AI Risk Classification — How to Categorize an AI System (AI Act Process)
Key Takeaway: The EU AI Act classifies every AI system into one of four risk tiers: unacceptable, high, limited, and minimal. Your compliance obligations depend on which tier each of your AI use cases falls into, and misclassification is one of the most common and costly compliance mistakes organizations make, because every downstream control is sized to the tier you assign.
What Is AI Risk Classification?
This entry covers the process — the EU AI Act methodology for assigning an AI system to a risk tier. For the category definition of what constitutes a high-risk AI system per Annex III, see High-Risk AI Systems.
AI risk classification is the process of categorizing AI systems according to the potential harm they can cause, as defined by the [link:/glossary/ai-act]. The classification determines which legal obligations apply to organizations that develop, place on the market, or deploy those systems.
The EU AI Act's risk-based approach was deliberately chosen over a blanket regulatory framework. Rather than regulating all AI equally, the Act focuses compliance obligations on AI uses where the stakes for individuals and society are highest — those affecting employment, access to services, safety, and fundamental rights.
For compliance teams, risk classification is the mandatory first step in any EU AI Act readiness program. Until you know which tier each of your AI systems falls into, you cannot know what you are required to do.
The Four Risk Tiers Explained
Tier 1: Unacceptable Risk (Prohibited)
These AI practices are banned outright under Article 5 of the EU AI Act, with the prohibitions applicable from 2 February 2025. They include:
- Social scoring systems, whether operated by public or private actors, that evaluate or classify people based on their social behaviour or personal characteristics and lead to detrimental or disproportionate treatment
- AI that uses subliminal or purposefully manipulative techniques, or exploits vulnerabilities (age, disability, or a specific social or economic situation), to distort behaviour in ways that cause significant harm
- Real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions for serious crime investigation)
- Emotion recognition in workplaces and educational institutions (with limited exceptions)
- AI systems that create or expand facial recognition databases through untargeted scraping
- Predictive policing based solely on profiling
Any organization found operating a prohibited AI system faces fines of up to €35 million or 7% of total worldwide annual turnover, whichever is higher.
Tier 2: High Risk
High-risk AI systems are permitted but subject to extensive compliance obligations before and during deployment. They are defined in Annex I (safety-critical products) and Annex III (specific sensitive use cases) of the Act. See [link:/glossary/high-risk-ai-systems] for the full list.
Key examples from Annex III include: AI used in recruitment and employment decisions, AI that determines access to education or evaluates learning outcomes, AI used in credit scoring and in risk assessment and pricing for life and health insurance, AI used in law enforcement, migration, asylum and border control, AI deployed in critical infrastructure, AI that influences access to essential public and private services, and biometric identification and categorisation systems that are not already prohibited.
Compliance obligations for high-risk AI include a risk management system, data governance, technical documentation, record-keeping (logging), human oversight mechanisms, accuracy, robustness and cybersecurity testing, a conformity assessment, and registration in the EU database. Under the Act as adopted, these obligations apply from 2 August 2026 for Annex III systems and from 2 August 2027 for Annex I systems.
Tier 3: Limited Risk
These systems carry the transparency obligations of Article 50 but no conformity assessment requirements. The primary examples are:
- Chatbots and other AI systems that interact directly with people: users must be informed they are interacting with an AI, unless this is obvious from the context
- AI systems that generate synthetic audio, image, video, or text: providers must mark outputs so they are detectable as AI-generated, and deployers must disclose deepfakes
- Emotion recognition and biometric categorisation systems: the people exposed to them must be informed (where the use is not already prohibited under Article 5)
Organizations using chatbots in customer service, HR, or sales contexts must ensure appropriate disclosure is in place. Note that Article 50 applies on top of, not instead of, the high-risk obligations: a high-risk system that also interacts with people or generates synthetic content carries both sets of duties.
Tier 4: Minimal Risk
The vast majority of AI systems fall here: spam filters, recommendation engines, AI-powered search, and most generative AI tools used for internal productivity. No tier-specific obligations apply, though the Act encourages voluntary adherence to codes of conduct. Two duties still reach these systems: the AI literacy requirement of Article 4 applies to all providers and deployers regardless of tier, and general-purpose AI models carry their own obligations under Chapter V, separate from this tiering.
Why It Matters for Business
Risk classification is not a one-time exercise. It must be repeated:
- When new AI systems are acquired or built
- When existing systems are substantially modified (a substantial modification can elevate the risk tier; under Article 25, a deployer that substantially modifies a high-risk system, or changes a system's intended purpose so that it becomes high-risk, takes on the provider's obligations)
- When AI systems are deployed in new use cases or contexts not originally assessed
Under-classifying a system means operating it without the controls its true tier requires and exposes the organization to enforcement action; over-classifying wastes significant compliance resources. Accurate classification requires cross-functional input from legal, IT, security, HR, and operations.
The classification also affects supplier relationships. Deployers of high-risk AI systems have their own obligations under Article 26: using the system in accordance with the provider's instructions for use, assigning human oversight to trained and competent staff, ensuring input data is relevant to the intended purpose, monitoring operation, and retaining the automatically generated logs under their control for at least six months. Certain deployers must also carry out a fundamental rights impact assessment under Article 27. These duties sit with you, not the vendor: you cannot assume your AI supplier has done the work for you.
Compliance Checklist: Risk Classification
- Inventory all AI systems currently in use or in development across the organization
- Apply the prohibited AI checklist (Article 5) to eliminate any unacceptable risk uses immediately
- Check each remaining system against Annex I (safety component AI in regulated products) and Annex III (sensitive use cases) for high-risk classification
- Where an Annex III system appears to fall under the Article 6(3) derogation (narrow procedural task, preparatory task, or improving the result of a completed human activity), record that assessment as Article 6(4) requires; the derogation never applies to systems that profile natural persons
- For limited-risk systems, verify disclosure and transparency mechanisms are in place
- Document the classification rationale for each system — regulators may request this
- Establish a process for re-classification when systems or use cases change
- Brief senior leadership on the classification outcomes and resulting compliance obligations
Related Terms
- [link:/glossary/ai-act]
- [link:/glossary/high-risk-ai-systems]
- [link:/glossary/ai-conformity-assessment]
- [link:/glossary/ai-impact-assessment]
- [link:/glossary/trustworthy-ai]
How Knowlee Addresses AI Risk Classification
Knowlee's use cases in sales and recruitment (lead scoring, candidate matching, outreach personalization) require careful risk classification under Annex III of the EU AI Act; recruitment and candidate evaluation in particular are listed expressly in Annex III, point 4. Knowlee has conducted this classification analysis and designed its platform controls accordingly. For customers using Knowlee in employment-related contexts, such as screening candidates or ranking applicants, Knowlee provides the technical documentation and audit trail capabilities that support high-risk AI deployer obligations under Article 26. The platform's human-in-the-loop architecture ensures that AI outputs function as decision support rather than automated determination. This supports the human oversight that Article 14 requires of high-risk systems; it does not by itself lower the risk tier, since the Article 6(3) derogation does not apply to systems that profile natural persons, and candidate ranking remains high-risk however the oversight is designed.