The dangerous AI system isn't always the most advanced one.
It's often the system that affects a person without anyone in the company having classified the risk.
The AI Act makes risk classification a practical management task. You need to know which AI systems you use and which decisions they affect.
Start with impact, not technology
Don't first ask which model you use.
Ask what the system affects.
Does AI affect:
- who gets an interview?
- how employees are evaluated or assigned work?
- credit, pricing, insurance, or access to service?
- educational assessment?
- customer cases where a wrong decision can affect rights?
- biometric identification or categorization?
If the answer is yes, you shouldn't treat the system as "just an AI tool."
Four practical risk levels
1. Stop and investigate
Use close to prohibited practices: social scoring, harmful manipulation, certain biometric uses, or emotion recognition in the workplace or in education.
Here you should pause before building further.
2. High risk
AI in recruitment, workforce management, education, credit, insurance, critical infrastructure, or other areas where output can affect individuals' opportunities and rights.
Here you need documentation, human oversight, vendor control, logs, and often legal advice.
3. Transparency risk
Chatbots, AI-generated content, and synthetic images, audio, or video.
Here the recipient needs to understand when AI is involved.
4. Minimal risk
Internal support tools that don't affect people externally or make decisions about them.
Here you still need AI literacy, data rules, and a sound approval process.
The vendor doesn't solve everything
Many SMBs use AI via SaaS.
That often makes you a deployer: you use the system in your operations. The vendor has its own obligations, but you still need to know how the system is used in your context.
Ask the vendor:
- Is the feature classified under the AI Act?
- Is it intended for a high-risk area?
- What instructions for use apply?
- What logs are available?
- How does human oversight work?
- Can we get documentation for our own risk assessment?
If the vendor can't answer, you have an internal risk problem.
Document even when the answer is "not high risk"
A common mistake is to document only the major systems.
Also document why you assess that an AI workflow is not high risk.
Write briefly:
- system name
- usage
- affected persons
- risk class
- justification
- owner
- next review date
A simple risk log gives better control than unwritten assumptions.
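As an added example (not part of the article), here is a small Python risk log that applies the four levels above, strictest level first, and produces a register row with the fields listed; the level labels, the field names and the sample systems are my assumptions, not legal definitions.

```python
from dataclasses import dataclass, field
from datetime import date
# Level vocabulary taken from the text's four practical levels; the labels are my assumption, not legal terms.
STOP_AND_INVESTIGATE = {"social scoring", "harmful manipulation",
                        "emotion recognition at work/school", "biometric categorisation"}
HIGH_RISK_AREAS = {"recruitment", "workforce management", "education",
                   "credit", "insurance", "critical infrastructure"}
TRANSPARENCY_USES = {"chatbot", "ai-generated content", "synthetic media"}

@dataclass
class AISystem:
    name: str
    usage: str
    affected_persons: str
    owner: str
    next_review: date
    practices: set = field(default_factory=set)  # near-prohibited practices involved
    areas: set = field(default_factory=set)      # decision areas the output feeds into
    uses: set = field(default_factory=set)       # content or interaction types
    affects_people_externally: bool = False

def classify(s):
    """Return (risk class, justification); the strictest matching level wins."""
    if hit := s.practices & STOP_AND_INVESTIGATE:
        return "stop and investigate", "near prohibited practice: " + ", ".join(sorted(hit))
    if hit := s.areas & HIGH_RISK_AREAS:
        return "high risk", "output affects opportunities or rights in: " + ", ".join(sorted(hit))
    if hit := s.uses & TRANSPARENCY_USES:
        return "transparency risk", "recipient must know AI is involved: " + ", ".join(sorted(hit))
    if s.affects_people_externally:  # matches no listed area: never default this to minimal
        return "unclassified", "affects people externally; needs manual assessment"
    return "minimal risk", "internal tool; no external effect or decisions about people"

def register_entry(s, today_iso):
    # One risk-log row with the fields the text lists, plus an overdue-review flag.
    risk_class, justification = classify(s)
    return {"system name": s.name, "usage": s.usage, "affected persons": s.affected_persons,
            "risk class": risk_class, "justification": justification, "owner": s.owner,
            "next review date": s.next_review.isoformat(),
            "review overdue": s.next_review < date.fromisoformat(today_iso)}

SAMPLE_SYSTEMS = [  # constructed sample inventory, not real systems
    AISystem("cv-screener", "ranks applicants", "job applicants", "HR lead", date(2025, 1, 15),
             areas={"recruitment"}, affects_people_externally=True),
    AISystem("support-bot", "answers customer questions", "customers", "Support lead",
             date(2026, 6, 1), uses={"chatbot"}, affects_people_externally=True),
    AISystem("notes-summariser", "summarises internal meetings", "employees", "IT", date(2026, 6, 1))]

def build_register(today_iso):
    return [register_entry(s, today_iso) for s in SAMPLE_SYSTEMS]
```

A system that touches a near-prohibited practice lands at "stop and investigate" even when it also sits in a high-risk area, and a system that affects people but matches nothing listed is flagged for manual assessment rather than silently filed as minimal.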
The readiness question
If the AI Act auditor, a customer, or the board asks "which AI systems do you use, and how are they risk-classified?", you shouldn't need to search through Slack.
You should be able to open a register.