high risk ai denforth

High-Risk AI Under the EU AI Act: A Simple Decision Guide

/ Risk Classification & High Risk AI / By

One of the first questions teams ask about the EU AI Act is straightforward:

“Is our system considered high-risk?”

Unfortunately, many answers online make this question harder than it needs to be. Some jump straight to sector lists. Others reduce the decision to vague risk statements. Neither approach reflects how the Regulation actually works.

This article offers a simple, structured way to think about high-risk AI—without legal shortcuts or oversimplification.

High-Risk Does Not Mean “Dangerous”

Under the EU AI Act, high-risk is a legal classification, not a judgment about how good or bad a system is.

A system can be:

  • well-designed,
  • carefully monitored,
  • and genuinely useful,

and still be classified as high-risk.

The label exists because certain AI systems are used in contexts where errors, bias, or misuse can significantly affect people’s rights or access to essential services.

The Core Question the Act Asks

The Regulation does not start by asking:

“How advanced is the AI?”

Instead, it asks:

“What is this system intended to be used for, and where?”

This concept—intended purpose—is central.

Two systems using similar technology can fall into completely different categories depending on how and where they are deployed.

The Two Paths to High-Risk Classification

An AI system is considered high-risk under the EU AI Act if it falls into one of two categories.

1. AI Used as a Safety Component in Regulated Products

Some AI systems are embedded in products already regulated under EU product safety laws (for example, medical devices or machinery).

If AI plays a role in the safety function of such a product, the system is automatically treated as high-risk.

For many software teams, this path is less common—but it matters in industrial, medical, and hardware-adjacent contexts.

2. AI Used in Specific High-Impact Use Cases (Annex III)

The more common path for digital products is Annex III.

Annex III lists areas where AI use is presumed high-risk due to its societal impact. These include, among others:

  • employment and worker management,
  • access to education,
  • creditworthiness and access to financial services,
  • biometric identification,
  • law enforcement and migration contexts.

Importantly, the list is about use cases, not technologies.

A simple model can become high-risk if it is used to make or support decisions in these areas.

Why “Context” Matters More Than Code

A frequent mistake teams make is focusing on the model itself:

  • accuracy,
  • architecture,
  • training method.

While these matter later, they do not decide risk classification.

What matters first is:

  • Who is affected by the system’s output?
  • What decisions does it influence?
  • What happens if the system is wrong?

A recommendation engine for movies is unlikely to be high-risk.
A recommendation engine influencing hiring decisions might be.

Same technique. Very different regulatory treatment.

Who Makes the Classification Decision?

In most cases, the provider of the AI system is responsible for determining whether it is high-risk.

That said, deployers are not passive. If a system is repurposed or substantially modified, risk classification may change.

This is why documentation and clarity around intended purpose matter early—even before compliance steps formally apply.

A Practical Way to Self-Assess

Instead of asking “Are we high-risk?”, ask these questions in order:

  1. Is this system an AI system under the Act?
  2. What is its intended purpose?
  3. Is it used in a context listed in Annex III?
  4. Does it meaningfully influence decisions affecting people or access to services?

If the answer trends toward “yes,” the system likely requires deeper assessment.

This approach avoids both overreaction and false reassurance.

Why Early Clarity Helps

High-risk classification triggers additional obligations later, including risk management and technical documentation.

Teams that identify this early can:

  • design with constraints in mind,
  • avoid rework,
  • and plan compliance calmly instead of reactively.

Those who delay often discover that compliance is not about adding documents—but revisiting earlier design decisions.

Closing Thought

High-risk classification is not a verdict.
It’s a signal.

Understanding it early helps teams build AI systems that are not only compliant—but defensible, explainable, and resilient over time.

Related Posts