How are high-risk AI systems identified under the EU AI Act?
High-risk identification under the EU AI Act depends on the system's intended use, its operational context, and whether it falls within one of the Annex III categories. Classification is not self-evident. It requires structured review of the use case, the actor role, and the specific regulatory criteria — and the result must be documented as a governed decision, not a label applied informally.
The same technical system may carry different risk implications depending on how it is used and by whom. A classification without documented use-case context and actor-role assessment is incomplete governance.
Key points
- Risk classification depends on the intended use and Annex III context — not on the technology alone. The same model can be high-risk in one deployment and not in another.
- Classification must be assessed together with actor role. A provider and a deployer face different obligations for the same system.
- Annex III lists specific domains — biometrics, critical infrastructure, employment, education, law enforcement, migration, justice — where AI systems are presumed high-risk unless an exception applies.
- The classification basis must be documented and reviewable. A risk label without a recorded reasoning is not defensible at audit.
- Article 6(3) allows providers to argue that a system in an Annex III area is not high-risk, but only with documented justification and notification to the authority.
Why it matters
Risk classification determines the scope of obligations. If the classification is wrong, the organization either overspends on compliance or — more critically — under-governs a high-risk system. If the classification process is undocumented, it cannot be defended regardless of whether the result was correct. Audit-ready governance requires a structured decision record that connects the classification to the use case, the actor role, and the evidence available at the time.
How EAB approaches this
EAB structures risk classification inside the screening process. The Risk Classification Engine evaluates the system against Annex III criteria. The Classification Wizard guides users through the structured assessment. The Actor Role Assessment establishes which obligations apply. The result feeds into the Obligation Matrix and becomes part of the versioned governance record.