-one causality map for AI-related incidents. Yet some of the most serious risks are already emerging from interactions between AI systems, where multiple occurrences can lead to cascading, cumulative effects.
An incident reporting framework that ensures accountability for these new risks must be part of the EU AI Act’s implementation. With Article 73 guidelines set to become binding in August, the clock is ticking for the European Commission to embed these changes.
Multi-Agent Dynamics
Not all incidents will be caused by a single agent. The current wording of Article 73 guidelines assumes that only one system will contribute to a high-risk incident. However, AI systems are becoming more agentic: capable of complex reasoning, goal decomposition, and proactive action without continuous human intervention. Once deployed, they are likely to interact with other AI agents and users, leading to complex dependencies. In such cases, assigning a single culprit in an incident becomes an outdated approach, particularly for diffuse or subtle incidents.
For example, when pricing algorithms in Germany’s fuel market began reacting to each other, prices rose without any explicit coordination. This outcome, known as algorithmic collusion, illustrates the broader accountability gap in current regulations. Similar phenomena have been reported among the largest online retailers in the Netherlands and Belgium.
Emergent Incidents
The core challenge is that the resulting incidents are emergent, stemming not from a failure in one system (and attributable to one actor), but from system-level interaction. To capture this reality, the Article 73 guidelines should explicitly recognize that unexpected system behavior can arise not only from an AI system acting in isolation but also from its interaction with other AI systems.
When automated trading systems reacted to each other during the “Flash Crash” of 2010, market prices collapsed by nearly a trillion dollars within minutes. This example illustrates how AI-related incidents can arise from multiple, rapid interactions between systems rather than a single occurrence. The sheer speed at which automated systems interact can also amplify the effects of each other’s outputs. This can trigger cascading effects across networks, quickly escalating one localized failure into a major incident or multiple major incidents.
To illustrate, cascading outages in the energy industry could be caused by the introduction of purposely falsified data into networked AI systems controlling the power grid. In simulated resource-sharing scenarios (fishery, pasture, and clean water), large language models have also been shown to accelerate resource depletion through interactions leading to a system-level collapse.
Cumulative Incidents
Other types of cumulative incidents must also be addressed by regulation. This November, Anthropic reported the largest cyberattack conducted using AI agents targeting critical industries. The state-linked threat actor broke down the attack into seemingly innocuous tasks that Claude would execute without being provided the full context of their malicious intent. The mounting effect of various tasks, rather than a single event, means this would not be a clearly reportable incident under today’s Article 73 draft guidelines.
Article 73 guidelines should expand their parameters to explicitly include cumulative, systemic, and non-physical forms of harm caused by multiple occurrences, such as compounding effects across digital infrastructure networks and multiple communities in society.
Threats to Collective Interest
Current loopholes in the draft guidelines for Article 73 create legal ambiguity in accountability and expose harms that extend beyond individual users. Business insurers are already protecting themselves, with Great American, AIG, and W.R. Berkeley looking to exclude coverage for AI-related liabilities caused by systemic risks.
As governments increasingly deploy AI systems to forecast economic trends, draft regulations, allocate public resources, or support administrative decision-making, errors can affect entire populations rather than discrete individuals. It is these shared, population-level stakes that Article 73 seeks to protect under the notion of “collective interests,” including environmental protection, public health, and the functioning of democratic institutions. Yet, its current framing does not capture how multi-agent interactions can erode these interests in new ways.
When the Russian network Pravda injected pro-Kremlin narratives into multiple AI models, the systems began repeating propaganda as legitimate information. This incident highlights the fragility of our epistemic security—the integrity of the information environment that forms the bedrock of our democratic processes—and shows how multi-agent interactions can erode collective interests without a single ‘harm’ occurring.
Missing Reporting Mechanisms
Because of the high-risk and diffused nature of these multi-agent incidents, and the difficulty of holding a single provider accountable, the importance of confidential reporting mechanisms (“whistleblowing”) is unnegotiable. Draft guidelines for Article 73 provide no structured pathways for third-party reporting (users, civil society, academia) and whistleblowers. There is also no clear link, for example, between the European Commission’s efforts to build a confidential whistleblower tool and how these relate to regulation.
Closing the Gap
Draft guidelines of Article 73 expose an alarming lack of preparedness in regulating agentic AI systems. These guidelines will be legally binding from August 2026, and as currently drafted, give us no tools to pin accountability for multi-agent incidents and prevent cumulative harm to our collective interests.
The European Commission should broaden how it understands and responds to AI-related incidents, starting with a more realistic definition of harm. Reportable incidents should not be limited to isolated system failures but expanded to include breakdowns that emerge when AI systems interact with one another—often in unpredictable and compounding ways. These multi-agent interactions can produce cumulative and systemic harms that do not always manifest as immediate physical damage but instead ripple across digital networks, critical infrastructure, and entire communities.
That broader lens is especially important when it comes to collective interests such as the integrity of democratic institutions. Multi-agent AI systems can misinform, manipulate, or subtly distort users’ ability to make informed decisions at scale, causing damage that is diffuse but deeply consequential.
To make such harms visible in practice, the Commission should also enable stronger reporting mechanisms. This includes allowing confidential and third-party reporting channels so whistleblowers, civil society organizations, and academic researchers can surface multi-agent failures without fear of retaliation. Without these pathways, many of the most serious and systemic AI incidents are likely to remain hidden, unexamined, and unaccountable.
Article 73 is a stepping stone. A stronger normative backbone is needed to account for transparent, cooperative, and accountable AI-to-AI interactions. EU legal experts also argue that monitoring needs explicit, system-level technical intervention mechanisms (i.e., kill switches or circuit breakers). Campaigning for the amendment of Article 73 is a positive step toward addressing high-risk incidents in Europe’s AI landscape.
