AI Act Governance

What are prohibited AI practices under Article 5?

Article 5 defines the absolute boundary of the EU AI Act. It lists eight categories of AI practices that are prohibited regardless of risk classification, actor role, or mitigation measures. Before any risk classification begins, every AI system must pass a prohibited-practice gate.

A system that raises Article 5 concerns cannot be handled as a standard risk-classification case. It requires immediate escalation, documented review, and accountable decision-making before the governance process continues.

Key points

  • Prohibited practices include manipulative or deceptive techniques that distort behaviour, exploitation of age or disability vulnerabilities, social scoring by public authorities, and certain forms of real-time biometric identification.
  • Emotion recognition in workplaces and educational institutions is prohibited, as is untargeted scraping of internet or CCTV images for facial recognition databases.
  • The prohibited-practice check is the first substantive governance step — it must happen before risk classification, not after.
  • A documented prohibited-practice review is required even when the system is clearly not prohibited. The absence of a check is an audit gap.
  • Narrow exceptions exist for some categories (e.g., law enforcement biometrics), but these require specific legal basis and documented justification.

Why it matters

Prohibited practices represent an absolute regulatory line. Unlike high-risk systems, which can be governed through obligations and evidence, a prohibited system cannot be made compliant through additional measures. Organizations that skip the prohibited-practice gate risk operating a system that no amount of governance can legitimise. A structured, documented check protects against this exposure.

How EAB approaches this

EAB includes a Prohibited Practices Check as the first gate in the screening process. The check evaluates the system against all eight Article 5 categories with structured prompts. The result is documented, attributed, and stored as part of the versioned screening record. Systems that raise potential Article 5 concerns are flagged for escalation before any further governance steps proceed.

Get in Touch
Request More Information

Tell us about your organization and what you’re looking to address. We’ll follow up with the relevant information.