The EU AI Act does not ask what your system is built from — it asks how much risk it poses to people. Every obligation, from documentation to human oversight, flows from one decision: which risk tier each system falls into. Get the tiering right and the rest of the work becomes predictable.
Most organisations have more AI in scope than they think — not just models they trained, but third-party systems embedded in hiring, support, fraud and operations. The first job is an honest inventory; the second is placing each entry in a tier.
Four risk tiers
The Act sorts AI systems into four bands of increasing obligation:
- Unacceptable risk — prohibited outright.
- High risk — permitted, but heavily regulated.
- Limited risk — permitted with transparency duties.
- Minimal risk — largely unregulated.
Unacceptable risk
A small set of uses is banned because the risk to fundamental rights is considered too high — for example social scoring by public authorities, untargeted scraping for facial-recognition databases, and certain manipulative or exploitative systems. If a use falls here, the answer is not mitigation; it is do not deploy.
High risk
This is where most of the compliance work lives. High-risk systems include AI used in areas such as employment and worker management, access to essential services, critical infrastructure, education, and certain safety components. If you are high risk, expect obligations around:
- A risk-management system across the lifecycle.
- Data governance and quality for training and testing.
- Technical documentation and record-keeping (logging).
- Human oversight, accuracy, robustness and cybersecurity.
Teams assume “we didn’t build the model, so we’re not in scope.” Deployers of high-risk systems carry obligations too. Your role — provider or deployer — changes which duties apply, but rarely removes them entirely.
Limited and minimal risk
Limited-risk systems — chatbots, emotion recognition, generated or manipulated content — mainly trigger transparency: people must know they are interacting with AI or seeing synthetic content. Minimal-risk systems, such as spam filters or AI in games, carry no specific obligations, though voluntary codes of conduct are encouraged.
How to classify a system
- Describe the use case, not the model — who is affected and in what decision.
- Check it against the prohibited list first. If it fits, stop.
- Check whether the use falls in a high-risk area or is a regulated safety component.
- If neither, determine whether transparency duties apply (limited risk); otherwise it is minimal.
- Record the reasoning — your classification decision is itself evidence.
Once you know the tier
Tiering is the gate to everything else: documentation, oversight design and conformity work all scale with it. Because much of the high-risk control set overlaps with security and governance you may already run, it pays to treat the AI Act as part of one compliance program rather than a standalone project.
Key takeaways
- The AI Act regulates by risk tier, decided by use case — not by the underlying technology.
- Four tiers: unacceptable (banned), high (heavily regulated), limited (transparency), minimal (free).
- Deployers, not just providers, can carry obligations.
- Document the classification decision — it is part of your evidence.
Need to tier a real portfolio of systems? Book a 30-minute demo and we will classify your first systems together.
This article is general guidance, not legal advice. Verify obligations and deadlines for your organisation with qualified counsel.