CISO Brief: EU AI Act

How the EU AI Act is Reshaping Identity Strategy — and What CISOs Must Do Now

What is the EU Artificial Intelligence Act and Why Does it Matter? 

The EU Artificial Intelligence Act (AI Act) is poised to become the world's most significant legal framework for AI. While much attention has been placed on generative AI and automation, the Act has a less obvious but urgent implication for identity and access management (IAM):
It places many AI-driven biometric and behavioral systems in its high-risk category.

That category covers biometric identification, biometric categorisation and emotion recognition, so systems built on behavioral biometrics, facial recognition, keystroke dynamics, and certain adaptive (risk-scoring) authentication techniques need to be assessed against it. The Act does carve out biometric verification whose sole purpose is to confirm that a person is who they claim to be, which is why the question for each product is what it actually does with the biometric and behavioral data it collects, not what its marketing calls it.

As a result, CISOs and identity leaders whose organisations do any business in the EU now need to reassess the tools securing their workforce, customers, and critical infrastructure. Authentication systems once seen as cutting-edge may now carry regulatory risk, operational complexity, and legal liability.

The Hidden Risks in “Smart” Authentication

AI-driven behavioral profiling and basic biometric authentication have become mainstays as companies try to shore up password-based systems. Where such a system falls into the AI Act's high-risk category, a host of obligations follows:

  • Mandatory risk and impact assessments

  • Ongoing logging, transparency, and documentation

  • Human oversight and explainability mandates

  • Audit rights for EU regulators

  • Severe penalties for non-compliance: fines of up to 7% of global annual turnover for prohibited AI practices, and up to 3% for breaches of the high-risk obligations

Bottom line: identity systems that rely on AI-based biometrics or behavioral analysis are no longer just security tools; each one is also a potential regulatory liability.

The AI Act + GDPR: A Perfect Storm

The AI Act isn't working in a silo. It complements and reinforces the foundational principles of GDPR, especially data minimization and privacy by design, and biometric data used to identify a person remains special-category personal data under GDPR whatever the AI Act says about the system processing it.

Here's how common authentication methods stack up:

  Method                  Security and regulatory concerns
  ----------------------  ------------------------------------------------------------------
  Passwords               User friction, phishing risk, shared secrets, poor privacy hygiene
  SMS/email 2FA           PII exposure (phone number, email address), interceptable codes, poor user experience
  Behavioral biometrics   Continuous profiling can fall under the high-risk AI rules, bringing explainability and human-oversight duties
  Facial recognition      Special-category biometric data under GDPR (consent complexity); high-risk AI where it goes beyond 1:1 verification

Beyond Identity: Built for the Post-AI Act World

Beyond Identity's cryptographic, passwordless authentication was engineered to avoid these pitfalls from day one. It relies on:

  • No passwords

  • No shared secrets

  • No AI-based risk scoring

We take a two-pronged approach to biometrics that ensures privacy, compliance, and security. First, the biometric check is the device's own local biometric (the fingerprint or face unlock built into the platform): it is evaluated on the device rather than sent to a server.

Second, we complement that local biometric with a public/private key pair generated in the device's TPM (Trusted Platform Module), which provides a secure and cryptographically provable digital identity. Unlike a password, the private key in the TPM is never exposed to the application or the operating system: the device only ever produces signatures with it, and the server only ever holds the public key.

Authentication is bound to the user’s device and verified with secure cryptographic keys — not personal data or opaque AI models.
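The device-bound, challenge-response flow that the passage above describes, written out as an added example. This is illustrative code, not Beyond Identity's implementation: it assumes a P-256 ECDSA key pair, simplifies the TPM to an in-memory key that no code outside the Device type reads, reduces the local biometric check to an Unlock call, and uses a made-up relying party (login.example.com) and user names. The server side stores nothing but public keys and single-use challenges, so there is no shared secret, no biometric template and no risk-scoring model on the server at all.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device stands in for the user's enrolled authenticator. The page describes the
// private key living in a TPM; here (an assumption for the example) it is an
// in-memory key that only this type ever touches. "unlocked" stands in for the
// on-device biometric or PIN check, which a real device evaluates locally.
type Device struct {
	priv     *ecdsa.PrivateKey
	unlocked bool
}

// NewDevice generates the device-bound P-256 key pair at enrollment time.
func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is the only material the device hands out; the server enrolls it.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Unlock models a successful local user-verification step (biometric or PIN).
func (d *Device) Unlock() { d.unlocked = true }

// bindChallenge hashes the relying-party identifier with the challenge so that an
// assertion produced for one server cannot be replayed to another server.
func bindChallenge(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator between the two fields
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign produces the authentication assertion. It refuses to sign until the local
// unlock has happened, mirroring a hardware key gated by user verification.
func (d *Device) Sign(rpID string, challenge []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("device locked: local user verification has not succeeded")
	}
	return ecdsa.SignASN1(rand.Reader, d.priv, bindChallenge(rpID, challenge))
}

// Server is the relying party. It stores public keys and outstanding challenges only.
type Server struct {
	rpID     string
	enrolled map[string]*ecdsa.PublicKey // username -> enrolled device key
	pending  map[string][]byte           // username -> single-use challenge
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, enrolled: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll records the device's public key for a user.
func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.enrolled[user] = pub }

// Challenge issues a fresh 32-byte random nonce; only the most recent one is valid.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.enrolled[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify burns the outstanding challenge (whatever the outcome), checks that the
// presented one matches it, and verifies the signature under the enrolled key.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	pub, ok := s.enrolled[user]
	if !ok {
		return errors.New("unknown user")
	}
	expected, had := s.pending[user]
	delete(s.pending, user)
	if !had || !bytes.Equal(expected, challenge) {
		return errors.New("challenge is not the outstanding one: stale or replayed")
	}
	if !ecdsa.VerifyASN1(pub, bindChallenge(s.rpID, challenge), sig) {
		return errors.New("signature does not verify under the enrolled device key")
	}
	return nil
}

// Login runs one complete round (challenge, sign, verify) and returns the verdict.
func Login(s *Server, user string, d *Device) error {
	c, err := s.Challenge(user)
	if err != nil {
		return err
	}
	sig, err := d.Sign(s.rpID, c)
	if err != nil {
		return err
	}
	return s.Verify(user, c, sig)
}

func main() {
	srv := NewServer("login.example.com") // hypothetical relying party
	dev, _ := NewDevice()
	srv.Enroll("alice", dev.PublicKey())
	fmt.Println("locked device:   ", Login(srv, "alice", dev))
	dev.Unlock()
	fmt.Println("enrolled device: ", Login(srv, "alice", dev))
	rogue, _ := NewDevice() // attacker's own device, never enrolled
	rogue.Unlock()
	fmt.Println("attacker device: ", Login(srv, "alice", rogue))
}
```

Three properties of the flow are visible in the code: the server never receives anything it could replay or leak as a credential (a captured assertion is bound to one challenge and one relying party), a device that has not passed its local check produces no signature at all, and an attacker with a different device fails verification even though they know the username and the challenge.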

That means no AI-specific regulatory overhead, no invasive data collection, and no black-box algorithms. And it means you won't be held back as regulation and compliance thresholds evolve.

Why This Matters for CISOs

The compliance cost of complacency is rising.

Every AI-powered component in your identity stack should now be evaluated, not just for security risk but also for regulatory exposure. Risk-averse boards, procurement teams, and legal stakeholders are already shifting strategy.

CISOs who act now can:

  • Avoid compliance hurdles by choosing low-risk, high-security solutions

  • Eliminate reliance on shared secrets and high-risk AI

  • Simplify audit trails and regulatory disclosures

  • Proactively align with both AI Act and GDPR mandates

Security That’s Secure and Compliant

With Beyond Identity, you can:

  • Make authentication phishing-resistant: there is no password or one-time code for an attacker to capture

  • Remove high-risk AI from your authentication stack

  • Future-proof identity for global AI and privacy regulations

  • Deliver a better, seamless user experience

Take Action

Recommended Next Steps for Security Leaders:

  • ✅ Conduct an AI risk assessment of your current authentication systems

  • ✅ Identify biometric and behavioral AI dependencies

  • ✅ Engage your privacy and compliance teams early

It’s time to explore passwordless, non-AI-based alternatives like Beyond Identity. Watch our demo video here — no sales call, no pressure!