
EU AI Act risk tiers: a board guide

A board-level guide to the EU AI Act's prohibited, high-risk, transparency and minimal-risk categories, with controls and next steps.

Hamada Mahdi · 8 min read · Researched and drafted with AI assistance, reviewed by Karl George MBE

EU AI Act risk tiers sort AI systems by the harm they can cause: prohibited uses are banned, high-risk systems need documented controls, transparency-risk systems need disclosures, and minimal-risk uses have no specific Act duty. Boards should classify by purpose, role and evidence, using the Commission's risk-based summary and the legal text.

The board question is not "is this AI?" It is "what is the intended use, who is affected, where is the output used, and what evidence would we show if a regulator or counterparty asked?" For UK organisations, the scope question comes first. Our EU AI Act guide for UK organisations covers that route into scope; this article assumes you already know which systems need classifying.

Key takeaways

  • The Act has four practical board categories: prohibited, high-risk, transparency-risk and minimal or no specific Act obligations.
  • A system is classified by its intended purpose and actual deployment context, not by whether it uses a famous model or a vendor calls it "low risk".
  • Prohibited practices and AI-literacy duties have applied since 2 February 2025, according to the AI Act Service Desk timeline.
  • Article 50 transparency duties apply from 2 August 2026 on the Commission's published timeline. The Commission's 2026 AI omnibus page records political agreement to move high-risk obligations to 2 December 2027 for Annex III systems and 2 August 2028 for regulated products, but boards should verify the final published text before relying on those dates.
  • UK-only systems outside EU scope still need governance under the UK's five cross-sector principles and UK GDPR, which are mapped in the UK AI Regulation Tracker.

Who this applies to

This guide applies to UK boards that use, buy, sell or oversee AI systems with any realistic EU connection. That can mean placing an AI system on the EU market, using AI output in the EU, operating through an EU branch, or deploying a vendor system for EU customers or workers. If the answer is not yet clear, use the EU AI Act checker before classifying the system.

It also applies to boards that are out of EU scope but want a defensible risk taxonomy. The UK's 2024 government response confirmed five cross-sector principles for existing regulators to apply within their remits: safety, transparency, fairness, accountability and contestability. The ICO's AI and data protection guidance also remains relevant wherever an AI system processes personal data.

The board should avoid two shortcuts. First, do not classify a system by technology name alone. A generative model used to summarise internal meeting notes is not the same governance problem as the same model used to draft public information about entitlement to a service. Second, do not accept the vendor's tier without testing your own role. The Act distinguishes providers and deployers, and the deployer's use can change the risk profile.

How the EU AI Act risk tiers work

The Commission describes the Act as risk-based. The four levels are useful in board terms because each one asks for a different decision, control set and evidence trail.

Tier: Prohibited
  Board meaning: The use should not be deployed if it falls within Article 5.
  Examples to test: Social scoring, harmful manipulation, untargeted facial-image scraping, emotion recognition in workplace or education settings except narrow legal exceptions.

Tier: High-risk
  Board meaning: The use can proceed only with a formal control and evidence file.
  Examples to test: Recruitment screening, creditworthiness, access to essential private or public services, education access, certain biometric and law-enforcement uses listed in Annex III.

Tier: Transparency-risk
  Board meaning: The use may be lawful, but people must be told or content must be marked.
  Examples to test: Chatbots, deepfakes, synthetic audio or video, and certain AI-generated public-interest text under Article 50.

Tier: Minimal or no specific Act obligations
  Board meaning: The Act does not add a specific obligation, but normal governance still applies.
  Examples to test: Spam filters, low-impact productivity assistants and internal classification tools with no decision effect on people.

The prohibited category is a stop sign. Article 5 of Regulation (EU) 2024/1689 bans specific practices, and the Commission says the prohibitions became effective in February 2025. A board paper for a prohibited use should not ask for approval to proceed. It should record the classification, the legal reason, the withdrawal route and any vendor or process remediation.

High-risk is not a ban. It is an assurance category. The legal text puts high-risk systems in two main groups: systems that are safety components or products covered by listed EU product law, and systems used in sensitive areas in Annex III. For most UK boards, Annex III is the live governance list: employment, education, creditworthiness, access to essential services, migration, justice and democratic processes. The Commission's high-risk guidance page says draft guidelines are open for feedback until 23 June 2026, so classification practice is still being clarified as of 17 June 2026.

Transparency-risk is often the easiest tier to miss because the use feels ordinary. Article 50 covers people interacting with an AI system and certain synthetic or manipulated content. A customer-service chatbot, an AI-generated explainer video or public-interest text generated or manipulated by AI can trigger disclosure duties even where the underlying use is not high-risk.

Minimal-risk does not mean ungoverned. It means the Act does not impose a specific additional obligation on that use. The Commission gives everyday examples such as video games and spam filters. A UK board still needs UK GDPR controls where personal data is processed, sector obligations where a regulator has jurisdiction, and an internal policy position on staff use.

