Home Module 5: Security, Ethics & Future

Module 5: Security, Ethics & Future
AI Act & AI Agents

Implement compliant AI systems, mitigate hallucinations and bias, ensure security, and prepare for autonomous AI agents with full AI Act 2026 compliance.

Estimated time: 5-6 hours
4 Practical Exercises
Expert Level
AI Act Certified

Course Progress

Module 1

Foundations

Module 2

Building Blocks

Module 3

Advanced Techniques

Module 4

Enterprise Workflows

Module 5

Security & Ethics

In Progress
🎯 Module Objective

By the end of this module, you will be able to implement AI systems that are fully compliant with AI Act 2026, mitigate hallucinations and bias, ensure security and ethics, and prepare for the future of autonomous AI agents.

You will learn:
  • AI Act 2026 practical compliance guide
  • Hallucination and bias mitigation techniques
  • Security and ethical frameworks
  • Future trends: Autonomous AI agents
  • GDPR integration with AI systems
  • Risk assessment and management
⚠️ 2026 REGULATORY CONTEXT AI Act fully operational, fines up to 6% of global revenue. GDPR strengthened with AI-specific provisions. Sector-specific regulations (finance, healthcare, transport) with additional requirements.

Practical AI Act 2026 Guide for Prompt Engineers

This section integrates an operational and legal guide to the AI Act (EU Regulation 2024/1689), which becomes fully applicable from August 2, 2026. Its goal is to ensure trustworthy AI in the EU, protecting safety and fundamental rights through a risk-based approach. Fines for non-compliance are severe: up to €35 million or 7% of annual global revenue.

The 4 AI Act Risk Categories

Risk Category Definition & Obligations Practical Examples for Prompt Engineers Recommended Strategy
UNACCEPTABLE BANNED in the EU. Bans effective from February 2025. • Creating prompts for social scoring or subliminal manipulation
• Systems exploiting vulnerabilities of vulnerable groups
• Emotion recognition in work/school		 Avoid completely. No "workaround" is legal. Focus on ethical applications.
HIGH RISK Strict compliance mandatory before market placement. Obligations effective from August 2026. • Systems for personnel selection (CV screening)
Credit assessment or access to essential services
Safety components in critical infrastructure (transport, energy)		 Assess if falls in this category. If yes, plan conformity assessment, detailed technical documentation, mandatory human supervision.
LIMITED RISK Transparency obligations. Effective from August 2026. Chatbots (customer, internal)
• Systems that generate realistic content (text, images, video/audio)
Emotion recognition (outside work/school)		 Communicate clearly to users they're interacting with AI. Implement watermarking/marking for generated content (e.g., deepfake).
MINIMAL RISK No specific obligations under AI Act. • Spam filters, AI games, content recommenders (movies, music)
Productivity tools (correctors, summarizers) for internal use		 Maintain voluntary registry. Still respect GDPR and other regulations. Great area for experimentation.
🇮🇹 Italian Context: Law 132/2025

Italy has integrated the AI Act with national legislation (Law 132/2025), effective from October 10, 2025. This law strengthens protection in specific sectors:

  • Work: Prohibits "indiscriminate surveillance" via AI (e.g., non-consensual emotional analysis) and strengthens workers' right to transparency about algorithmic decisions.
  • Healthcare and Intellectual Professions: AI can only support decisions (of doctors, lawyers, etc.), which remain under exclusive human responsibility.
  • Deepfake: Introduces the crime of "illicit dissemination of generated or altered content" with penalties up to 5 years.

Exercise 5.1: Risk Analysis and Redesign

Exercise 5.1: Risk Analysis and Redesign Advanced

Scenario: You've designed an AI agent that analyzes customer emails and automatically assigns a satisfaction score ("satisfied", "neutral", "angry") that determines response priority.

  1. In which AI Act risk category does this system likely fall? Why?
  2. Which specific obligations (see table) apply?
  3. Redesign the system to reduce its risk category, describing changes to workflow and prompt.
Analysis and Redesign Solution

1. Risk Category: Limited Risk → it's a sentiment analysis system influencing a service (customer support).

2. Obligations: Transparency (inform users), right to explanation, possibility of human appeal.

3. Redesign:

Revised System:
1. The AI doesn't assign priority, but suggests a classification.
2. Every email classified as "angry" is automatically sent to a human operator for validation.
3. The prompt includes: "You are a sentiment analyzer. Your output is a SUGGESTION. Classify as: SUGGESTED_Satisfied, SUGGESTED_Neutral, SUGGESTED_Angry."
4. Users are shown: "Our system has suggested this classification to best handle your request."

Exercise 5.2: "By Design" Compliant System

Exercise 5.2: "By Design" Compliant System Enterprise

Scenario: You need to create a support tool for company lawyers that analyzes standard contracts.

  1. Write a system prompt that incorporates Law 132/2025 principles for intellectual professions (support, not replacement; human responsibility).
  2. Design the output format to be presented to the reviewing lawyer, including mandatory fields for their final decision.
  3. List the data that should be logged for each use to create an audit trail.
Compliant System for Professionals

1. System Prompt:

You are a contract review assistant. Your role is to RAISE POINTS OF ATTENTION and SUGGEST AREAS FOR ANALYSIS based on common patterns.
**FUNDAMENTAL PRINCIPLES:**
- DO NOT provide definitive legal interpretations.
- DO NOT make decisions.
- Final responsibility is always with the reviewing lawyer.
- For each suggestion, indicate the basis (e.g., "common atypical clause", "potential ambiguity").
- If uncertain, suggest "consulting specific case law".

