Risk classes
Introduction
🎯 Learning goals
- Understand how the AI Act classifies risk — and why “low risk” and “minimal risk” aren’t real categories
- Know which AI systems are prohibited and which are high-risk
- Understand transparency requirements and systemic risk for GPAIs
- Understand the role of intended purpose and reasonably foreseeable misuse
A risk-based approach to protecting fundamental rights
The EU AI Act takes a risk-based approach, which is an important distinction from a lot of other regulations.
The point of the AI Act isn’t to classify all AI systems — it would be impossible to say anything about all text generation apps, or all machine learning algorithms. Rather, the point is to regulate the systems that most likely pose risks to people’s health, safety, and other fundamental rights.
Health and safety are easy to understand. Additional fundamental rights are laid out in the European Charter of Fundamental Rights. They include:
- The right to good public administration, such as the right to be heard in matters that concern you
- Protection of your personal data
- The right to education and to access to vocational and continuing training
- The right to work and to pursue an occupation you choose
- The right to non-discrimination
- Workers’ right to information and consultation
It is the protection of these rights, not the classification of AI systems, which is the intent of the Act.
The Act has decided that a few AI systems inherently pose more risk to these rights than others, and therefore they are directly regulated. In other cases, the Act specifically points to existing regulation that has to be followed in addition, such as GDPR.
There are only two categories of inherent, or pre-determined, risk classes: those with an unacceptable amount of risk, and those inherently high risk.
Unacceptable risk — prohibited systems
The very first sentence in Article 1 of the Charter is, “Human dignity is inviolable. It must be respected and protected”. A fundamental right is respect for your physical and mental integrity. There are only a handful of AI systems that are deemed to have an unacceptably high level of risk, and are therefore prohibited — and many of them relate to manipulating or monitoring people such that they can’t make decisions they otherwise would make, or restricting their access to opportunities to thrive.
Most forbidden AI systems aren’t relevant to how our customers use Intric. But it’s worth repeating the activities that would make an AI system prohibited:
- Manipulate or deceive people in order to impair their decision-making
- Exploit vulnerabilities
- Evaluation or social scoring that leads to detrimental treatment of certain groups
- Assess people’s risk of committing a crime
- Create/expand facial recognition databases through untargeted scraping
- Infer the emotions of people in workplaces or educational institutes
- Biometric categorization used to infer things like race, political opinions, trade union membership, gender, religious beliefs
- Some uses of real-time remote biometric monitoring by law enforcement
Inherently high-risk AI systems
The logic of this risk class is different from the unacceptable risk class. The above AI systems are prohibited based on the functions they perform. Here, AI systems are categorized as high-risk according to the area in which they perform.
The first three are most relevant to Intric’s customers.
Access to and enjoyment of essential private services and essential public services and benefits (high-risk area 1)
Not all AI systems used in important private or public services are high-risk — the emphasis is on whether the AI system impacts people’s ability to access or use these services.
High-risk use is:
- When AI systems are involved in evaluating people’s eligibility for these services or give/change/remove these services. Healthcare is explicitly mentioned.
- Establishing creditworthiness or credit score
- Risk assessment or pricing related to life insurance or health insurance
- Used within emergency calls or emergency first response services, including police, firefighters, medical aid, and emergency triage.
Example: An AI system that provides a narrative summary to case managers of applications for unemployment benefits would be high-risk.
Employment, workers management and access to self-employment (high-risk area 2)
Not all AI systems used in this area are high-risk. Only those used within recruitment or selection for jobs: to place targeted ads, analyze and filter applications, or evaluate candidates. Another category is systems used to make decisions affecting the terms of work-related relationships, like promotions or terminations, to allocate tasks based on behavior or characteristics, or to monitor and evaluate performance in the workplace.
Example: An AI system that ranks job candidates according to a numeric ‘workplace compatibility’ score would be high-risk. We have a strong evidence base about how recruiters are easily biased by candidate rankings within digital tools.
Education and vocational training (high-risk area 3)
Not all AI systems used in this area are high-risk. Only those that are:
- used to determine access or admission,
- to evaluate learning outcomes, including when outcomes are used to steer the learning process,
- to assess the level of education someone will receive, or
- to monitor or detect prohibited student behavior during tests.