What the board needs to decide

The first board decision is scope. Is the organisation a provider, deployer, importer, distributor or product manufacturer for this system, and does any EU route apply? The same AI feature can create different work for a software provider selling into the EU and a UK housing association using a vendor tool only for UK operations.

The second decision is purpose. Classify by the use case, not by the model. A model used to draft a job advert is one question; a model used to filter candidates is another. Annex III is about sensitive uses and affected rights, which is why recruitment, credit and access to essential services sit in a different tier from ordinary productivity support.

The third decision is timing. The Service Desk timeline lists 2 February 2025 for general provisions, AI literacy and prohibitions, 2 August 2025 for general-purpose AI rules and governance, and 2 August 2026 for the majority of rules including Article 50 transparency. The Commission's AI Act page says the May 2026 political agreement on the AI omnibus sets later dates for high-risk systems: 2 December 2027 for certain high-risk areas and 2 August 2028 for systems integrated into products. The board minute should name which timeline source it is using and ask legal counsel to confirm the final Official Journal position before the plan depends on a deferred date.

The fourth decision is risk acceptance. A high-risk system may still be strategically necessary, but the board should not approve it without a controls file. That file should identify who owns human oversight, what data is used, what logs are retained, how incidents are escalated, and what evidence will be kept for assurance.

The fifth decision is boundary management. A system can move tier if its intended purpose changes. A vendor tool piloted for internal analysis can become a high-risk system if the organisation later uses it to rank applicants, determine service eligibility or influence credit decisions. The board should require reclassification at procurement, material change and go-live.

Controls and framework mapping

The table below is the evidence file a board should expect for each tier. It is deliberately practical: a board cannot inspect model weights, but it can ask for named owners, records and assurance artefacts.

Tier: Prohibited
  Minimum control: Use-case exclusion gate before procurement or deployment.
  Evidence the board should see: Classification note, Article 5 reason, vendor withdrawal or configuration record, board or executive minute.
  Framework mapping: UK accountability principle; ISO 42001-style policy exclusion; NIST Govern.

Tier: High-risk
  Minimum control: Formal impact and risk assessment before go-live.
  Evidence the board should see: System register entry, role analysis, human oversight plan, data assessment, monitoring plan, incident route, log-retention evidence.
  Framework mapping: NIST Govern, Map, Measure and Manage; ISO 42001-style risk and impact assessment; UK GDPR DPIA where personal data is involved.

Tier: Transparency-risk
  Minimum control: Disclosure and content-marking control.
  Evidence the board should see: User-facing disclosure copy, synthetic-content marking design, vendor configuration record, monitoring record for public content.
  Framework mapping: UK transparency principle; NIST Map and Measure; ICO transparency and explainability expectations.

Tier: Minimal or no specific Act obligations
  Minimum control: Internal AI use policy and proportional monitoring.
  Evidence the board should see: System inventory entry, data-protection screening, approved-use record, review date.
  Framework mapping: UK principles baseline; NIST Govern; internal policy control.

This is where voluntary frameworks earn their place. NIST says the AI RMF is intended for voluntary use to help organisations manage risks to individuals, organisations and society, and it organises that work through Govern, Map, Measure and Manage. In board language, those functions become: set ownership, map the use, test the risk, then manage and review it.

ISO 42001 is the management-system wrapper many UK boards use for the same work. The practical mapping is not that ISO certification "solves" the Act. It does not. The useful point is that a management system gives the classification work a home: scope, policy, risk assessment, controls, documentation, management review and improvement. Our ISO 42001 checklist shows the evidence pack, and our ISO 42001 vs NIST AI RMF guide explains how the two fit together.

For UK boards, add two domestic layers. The government response on AI regulation confirms that existing regulators apply five cross-sector principles rather than one UK AI Act. The ICO guidance then makes data protection the binding layer where personal data is involved. That is why an EU classification table should sit beside, not replace, your UK AI governance framework; our ICO AI code of practice guide explains the UK personal-data evidence track.

Next step

Start with a live inventory and classify only the systems that actually exist or are being procured. For each one, write one line: role, EU route, intended purpose, tier, owner, evidence file, next review date. If the line cannot be completed, the board does not yet have enough information to approve the use.

If you need the scope answer first, run the EU AI Act checker. If you need to see how EU duties sit beside the UK position, use the UK AI Regulation Tracker. If the board wants a maturity baseline, take the Board AI Scorecard. If the classification work needs to become a board-ready evidence file, the AI governance diagnostic maps scope, risk tiers, UK obligations and controls into a sequenced action plan.

Sources: Regulation (EU) 2024/1689, official EUR-Lex text; European Commission, AI Act risk-based framework and implementation notes; European Commission, high-risk AI systems guidelines; AI Act Service Desk, timeline for implementation; AI Act Service Desk, draft high-risk classification guidelines and examples; UK government response to the AI regulation white paper; ICO guidance on AI and data protection; NIST AI Risk Management Framework.
