High-Risk AI Systems — Annex III Categories Defined
Key Takeaway: High-risk AI systems face the EU AI Act's most demanding compliance requirements. If your organization uses AI for hiring, credit decisions, employee monitoring, or access to services, you are almost certainly a deployer of high-risk AI — and have binding legal obligations that apply from August 2026.
What Are High-Risk AI Systems?
This entry covers the category — what constitutes a high-risk AI system per Annex III of the EU AI Act. For the process of assigning a system to a risk tier, see AI Risk Classification.
Under the EU AI Act [link:/glossary/ai-act], a high-risk AI system is any AI system that poses a significant risk to health, safety, or the fundamental rights of individuals. The designation is not subjective — it is defined by two specific annexes to the regulation.
Annex I covers AI systems that function as safety components of products regulated under existing EU harmonized legislation: medical devices, machinery, civil aviation systems, motor vehicles, and similar categories. If AI is embedded in a regulated physical product, it is almost automatically high-risk.
Annex II (Annex III in the Act's final numbering) covers eight categories of standalone AI use cases that the EU legislator identified as posing significant risks to fundamental rights and safety:
1. Biometric identification and categorization of natural persons
2. Critical infrastructure management (water, energy, transport, digital)
3. Education and vocational training (access decisions, assessment, monitoring)
4. Employment and workers management — including AI used in recruitment, selection, promotion, task allocation, and monitoring of performance and behavior
5. Access to essential private services and public services — credit scoring, insurance risk assessment, emergency services prioritization
6. Law enforcement — predictive policing, evidence assessment, profiling
7. Migration, asylum, and border control — risk assessment, document verification
8. Administration of justice and democratic processes
Category 4 is the one most relevant to enterprise users of sales and HR AI platforms.
Key Compliance Obligations for High-Risk AI
Providers (those who develop or place high-risk AI on the market) and deployers (organizations that use high-risk AI in their own operations) both carry obligations, though they differ in scope.
Provider obligations (Articles 9–15):
- Establish a risk management system covering the entire lifecycle of the AI system
- Implement data governance and management practices (training data quality, bias testing)
- Prepare technical documentation before placing the system on the market
- Enable automatic logging of events (Article 12)
- Ensure transparency to deployers (provide instructions for use, performance metrics)
- Design human oversight measures into the system (Article 14)
- Achieve the required levels of accuracy, robustness, and cybersecurity
- Complete a conformity assessment — see [link:/glossary/ai-conformity-assessment]
Deployer obligations (Article 26):
- Assign human oversight to appropriately trained individuals
- Only use the AI system as intended by the provider (within the documented scope)
- Monitor the system in operation and report incidents and near-misses to the provider
- Conduct a [link:/glossary/ai-impact-assessment] (Fundamental Rights Impact Assessment) before deployment in certain contexts
- Inform workers when AI is used for monitoring or decisions affecting them
- Register use of high-risk AI systems in the EU AI public database (once operational)
- Keep logs generated by the system for a minimum of six months (Article 26(5))
Why It Matters for Business
The high-risk designation has significant commercial implications beyond compliance costs:
HR and recruitment tools: Any AI system used to shortlist CVs, rank job applicants, assess interview performance, or monitor employee productivity is presumptively high-risk under Category 4. This affects most AI recruiting and people analytics platforms in the market today. Deployers of these tools need provider documentation and must implement human oversight — a hiring manager must be meaningfully involved in final decisions, not just rubber-stamping an algorithm's output.
Credit and insurance: AI-driven credit scoring, insurance underwriting, and loan decisions are high-risk under Category 5. Financial institutions must ensure their AI models are documented, tested for bias, and subject to human review on consequential decisions.
Procurement leverage: High-risk classification gives procurement teams strong grounds to demand conformity assessments, technical documentation, and contractual audit rights from AI vendors. Organizations that simply trust vendor marketing claims without documentation are absorbing regulatory risk that the Act places jointly on deployers.
Compliance Checklist: High-Risk AI Deployers
- Identify all AI systems in use that fall into Annex III categories
- Obtain conformity documentation from each AI provider
- Verify that each system has undergone appropriate conformity assessment
- Appoint human oversight personnel with the authority and ability to override AI decisions
- Establish log retention processes (minimum six months for operational logs)
- Conduct Fundamental Rights Impact Assessments for public sector or high-sensitivity deployments
- Inform employees when AI is used to make or support decisions affecting them
- Register high-risk AI use in the EU AI database when the registration portal is live
Related Terms
- [link:/glossary/ai-act]
- [link:/glossary/ai-risk-classification]
- [link:/glossary/ai-conformity-assessment]
- [link:/glossary/ai-impact-assessment]
- [link:/glossary/ai-accountability]
- [link:/glossary/algorithmic-bias]
How Knowlee Addresses High-Risk AI
Knowlee's recruitment and sales intelligence features operate in the high-risk zone defined by the EU AI Act's Annex III, Category 4 (employment and workers management). Knowlee has designed its platform to enable both provider-side and deployer-side compliance. On the provider side, Knowlee maintains technical documentation of its AI models, conducts bias testing, and provides deployers with the information required under Article 26. On the deployer side, Knowlee's human-in-the-loop interface ensures every AI-driven candidate ranking or lead score is reviewed and confirmed by a human before any consequential action — satisfying the human oversight requirement of Article 14. Audit trails log all AI-assisted actions with timestamps, user IDs, and decision context, meeting the logging requirements of Article 12.