Example: An AI system that uses historical test data to predict whether individual students have cheated on new exams would be high-risk. As would an AI system that uses laptop cameras to scan students’ body language during home tests and assess whether the student is cheating.
Other high-risk areas
Of less relevance to Intric are these additional areas. The AI Act specifies, as a prerequisite, that such systems are already permitted by EU law:
- Law enforcement
- Safety components of critical infrastructure, road traffic, or supply of water, gas, heating, or electricity
- Biometrics
- Migration, asylum, and border control management
- Used by judicial authorities or on their behalf, dispute resolution
- Used to influence voting or election results.
Already regulated products and systems
The second category of high-risk systems is those that are already regulated by various European laws: safety components of products, toys, medical devices, lifts, personal protective equipment, vehicles, rail systems, and so on.
Example: In late 2025, a teddy bear that used GPT-4o and speech recognition technology to chat to children was pulled off the American market after a consumer watchdog group ran safety tests and successfully got the teddy bear to talk about sexual topics and violence. In the EU, this toy would have been regulated by sectoral regulation in addition to the AI Act.
Claiming an exception to the high-risk classification
There are four clear exceptions, meaning if your AI system is classified as inherently high-risk, you can claim that in reality, it doesn’t pose a risk to health, safety, or fundamental human rights.
To be able to claim this exception, your system needs to meet one of the following criteria — and here we are copying the exact wording from the Act:
- intended to perform a narrow procedural task;
- intended to improve the result of a previously completed human activity;
- intended to detect decision-making patterns or deviations from prior decision-making patterns and is not meant to replace or influence the previously completed human assessment, without proper human review; or
- intended to perform a preparatory task to an assessment relevant for a high-risk system, excluding the systems that are already regulated.
Many machine learning algorithms to detect deviations in enormous datasets (due to human error or fraud), will be classified here. In fact, these exceptions primarily apply to AI systems that are not generative.
To claim an exception, you simply have to report this to an EU database. Aside from that, you don’t have any of the other requirements that apply to high-risk system deployers or providers. If you claim an exception on false premises, your fine will be 750,000 EURO.
Note that if your AI system profiles people, you won’t be able to claim an exception.
Example: Your AI system analyzes completed case management times according to a selection of topic and case manager characteristics. No individuals are identifiable in this process, so the system is not a type of employee management. You use it to identify whether certain groups of citizens are receiving slower decisions, or whether certain topics seem more difficult for case managers, in order to prioritize future training. But! If you start to use this system to group certain employees as better or worse performing, it falls in the high-risk area.
Transparency requirements
Separate from whether your AI system is high-risk, is whether the system has specific transparency requirements. When there would be a risk to someone if transparency was lacking, transparency is required. This basically refers to making it very clear to a user that what they are seeing, hearing, or interacting with, is an AI system.
If a system does any of the following, there are transparency requirements:
- Interacts with a person
- Generates text, audio, image, or video
- Generates or manipulates image, audio, or video to constitute a deep fake. (Text is not included here)
- Recognizes emotions or conducts biometric categorization
- Generates text that is published to inform the public on matters of public interest
In practice, most GPAIs and systems that use them will automatically carry transparency requirements.
Deep dive — chatbots: In early training material, “chatbots” were listed as an example of an AI system that only required transparency — this was before GPAI-powered chatbots became widespread. Now, a chatbot would require only transparency if it was powered by a simpler language model. Think about when you try to contact customer service through a chat window; you write your question and then the chatbot responds with, ‘is one of these six topics what you are asking about?’ This is an example of a non-GPAI chatbot. It can’t talk to you like a chatbot can, but it does have a limited ability to analyze your questions. The company only has to be transparent to you that it is an AI system.
Systemic risk of GPAIs
Rather than try to fit GPAIs into the above risk classification, the AI Act decided to use the idea of “systemic risks”. They write that some GPAIs could carry systemic risks if:
- The GPAI is very capable, as indicated by a large amount of computation used in training,
- The GPAI is widely used (as many hope to be) and therefore has a high impact on the market, or
- The Commission determines that it has systemic risk.
In practice, most large language models are classified as having systemic risk.
