Governing What the EU AI Act Excludes: Accountability for Autonomous AI Agents in Smart City Critical Infrastructure

A new academic paper from researchers Talal Ashraf Butt, Muhammad Iqbal, and Razi Iqbal uncovers a critical accountability deficit in the EU AI Act when it comes to autonomous AI agents managing smart city critical infrastructure. Published on arXiv and submitted to the Computer Law & Security Review, the paper points out that Annex III, point 2 of the Act excludes safety-component AI in critical infrastructure from Article 86 explanation rights and Article 27 fundamental-rights impact assessments. While provider and deployer duties under Articles 9-15 still apply, the Act's principal resident-facing instruments are narrowed for the very systems most likely to interact across agencies—like a traffic signal controller adjusting green phases and a grid manager curtailing power on the same corridor. The paper traces four residual accountability pathways under GDPR Article 22, GDPR transparency obligations, tortious liability, and NIS2, showing each is structurally bounded by individual-controller, individual-decision scope.

As a governance response, the authors present AgentGov-SC (Agent, Orchestration, City), a three-layer architecture specifying 25 governance measures with bidirectional traceability to the EU AI Act, ISO/IEC 42001, and the NIST AI Risk Management Framework. The design includes five conflict resolution rules and an autonomy-calibrated activation model to manage multi-agent interactions proportionately. The paper validates its approach through a scenario analysis of a multi-agent corridor cascade involving three documented UAE smart-city systems, with a contrasting single-system scenario demonstrating proportional activation. This work offers a concrete regulatory gap analysis and a governance architecture for an increasingly common class of urban AI deployment that existing frameworks treat as bounded and isolated—a timely contribution as cities worldwide deploy more autonomous, interconnected AI systems on critical infrastructure.