2. Output Format:

**DOCUMENT: [Contract Name]**
**AI ANALYSIS (Suggestions):**
1. [Point of attention 1] - Basis: [ ] - Estimated Risk: Low/Medium/High
2. [Point of attention 2] - Basis: [ ] - Estimated Risk: Low/Medium/High
**HUMAN REVIEWER SECTION:**
☐ AI analysis verified
☐ Final decision on point 1: [Accept/Modify/Delete]
☐ Final decision on point 2: [Accept/Modify/Delete]
**Lawyer's Notes:** [_________________]

3. Data to Log: Lawyer ID, timestamp, document name, points raised by AI, lawyer's final decisions, review time.

Exercise 5.3: Hallucination and Bias Mitigation

Exercise 5.3: Hallucination and Bias Mitigation Advanced

Critical scenario: AI system for legal support that:

  • Analyzes case law (10,000+ judgments)
  • Suggests legal strategies
  • Predicts trial outcomes
  • Generates document drafts

Identified risks:

  1. Hallucinations: cites non-existent judgments
  2. Bias: favors certain types of clients/lawyers
  3. Overconfidence: presents speculation as facts
  4. Security: sensitive data leakage
  5. Legal: liability for incorrect advice

Task: Design a 4-layer mitigation system with:

  • Specific prompt engineering
  • Technical architecture (RAG, validation layers)
  • Human processes (review, oversight)
  • Monitoring and alerting
  • Incident response plan
Anti-Hallucination Framework 
4-LAYER HALLUCINATION MITIGATION SYSTEM
========================================

LAYER 1: PROMPT ENGINEERING
- System prompt: "You are a legal assistant. ALWAYS cite specific source.
  If unsure → 'Insufficient information available'.
  Confidence scoring: high/medium/low for each statement."
- Few-shot examples with correct citations
- Mandatory output formatting

LAYER 2: RAG ARCHITECTURE
- Vector database: 10k+ judgments (ChromaDB)
- Retrieval: top 5 most relevant documents
- Citation enforcement: each statement → source
- Fallback: "This information is not in the database"

LAYER 3: VALIDATION PIPELINE
- Auto-validation: model verifies its own statements
- Cross-check: second model validates first model's output
- Fact-checking: regex for dates, names, references
- Confidence threshold: only output >80% confidence

LAYER 4: HUMAN OVERSIGHT
- Flag system for high-risk statements
- Mandatory attorney review for strategic advice
- Audit trail: who approved what and when
- Continuous feedback loop corrections → training

MONITORING METRICS:
- Hallucination rate: target <2%
- Citation accuracy: target >95%
- Attorney satisfaction: target >8/10
- Response time P95: target <10s

INCIDENT RESPONSE:
1. Immediate rollback to last known good version
2. Root cause analysis (prompt, data, model)
3. Correction implementation
4. Retesting and validation
5. Communication to affected users
6. Prevention measures update

Future: Autonomous AI Agents

🚀 The Next Frontier

Autonomous AI agents represent the next evolution in AI systems. These are AI systems that can:

  • Operate independently to achieve defined goals
  • Use external tools and APIs autonomously
  • Learn from interactions and improve over time
  • Make decisions within defined boundaries
  • Collaborate with other AI agents and humans

Exercise 5.4: Designing Autonomous Agents

Exercise 5.4: Designing Autonomous Agents Expert

Scenario: Design an autonomous AI agent for content marketing that:

  • Analyzes trending topics daily
  • Generates content ideas based on trends
  • Creates and schedules social media posts
  • Analyzes engagement and optimizes strategy
  • Reports weekly performance

Task:

  1. Define the agent's goal and constraints
  2. Design the prompt architecture with tool usage
  3. Create safety mechanisms and human oversight points
  4. Define success metrics and monitoring
  5. Plan for unexpected scenarios and failures
Autonomous Agent Design 
AUTONOMOUS CONTENT MARKETING AGENT
===================================

AGENT GOAL: Increase engagement by 20% while maintaining brand voice and compliance.

CONSTRAINTS:
- Never post without human approval for sensitive topics
- Budget limit: €500/month for promoted content
- Daily time limit: 2 hours autonomous operation
- Content must be fact-checked before publishing

PROMPT ARCHITECTURE:
System: "You are an autonomous content marketing agent with these tools:
1. web_search(topic): Get trending information
2. analyze_engagement(data): Calculate metrics
3. generate_content(brief): Create posts
4. schedule_post(content, time): Plan publishing

Daily workflow:
1. Search trending topics in [industry]
2. Generate 5 content ideas
3. Create 2 posts for today
4. Analyze yesterday's engagement
5. Adjust strategy based on data"

SAFETY MECHANISMS:
- Human approval required for: political content, sensitive topics, >€100 spend
- Automatic fact-checking via trusted sources
- Sentiment analysis to avoid negative brand association
- Daily activity log for review

SUCCESS METRICS:
- Engagement rate increase
- Follower growth
- Brand sentiment score
- Cost per engagement

FAILURE SCENARIOS:
1. Unexpected trend (real-time alert to human)
2. API failure (fallback to manual mode)
3. Negative engagement spike (automatic pause)
4. Budget exceeded (automatic shutdown)

MONITORING:
- Real-time dashboard with key metrics
- Weekly automated report
- Monthly human performance review

🎉 Course Completed!

Module 5: 100% complete Overall progress: 100%
🏁 Congratulations on completing the course!

You now have all the skills to design, implement, and manage professional prompt engineering systems in 2026. Remember: technology evolves, but the fundamental principles (clarity, specificity, ethics, measurement) remain valid. Continue experimenting, measuring, and improving.

Suggested next steps:

  1. Implement at least 3 exercises in a real environment
  2. Participate in prompt engineering communities
  3. Follow regulatory evolution (AI Act updates)
  4. Experiment with new models and techniques
  5. Contribute to open source projects