A model is not classified as having ‘low’ or ‘no’ systemic risk; the Act refers only to GPAIs and GPAIs with systemic risk.
Decision-making is not related to risk class
A lot of organizations hope that human-in-the-loop procedures, i.e. only AI decision-support and not full decision-making, can reduce the risk class. This isn’t how the logic of the Act works. High-risk designation doesn’t actually have anything to do with the decision-making and whether a human is involved or not. What matters more is whether your AI system is in an area considered to be inherently high-risk to health, safety, or fundamental rights.
But if you are the provider of a high-risk system, you must ensure that humans have the ability to understand the output, to intervene or stop the system — this is what is meant by “human oversight”.
In addition, if you are a public sector deployer of a high-risk system and your AI system is involved in decision support or decision-making that affects people, you have to inform the people affected.
What risks do you need to identify?
No. The AI Act doesn’t require a never-ending brainstorming of all possible risks — there would be hundreds, like whether your use of an assistant will contribute to Amazonian deforestation. MIT’s Risk Atlas currently contains nearly 2,000 AI risks: airisk.mit.edu
In fact, the AI Act specifically says that it shall not be a barrier for the public sector to use AI to innovate!
Rather, providers and deployers have to identify risks related to:
- Use of the AI system according to its intended purpose
- Reasonably foreseeable misuse of the AI system
- Minors or other vulnerable groups.
They have to account for both the context of intended use or misuse and the users themselves: their technical knowledge, their experiences and expectations, their ability to read and understand guidance.
High-risk systems have specific guidance for this risk management process. Again, the focus is on risks to health, safety, and fundamental rights.
Intended purpose
Intended purpose is an important concept in the AI Act. Providers have the responsibility of making the intended purpose of their AI systems clear to deployers. The riskier a system is, the more detailed the instructions for use have to be.
As we have seen, GPAIs throw a wrench in this, because they don’t have just one intended purpose. But it is still the provider’s responsibility to clearly state the range of purposes of the AI system or GPAI, and what it is not intended to do.
Reasonably foreseeable misuse
This refers to the use of an AI system that is not as intended, but which may result from reasonably foreseeable human behavior, or from reasonably foreseeable interaction with other systems. Interaction with other AI systems or agentic systems is also included here.
“Foreseeable” means that not only known risks have to be handled — you have to imagine new ones. And “reasonable” means that you don’t have to think about every possible long-term risk.
Example: A municipality has recently downsized their communications department from four people to one. They create an assistant for the remaining advisor to use. It would be reasonably foreseeable to imagine that this one person uses the assistant to create citizen-facing text and stops checking the output before publishing it online, simply because she is trying to do the work of four people.
See our documentation on assessing your assistant’s risk class: help.intric.ai/en/docs/security-compliance/ai-act/risk-class/
AI systems that are out of scope
After reading this session, if you can think of an AI system that meets none of the inherent risk classifications, that has no transparency requirements, is not a GPAI, and you can’t think of any way that intended use or misuse could threaten health, safety, or fundamental rights — then that system may be out of scope of the AI Act. Neither the provider nor the deployer has any requirements.
Remember that the European Commission does not intend to present an exhaustive list of all AI systems. The Commission expects that all actors will use their own reasoning.
Many examples of out-of-scope systems are ‘traditional’ machine learning algorithms:
- Recommender algorithms on a streaming platform. The output is the order that content is presented to you.
- An AI system used to control a non-player character in a game, or to generate dynamic game behavior.
- The spam filter used by your email provider is a classic example of a machine learning algorithm using natural language processing. It doesn’t fall in any of the unacceptable or high risk areas. It is also not generating text, only a decision of whether an email is sent to your spam folder or your inbox, and no one is interacting with it, so there are no transparency requirements.
Key takeaways
- There are only two pre-determined risk classes in the Act: unacceptable risk (prohibited) and inherently high risk. “Low risk” and “minimal risk” are not categories in the Act.
- High-risk classification is based on the area of operation, not the function performed or whether a human is in the loop.
- Most GPAIs and systems built on them carry transparency requirements automatically.
- Providers and deployers must identify risks related to intended purpose, reasonably foreseeable misuse, and vulnerable groups — but not every possible risk.
- If a system is out of scope, neither the provider nor the deployer has any requirements.