Blog Governance & Regulation July 14, 2026 5 min read

xAI Shipped Its Most Agentic Model Yet With No Safety Card. On August 2, the EU AI Act Starts Fining That.

On July 8, xAI launched Grok 4.5 - built to run agentic tasks for hours - with benchmark scores and no safety card. It is blocked in all 27 EU states. On August 2, the EU AI Act explains why.

By the AuthorityGate Architect Team

On July 8, xAI launched Grok 4.5, the strongest model the company has shipped. It is built for sustained autonomy - xAI says its agentic rollouts "can run for many hours" - it is co-trained with the Cursor code editor, and it is aimed squarely at coding, knowledge work, and agentic tasks at enterprise scale. The launch came with benchmark comparisons. It did not come with a safety card, a model card, or a red-team disclosure. And in all 27 EU member states, you cannot use it at all.

Those two facts are the same fact. Grok 4.5 is blocked across the EU not as a commercial choice but because of what takes effect on August 2, 2026: the penalty regime of the EU AI Act for providers of general-purpose AI models. A model that arrives with no structured safety evidence is a model that is not yet ready to answer the questions the AI Office is about to be able to ask.

19days until the EU AI Act's GPAI penalty regime goes live
27EU member states where Grok 4.5 is blocked at launch
3%of global turnover: the GPAI fine ceiling (or EUR 15M)
0safety cards or red-team disclosures in the launch

What August 2 actually turns on

The obligations for general-purpose AI models have been on the books since August 2025. What flips on August 2, 2026 is the enforcement. From that date the European Commission and its AI Office can request a model's technical documentation, run their own technical evaluations, demand risk-mitigation measures, restrict or withdraw a model from the EU market, and issue fines of up to 3 percent of global annual turnover or EUR 15 million, whichever is higher, under Article 101. For prohibited uses the ceiling is higher still.

The teeth arrive on schedule EU AI Act fine ceilings, as a share of global annual turnover
0%
GPAI obligations (Art. 101)
0%
Prohibited practices (Art. 99)

Or a flat EUR 15M / EUR 35M, whichever is higher. The AI Office can also pull a model from the EU market entirely.

None of that requires a bad outcome first. The trigger is a request for evidence the provider cannot answer: architecture and training documentation, a published summary of training-data content using the AI Office's template, documentation handed down to the enterprises that build on the model, and a defensible account of how it was evaluated for risk. A launch post full of benchmark wins clears none of those bars.

Benchmarks are not evidence

A benchmark score tells you what a model can do on a fixed test on a good day. It tells you nothing about what an autonomous version of that model will do when it is wired into your data, holding your credentials, and taking real actions in your production environment. That is the gap the deadline is aimed at, and the incident record has been filling it in all year.

Why "trust the benchmarks" is not a control Agentic-AI exposure in enterprise environments, 2026
Firms hit by an AI-agent security incident in the past year
65%
Of those incidents, share that exposed sensitive data
61%
Production agents mixing private data, untrusted input, and outbound actions
98%

Sources: Kiteworks / Cloud Security Alliance, 2026. The last row is the profile of an agent that can be talked into anything.

A powerful new engine on a test-bench dynamometer with every sensor cable disconnected, dark workshop, warm gold instrument glow
A frontier model shipped on benchmark numbers alone is an engine on a dyno with the safety sensors unplugged.

What a governable launch looks like

Put the AI Act's GPAI checklist next to what Grok 4.5 disclosed on day one and the shape of the problem is plain. The requirements are not exotic. They are the paper trail that lets a downstream enterprise - or a regulator - reconstruct what the model is, how it was built, and how it was tested before it is pointed at anything that matters.

EU AI Act GPAI requirement Grok 4.5 at launch
Technical documentation of architecture and training Benchmark comparisons only
Published summary of training-data content Not disclosed
Documentation for downstream deployers Not provided at launch
Structured safety / red-team assessment No safety card or model card
Statement of copyright compliance Not disclosed

A model you cannot inspect is a model you cannot govern. In 19 days, in the EU, that stops being a philosophical point and becomes a finable position.

This is not an argument that Grok 4.5 is unsafe. It may be excellent. The point is narrower and harder to wriggle out of: nobody outside xAI can currently tell, because the evidence that would let them was not shipped. "It scores well" is a claim. Governance runs on verification.

The AuthorityGate take

The EU AI Act is, underneath the legal language, a validation layer written into statute. It says a general-purpose model may not simply assert that it is fit to deploy; it has to produce documentation, submit to evaluation, and remain subject to being pulled if the evidence does not hold. That is exactly the posture we argue every enterprise should take toward the models and agents inside its own walls - long before a regulator makes it mandatory.

Because the provider's paperwork is only half the problem. Even a fully documented, EU-cleared model becomes a live risk the moment it acts autonomously in your environment with your data and your credentials. That is where the second gate belongs: every consequential action an agent takes - a config change, a deployment, an access grant - checked against policy, scored for risk, and routed to a named human before it takes effect. That is the augmented model: the agent proposes, the gates verify, a person stays accountable. Brussels is about to require the evidence at the front door. The validation layer is what keeps the house standing once the model is inside.

August 2 will not stop capable models from shipping. Grok 4.5 will almost certainly reach the EU with the documentation the Act demands, and enterprises everywhere will keep adopting frontier models on day one. What changes is the default. "Here are the benchmarks, trust us" stops being a complete launch. The question the deadline forces - show me the evidence, and show me the gate between this model and my production - is the one worth asking of every model you run, whether or not a regulator is standing behind you when you ask it.

Share this post: LinkedIn

Go deeper

Every agent action, validated before it takes effect

AuthorityGate's newsletter breaks down real AI incidents and the governance failures behind them. Our configurable 8-gate validation model is how organizations keep a named human accountable for what their AI actually does.