
AI system risk classification

Under the EU AI Act, every AI system is classified into one of four risk tiers: unacceptable risk (prohibited under Article 5), high risk (listed in Annex III and subject to Articles 9-15), limited risk (transparency obligations under Article 50), and minimal risk (no obligations). The tier determines the documentation and controls required.

The four tiers

  • Unacceptable risk - banned outright (e.g. social scoring, most real-time biometric identification in public spaces).
  • High risk - permitted but heavily regulated; either listed in Annex III (e.g. recruitment, credit scoring, biometrics) or used as a safety component of a regulated product.
  • Limited risk - transparency duties only (e.g. telling users they are interacting with an AI system or that content is AI-generated).
  • Minimal risk - the majority of AI systems; no mandatory obligations under the Act.

Why classification matters first

Classification determines everything downstream: a high-risk system needs a risk-management system, data governance, technical documentation, human oversight, and a conformity declaration, while a minimal-risk system needs none of that. Getting the tier right early is the difference between roughly $10k of work and exposure to penalties of up to €15M or 3% of global turnover.

Last reviewed June 2026 by the ComplyAgent team.

