What Is High-Risk AI?
Under the EU AI Act, high-risk AI refers to AI systems listed in Annex III of the regulation: systems used in areas where errors or biased outcomes could cause serious harm to individuals' health, safety, or fundamental rights. They are subject to the most demanding compliance obligations under the Act.
Key distinction: A system is high-risk based on its use, not its technical architecture. A facial recognition model used for photo organisation is minimal-risk. The same model used for law enforcement identification is high-risk. Classification depends on the context of deployment.
Annex III: the full high-risk list
1. Biometric identification
Real-time or post remote biometric identification systems; biometric categorisation by sensitive characteristics; emotion recognition
2. Critical infrastructure
AI used in the management and operation of road traffic, water, gas, heating, or electrical critical infrastructure
3. Education and training
AI determining access or admission to educational institutions; evaluating learning outcomes; assessing students; monitoring students during tests
4. Employment and HR
AI for recruitment, CV screening and filtering; decisions affecting promotion, termination, task allocation, and monitoring
5. Essential services access
AI used in creditworthiness assessment and credit scoring; life and health insurance risk assessment; emergency service routing
6. Law enforcement
Polygraphs and similar tools; risk assessment of individuals; predictive policing; analysis of evidence; crime analytics profiling
7. Migration, asylum, border control
Lie detection tools; risk assessment for entry; examination of applications for asylum or visa; border surveillance
8. Justice and democratic processes
AI assisting courts in researching, interpreting law, or applying it to facts; AI influencing elections or voting behaviour
Obligations for high-risk AI
Risk management system
Ongoing risk identification, analysis, and mitigation throughout the AI lifecycle.
Data governance
Training, validation, and testing data must meet quality criteria; bias assessment required.
Technical documentation
Comprehensive documentation of system design, development, and performance maintained.
Record-keeping
Automatic logging of operations where technically feasible, retained for minimum periods.
Transparency to deployers
Instructions for use provided; deployers informed of capabilities, limitations, and human oversight requirements.
Human oversight
Mechanisms enabling humans to monitor, intervene, override, and where necessary halt the system.
Accuracy, robustness, cybersecurity
Performance validation across defined metrics; resilience to attempts to alter outputs.
EU database registration
Registration in the publicly accessible EU AI database before placing on the market (except for law enforcement).