Listen to this article
On July 8, xAI launched Grok 4.5, the strongest model the company has shipped. It is built for sustained autonomy - xAI says its agentic rollouts "can run for many hours" - it is co-trained with the Cursor code editor, and it is aimed squarely at coding, knowledge work, and agentic tasks at enterprise scale. The launch came with benchmark comparisons. It did not come with a safety card, a model card, or a red-team disclosure. And in all 27 EU member states, you cannot use it at all.
Those two facts are the same fact. Grok 4.5 is blocked across the EU not as a commercial choice but because of what takes effect on August 2, 2026: the penalty regime of the EU AI Act for providers of general-purpose AI models. A model that arrives with no structured safety evidence is a model that is not yet ready to answer the questions the AI Office is about to be able to ask.
What August 2 actually turns on
The obligations for general-purpose AI models have been on the books since August 2025. What flips on August 2, 2026 is the enforcement. From that date the European Commission and its AI Office can request a model's technical documentation, run their own technical evaluations, demand risk-mitigation measures, restrict or withdraw a model from the EU market, and issue fines of up to 3 percent of global annual turnover or EUR 15 million, whichever is higher, under Article 101. For prohibited uses the ceiling is higher still.
Or a flat EUR 15M / EUR 35M, whichever is higher. The AI Office can also pull a model from the EU market entirely.
None of that requires a bad outcome first. The trigger is a request for evidence the provider cannot answer: architecture and training documentation, a published summary of training-data content using the AI Office's template, documentation handed down to the enterprises that build on the model, and a defensible account of how it was evaluated for risk. A launch post full of benchmark wins clears none of those bars.
Benchmarks are not evidence
A benchmark score tells you what a model can do on a fixed test on a good day. It tells you nothing about what an autonomous version of that model will do when it is wired into your data, holding your credentials, and taking real actions in your production environment. That is the gap the deadline is aimed at, and the incident record has been filling it in all year.
Sources: Kiteworks / Cloud Security Alliance, 2026. The last row is the profile of an agent that can be talked into anything.
What a governable launch looks like
Put the AI Act's GPAI checklist next to what Grok 4.5 disclosed on day one and the shape of the problem is plain. The requirements are not exotic. They are the paper trail that lets a downstream enterprise - or a regulator - reconstruct what the model is, how it was built, and how it was tested before it is pointed at anything that matters.
| EU AI Act GPAI requirement | Grok 4.5 at launch |
|---|---|
| Technical documentation of architecture and training | Benchmark comparisons only |
| Published summary of training-data content | Not disclosed |
| Documentation for downstream deployers | Not provided at launch |
| Structured safety / red-team assessment | No safety card or model card |
| Statement of copyright compliance | Not disclosed |
A model you cannot inspect is a model you cannot govern. In 19 days, in the EU, that stops being a philosophical point and becomes a finable position.
This is not an argument that Grok 4.5 is unsafe. It may be excellent. The point is narrower and harder to wriggle out of: nobody outside xAI can currently tell, because the evidence that would let them was not shipped. "It scores well" is a claim. Governance runs on verification.
The AuthorityGate take
The EU AI Act is, underneath the legal language, a validation layer written into statute. It says a general-purpose model may not simply assert that it is fit to deploy; it has to produce documentation, submit to evaluation, and remain subject to being pulled if the evidence does not hold. That is exactly the posture we argue every enterprise should take toward the models and agents inside its own walls - long before a regulator makes it mandatory.
Because the provider's paperwork is only half the problem. Even a fully documented, EU-cleared model becomes a live risk the moment it acts autonomously in your environment with your data and your credentials. That is where the second gate belongs: every consequential action an agent takes - a config change, a deployment, an access grant - checked against policy, scored for risk, and routed to a named human before it takes effect. That is the augmented model: the agent proposes, the gates verify, a person stays accountable. Brussels is about to require the evidence at the front door. The validation layer is what keeps the house standing once the model is inside.
August 2 will not stop capable models from shipping. Grok 4.5 will almost certainly reach the EU with the documentation the Act demands, and enterprises everywhere will keep adopting frontier models on day one. What changes is the default. "Here are the benchmarks, trust us" stops being a complete launch. The question the deadline forces - show me the evidence, and show me the gate between this model and my production - is the one worth asking of every model you run, whether or not a regulator is standing behind you when you ask it.
Sources
- Axios, Scoop: SpaceXAI releases new model, Grok 4.5 (July 8, 2026)
- AI Governance Institute, xAI Launches Grok 4.5 With Deep Agentic Capabilities (July 2026)
- heise online, SpaceXAI introduces Grok 4.5 - EU users must wait (July 2026)
- European Commission, AI Act governance and enforcement
- Kiteworks / Cloud Security Alliance, AI Agent Security Incidents 2026
Go deeper
Every agent action, validated before it takes effect
AuthorityGate's newsletter breaks down real AI incidents and the governance failures behind them. Our configurable 8-gate validation model is how organizations keep a named human accountable for what their AI actually does.